Script security how to
Overview
First, you have to understand that there is no such thing as absolute security. The goal is to make breaking the security so difficult that no one will bother. This means that you should use stronger security measures based on how likely someone will want to break into your system.
The method you use to
communicate will determine how secure it is to start with.
There are two parts to secure authentication, and you may only need one. The first part is preventing others from seeing what you are saying, and the second part is being able to trust that a message is coming from whom you think it's coming from. Often in LSL, the latter is really the only thing that matters. If you can ensure that your objects will only listen to each other, does it matter if the information they're sharing can be heard by a third party? You can get the key of a talking object by using
llGetOwnerKey(key id) provided you are a main agent or child agent to the talking object.
Chat
There are 4 billion possible chat channels for short range communications, however it is possible to set up scripts to scan all possible channels over a relatively short period of time. You can make scanners almost useless by using one encrypted channel that then changes the channel that the data is passed on. This reduces how much one needs to rely on encryption, which is expensive in terms of script time.
Making keys using Math
You can also use "Psuedo-Random Number Generators" to generate new keys, however if someone finds out which equation and starting key you are using they can then predict what key is next.
This is probably the fastest method of encrypting data since you can use the Psuedo-Random Number Generator to create a "one time pad" for use with the
llXorBase64StringsCorrect
Some examples
1)
LibraryPseudoRandomGenerator
2)
x = (x * 2) & 0x3FFFFFF ;
if ( ( ( x & (1<<19) ) == 0 ) ^ ( ( x & (1<<27) ) ) == 0 ) ++X; //Create one Pseudo-random bit in LSB
default
{
state_entry()
{
integer x = 0x12345678;
integer i;
for (i=0; i<100; i++) {
x = (x * 2) & 0x3FFFFFF ;
integer b = x & (1<<27);
llSay(0, "Intermediate state " + (string)x + ", bit 27 is " + (string)b);
if ( ( ( x & (1<<19) ) == 0 ) ^ ( ( x & (1<<27) ) ) == 0 ) ++x;
}
}
}Signing Messages
from Lex Neva
You can also sign messages using llMD5String. This computes a (theoretically) one-way hash on the input, which can be used to "sign" a message. With every message you send, run llMD5String() on the message with the password stuck at the end. The other end will also run llMD5String() on the message it receives with the password it knows about stuck on the end, and if it gets a result that matches yours, it knows that you had the password when you sent the message.
The only problem is that any eavesdropper can get a message that you send, plus the MD5 "signature", and just send that same message again. This can be a security vulnerability in some cases. To mitigate that, you should instead MD5 a string like this: "<my object key>|<password>|<message>". The other end will do the same to check the authenticity of the message. Since (as far as I know), it's impossible in SL to spoof the source of a message that's received in a listen() event, this is much more secure.
I recommend you make use of the nonce, too. With an integer counting upwards and send that nonce, too. At the recieving part just check if the current nonce is higher then the last one used, this really prevents replay of messages. The disadvantage is, once the script is reset you loose the nonce. MD5 can be attacked and somehow calculated backwards if part of the string to the hashes is known. So putting a password at the beginning is insecure, as a state for the partial message "<my object key>|<password>|" can be obtained. This works from the other side, too. For better security use a nested MD5 like:
In this case the outer MD5 hashes unknown data leaving the attacker in the dark -
ThomasShikami
Creating truly random numbers
The
llFrand function will return random numbers; however, the numbers it returns will only be truly random if some other random numbers are generated in between in a random fashon. So grab a random number and then another and discard some based on some other event like a timer if you absolutely have to have a truly random number.
If you don't need a high amount of random numbers, you can use llMD5String to add more randomness, ex. -
ThomasShikami
Functions
Contributors
grumble Loudon, LaserFur Leonov, Lex Neva, Thraxis Epsilon, Hank Ramos, Hewee Zetkin,
AlexanderDaguerre
Threads
http://forums.secondlife.com/showthread.php?t=126143
Notes and To Do
Jasa SEO Murah Jasa SEO Jasa Google Adwords Jasa Adwords Google Adwords Sepatu Safety Sepatu Futsal Cheapes Hostgator Coupon Link Booking Televisori offerte Notebook Offerte Govr Edo Ziedo Portatile Apple RDAnet Lorks Karikatur Bisnis Modal Kecil Bisnis UKM Berita Terbaru Iklan Baris Jasa SEO Murah SEO Indonesia Konsultan SEO SEO Belajar SEO Penumbuh Rambut Kursus SEO Jam Tangan Casio Grosir Baju Bisnis Online Kerupuk Kulit Social Bookmark Kumpulan Puisi WBC Wonogiri Penumbuh Rambut Jam Tangan Murah Jam Tangan Murah Jam Tangan Casio Penumbuh Rambut Kerupuk Kulit Alat Kantor Laku.com Belanja Online Grosir Eceran Murah dan Aman Jasa SEO Model Jilbab Fine Tableware Permanent Hair Removal island investment development professional makeup artist bali private villa sewa mobil jakarta murah Jual rumah Jakarta Contact Lens Technology