XMPP Based Authentication

This page is intended for fleshing out the details of a simple authentication scheme.

The Authentication

 * The client logs into the player's IM account and sends a join request to the game server's IM address.
 * The game server sends a random session identifier, along with its connection information (hostname/IP and port) to the client.
 * The client connects to the game server's supplied connection info.
 * The client sends the session identifier back to prove it is the original player to contact the game server.
 * The server now knows that the client indeed represents the player it claims to.

Stats and Conversation
The game server deals primarily with an IM address or, in the case of an anonymous player, a guest name, which is enclosed in double-quotes. All conversation and stats are recorded by this identifier. For example, when sending a chat message to another player, the server will transmit something along the lines of: luke@dashjr.org says, "Hi!"

Displaying Names For Players (Name Resolution)
If the IM address luke@dashjr.org appears on the player's roster/buddy list, the associated nickname is displayed instead. If not, the full IM address is displayed.

Attack Vectors
All possible security issues of the used IM system will be inherited.

The Phishing Server
I can't see a possibility here.

Faking the Authentication Server
DNS poisoning.

Spam Attack
An evil server sets some innocent bystander's IM address as its own, clients will try to send messages to it, the bystander complains, and the players' accounts get suspended. Countermeasure: the master server protocol needs to be reworked to go over IM, so the master can verify the servers' accounts.


 * Since the master server protocol would need to be reworked anyway (to get IM addresses instead of IP/hostname pairs), that would be a good idea-- though it does create a dependency on the master server. --Luke-Jr 20:47, 7 March 2006 (CST)

Since the involved packets would not be a regular message type, non-game clients would ignore it (at least from the user's perspective) and only (a little) bandwidth is wasted.