Saturday, June 12, 2010

Secure Remote Password protocol

I was doing some research related to authentication and networked games and came across SRP. It seems to be the standard for password authentication when developing an MMO. Since Blizzard uses it for WoW (I would assume as well), that's got to say something. The user's password itself is never sent to the server; what goes over the wire is a one-way hash proof that is unique per session. This makes it useless for a hacker to capture the packets and play them back to replicate a session, since the proof will be different every time. If both the client and server arrive at the same result, you can also derive a unique session key to be used to encrypt/decrypt communications. There are several implementations out there if you are interested. I've written a simple implementation in Java that I'm going to use for my own projects. If there is enough interest I'll clean it up and release it.
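To make the per-session proof and session key concrete, here is an added Python sketch of the SRP-6a exchange (this is not the Java implementation mentioned above, nor any library's code). It assumes SHA-256 for all hashing and the 1024-bit group from RFC 5054, written here from memory, so check it against the RFC before relying on it; the `replayed` function shows why a captured proof is useless against a fresh server ephemeral.

```python
import hashlib, secrets

# Group parameters: 1024-bit safe prime and g = 2 from RFC 5054 Appendix A (verify before use).
N = int("EEAF0AB9ADB38DD69C33F80AFA8FC5E860726187"
        "75FF3C0B9EA2314C9C256576D674DF7496EA81D3"
        "383B4813D692C6E0E0D5D8E250B98BE48E495C1D"
        "6089DAD15DC7D7B46154D6B6CE8EF4AD69B15D49"
        "82559B297BCF1885C529F566660E57EC68EDBC3C"
        "05726CC02FD4CBF4976EAA9AFD5138FE8376435B"
        "9FC61D2FC0EB06E3", 16)
g = 2
NLEN = (N.bit_length() + 7) // 8

def pad(n): return n.to_bytes(NLEN, "big")            # fixed-width encoding for hashing
def H(*parts): return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")

k = H(pad(N), pad(g))       # SRP-6a multiplier, fixed by the group

def private_x(username, password, salt):
    return H(salt, hashlib.sha256(f"{username}:{password}".encode()).digest())

def register(username, password):
    """Enrollment: the server keeps only (salt, verifier), never the password."""
    salt = secrets.token_bytes(16)
    return salt, pow(g, private_x(username, password, salt), N)

def server_turn(A, v):
    """Server's half of one login: a fresh ephemeral b, so every session differs."""
    if A % N == 0:                       # reject the degenerate A that zeroes the secret
        raise ValueError("illegal client ephemeral")
    b = secrets.randbelow(N)
    B = (k * v + pow(g, b, N)) % N
    u = H(pad(A), pad(B))
    K = hashlib.sha256(pad(pow(A * pow(v, u, N) % N, b, N))).digest()
    return B, K

def login(username, password, salt, v):
    """Full exchange. Returns (accepted, client_key, server_key, A, M1)."""
    a = secrets.randbelow(N)
    A = pow(g, a, N)                     # client -> server
    B, K_s = server_turn(A, v)           # server -> client
    u = H(pad(A), pad(B))
    x = private_x(username, password, salt)
    S = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    K_c = hashlib.sha256(pad(S)).digest()
    M1 = H(pad(A), pad(B), K_c)          # one-way proof sent to the server
    return M1 == H(pad(A), pad(B), K_s), K_c, K_s, A, M1

def replayed(A, M1, v):
    """What a captured (A, M1) is worth against a fresh server turn: nothing."""
    B, K_s = server_turn(A, v)
    return M1 == H(pad(A), pad(B), K_s)
```

Two logins with the same password produce different proofs and different session keys, while a wrong password or a replayed proof is rejected.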