Retrieving/Finding Password

So,

I'm a little confused on how to retrieve the password that TN automatically creates...

I found the "store" files with the random (or are they?) letters and numbers, but I dunno what they mean.

Any advice? (please don't post random shit here, thx)

Comments

  • I plan to post a full technical overview of the system soon, but to shortly answer your question: there is no real method of retrieving the password that you used to encrypt the private portion of the account, short of brute force.

    The contents of the store file are very high entropy, but are not entirely random.

    The public.store file contains your account certificates. None of the information in that file is secret, and whenever you connect to a server, the entire public line for an account is sent to the server. The first field is the account name, the second field is the assigned GUID, the third field is the account's RSA public exponent (3, 5, or 7), the fourth field is the account's RSA modulus (512, 768, or 1024-bits), and the fifth field is a digital signature from the authentication server that verifies all of the information in the first four fields.

    The idea is that none of the information about an account can be changed without invalidating the digital signature, and it is a very easy process for a game server to verify the digital signature matches the rest of the data. It is computationally intractable to forge one of those digital signatures, so the idea works very well in practice.

    The private.store file contains encrypted versions of account RSA private exponents. These are the same length as the modulus for the account (512, 768, or 1024-bits). In addition to storing the encrypted private exponent, a 160-bit SHA1 hash is stored of the unencrypted exponent. When you enter your password in the log-in screen, that password is processed with the username to create a symmetric encryption key, which is then used to decrypt the RSA private key. That SHA1 hash is then computed on the decrypted private key, and if it matches the one stored in the file, you must have entered the correct password. The decrypted version of the key is then securely stored in the Ruby interpreter, and cannot be accessed again without reentering the password.

    It's designed this way so brute forcing the password is excruciatingly slow, even with fairly short passwords. It also means that not even the administrator of the authentication server (which would be me, right now) has the ability to use your account, or recover your password.
  • I plan to post a full technical overview of the system soon...

    Do you still plan to? I'm actually very interested in the technical side of TN.
Sign In or Register to comment.