This is a read-only snapshot of the ComputerCraft forums, taken in April 2020.

Secure Hash Keys

Started by HDeffo, 08 February 2016 - 05:02 AM
HDeffo #1
Posted 08 February 2016 - 06:02 AM
I am currently programming something which uses cloud-based account verification in ComputerCraft. Simply put, I would like to add a "remember me" button. However, the only two options I can see are to either store the user's password in plain text (very bad) or store a hashed authorization key in plain text (still bad).

Either option a person could just copy and use to bypass someone's login very easily. Does anyone on here have an idea on how I can prevent this, or any other way I could possibly implement a remember me button into ComputerCraft?
Anavrins #2
Posted 08 February 2016 - 06:43 AM
I highly doubt it.
There will always be a trade-off between convenience and security when doing this kind of feature.
It's the same for a real website, an auth cookie is just sitting there in plaintext waiting to be read by somebody else or a virus.
Though, from your two options, I would choose to store a randomized authorization key since it would at least not leak the password.
Edited on 08 February 2016 - 05:44 AM
HDeffo #3
Posted 08 February 2016 - 06:54 AM
I highly doubt it.
There will always be a trade-off between convenience and security when doing this kind of feature.
It's the same for a real website, an auth cookie is just sitting there in plaintext waiting to be read by somebody else or a virus.
Though, from your two options, I would choose to store a randomized authorization key since it would at least not leak the password.

Usually programs have the advantage of storing some unique identifier in the key. Though you can spoof those too, it's much easier to spoof the only real identifier we have, os.computerID().
H4X0RZ #4
Posted 08 February 2016 - 10:01 AM
If you use a real server, you could try out JWTs.
HDeffo #5
Posted 08 February 2016 - 12:59 PM
If you use a real server, you could try out JWTs.

Wouldn't solve the issue. In order to "remember" the login I have to save the JWT then, and that means it can be copied and inserted into another computer.
Lupus590 #6
Posted 08 February 2016 - 01:22 PM
Can you save the cookie to a CC disk and have that disk on your player when not in use?

Related idea: the cookie is on a CC pocket computer, encrypted, and transmitted to the client computer when needed.
Edited on 08 February 2016 - 12:23 PM
Dragon53535 #7
Posted 08 February 2016 - 05:30 PM
For auth keys, you can just create a random key for a person, know that the key is for that person, and if anyone steals it, allow the person to revoke access to that key. That is kinda how mobile apps do it.

However for safety of your users, watch this video to see how NOT to handle this. Here ya go.
Edited on 08 February 2016 - 04:32 PM
HDeffo #8
Posted 08 February 2016 - 07:13 PM
I found a way to do this. Essentially I am sending bitcode from the server for the computer to run which verifies that os.computerID() is a Java function and then returns the auth key, secret key, and computer ID to the server. The true auth key is then generated as a hash of these three plus another secret salt. Theoretically it can still be bypassed, but since everything is hidden behind bitcode it's now a little more difficult.
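The server side of the scheme the thread is circling (Dragon53535's random, revocable per-person key and HDeffo's token tied to the computer ID) looks roughly like the following. This is an added example, not code from the thread or from any ComputerCraft project; it assumes a Python server, an invented server secret, and a 30-day token lifetime. Only an HMAC digest of each token is stored, so the token database alone does not contain usable tokens; the client-reported device id is mixed into that digest, so a token file copied to a different computer id no longer verifies; and every token can be revoked individually. The device id here is whatever the client claims, so the binding is a hurdle for a casual copy rather than a security boundary; the revocation list and the hashed storage are the parts that hold up regardless.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, List, Optional


class RememberMeStore:
    """Server-side remember-me tokens: random per login, bound to a device id,
    stored only as an HMAC digest, individually revocable, and time-limited.
    (Added example, not the thread's code; the secret and TTL are assumptions.)"""

    def __init__(self, server_secret: bytes, ttl_seconds: int = 30 * 24 * 3600):
        self._secret = server_secret        # never leaves the server
        self._ttl = ttl_seconds
        self._records: Dict[str, dict] = {}  # digest -> {user, device, issued_at, revoked}

    def _digest(self, token: str, device_id: str) -> str:
        # The client's reported device id (e.g. os.computerID()) is mixed into the
        # keyed hash, so the same token presented with another id does not match.
        msg = token.encode() + b"\x00" + device_id.encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()

    def issue(self, user: str, device_id: str, now: Optional[float] = None) -> str:
        """Create a fresh random token for (user, device) and hand it to the client.
        The raw token is not kept; only its digest is."""
        token = secrets.token_urlsafe(32)    # 256 bits of randomness, URL-safe text
        self._records[self._digest(token, device_id)] = {
            "user": user,
            "device": device_id,
            "issued_at": time.time() if now is None else now,
            "revoked": False,
        }
        return token

    def verify(self, token: str, device_id: str, now: Optional[float] = None) -> Optional[str]:
        """Return the user name if the token is valid for this device, else None."""
        rec = self._records.get(self._digest(token, device_id))
        if rec is None or rec["revoked"]:
            return None
        current = time.time() if now is None else now
        if current - rec["issued_at"] > self._ttl:
            return None
        return rec["user"]

    def revoke(self, user: str, device_id: Optional[str] = None) -> int:
        """Revoke one device's token (or all of a user's tokens); returns the count revoked."""
        count = 0
        for rec in self._records.values():
            if rec["user"] == user and not rec["revoked"] and (
                device_id is None or rec["device"] == device_id
            ):
                rec["revoked"] = True
                count += 1
        return count

    def active_devices(self, user: str) -> List[str]:
        """What a 'manage my remembered logins' screen would show the user."""
        return sorted(rec["device"] for rec in self._records.values()
                      if rec["user"] == user and not rec["revoked"])


def demo() -> dict:
    """Walk through issue, copy-to-another-computer, revoke and expiry with constructed data."""
    store = RememberMeStore(b"constructed-server-secret-for-the-example")
    t0 = 1_000_000.0
    token = store.issue("alice", "12", now=t0)   # computer 12 logs in with 'remember me'
    return {
        "same_device": store.verify(token, "12", now=t0 + 60),    # 'alice'
        "copied_token": store.verify(token, "99", now=t0 + 60),   # None: token file copied to computer 99
        "revoked_count": store.revoke("alice", "12"),             # 1
        "after_revoke": store.verify(token, "12", now=t0 + 60),   # None
        "expired": store.verify(store.issue("bob", "5", now=t0), "5",
                                now=t0 + 31 * 24 * 3600),         # None: past the 30-day TTL
    }


if __name__ == "__main__":
    print(demo())
```

The client stores nothing but the opaque token string; the server-side record is what decides whether it still means anything, which is what lets a user (or an administrator) cut off a stolen token without changing the password.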
Wojbie #9
Posted 08 February 2016 - 09:04 PM
I found a way to do this. Essentially I am sending bitcode from the server for the computer to run which verifies that os.computerID() is a Java function and then returns the auth key, secret key, and computer ID to the server. The true auth key is then generated as a hash of these three plus another secret salt. Theoretically it can still be bypassed, but since everything is hidden behind bitcode it's now a little more difficult.
That depends how you are testing if os.computerID() is not changed. It sounds like an easy to spoof test (considering that you can mess with the bytecode environment), especially now that you told people what it does. There are a few Lua "uncompilers" that transform bytecode into human readable code.
Edited on 08 February 2016 - 08:05 PM
HDeffo #10
Posted 08 February 2016 - 09:24 PM
I found a way to do this. Essentially I am sending bitcode from the server for the computer to run which verifies that os.computerID() is a Java function and then returns the auth key, secret key, and computer ID to the server. The true auth key is then generated as a hash of these three plus another secret salt. Theoretically it can still be bypassed, but since everything is hidden behind bitcode it's now a little more difficult.
That depends how you are testing if os.computerID() is not changed. It sounds like an easy to spoof test (considering that you can mess with the bytecode environment), especially now that you told people what it does. There are a few Lua "uncompilers" that transform bytecode into human readable code.

Those are very difficult to port to ComputerCraft though. And since true security is impossible in CC, I think this is as secure as it's gonna get.
Wojbie #11
Posted 08 February 2016 - 09:25 PM
True