[sldev] [AWG] realXtend login process for distributed virtual worlds

Matti Reijonen matti.rn at gmail.com
Tue Mar 18 03:27:06 PDT 2008


(reply to Argent Stonecutter; I wasn't on this list previously, so I'm not
sure if this message goes to the right place)

Thanks for commenting on the authentication process..

We've been planning to put authentication under an SSL connection,
but we have so far postponed implementing that.

Currently, in the authentication sequence the client sends the hash of the
password to the authentication server in the same manner as in
Second Life. In return the authentication server sends a disposable hash
back to the client. The client uses that hash when it logs into a world.
The sim then checks with the authentication server that the client login is
valid with that session hash, and the authentication server sends a new
session hash to the sim as a reply. The sim then uses that hash to fetch
the user profile from the authentication server.

If exampleworld.com were trying to use the session hash it received to
authenticate itself to expensive.com, it would be using an account
that is already logged into the authentication server.. then the authentication
server would know this is a duplicate login attempt, and could
deny that.. but there's one but..

I think there's a problem here even if the hash is not replayable:
exampleworld.com could use the hash it gets in the first
place from the client to log in with the user's account to expensiveworld;
expensiveworld would then use that hash to authenticate and get the
second hash from the authentication server, and know nothing about
exampleworld. The problem is with the second-phase authentication..
The proposal for sending the domain of the world that the client is trying
to connect to to the authentication server sounds good.
At least it would be harder for exampleworld.com to fake domains..

Another way around it could be a trusted sim list on the authentication
servers.. the client could be notified when it's logging into an untrusted sim.

I'm not familiar with the term "time dependent nonce"; would that be a
lightweight alternative solution to SSL?

 - Matti
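As an added illustration (not code from this thread, from realXtend or from Second Life), here is a toy Python model of the two-phase login described above: the client gets a disposable session hash from the authentication server, a sim presents it to get the second hash, and the sim fetches the profile with that. It then runs the forwarding attack the message describes (a rogue exampleworld.com hands the client's unused first hash to expensiveworld.com) against both the unbound scheme and the proposed fix, in which the client tells the authentication server which world's domain it is logging into so the server can refuse a sim whose domain does not match. The password digest, the token format, the account and the domain names are assumptions for the example; realXtend's actual wire format is not specified here.

```python
"""Toy model of a two-phase login (client hash, then sim hash) with the
forwarding attack and the domain-binding fix. Constructed example only."""
import hashlib
import secrets
from typing import Optional


def password_hash(password: str) -> str:
    # Assumption: the client sends a plain SHA-256 of the password. The thread only
    # says "the hash of the password, as in Second Life"; the digest is not given.
    return hashlib.sha256(password.encode()).hexdigest()


class AuthServer:
    """Central authentication server: issues the client session hash, verifies it
    for a sim, issues the second (sim) hash, and serves user profiles."""

    def __init__(self, users: dict):
        self.users = users                  # user -> stored password hash
        self.client_sessions = {}           # client hash -> (user, bound domain or None)
        self.sim_sessions = {}              # sim hash -> user

    def login(self, user: str, pw_hash: str, target_domain: Optional[str] = None) -> Optional[str]:
        """Phase 1: the client authenticates and gets a disposable session hash.
        With target_domain set, the hash is bound to that world (the proposed fix)."""
        if self.users.get(user) != pw_hash:
            return None
        session_hash = secrets.token_hex(16)
        self.client_sessions[session_hash] = (user, target_domain)
        return session_hash

    def verify_client(self, sim_domain: str, session_hash: str) -> Optional[str]:
        """Phase 2: a sim presents the client's hash. The hash is consumed on first
        use (so it cannot be replayed) and, if bound, must match the asking sim."""
        entry = self.client_sessions.pop(session_hash, None)
        if entry is None:
            return None                     # unknown or already used: denied
        user, bound_domain = entry
        if bound_domain is not None and bound_domain != sim_domain:
            return None                     # forwarded to a world the client never chose
        sim_hash = secrets.token_hex(16)
        self.sim_sessions[sim_hash] = user
        return sim_hash

    def fetch_profile(self, sim_hash: str) -> Optional[dict]:
        user = self.sim_sessions.get(sim_hash)
        return {"user": user} if user else None


class Sim:
    """A world server. It only ever talks to the auth server with hashes it is handed."""

    def __init__(self, domain: str, auth: AuthServer):
        self.domain = domain
        self.auth = auth

    def login(self, session_hash: str) -> Optional[dict]:
        sim_hash = self.auth.verify_client(self.domain, session_hash)
        return None if sim_hash is None else self.auth.fetch_profile(sim_hash)


def run(bind_domain: bool) -> dict:
    """Run the honest login, the forwarding attack and a replay; report outcomes."""
    auth = AuthServer({"alice": password_hash("correct horse")})   # constructed account
    exampleworld = Sim("exampleworld.com", auth)                   # the rogue world
    expensiveworld = Sim("expensiveworld.com", auth)               # the victim world
    pw = password_hash("correct horse")
    target = "exampleworld.com" if bind_domain else None

    # Honest flow: alice logs in intending exampleworld, which completes phase 2.
    h1 = auth.login("alice", pw, target)
    honest_ok = exampleworld.login(h1) is not None

    # Attack: alice logs in again for exampleworld, but the rogue sim forwards her
    # fresh, unused hash to expensiveworld instead of presenting it itself.
    h2 = auth.login("alice", pw, target)
    attack_ok = expensiveworld.login(h2) is not None

    # Replay: once a hash has been presented anywhere, nobody can use it again.
    replay_ok = exampleworld.login(h2) is not None or expensiveworld.login(h2) is not None
    return {"honest": honest_ok, "forwarding_attack": attack_ok, "replay": replay_ok}


if __name__ == "__main__":
    print("unbound hash:", run(bind_domain=False))   # forwarding attack succeeds
    print("domain-bound:", run(bind_domain=True))    # forwarding attack refused
```

Note that the one-time nature of the hash alone does not stop the attack, exactly as the message argues: the rogue world never uses the hash itself, so the first use the authentication server sees is expensiveworld's, and from its side that looks like a normal login. Only binding the hash to the domain the client actually asked for lets the server tell the two apart.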

