Algorithm to generate security token for MMO Login Service

Question

I'm building a Login Service for an open source MMO game. I do not know much on the side of security/encryption and I am looking for a solution that will provide good protection against hackers and must not be too costly to generate.

Our old system used a very simple system of authentication by storing the password as SHA1 in the database. For our new service we want to authenticate this through an auth token that is generate when the user logs in for the first time and is valid throughout the session. Would a simple randomly generated string suffice for this or should I be looking at something more complicated to keep it secure?

Answer 1

• Rule 1: don't try to build your own single sign on.
• Rule 2: If tempted, refer to Rule 1.

There are lots of freely available systems. Consider using OpenID. It's simple, pretty strong, and free.

PS. Have a look at the Wiki article.

Answer 2

Don't reinvent the wheel. The biggest problem with modern cryptography is when people want to roll their own, use SSL/TLS or HTTPS. This can be done safely without buying a certificate if you hard-code a self-singed certificate. Although each server should have its own certificate, or you run this risk Of MITM.

What you are looking for is a Session Handler, and ideally you would use the witty library. However this library may or may not be appropriate. In short a session handler uses a Cryptographic Nonce as a key, and this key is used to look up session state in a persistent data store. Each time a user authenticates he is given a new Cryptographic Nonce, and this value expires after a set amount of time of inactivity. For nonce generation I would use the openssl library, and 256 bytes in size should be plenty. A timeout depends on your application, but it should be no more than 1 day.

Answer 3

Well there are so many vectors of attack in a system. These sorts of problems are quite complicated to solve properly. First step would definately be to make sure you're not re-inventing the wheel, it will save you time and probably prevent a host of mistakes.

I did build a system recently. In my case I didn't need secrecy I just needed authenticity. I built my system on top of openssl's crypto library. I used predominantly the DSA algorthim. Communication was autheticated with signatures attached to all comms. It's not particularly efficient to do it that way but for my purposes communication was irregular and as such it was fine. The relevant key was distributed with the software for generating DSA signed comms.