-
Member
SRP6 and WoW Authentication Process
Hi guys,
Very happy to join the community!
I am coding a WoW server emulator in C#. Actually, I'm stuck on the WoW authentication process.
I wrote this code: Code
But I'm not quite sure about the verifier algorithm...
The user's password is stored in the database with the SHA1 algorithm, but the SRP6a protocol mentions that the password needs to be raw... I looked at the MaNGOS code and it seems that only the username is uppercased and hashed...
Could someone help me?
Thank you !
Last edited by julienguillot; 07-26-2017 at 11:31 PM.
-
★ Elder ★
What is the WoW patch you want to use?
-
Member
Thank you !
I would use patch 3.3.5a of Wotlk.
-
★ Elder ★
The WoW client uses a combination of the password and the username for p. Both are uppercase.
var p = Encoding.UTF8.GetBytes(userName + ":" + password);
Also I think mangos uses a static salt and saves the sha1(p) hash to the database which shouldn't be done.
The passwordverifier + salt (a random one) should be saved to the database. I don't see a reason to save sha1(p) ^^
Last edited by doityourself; 07-27-2017 at 12:55 AM.
-
Member
Thank you for the answer!
I also store s and v in the database, but I think we need the password just the first time to generate v and then we clear it. If the password is changed, we need to generate v again.
Am I right?
-
★ Elder ★
Yes, the password itself should only be needed at account creation to generate the verifier. Also the salt should be regenerated for each password change.
-
Member
Nice thank you very much !
-
Member
Hello,
Sorry, I have one more question.
When the server receives M1 from the client, the server verifies whether M1 equals M (M is the value that the server calculates). But how does it do that?
-
★ Elder ★
I don't remember if it's the same for wotlk, but this is what I used for wod: WoW-Core/SRP6a.cs at 36e3eebc2501a97b1757c7cad8f49c6deed6e588 * Arctium-Emulation/WoW-Core * GitHub
You may need to use sha1... and another sessionkey calculation for wotlk^^
-
Member
Thank you !
Does the hashedIdentifier need to be stored in the database too?
-
Contributor
@julienguillot
Take a look at these threads too:
Last edited by Glusk; 12-28-2020 at 09:49 PM.
Reason: Removed broken search link, fixed OP name
-
★ Elder ★
Originally Posted by
julienguillot
Thank you !
Does the hashedIdentifier need to be stored in the database too?
The passwordverifier and the salt only. The others shouldn't be needed.
-
Member
How can I generate x if I can't obtain hashedIdentifier from somewhere? I can't rebuild it because the account is created and its password is hashed too.
-
★ Elder ★
You don't need to rebuild x because it's only used to generate v (passwordverifier). It's not used anywhere else.
//edit
You don't compare it to v since the user/pw is never sent directly to the server. You just exchange information of the SRP6 implementation and calculate the 'm' value of the client and compare that one with the value sent by the client. Then you send the calculated 'm2' value to the client so it can verify it.
Last edited by doityourself; 07-28-2017 at 05:55 AM.
-
Member
Thank you !
I recoded my class a bit with some helpers. But....
On the Server Logon Challenge, the client shows an error with wrong password/username 4 once. And sometimes, my ServerPublicEphemeral value is 33 bytes when converted to a byte array...
Something is wrong but I don't know what...
Here is my SRP6 class :
[C#] using SharpCore.Framework.DataExtensions; using System; using System.Collectio - Pastebin.com
When I create an account, I create an instance of SRP6 to generate S and V to store them in the database.
Last edited by julienguillot; 07-28-2017 at 06:05 AM.
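
Editor's added example (not code from this thread, the linked Pastebin, or any emulator project): account-time generation of the salt and verifier as discussed above, plus fixed-length byte conversion for the 33-byte symptom, which comes from the sign byte that System.Numerics.BigInteger.ToByteArray() appends. Assumptions: the N and g values and little-endian byte order follow open-source 3.3.5a emulators, and the class and method names are hypothetical.

```csharp
using System;
using System.Globalization;
using System.Linq;
using System.Numerics;
using System.Security.Cryptography;
using System.Text;

static class Srp6Registration
{
    // Assumption (not from this thread): 256-bit N and g = 7 as used by open-source 3.3.5a emulators.
    // The leading "0" stops BigInteger.Parse from reading the hex string as a negative number.
    static readonly BigInteger N = BigInteger.Parse(
        "0894B645E89E1535BBDAD5B8B290650530801B18EBFBF5E8FAB3C82872A3E9BB7", NumberStyles.HexNumber);
    static readonly BigInteger G = 7;
    // Little-endian bytes -> non-negative BigInteger (the appended 0x00 is the sign byte).
    static BigInteger FromBytes(byte[] b) => new BigInteger(b.Concat(new byte[] { 0 }).ToArray());
    // BigInteger.ToByteArray() is little-endian two's complement, so a positive value with its top
    // bit set comes back one byte longer (33 bytes here). Trim or zero-pad to the wire length.
    static byte[] ToBytes(BigInteger n, int length)
    {
        var raw = n.ToByteArray();
        var fixedLen = new byte[length];
        Array.Copy(raw, fixedLen, Math.Min(raw.Length, length));
        return fixedLen;
    }
    // v = g^x mod N with x = SHA1(s | SHA1(UPPER(user) ":" UPPER(password))).
    public static byte[] ComputeVerifier(string user, string password, byte[] salt)
    {
        using (var sha1 = SHA1.Create())
        {
            var p = Encoding.UTF8.GetBytes(user.ToUpperInvariant() + ":" + password.ToUpperInvariant());
            var x = FromBytes(sha1.ComputeHash(salt.Concat(sha1.ComputeHash(p)).ToArray()));
            return ToBytes(BigInteger.ModPow(G, x, N), 32);
        }
    }
    // Call at account creation and on every password change; persist only s and v.
    public static (byte[] Salt, byte[] Verifier) Register(string user, string password)
    {
        var salt = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(salt);
        return (salt, ComputeVerifier(user, password, salt));
    }
    static void Main()
    {
        var (s, v) = Register("player", "secret"); // constructed sample credentials
        Console.WriteLine($"s = {BitConverter.ToString(s)}\nv = {BitConverter.ToString(v)} ({v.Length} bytes)");
    }
}
```

The same ToBytes helper applies to any value sent in a fixed-width field, such as the server public ephemeral; the salt bytes sent in the logon challenge must be exactly the stored ones.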