Re: Serial/PW Generation

From: Patrick Dughi (dughi@imaxx.net)
Date: 12/01/02


> I am looking to set up a system where with 3 pieces of information
> (Character name, race as a number, date of expire) can be turned into a
> password, and then turned back into the information.  However, I have
> no idea where to start with this.  What I am looking to do is set up a
> system where certain races are restricted, but with the proper
> password, given by an immortal, you can choose a restricted race.  With
> the expiration date, you can set it so that the player must make the
> character by a certain date, and with a certain name.  Basically, the
> player enters the password, and it checks: is the name the same? is the
> password expired?  If it passes, it gets the race from the password and
> sets it.

        Sounds like you're making software licence certificates.  This
shouldn't be too hard, the only trick is to make sure that no one else can
make their own.

        In theory and in practice, this is actually very very hard.

        Since it contains at least some known information, decrypting
won't be very difficult.  If someone gets 2 or 3 of them on the same
character & race, it probably wouldn't take more than 15 minutes to
'decode' your system and forge their own certificate.

        I'd recommend just storing the information on the player structure
somehow, and making it transferable if that's necessary.  If you _need_ to
have a password system, I'd just store the certificate data in a separate
file, load it at boot time, and auto-generate passwords which index the
necessary data (character name, race, expiry).

        Still, it's not like it's a difficult thing.  Just make up an
encryption method that takes those three values, and spits out a string.
I recommend you make the algorithm you use rely on look-ahead or
look-behind tricks though; using Caesar's cipher (ROT13, etc) is too
simple and will quickly fall apart.

        I.e.,

        Hello => Uryyb

        Sucks because it's a 1 for 1 'encryption' that can be broken with
a Captain Crunch decoder ring, or anyone over the age of 6.

        Try something more creative like, instead of always using 13,
rotate it by the value of the sum of the remaining un-encrypted letters.
This is about as secure as putting a 'do not enter' sign on a door, but it
will dissuade the casual cracker, though it relies entirely on keeping
your encryption method secret.

        Don't feel bad if your technique seems inadequate; the method I
described above is used (with some modification for (nearly) all printable
characters) by a multibillion dollar corporation for some of its flagship
products.

        I've seen some that just XOR their entire file, or use a static
internal keyword to encrypt and decrypt the data (and some even have shell
scripts that create the initial file on install with the word in
plaintext!!!)

                                        PjD
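
The stored-certificate approach recommended in the post (auto-generated passwords that only index the name, race and expiry kept on the server), sketched as an added example that is not part of the original message or of CircleMUD. The names `race_cert`, `cert_issue` and `cert_redeem`, the single-use flag, the in-memory table standing in for the file loaded at boot, and the use of `/dev/urandom` are all assumptions of this sketch.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

#define MAX_CERTS 64
#define TOKEN_LEN 16            /* 16 symbols x 5 bits = 80 random bits */

struct race_cert {              /* hypothetical record, one per password */
    char token[TOKEN_LEN + 1];  /* random index; encodes no data itself */
    char name[21];
    int race;
    time_t expires;
    int used;                   /* assumption: each password works once */
};
static struct race_cert certs[MAX_CERTS];  /* stands in for the boot-time file */
static int num_certs;

/* Immortal side: store the data, hand back a random password (NULL on error). */
const char *cert_issue(const char *name, int race, time_t expires)
{
    static const char alphabet[] = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789";
    unsigned char rnd[TOKEN_LEN];
    struct race_cert *c;
    size_t got;
    FILE *fp;
    int i;

    if (num_certs >= MAX_CERTS || strlen(name) >= sizeof(certs[0].name))
        return NULL;
    if (!(fp = fopen("/dev/urandom", "rb")))
        return NULL;
    got = fread(rnd, 1, sizeof(rnd), fp);
    fclose(fp);
    if (got != sizeof(rnd))
        return NULL;
    c = &certs[num_certs++];
    for (i = 0; i < TOKEN_LEN; i++)
        c->token[i] = alphabet[rnd[i] & 31];  /* 32 symbols, no modulo bias */
    c->token[TOKEN_LEN] = '\0';
    strcpy(c->name, name);                    /* length checked above */
    c->race = race; c->expires = expires; c->used = 0;
    return c->token;
}

/* Player side: returns the race number, or -1 if the password is unknown,
 * already used, expired, or issued for a different character name. */
int cert_redeem(const char *token, const char *name, time_t now)
{
    int i;
    for (i = 0; i < num_certs; i++)
        if (!strcmp(certs[i].token, token)) {
            if (certs[i].used || now > certs[i].expires || strcmp(certs[i].name, name))
                return -1;
            certs[i].used = 1;
            return certs[i].race;
        }
    return -1;
}
```

Because the password is only a random lookup key, collecting several of them for the same character and race reveals nothing about how to produce another.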
