Verification Of Authenticity

Objects in Second Life can now be easily copied, and I’m pretty sure the cat’s out of the bag now. The source has been sold and distributed around, so even if development on it by the libsecondlife people ceased, somebody else could continue it.

One thing that can be tried is verifying whether an avatar/object/etc is authentic or not. This can be done by a script in the original object, as scripts can’t be duplicated.

The idea is to implement a CRAM-MD5 style authentication mechanism. Basically, we have the authentic object prove it knows a secret without disclosing what the secret is. This is done by sending it a challenge and having the object calculate a response and send it back. If the response is correct, then the object is authentic.

CRAM-MD5 Auth

The idea is very simple: Make a script that knows a password. The password should be something long and random, such as “BotDlMVM3fpnK6wU”, so that it can’t be broken by brute force. The script listens on a channel, and when a message comes in, it calculates llMD5String(message + password, 0), then spits out the reply on some other channel. The resulting script is very small and easy to use.

Here’s my auth script.

Verification

To verify, we need another script. This script knows the same password. It sends a random (important!) message to the script in the object, gets a response and checks whether it’s correct.

A very important thing is to generate a random string. This is needed to ensure the response can’t be captured and reused. The challenge will be different every time, so the reply will also be different. Fortunately that’s easy enough to do. For the challenge, we can use various things added together, such as: object key, owner key, UNIX time, object position, script running time, and a random number thrown in for good measure. This ensures that a challenge made by one object would never be repeated by another, as the time, position, etc. will have changed. Optionally, we can also run all that through llMD5String so that the output is more compact and easier to work with (no spaces, etc.).

We send this string to the object being verified. The object calculates llMD5String(message + password, 0) and returns the result. We do the same calculation and check whether the two match. If they do, the object is authentic.

Here’s my verifier script.

Verifier object

The code linked above is all that’s needed to get this to work. Here’s how to use it:

  • Edit the auth script and set the channels and password.
  • Edit the verifier script and set the channels to the same value. Add the password to the g_passwords list.
  • Place the auth script in the objects you’re going to sell.
  • Place the verifier script into an object. You can give copies to other people, but make sure they never see the source, as then they’d get the password and security would be lost.

The verifier object is used as follows: Click the object and say an avatar name or “all”. If you say a name, it will run a scan and try to run a check against that specific avatar. If you say “all” it’ll run a check on everybody around.

Possible results:

  • The check is successful. Everything is fine!
  • The check fails. This may be somebody trying to work around it. Make sure you have the password in the verifier.
  • Timeout. This is what would happen with a cloned script, as the script wouldn’t be copied. Make sure that all your objects have an auth script in them and you’re using the same channels. If you’re sure it should have one, but it doesn’t, it’s a copy.

Note that in global scan mode, it checks everybody around. You’ll have to look through the output and see which people are using the object but gave no reply. Those are the ones using copies.
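The exchange described above, as an added model in Python (not the LSL scripts linked in this post): the verifier builds a challenge from the sources listed, the auth script answers with an MD5 over the challenge and the password, and the verifier checks the reply, with a missing script producing the timeout result. It also folds the challenger’s key into the hashed value, as Arachnid Baxter suggests in the comments below, so a reply computed for a different challenger key will not verify. llMD5String is modelled as MD5 over src + “:” + nonce (its documented behaviour); the keys, position and password values are constructed samples.

```python
import hashlib
import random
import time

# Constructed sample values standing in for Second Life keys (UUIDs).
PASSWORD = "BotDlMVM3fpnK6wU"  # the example password quoted in the post
VERIFIER_KEY = "11111111-aaaa-4bbb-8ccc-000000000001"
OWNER_KEY = "22222222-aaaa-4bbb-8ccc-000000000002"


def ll_md5(src: str, nonce: int = 0) -> str:
    """Model of llMD5String(src, nonce): MD5 hex digest of src + ':' + nonce."""
    return hashlib.md5(f"{src}:{nonce}".encode()).hexdigest()


def make_challenge(object_key: str, owner_key: str, position: tuple) -> str:
    """Verifier side: mix object key, owner key, UNIX time, position, script
    running time and a random number, then MD5 the lot into a compact string.
    Each call yields a fresh value, so a captured reply cannot be replayed."""
    raw = (f"{object_key}{owner_key}{int(time.time())}{position}"
           f"{time.monotonic()}{random.randrange(1 << 30)}")
    return ll_md5(raw)


class AuthScript:
    """The script placed in a genuine object. It never reveals the password,
    only MD5(challenge + challenger key + password)."""

    def __init__(self, password: str):
        self._password = password

    def respond(self, challenge: str, challenger_key: str) -> str:
        # Binding the challenger's key (the comment's suggestion) ties the
        # reply to this verifier, so it is useless to any other challenger.
        return ll_md5(challenge + challenger_key + self._password)


def verify(target, challenge: str, passwords: list, my_key: str) -> str:
    """Verifier side. `target` is None when no script answers, which is the
    timeout a copied object produces because scripts are not copied."""
    if target is None:
        return "timeout"
    reply = target.respond(challenge, my_key)
    # g_passwords in the post is a list, so accept any configured password.
    expected = {ll_md5(challenge + my_key + p) for p in passwords}
    return "ok" if reply in expected else "fail"
```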

3 Responses to Verification Of Authenticity

  1. Arachnid Baxter says:

    You need to have the object being challenged add something unique like the challenger key to the value to be hashed. Otherwise, when challenged, a fake object could simply scan around to find a real one, forward the challenge to that, and reply to the original scanner with the response it gets!

  2. Mark L says:

    Heya…

    Love that yahoo, cool site. Thank you….
