• Welcome to Valhalla Legends Archive.
 

So... SRP?

Started by MyndFyre, December 15, 2004, 06:31 PM

Previous topic - Next topic

MyndFyre

I've been looking through RFC 2945 on the SRP authentication method (the one described in that article is SRP-3), and I'm not quite catching on to what he says.  First:

Quote
        <salt> = random()
        x = SHA(<salt> | SHA(<username> | ":" | <raw password>))
        <password verifier> = v = g^x % N

He never defines g or N.  I realize N is the modulo root for the function by which all modulo operations take place, but what is g?  [edit: I see it says "g should be a generator modulo N (see [SRP] for details), which means that for any X where 0 < X < N, there exists a value x for which g^x % N == X."  Is this coded into the client?]

Then he says:
Quote
   Authentication is generally initiated by the client.

      Client                             Host
     --------                           ------
      U = <username>              -->
                                     <--    s = <salt from passwd file>
I don't see inside of the documentation of the BNLS protocol spec anywhere where Battle.net transmits its salt to the client (as the only communication required to Battle.net is 0x50 and 0x51 before logon is attempted); after CD key verification is complete via X-SHA-1, the client can procede to log on using 0x53.  Does that mean that Battle.net uses the same salt for every client?

They then establish that they have the same key; this is part of the function of BNLS_LOGONPROOF (correct?) -- the client should abort the connection, according to the RFC, if B % N is 0.

Ultimately, I get the impression that the Battle.net auth scheme is something along the lines of:


        Client                             Host
       --------                           ------
        U, A                        -->
                                    <--    s, B
        H(H(N) XOR H(g) | H(U) | s | A | B | K)
                                    -->
                                    <--    H(A | M | K)


Any help or clarification here from those of you experienced in this area?  I feel lost in adapting the SRP RFC to the actual thing.
QuoteEvery generation of humans believed it had all the answers it needed, except for a few mysteries they assumed would be solved at any moment. And they all believed their ancestors were simplistic and deluded. What are the odds that you are the first generation of humans who will understand reality?

After 3 years, it's on the horizon.  The new JinxBot, and BN#, the managed Battle.net Client library.

Quote from: chyea on January 16, 2009, 05:05 PM
You've just located global warming.

EpicOfTimeWasted

#1
I haven't had a chance to look too deeply into what Warcraft 3 is doing, but at first glance it looks like Blizzard is using a "modified" SRP implementation.  I don't know how strictly I should read that "SHA(<salt> | SHA(<username> | ":" | <raw password>))" line, but I haven't found that code in Warcraft 3 yet, though I have found similar.  Perhaps finding a SRP implementation in another program to use as reference would help?

dxoigmn

#2
Quote from: MyndFyre on December 15, 2004, 06:31 PM
I've been looking through RFC 2945 on the SRP authentication method (the one described in that article is SRP-3), and I'm not quite catching on to what he says.  First:

Quote
        <salt> = random()
        x = SHA(<salt> | SHA(<username> | ":" | <raw password>))
        <password verifier> = v = g^x % N

He never defines g or N.  I realize N is the modulo root for the function by which all modulo operations take place, but what is g?  [edit: I see it says "g should be a generator modulo N (see [SRP] for details), which means that for any X where 0 < X < N, there exists a value x for which g^x % N == X."  Is this coded into the client?

Yes, it's coded into the client.

g = {47}
N = {0x87, 0xc7, 0x23, 0x85, 0x65, 0xf6, 0x16, 0x12, 0xd9, 0x12, 0x32, 0xc7, 0x78, 0x6c, 0x97, 0x7e, 0x55, 0xb5, 0x92, 0xa0, 0x8c, 0xb6, 0x86, 0x21, 0x03, 0x18, 0x99, 0x61, 0x8b, 0x1a, 0xff, 0xf8}

...according to iago's SRP.java.

Quote
Then he says:
Quote
   Authentication is generally initiated by the client.

      Client                             Host
     --------                           ------
      U = <username>              -->
                                     <--    s = <salt from passwd file>
I don't see inside of the documentation of the BNLS protocol spec anywhere where Battle.net transmits its salt to the client (as the only communication required to Battle.net is 0x50 and 0x51 before logon is attempted); after CD key verification is complete via X-SHA-1, the client can procede to log on using 0x53.  Does that mean that Battle.net uses the same salt for every client?

The BNLS spec doesn't really define anything about the protocol other then telling us how many dwords are in the packet.  I'm pretty sure this is how it's defined:


S->C SID_AUTH_ACCOUNTLOGON
(DWORD)  Status
(DWORD[8]) s - Salt
(DWORD[8]) B - server public key


Quote
They then establish that they have the same key; this is part of the function of BNLS_LOGONPROOF (correct?) -- the client should abort the connection, according to the RFC, if B % N is 0.

Ultimately, I get the impression that the Battle.net auth scheme is something along the lines of:


        Client                             Host
       --------                           ------
        U, A                        -->
                                    <--    s, B
        H(H(N) XOR H(g) | H(U) | s | A | B | K)
                                    -->
                                    <--    H(A | M | K)


Any help or clarification here from those of you experienced in this area?  I feel lost in adapting the SRP RFC to the actual thing.

You scheme looks correct.  I'd take a look at iago's code for more information and this webpage.  I'd like to see a nice text developed about Battle.net use of SRP with samples and such.  Perhaps we can do that in this thread?

iago

Quote from: EpicOfTimeWasted on December 15, 2004, 07:55 PM
I haven't had a chance to look too deeply into what Warcraft 3 is doing, but at first glance it looks like Blizzard is using a "modified" SRP implementation.  I don't know how strictly I should read that "SHA(<salt> | SHA(<username> | ":" | <raw password>))" line, but I haven't found that code in Warcraft 3 yet, though I have found similar.  Perhaps finding a SRP implementation in another program to use as reference would help?

The war3 version looks like this:
        username = username.toUpperCase();
        password = password.toUpperCase();
        MessageDigest mdx = MessageDigest.getInstance("sha-1");
        mdx.update(username.getBytes());
        mdx.update(":".getBytes());
        mdx.update(password.getBytes());
        byte []hash = mdx.digest();

        mdx = MessageDigest.getInstance("sha-1");
        mdx.update(salt);
        mdx.update(hash);
        hash = mdx.digest();

        return new BigInteger(1, reverseArray(hash, SHA_DIGESTSIZE));


The white paper at http://srp.stanford.edu was quite good for giving a high level overview.  If you can understand that, you are already most of the way there.
This'll make an interesting test for broken AV:
QuoteX5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*


EpicOfTimeWasted

Ok, apparently I'm quite wrong about my modified SRP theory then.  I had only gotten so far as to see the strupr()s and some odd little hashing functions, but nothing that looked like sha1(username . ":" . password);  Guess I'll have to look a bit closer.  Thanks, though.

iago

I recall somebody saying something about War3's algorithm being similar to SRPv3 (where the current is v6).  But I can't confirm or deny that.

What Blizzard uses is quite similar to SRP, I think there was only one function that didnt make sense.
This'll make an interesting test for broken AV:
QuoteX5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*


dxoigmn

Quote from: iago on December 16, 2004, 12:48 PM
I recall somebody saying something about War3's algorithm being similar to SRPv3 (where the current is v6).  But I can't confirm or deny that.

What Blizzard uses is quite similar to SRP, I think there was only one function that didnt make sense.

Do you remember what?  I remember Skywing saying something about this, but he didn't elaborate.  I was looking through the RFC link above and it looks exactly like Battle.net implementation.  The only thing I noticed it didn't follow is the host doesn't disconnect if A % N = 0, which could be  security vulnerability; but nothing I was able to exploit.  It looks to check that in SID_AUTH_ACCOUNTLOGONPROOF and not SID_AUTH_ACCOUNTLOGON.

MyndFyre

I checked with Skywing, and he confirmed that BNLS doesn't actually use your password during the first time you send it.  The data is only used in the second packet (the logon proof one, with data you send to BNCS in 0x54).

There is a bug though, he said, that causes the server to fail to authenticate some sessions randomly where they would be correct.
QuoteEvery generation of humans believed it had all the answers it needed, except for a few mysteries they assumed would be solved at any moment. And they all believed their ancestors were simplistic and deluded. What are the odds that you are the first generation of humans who will understand reality?

After 3 years, it's on the horizon.  The new JinxBot, and BN#, the managed Battle.net Client library.

Quote from: chyea on January 16, 2009, 05:05 PM
You've just located global warming.

dxoigmn

Quote from: MyndFyre on December 20, 2004, 02:19 AM
I checked with Skywing, and he confirmed that BNLS doesn't actually use your password during the first time you send it.  The data is only used in the second packet (the logon proof one, with data you send to BNCS in 0x54).

There is a bug though, he said, that causes the server to fail to authenticate some sessions randomly where they would be correct.

Ahh, yes this is expected since SID_AUTH_ACCOUNTLOGON is a random public key and username.  Did he elaborate on the bug?  If not, anyone else know anything about this or perhaps Skywing himself can?

Kp

Quote from: dxoigmn on December 20, 2004, 02:59 AM
Quote from: MyndFyre on December 20, 2004, 02:19 AMI checked with Skywing, and he confirmed that BNLS doesn't actually use your password during the first time you send it.  The data is only used in the second packet (the logon proof one, with data you send to BNCS in 0x54).

There is a bug though, he said, that causes the server to fail to authenticate some sessions randomly where they would be correct.
Ahh, yes this is expected since SID_AUTH_ACCOUNTLOGON is a random public key and username.  Did he elaborate on the bug?  If not, anyone else know anything about this or perhaps Skywing himself can?

There's a buffer mismanagement bug in the BNCS code that causes it sometimes to get the wrong result, and then it punishes you when you send an answer that's actually correct, since you two don't match.  There's been some discussion of having BNLS attempt to warn you of an impending BNCS bug, since the client (which in this case means BNLS since it's the one doing the NLS work) can detect that the bug will occur, but by the time it's detectable, it's too late to change the parameters.
[19:20:23] (BotNet) <[vL]Kp> Any idiot can make a bot with CSB, and many do!

Maddox

They do indeed use SRP-3 and a slightly modified out-of-the-box implementation available on the site.
asdf.