Thread: Minilogin Woes
#10
04-30-2008, 03:05 AM
AndMetal
Developer
 
Join Date: Mar 2007
Location: Ohio
Posts: 648

Quote:
Originally Posted by sdtuasrt, MD
The Login Server, be it the public or the minilogin, has to transmit certain information. It absolutely has to. The Server Name being one of those pieces of information. Unless it is transmitted unencrypted, in plain text, then you have a huge cryptographical advantage -- you know what some of the content of the message already is. On top of that, one should easily be able to discern what the preambles and/or postambles of the messages are using the opcodes listed, and indeed, minilogin itself.
This may seem a little off topic, but it should help to explain why minilogin has to use an IP address and doesn't have anything to do with the account name (at least in the Titanium client).

I personally was curious about the cryptography, so for the heck of it, I started sniffing some packets. From what I was able to gather, the login packet that is sent from the client to the server is 56 bytes total, 48 of which are the actual data. From that, there is a 24 byte hash of the username + password. If you're using Ethereal (looking at the entire packet), it starts at 0x4A and ends at 0x55. The last 16 bytes of the packet are apparently a checksum for the data.

Since we know where to look, we can put in what we know to be the username & password, and see what it puts out. Using a lot of math, I'm sure it wouldn't be impossible to reverse engineer the algorithm used, but I'm sure my brain would explode if I tried to figure it out by hand (and cryptography is definitely not my forte).

Because the username is encrypted as part of the hash, minilogin isn't able to decipher it, unless it included the cryptography algorithm (which it doesn't look like it does, because of its limitations). As a result, minilogin doesn't even know what your username is, it just forwards you onto the server itself (including your IP address, which it can detect very easily). So, in essence, your IP address becomes your "username", which then references back to the actual username in the accounts table.
__________________
GM-Impossible of 'A work in progress'
A non-legit PEQ DB server
How to create your own non-legit server

My Contributions to the Wiki
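As an added example (not code from this thread or from the EQEmu project), here is a small Python dissector for the layout the post describes: a 56-byte packet with 48 bytes of payload, a 24-byte hash of username+password, and a 16-byte trailing checksum. The 8-byte header and the hash sitting at the start of the payload are assumptions made for the example; the post's Ethereal offsets are frame-relative and are not used here. The hash and checksum algorithms are stand-ins (truncated SHA-256 and MD5), because the post says the real ones are unknown. The `varying_positions` helper shows the analysis the quoted reply hints at from a defender's angle: comparing several captures reveals which bytes are fixed structure or constant plaintext and which actually change with the credentials.

```python
import hashlib

# Sizes stated in the post: 56-byte packet, 48 bytes of payload, a 24-byte
# username+password hash, and a 16-byte trailing checksum.
PACKET_LEN = 56
DATA_LEN = 48
HASH_LEN = 24
CHECKSUM_LEN = 16
# Assumed layout for this example (not stated in the post): an 8-byte header,
# then the hash, then 8 bytes of other payload, then the checksum.
HEADER_LEN = PACKET_LEN - DATA_LEN          # 8
HASH_OFF = HEADER_LEN                        # 8
HASH_END = HASH_OFF + HASH_LEN               # 32
CHECKSUM_OFF = PACKET_LEN - CHECKSUM_LEN     # 40


def build_sample_packet(username: str, password: str,
                        opcode: bytes = b"\x01\x00") -> bytes:
    """Construct a sample packet with the assumed layout above.

    The real client-side hash and checksum algorithms are unknown (the post
    says so); truncated SHA-256 and MD5 are placeholders that merely give the
    fields realistic variability.
    """
    header = opcode + b"\x00" * (HEADER_LEN - len(opcode))
    digest = hashlib.sha256(f"{username}:{password}".encode()).digest()[:HASH_LEN]
    other = b"\x00" * (CHECKSUM_OFF - HASH_END)
    body = header + digest + other
    checksum = hashlib.md5(body).digest()     # placeholder checksum over the body
    return body + checksum


def parse_login_packet(pkt: bytes) -> dict:
    """Split one packet into the fields the post describes."""
    if len(pkt) != PACKET_LEN:
        raise ValueError(f"expected {PACKET_LEN} bytes, got {len(pkt)}")
    return {
        "header": pkt[:HEADER_LEN],
        "hash": pkt[HASH_OFF:HASH_END],
        "other": pkt[HASH_END:CHECKSUM_OFF],
        "checksum": pkt[CHECKSUM_OFF:],
    }


def varying_positions(packets: list) -> set:
    """Byte offsets whose value differs across the captured packets.

    Offsets that never change are fixed structure (opcodes, padding, constant
    plaintext such as a server name); offsets that change with the credentials
    are the hash and the checksum that covers it.
    """
    positions = set()
    for i in range(PACKET_LEN):
        if len({p[i] for p in packets}) > 1:
            positions.add(i)
    return positions


if __name__ == "__main__":
    # Constructed captures for two different logins.
    captures = [build_sample_packet("alice", "hunter2"),
                build_sample_packet("bob", "s3cret")]
    for p in captures:
        print({k: v.hex() for k, v in parse_login_packet(p).items()})
    print("varying offsets:", sorted(varying_positions(captures)))
```

With two or more captures, the header and the zero-filled payload bytes come back as constant while the hash and checksum regions vary, which is exactly the distinction a protocol analyst needs before deciding which fields carry secret material and which are safe to log or inspect.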