My project for this summer is to make a multiplayer online flash game. I could use some advice as I've never implemented a secure login system before, let alone done so in Actionscript.

My setup right now is a .swf sending/receiving game data to/from a Java server which communicates with a MySQL database about account info.

1) How should I proceed in general? I was thinking that maybe I should have my .swf encrypt the password, send it, (have my server encrypt it again?), then store it in the database.

2) I'm sure I can find plenty of guides to encryption in Java. Can anyone recommend an Actionscript library, or even just a general encryption algorithm (so I could search for an AS equivalent myself) which would be acceptable for this task?

Also, my game is communicating via an XMLSocket. I don't think this should cause any security issues but please let me know if I'm mistaken.

A: 

Here is a link about encrypting in md5 with ActionScript (I just googled it), since it is the most commonly used encryption algorithm. You should not encrypt it in the server, but use a secure connection to the database, and compare what is encrypted in the message to the encrypted password in the database.

ONi
A: 

Hi,

A generally accepted way of sending passwords is to not actually send them at all, as this is considered highly insecure. Instead, as you've mentioned, you send a different form of them such as the hashed password, although this still has some drawbacks - i.e. rainbow tables etc.

Therefore the best approach is to hash the password with a nonce (number only used once), i.e. a random string, and a timestamp and send that instead. I would then send the hashed string, the nonce and the timestamp in an XML format to your db server, which could then try and reproduce the hashed password using the password you have stored for the user.

This is how the W3C usernameToken spec does it. See: http://docs.oasis-open.org/wss/v1.1/wss-v1.1-spec-os-UsernameTokenProfile.pdf

<UsernameToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <Username>jon</Username>
  <Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">9JSGeXj+zpvEp42I20K/1bg8rCE=</Password>
  <Nonce>TaF3g5F37wSHtSdY</Nonce>
  <Created>2009-07-25T10:29:34Z</Created>
</UsernameToken>

However, this may introduce unwanted complexity.

So you could simply just hash the password and send it to the server, which would then hash its version of the password, and if it matches you're away. Although at the end of the day, you have to ask yourself how secure the actual .swf file is, because you can decompile them and just jump over the original login anyway. However, for the most part this will be sufficient.

To hash strings I usually use as3crypto (code.google.com/p/as3crypto/) - but I know the Adobe utils package has an md5 and sha-1 implementation.

As for the XML socket, this will be fine as long as you have a cross-site-policy file in the ActionScript app that allows it to talk to that domain, and one on the domain that allows Flash to talk to it. Otherwise you may get security errors.

Hope this helps.

Jon

To implement either of these approaches, wouldn't my passwords need to be stored in plaintext?
MADgood
Not at all, you could store your password in the db hashed and simply hash the password in the game before re-hashing it with the above method, i.e. nonce + timestamp - doing the same server side would produce the same result.
Jon
Note: the above XML example is hashed but in a base64 form, so it is not encrypted as such, just thought I'd make that clear.
Jon
Ahh, ok. Thanks for the help!
MADgood