[RLS] Upgrade your password security

Posted (edited)

Hello together,

today I want to share a small, but in my opinion useful, security upgrade for your player password hashes.
The current default hash, which most of you use (some exceptions might be out there), is the MD5
hash. This hash might not be the best choice for hashing passwords these days. This is why I thought
about changing something there, and my solution is Argon2. This method won the Password Hashing Competition,
and this is why I chose it over bcrypt or scrypt.

This tutorial isn't a 100% beginner-friendly guide! Only follow my instructions if you
have a bit of C++ knowledge and know how to work with the source!


Create the libargon2


1. Download the Git repo as a ZIP file from HERE and extract it.
2. Create a folder next to your libgame folder and name it libargon2.
3. Now copy include, src, Makefile and libargon2.pc.in into the newly created folder libargon2.

Now your folder should look like this:

[screenshot]


4. Now upload this libargon2 folder to your compile server and change into it.
5. Enter the command "gmake all" and wait for it to finish.
6. Move to your game source and open the Makefile.
7. Search for the MAINCPP = main.cpp line in the Makefile and add the code below above this line.
NOTE: You might need to edit the path to your libargon2!

# Argon2
INCDIR += -I../../libargon2/include
LIBDIR += -L../../libargon2
LIBS += ../../libargon2/libargon2.a

Now it should look like this:

[screenshot]


You're done with libargon2!


Change the hash in the game core source (default PASSWORD() MySQL function tutorial)



1. Open db.cpp and add at the top:

#include "../../libargon2/include/argon2.h"


2. Search for:

char szEncrytPassword[
char szPassword[

and replace it with

char szEncrytPassword[EArgon2::HASH_LENGHT * 2 + 1] = {0, };
char szPassword[EArgon2::HASH_LENGHT * 2 + 1] = {0, };

3. Search for:

"SELECT PASSWORD('%s'),password,securitycode,social_id,id,status,availDt - NOW() > 0,"

4. Remove the PASSWORD( ... ) part and make it look like:

"SELECT '%s',password,securitycode,social_id,id,status,availDt - NOW() > 0,"

5. Now search a bit below for szLogin and add Argon2PasswordHash(pinfo->passwd).c_str(), before it.
This should look like this:

[screenshot]


6. Search for AccountDB::AccountDB() : and add this piece of code above it:

std::string DBManager::Argon2PasswordHash(const char* c_pszPassword)
{
	// Fixed salt shared by every account, as in the original post; the
	// terminating NUL of the string literal is not part of the salt.
	static const uint8_t salt[] = "MYSALTISCOOL";
	const uint32_t saltlen = sizeof(salt) - 1;

	uint8_t hash[EArgon2::HASH_LENGHT];
	const size_t pwdlen = strlen(c_pszPassword);

	// argon2id_hash_raw takes const input, so no strdup()/free() copy is needed
	int rc = argon2id_hash_raw(EArgon2::TIME_COST, EArgon2::MEMORY_COST, EArgon2::PARALLELISM,
		c_pszPassword, pwdlen, salt, saltlen, hash, EArgon2::HASH_LENGHT);
	if (rc != ARGON2_OK)
	{
		// never hand an uninitialised buffer to the login query
		sys_err("argon2id_hash_raw failed: %s", argon2_error_message(rc));
		return "";
	}

	// hex-encode the raw hash: HASH_LENGHT bytes -> HASH_LENGHT * 2 characters
	char s_buffer[EArgon2::HASH_LENGHT * 2 + 1];
	memset(s_buffer, 0x00, sizeof(s_buffer));
	for (uint32_t i = 0; i < EArgon2::HASH_LENGHT; ++i)
		snprintf(s_buffer + (i * 2), 3, "%02x", hash[i]);

	return std::string(s_buffer);
}

7. Now open DB.h and add this piece of code above typedef struct SUseTime:

enum EArgon2
{
	HASH_LENGHT = 64,       // raw hash size in bytes; hex-encoded it becomes 128 characters
	TIME_COST = 2,          // Argon2 iterations (t)
	MEMORY_COST = 1 << 16,  // memory in KiB, i.e. 64 MiB per hash (m)
	PARALLELISM = 1         // lanes/threads (p)
};

8. Now search for std::vector<TUseTime>            m_vec_kUseTime; and add below it:

public:
		std::string	Argon2PasswordHash(const char* c_pszPassword);

9. Open input_auth.cpp and search again for:

"SELECT PASSWORD('%s'),password,securitycode,social_id,id,status,availDt - NOW() > 0,"

10. Change it to:

"SELECT '%s',password,securitycode,social_id,id,status,availDt - NOW() > 0,"

11. Look a bit below and change:

szPasswd, szLogin);

//CHANGE TO

DBManager::Instance().Argon2PasswordHash(szPasswd).c_str(), szLogin);


For now you just need to edit the account.account table and set the size of the password column to 128 (why 128? In Db.h, EArgon2::HASH_LENGHT = 64, and 64 * 2 = 128).
And you need to replace your hashes with the Argon2 ones. For this, follow the link to the generator: https://argon2.online
Example config for the tutorial setup:
[screenshot]


Have fun ;)

Edited by B4RC0D3
Posted

And is it compatible with PHP?

On MySQL8 the PASSWORD function is already deprecated. Why add a new lib when you can have SHA256 or SHA512 with salt (both hashes available on MySQL and cryptopp, which is already necessary)?

Posted (edited)
1 hour ago, hachiwari said:

Nice! 

btw. did you check or test the performance between old and new encryption?

No, I didn't test the performance difference.

1 hour ago, Karbust said:

And is it compatible with PHP?

 

On MySQL8 the PASSWORD function is already deprecated. Why add a new lib when you can have SHA256 or SHA512 with salt (both hashes available on MySQL and cryptopp, which is already necessary)?

Because, simplified, you can change so many parts of the input that the output will be different. Even if you use the same password and salt, the hash will be different in many ways. Test it with the online generator: if you just change the memory or the iterations, you will get different outputs. So as an attacker I need all of this information and not just the hash algorithm, so I can't simply search some rainbow tables and maybe find some data. Even generated keys, which are stored on the server, can be loaded by the algorithm to enhance the security of your system. So it's hard to get rainbow tables or otherwise forced data out of an Argon2 hash.

SHA is good, that's not the point here. But Argon2 can be better with an easier way of use.

(Of course it is my personal way of thinking, so it's up to everyone whether they want to use it or not.)

Edit: Yes, since PHP 7.2 Argon2 is usable as an algorithm.

Edited by B4RC0D3
Posted (edited)
3 hours ago, Karbust said:

And is it compatible with PHP?

On MySQL8 the PASSWORD function is already deprecated. Why add a new lib when you can have SHA256 or SHA512 with salt (both hashes available on MySQL and cryptopp, which is already necessary)?

 

password_hash https://www.php.net/manual/en/function.password-hash.php

example:

password_hash('test', PASSWORD_ARGON2I)

To log in you need to do a select on MySQL with the login name, fetch the password and compare it with the function.
example:
SELECT `password` FROM `account` WHERE `login` = 'test'

https://www.php.net/manual/en/function.password-verify.php

if (password_verify($_POST['password'], $row['password'])) {
    return true;
} else {
    return false;
}

 

@TOPIC

Nice idea, I was thinking recently whether to publish a similar solution.


3 hours ago, hachiwari said:

Nice! 

btw. did you check or test the performance between old and new encryption?

The performance is poorer; the longer the hash computation takes, the harder it is to break. Imagine a computer that does 1 million MD5 per second and 1k Argon2 per second. Even if the calculation takes longer, it does not affect the performance of the game. The user will not feel the difference between logging in in 0.01 sec or 0.1 sec.

Edited by Alerin