user password authentication and cracking password – multiple rounds of hashing

when multiple rounds of hashing are performed, why is it that john the ripper cannot crack hashed passwords? (multiple rounds of hashes basically). On the other hand, the system can, however, authenticate a user even when passwords are stored using multiple hashing. how does it do that? is it that John the ripper can only crack 1 level of the hashed password. and the system just matches the hash to the database or something?

Authentication for LAN Multiplayer Games

I’m working on the authentication scheme for a multiplayer game using only C++ and SLD2.

It’s an RPG with a kind of complicated character-group/permadeath scheme, and world-instances are intended to be hosted by the players. So it matters that players have exclusive access to controlling their characters. I want players to be allowed to save the current state of a multiplayer world instance, close it, and come back to it later, or set up their own dedicated world instance for them and their friends to join/quit/rejoin at will. Absent player characters will simply not be present in the world until their creator returns

Servers will be hosted by player-computers. I’m not planning to set this up with a dedicated hole-punching or identity server, so players will just be playing with people who they intentionally connect to. I don’t want to deal with encryption, so I’m not planning to require passwords to log in. I figure since there’s no formal identity server and no encryption, passwords might do more harm than good. Player character names will change over the course of the game, and I don’t necessarily mind if two players have the same username.

Here’s my current authentication strategy:

When a player creates an account on his game instance, the account will just consist of a username and an automatically generated (random) UUID. The username and UUID will be stored in a SQLite file that the user can copy onto any computer with this game installed, and access their unique account. The username and a naively hashed UUID will be stored in a connection log on every server that the player connects to (so the server can assign them to the right character when they log back in). I recognize this means that programmers who know what they’re doing will be able to hack each other’s accounts, but I’m not convinced that I should really be concerned about that in the case of this particular game.

Here are my questions:

  • Is copying the file too much to expect from users who want to switch computers?
  • Can you guys think of any potential issues with this, other than what I’ve already pointed out?
  • Is there a better (common) way to achieve what I’m trying to do?

Thanks!

Preventing Users from Using QR Code Password and Scanner for Authentication

A user was discovered using a QR code to log into a PC. Apparently, the password was put into a QR code generator and printed. The user:

  1. Provides their username
  2. Scans the QR code with a handheld scanner and is granted access

Our company utilizes handheld scanners for a variety of reasons so it is not feasible to use endpoint protection USB device control to block all scanners or brands of scanners. This user also uses handheld scanners for everyday work duties. We are curious of a creative way to prevent this technically. We also plan on addressing this administratively through policy. One idea was floated that if possible (through GPO):

  1. Having a startup script to disable scanners
  2. A log off script to disable scanners
  3. A login script to re-enable the scanner

The handheld scanner apparently shows as a generic HID keyboard in device manager. Does anyone know of a feasible way to block this or perhaps an alternative solution to the problem (blocking the device at login)? Thank you!

Biometric authentication against server

I’m working on an iOS app whose login system does not seem entirely secure but I don’t know enough to be sure.

Skipping account creation, the first time the user logs in they send their user and hashed pass to the server to acquire a token with which they can make the rest of the API calls.

This seems fine but the user is given the option to activate biometric authentication in the app’s settings and this is where I’m not certain about the implementation being secure.

To activate this feature, the user proves the ownership of their phone using Face ID or Touch ID. If this is done successfully, the app makes an API call sending the following information to the server which activates biometric authentication for this user’s account:

  • the username (redundant)
  • the session token
  • the device’s internal id number
  • the device’s notification (APNS) id

From that point on, in order to acquire a token (login) the app makes a different API call (not the normal user/pass call) where only the user and the 2 previously mentioned ids are sent (obviously this is done only after the user successfully uses the phone’s biometric authetication).

Is this secure? It doesn’t seem inconceivable that someone could figure out the username, and those 2 device identifiers to gain access. If it isn’t secure, what would the right approach be? How do bank apps do it for example?

I couldn’t find an answer to these questions by googling etc.

Inverse of Third Party Authentication

Consider this scenario. I have a file hosted on AWS with private access. I want the file to be accessible to several authorized users of a web applicaton that I have built. As I am the one authenticating these users, how do I tell AWS to delever the file only to users authenticated by my applicaton?

This seems somewhat like Oauth turned around where I am the third party authenticator between Amazon and the user. It seems like a common paradigm but I’m ignorant and can’t think of what to even search for. Any help appreciated.

How do I configure the Calculator web service sample code in netbeans to use x509 certificates for authentication?

I have successfully followed the steps outlined here: https://netbeans.org/kb/docs/websvc/jax-ws.html

Everything works correctly (i.e. I can run a client jar file from terminal and have it send two numbers to add; the calculator web service receives them and returns the correct sum in the SOAP response).

I now wish to add authentication using x509 certificates, but I am unable to find specific documentation on how to do so. The closest link I found is a secure calculator here:

https://netbeans.org/kb/docs/websvc/wsit.html#Exercise_2_2

But this appears to be using “Username Authentication with Symmetric Keys”, which is not what I am looking for.

I am looking for the calculator client to send its x509 certificate over to the calculator web service. The calculator web service authenticates the x509 certificate it just received from the client. If authentication is successful, it will proceed to add the two numbers sent by the client. Otherwise it returns “invalid cert”.

This seems like a simple thing to do, but I am not able to find any documentation or a sample netbeans project that does this.

This website seems promising: https://docs.oracle.com/cd/E17802_01/webservices/webservices/reference/tutorials/wsit/doc/WSIT_Security9.html#wp162511

Specifically the Example: Mutual Certificates Security (MCS) . However, when I get to the step in the “Securing the Example Web Service Client Application (MCS) section that says:

Select the WSIT Configuration tab of the CalculatorWSService dialog.

Netbeans does not have a WSIT Configuration tab. So this appears to be outdated since I am running Netbeans 8.2.

Would appreciate all / any help from the community.

Does Kerberos authentication handle DNS names the same way between Windows 7 and Windows 10?

Recently, we migrated from Windows 7 to Windows 10 and during that migration, we progressively ran into some issues with our NAS device. To be more precise, we progressively noticed some tcp socket flooding on it while client computers were upgraded to Windows 10. We suspect that our NAS has some difficulties with NTLM, but this is out of this question scope.

Our NAS has a FQDN : filesvr1234.prod.company

We also have a DNS alias pointing to that FQDN : prodfiles.company

Kerberos authentication is enabled on filesvr1234.prod.company, but not on the alias prodfiles.company because we have some legacy apps that need NTLM.

We investigated on those issues by running WireShark while trying to read a file from a samba share on our NAS \prodfiles.company\shared\test.txt.

We observed the following behaviour. Both Windows 7 and Windows 10 try first to authenticate using Kerberos.

Windows 10 will try authenticate using the alias prodfiles.company (which is the expected behaviour because we access the share with \prodfiles.company\shared\test.txt). It will use NTLM. However, we noticed that Windows 7 uses the FQDN (filesvr1234.prod.company) instead of the DNS alias, even if we access the share using the alias (\prodfiles.company\shared\test.txt). It will use Kerberos.

To see this, we looked at “SNameString” in KRB5 packets (Wireshark). To summarize : We read a file in \prodfiles.company\shared\test.txt Windows 7 use filesvr1234.prod.company even if we access the share using prodfiles.company. Windows 10 use prodfiles.company

Does something changed between Windows 7 and Windows 10 that makes the authentication process to use the DNS alias instead of the FQDN ?

implementing an authentication mechanism for understanding the basics of client authetication

I’m trying to implement a simple protocol to authenticate users and authorize them to access a certain web page/resource via a login form.

Please note that this is just something to use on my own and that it’s just to get the basic idea of how such systems work.

My idea is to store the hash of a shared secret between Server and client on the server side and then use a challenge-response mechanism to authenticate the user. The user would type an username and the server will respond with a challenge that implies the use of the shared secret to get access to the resource. For example, hashing the password and the challenge together and sending it back to the server. The server would do the same with the user’s stored password and check if both values are the same.

However, how can this authenticate a user A to a server B if, let’s say user C can intercept A’s response to the server and send it to the server as if it was C? Then the server would authorize C to the resource A was supposed to gain access to.

Isn’t this the way protocols such as CHAP or EAP work? (in an over-simplified way). I think I have a bit of a mess in my head, but the only solution I can think of to prevent a MiTM attack is to use TLS/SSL. But how do websites authenticate users nowadays without TLS? Also, OpenID seems to me equally vulnerable to man in the middle attacks, but it must be something I don’t understand or I’m missing.