Thread: Static RSA keys.

Page 1 of 2
  1. #1 Static RSA keys. 
    Registered Member
    Still using them on your server/client? You're wrong.

    It baffles me that after all this time, people still think it's secure. It's easy to scrape them from a jar.
    It's so damn simple to write up a method to generate new keys on server startup, and pass them to the client on login.

  2. #2  
    Community Veteran

    Songoty
    Quote Originally Posted by Null_Life View Post
    Still using them on your server/client? You're wrong.

    It baffles me that after all this time, people still think it's secure. It's easy to scrape them from a jar.
    It's so damn simple to write up a method to generate new keys on server startup, and pass them to the client on login.
    Dude I need you to think about what you just said. You are saying that you can get them from the jar file (which you can, you can receive the public key from the jar file), and are suggesting that you send them to the client, from the server, on login. What is going to prevent me from modifying that jar file to print out the received public key?

    I think you have a misunderstanding of what RSA is used for. RSA in the 317 client is used to 'encrypt' the username, password, uid, and ISAAC cipher keys on login. That's it. It is not used again. It is to prevent someone else on the network intercepting your plain text password pretty much.

    Having the public key doesn't mean anything. I mean I guess you could put that in a different client and connect to that server, but chances are, especially these days, that most servers' clients have protocol modifications anyways that will probably crash the client.

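The 317 login block Songoty describes, written out as an added example (not code from the 317 client or from any server): the client encrypts the magic byte, the ISAAC seeds, the uid and the credentials with the server's public key, and the server decrypts and checks the magic byte before trusting the rest. The key is a deterministic toy key and the exact byte layout is an assumption modelled on the 317 format.

```python
from dataclasses import dataclass

MAGIC = 10          # first byte of the RSA block in 317-style clients
TERMINATOR = b"\n"  # strings in that block are newline-terminated

@dataclass(frozen=True)
class RsaKey:
    n: int    # modulus
    exp: int  # public or private exponent

def toy_keypair():
    """Deterministic toy key from two Mersenne primes (assumption for the demo).
    Trivially factorable: fine here, never for a real server."""
    p, q = (1 << 521) - 1, (1 << 127) - 1
    n, e = p * q, 65537
    d = pow(e, -1, (p - 1) * (q - 1))
    return RsaKey(n, e), RsaKey(n, d)   # (public, private)

def build_login_block(seeds, uid, username, password):
    """Client side: magic byte, four ISAAC seed ints, uid, then the credentials."""
    block = bytes([MAGIC])
    for s in seeds:
        block += (s & 0xFFFFFFFF).to_bytes(4, "big")
    block += (uid & 0xFFFFFFFF).to_bytes(4, "big")
    block += username.encode() + TERMINATOR + password.encode() + TERMINATOR
    return block

def rsa_apply(data, key):
    """Textbook RSA as the client does it: the whole block becomes one big
    integer and is raised to the key's exponent mod n. The same call
    decrypts when given the private key."""
    m = int.from_bytes(data, "big")
    if m >= key.n:
        raise ValueError("block must be shorter than the modulus")
    c = pow(m, key.exp, key.n)
    return c.to_bytes((c.bit_length() + 7) // 8, "big")

def parse_login_block(decrypted):
    """Server side: reject anything whose first byte is not the magic value,
    then recover the seeds, uid and credentials. Returns None on bad input."""
    if len(decrypted) < 22 or decrypted[0] != MAGIC:
        return None
    seeds = [int.from_bytes(decrypted[1 + 4 * i:5 + 4 * i], "big") for i in range(4)]
    uid = int.from_bytes(decrypted[17:21], "big")
    parts = decrypted[21:].split(TERMINATOR)
    if len(parts) < 3:
        return None
    return {"seeds": seeds, "uid": uid,
            "username": parts[0].decode(), "password": parts[1].decode()}
```

Anyone holding the public key can only do what the real client already does, build and encrypt a block of their own; the private key never leaves the server, which is why scraping the public key from the jar changes nothing about how the password is protected on the wire.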

  3. #3  
    Registered Member
    Quote Originally Posted by Songoty View Post
    Dude I need you to think about what you just said. You are saying that you can get them from the jar file (which you can, you can receive the public key from the jar file), and are suggesting that you send them to the client, from the server, on login. What is going to prevent me from modifying that jar file to print out the received public key?

    I think you have a misunderstanding of what RSA is used for. RSA in the 317 client is used to 'encrypt' the username, password, uid, and ISAAC cipher keys on login. That's it. It is not used again. It is to prevent someone else on the network intercepting your plain text password pretty much.

    Having the public key doesn't mean anything. I mean I guess you could put that in a different client and connect to that server, but chances are, especially these days, that most servers' clients have protocol modifications anyways that will probably crash the client.
    You are very correct in all statements, however it is TOO EASY for even a novice to get those keys. It's as easy as doing a search for BigInteger in de-obfuscated source. It's not supposed to be an impenetrable wall, just a wall.

    You are especially correct in your last statement, and it IS a problem considering most servers share the same bases, and in fact you CAN use other clients with someone's server with those keys, drastically reducing security because of things like noclip.

    I think you overestimate developers' abilities here on rune-server when you talk about protocol modifications. No offence lol.

    Example: on DeadmanPS when I was working on it, while doing security I had forced the meralin client to login. Using that client, I accessed dormant code in the DMPS base, gaining the ability to teleport directly to Rogues' Den. In there, I was able to be the only one to collect onyx - in bulk, and alch for 300k each.

    It's not the biggest problem in RSPSs but it's a problem nonetheless.

    It doesn't even have to be RSA keys or even at login. People need to implement some kind of security handshake that is dynamically built and checked against at multiple stages of user use. That's just the route I chose, because if the client doesn't know how to request the handshake it gets booted immediately.

  4. #4  
    Community Veteran

    Songoty
    Quote Originally Posted by Null_Life View Post
    You are very correct in all statements, however it is TOO EASY for even a novice to get those keys. It's as easy as doing a search for BigInteger in de-obfuscated source. It's not supposed to be an impenetrable wall, just a wall.

    You are especially correct in your last statement, and it IS a problem considering most servers share the same base, and in fact you CAN use other clients with someone's server with those keys, drastically reducing security because of things like noclip.

    I think you overestimate developers' abilities here on rune-server when you talk about protocol modifications. No offence lol.
    I don't know man. I've been here for ages. I've watched the rise and fall of countless empir- I mean servers with what we would consider mediocre developers who were able to figure out how to drop botnets onto computers. Most content is copy and paste, and most content that is being copied from the newer engine requires some protocol modifications (think npc/player sync, messages, login even etc).

    It's just such a non-issue man. In addition, any semi-competent developer knows not to trust any information the client sends and will always perform the necessary checks on received packets, so even the threat of someone getting an RSA key and using a 'cheat client' is negligible.

    I know where you're coming from at a security standpoint, but maybe instead focus more on teaching people to verify all data received from the client.
  6. #5  
    funkE
    Quote Originally Posted by Null_Life View Post
    You are very correct in all statements, however it is TOO EASY for even a novice to get those keys. It's as easy as doing a search for BigInteger in de-obfuscated source. It's not supposed to be an impenetrable wall, just a wall.

    You are especially correct in your last statement, and it IS a problem considering most servers share the same base, and in fact you CAN use other clients with someone's server with those keys, drastically reducing security because of things like noclip.

    I think you overestimate developers' abilities here on rune-server when you talk about protocol modifications. No offence lol.

    Example: on DeadmanPS when I was working on it, while doing security I had forced the meralin client to login. Using that client, I accessed dormant code in the DMPS base, gaining the ability to teleport directly to Rogues' Den. In there, I was able to be the only one to collect onyx - in bulk, and alch for 300k each.

    It's not the biggest problem in RSPSs but it's a problem nonetheless.
    These are defensive mechanisms designed to stop credential sniffing. It's not going to make bad code any better. These bases are full of errors... this has nothing to do with the protocol. The protocol stuff is a bandaid. Anyone determined enough will find a way, and as you can tell from RS' past, people will modify the client in order to rip off all your shitty bandaids. Sure, you add more complexity. You can't call it secure because if anyone motivated looked at it they could still create the problem you sought to fix in the first place.

  7. #6  
    Registered Member
    Quote Originally Posted by Songoty View Post
    I don't know man. I've been here for ages. I've watched the rise and fall of countless empir- I mean servers with what we would consider mediocre developers who were able to figure out how to drop botnets onto computers. Most content is copy and paste, and most content that is being copied from the newer engine requires some protocol modifications (think npc/player sync, messages, login even etc).

    It's just such a non-issue man. In addition, any semi-competent developer knows not to trust any information the client sends and will always perform the necessary checks on received packets, so even the threat of someone getting an RSA key and using a 'cheat client' is negligible.

    I know where you're coming from at a security standpoint, but maybe instead focus more on teaching people to verify all data received from the client.
    Quote Originally Posted by funkE
    No. You're absolutely wrong about how to approach this problem. These are defensive mechanisms designed to stop credential sniffing. It's not going to make bad code any better. These bases are full of errors... this has nothing to do with the protocol.

    Sure, RSA keys should be changed but hiding them somewhere will not stop anyone determined to get them.
    I get what you guys mean really. There are better solutions, and like I said, it doesn't have to deal with RSA AT ALL, it's just the route I chose for the specific exploit I had found. Any kind of handshake would do that deviates from base protocol.

  8. #7  
    funkE
    Quote Originally Posted by Null_Life View Post
    I get what you guys mean really. There are better solutions, and like I said, it doesn't have to deal with RSA AT ALL, it's just the route I chose for the specific exploit I had found. Any kind of handshake would do that deviates from base protocol.
    I edited my response a bit before you responded. The security situation with rsps is a bit complicated, with many points of failure.
    Last edited by funkE; 10-18-2016 at 10:50 PM. Reason: durr

  9. #8  
    Registered Member
    Quote Originally Posted by funkE View Post
    I edited my response a bit before you responded. The security situation with rsps is a bit complicated, with no one single point of failure.
    Yes and that is very true, I mean in all honesty, there is a group of people here dedicated to ripping apart Jagex's protections and they are pretty quick about it too.

  10. #9  
    Registered Member
    Quote Originally Posted by Null_Life View Post
    Yes and that is very true, I mean in all honesty, there is a group of people here dedicated to ripping apart Jagex's protections and they are pretty quick about it too.
    That is very true. It's an interesting thing to think of. Almost like a game of chess: when trying to add security to your client you really have to think of all types of ways to stop them from doing such things. Sometimes you've got to think outside of the box.

  11. #10  
    Renown Programmer & Respected Member

    Ryley
    I'm afraid you don't understand RSA...