• Welcome to Valhalla Legends Archive.
 

Creating Authentication Systems

Started by Mephisto, December 12, 2004, 05:49 PM


Mephisto

What are some good ways to create authentication systems for applications you want to keep private but are at risk of being leaked by other people?

Banana fanna fo fanna


Mephisto

Omit the "good" then.

I have an idea that I haven't fully thought through, but it involves taking a value which is unique for each user, but never changes and have that value sent to a Website which will encrypt it and come up with some sort of "key."  The user takes that key and puts it into a file, and the application decrypts the key and checks it against their unique value that never changes, and if it passes, the application proceeds.
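
An added example, not part of Mephisto's post or any code from this thread: one way to realize the scheme described above, with HMAC-SHA256 standing in for the unspecified "encrypt" step. The secret, the serial format and all function names are assumptions made for the illustration.

```python
import base64
import hashlib
import hmac

# Constructed secret for illustration only. In the scheme described it lives on
# the website; an offline HMAC check forces a copy into the application as well,
# which is why shipped clients usually verify a public-key signature instead.
ISSUER_SECRET = b"constructed-demo-secret"


def normalize_machine_id(raw: str) -> bytes:
    """Canonicalize the per-user value (e.g. a drive serial) before it is tagged."""
    return raw.strip().upper().replace("-", "").encode("utf-8")


def issue_key(machine_id: str, secret: bytes = ISSUER_SECRET) -> str:
    """Website side: derive the key-file value bound to one machine ID."""
    tag = hmac.new(secret, normalize_machine_id(machine_id), hashlib.sha256).digest()
    # 15 bytes encode to exactly 24 base32 characters with no padding.
    return base64.b32encode(tag[:15]).decode("ascii")


def verify_key(machine_id: str, key: str, secret: bytes = ISSUER_SECRET) -> bool:
    """Application side: recompute the tag and compare in constant time."""
    expected = issue_key(machine_id, secret)
    return hmac.compare_digest(expected.encode(), key.strip().upper().encode())


if __name__ == "__main__":
    serial = "1A2B-3C4D"  # constructed sample serial
    key = issue_key(serial)
    print("key file contents:", key)
    print("same machine     :", verify_key("1a2b3c4d", key))
    print("other machine    :", verify_key("1A2B-3C4E", key))
```

This binds a key to one machine ID so a copied key file fails elsewhere; it does nothing against a modified binary that skips the check, which is the limitation the replies in this thread discuss.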

hismajesty


Eibro

Quote from: Banana fanna fo fanna on December 12, 2004, 07:11 PM
In short: there aren't any.
That is a horrible answer.

Quote: Base it on harddrive serial.
Base what on hard drive serial?


"Good" is a relative term. No matter how great your protection scheme is, it can always be broken. You want to find some middle ground-- there isn't much point in spending a lot of time on an elaborate scheme if no one has any reason to want to break it. If there is a reason for someone to want to break it, you need to implement something which will require a significant amount of time/skill to defeat. You can create protection which will defeat the average user. You can create protection which will defeat an amateur hacker. You can create protection which will defeat an experienced hacker. However, will there be such a demand for your application that an experienced hacker will ever take a look at it?
Eibro of Yeti Lovers.

Mephisto

The protection need not warrant an experienced hacker, but it needs to be sufficient enough to prevent people from just using the application without permission granted, and made to where they can't just get a key without actually doing some hacking, and that hacking they do do shouldn't be as easy as 123 to break the protection, but it doesn't need to be extensive protection as I said.

hismajesty

Quote: Base what on hard drive serial?

Use the person's harddrive serial number for authorization. Or maybe generate a key based on their serial number.

Rabbit did his authorization using a harddrive serial number, I don't remember the exact method though.

Quote: The protection need not warrant an experienced hacker

It doesn't take much experience to map the address where your auth file is stored to point to a different one, or nop out a few lines after disassembling it. However, as Eibro said, would anybody care?

iago

Doing it based on harddrive serial is useless, because they can just bypass that part of the code. 

The best way is just to make your software opensource, and release the entire thing publicly, encouraging others to work on it, and provide patches if they find a bug.  It works surprisingly well.  Think about the REASON you want it to be closed.  The only one I can think of is so that people who don't have it say, "I want it! I'm going to be friends with the person who wrote it so that he'll give ME a copy!" and anybody who does it for that reason is pathetic.

Look at Skywing's BinaryChat: it had amazing protection on it, since we all know that Skywing is totally elite, and somebody has broken it.  There isn't a lot you can do to prevent a serious hacker from getting at your code, short of not giving it to them.  And even that doesn't always work (see also: half life 2).
This'll make an interesting test for broken AV:
QuoteX5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*


Kp

Quote from: iago on December 13, 2004, 08:27 AM
Think about the REASON you want it to be closed.  The only one I can think of is so that people who don't have it say, "I want it! I'm going to be friends with the person who wrote it so that he'll give ME a copy!" and anybody who does it for that reason is pathetic.

There's also the reasoning that it's simply too dangerous for public consumption.  Consider what a mess it would wreak on BW public gaming if the sum total of SCRL (Adron's SC HDL), SCE (Sky/Grok's SC HDL), and my BW work were merged into an open source project and released.  Obviously a special case, but it is another reason against release. :)
[19:20:23] (BotNet) <[vL]Kp> Any idiot can make a bot with CSB, and many do!

iago

Quote from: Kp on December 13, 2004, 10:30 AM
Quote from: iago on December 13, 2004, 08:27 AM
Think about the REASON you want it to be closed.  The only one I can think of is so that people who don't have it say, "I want it! I'm going to be friends with the person who wrote it so that he'll give ME a copy!" and anybody who does it for that reason is pathetic.

There's also the reasoning that it's simply too dangerous for public consumption.  Consider what a mess it would wreak on BW public gaming if the sum total of SCRL (Adron's SC HDL), SCE (Sky/Grok's SC HDL), and my BW work were merged into an open source project and released.  Obviously a special case, but it is another reason against release. :)

Indeed, I should have mentioned that.  The only thing that I've made that I haven't released with source is my Starcraft/Diablo hacks.  I completely agree, some things are destructive.  But in general, my statements stand :P

On a sidenote, to be technical, there is a lot of code that I've never made public for the sole reason that I don't think anybody would care.  Of course, if somebody asked me for it (for example, my Java Huffman implementation), I'd happily give it to them.


hismajesty

Quote from: iago on December 13, 2004, 08:27 AM
Doing it based on harddrive serial is useless, because they can just bypass that part of the code.

That applies to a lot of current methods. Think of those games that we cracked when you were teaching me to read Assembly.

Quote: The best way is just to make your software opensource, and release the entire thing publicly, encouraging others to work on it, and provide patches if they find a bug. It works surprisingly well.

Despite his reason, making it open source/freely available kinda defeats the point which is to keep it private...

UserLoser.

Quote from: iago on December 13, 2004, 08:27 AM
Look at Skywing's BinaryChat: it had amazing protection on it, since we all know that Skywing is totally elite, and somebody has broken it.

You forgot ZeroBot (binary version)! *;)*  But I'm pretty sure Sky doesn't use that same method anymore

iago

Quote from: hismajesty[yL] on December 13, 2004, 01:48 PM
Quote from: iago on December 13, 2004, 08:27 AM
Doing it based on harddrive serial is useless, because they can just bypass that part of the code.

That applies to a lot of current methods. Think of those games that we cracked when you were teaching me to read Assembly.
I know, you can bypass ANY protection.  There's nothing at all that you can do to stop it, just slow it down.

Quote
Quote: The best way is just to make your software opensource, and release the entire thing publicly, encouraging others to work on it, and provide patches if they find a bug. It works surprisingly well.

Despite his reason, making it open source/freely available kinda defeats the point which is to keep it private...
My point is that keeping stuff private is stupid.


Mephisto

Regardless of you guys' opinions which I appreciate, not one person here has provided me with an authentication/protection method.  If someone has a public one and wishes to share, please do so.

UserLoser.

Quote from: Mephisto on December 13, 2004, 07:00 PM
Regardless of you guys' opinions which I appreciate, not one person here has provided me with an authentication/protection method.  If someone has a public one and wishes to share, please do so.

Strong encryption based off of certain values returned from querying the user's system info
