• This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn more.

Better customer verification tokens

Kent

Active member
#1
The customer verification requires only a token and optionally a domain.
It's up to whoever is asking for the token to keep it safe and check the domain by having a unique file uploaded. This may not always happen.

If tokens are instead generated using a secret salt and a message they could become purposeful tokens.

Example:
Code:
$purposefulToken = md5($salt . $message);
$salt is retrieved from the server using the associated license ID/token which is then hashed with a $message. This creates a token which the server can re-generate without having to store the $message. The $purposefulToken is given to the customer along with their license ID/token.

The $message can be something like... "XenForo license verification for XenForo forum user SomeDeveloper on 26 May 2013. Not intended for any other purpose."
The developer can additionally request that a message of their own is appended in case the $message is too generic to trust.

It's worth noting that given an output, the $salt could be brute forced if it is not long enough or random enough.
 

Slavik

XenForo moderator
Staff member
#2
What purpose does having a custom message provide?

It's worth noting that given an output, the $salt could be brute forced if it is not long enough or random enough.

It is for this very reason the current token system is done as it is done, the variables going into creating the tokens are 100% random, so there is no possibility of bruteforcing them.
 

Kent

Active member
#3
What purpose does having a custom message provide?
It prevents malicious reuse of tokens, as the message must also be provided with the token to validate it.
It is for this very reason the current token system is done as it is done, the variables going into creating the tokens are 100% random, so there is no possibility of bruteforcing them.
It is highly unlikely that one would successfully brute force a good $salt within our sun's lifetime.
 

Biker

Well-known member
#4
You're also overlooking the point that a token can be generated at any time, thereby invalidating the previous token.
 

Kent

Active member
#5
You're also overlooking the point that a token can be generated at any time, thereby invalidating the previous token.
That doesn't prevent the token being misused while it is valid, and a developer may request that the token remain valid for extended periods for their convenience.
 

Biker

Well-known member
#6
Tokens aren't meant to be used as a constant verification and should never be used as such. Considering the length and randomness of the token, creating a salt hash is overkill for the designed purpose of the token itself.
 

Slavik

XenForo moderator
Staff member
#8
It prevents malicious reuse of tokens, as the message must also be provided with the token to validate it.
It is highly unlikely that one would successfully brute force a good $salt within our sun's lifetime.
I honestly don't see what this achieves sorry.
 

Kent

Active member
#9
I honestly don't see what this achieves sorry.
  • Generate as many tokens for as many people as desired
  • Tokens do not need to be secret, no need to re-generate
  • Tokens cannot be misused for other purposes
  • No need to have a file uploaded to the associated domain, faster confirmation with less hassle
  • Developers can implement custom verification methods by requesting a specific string be included with the message
 

Slavik

XenForo moderator
Staff member
#10
  • Generate as many tokens for as many people as desired
  • Tokens do not need to be secret, no need to re-generate
  • Tokens cannot be misused for other purposes
  • No need to have a file uploaded to the associated domain, faster confirmation with less hassle
  • Developers can implement custom verification methods by requesting a specific string be included with the message

  1. Tokens can be re-generated many times as is.
  2. You don't need to ever re-generate a token if you don't want to. The re-generation is there for that exact reason to prevent miss use.
  3. Does no point 2 negate the point of this one?
  4. You don't need to upload a file as is?
  5. The system isn't designed to be used as a crude type of "DRM" of continuous validation.
 

Kent

Active member
#11
  1. Tokens can be re-generated many times as is.
  2. You don't need to ever re-generate a token if you don't want to. The re-generation is there for that exact reason to prevent miss use.
  3. Does no point 2 negate the point of this one?
  4. You don't need to upload a file as is?
  5. The system isn't designed to be used as a crude type of "DRM" of continuous validation.
Multiple tokens can be generated for different purposes at the same time without invalidating previous tokens. None of the information needs to be stored as the server can re-generate it on its own later.
When sending your token/domain to anyone, you're fully trusting them not to misuse that information before replying that they have confirmed it so you can generate a new token.
Uploading a file is required to confirm that the person you're speaking to is in fact the owner of the site which the license is associated with. The token and domain alone aren't enough because more than just the owner will know this information.
 

Adam Howard

Well-known member
#13
The tokens sometimes do repeat

b47cdea474f42af54dc4eb532158f589
24ac4f3489f000f71226661b137db7e3
b47cdea474f42af54dc4eb532158f589
f44fa7732bac9d1103602a5821d8de33
27d5a442d792f0bf693c42aad8fb1811
c3c5deec45485b11da35af0aa692d6d5
24ac4f3489f000f71226661b137db7e3

These are tokens which I generated one after the other.

They're not as random as you would believe.

Attached is me doing it again, but with a clock to show the difference in time.

To repeat this process, don't simply click on "generate token" or "cancel". Simply click somewhere else on screen to dismiss the overlay. You'll get a mix of new and re-used tokens.

There is a weakness in your token system

(quick, someone find DRE so he can quote me as being, right again :p )
 

Attachments

Kent

Active member
#15
How?

Who is going to figure out my domain and token?
Anyone you send it to for validation, and anyone who has access to the medium in which it is sent, not limited to the intended recipient. The token can be misused during this time until it is re-generated.

@Adam Howard
Uh, that is an unexpected development. Wonder what is being used to generate it.
Nevermind, misread.
 

Shelley

Well-known member
#16
The tokens sometimes do repeat

b47cdea474f42af54dc4eb532158f589
24ac4f3489f000f71226661b137db7e3
b47cdea474f42af54dc4eb532158f589
f44fa7732bac9d1103602a5821d8de33
27d5a442d792f0bf693c42aad8fb1811
c3c5deec45485b11da35af0aa692d6d5
24ac4f3489f000f71226661b137db7e3

These are tokens which I generated one after the other.

They're not as random as you would believe.

Attached is me doing it again, but with a clock to show the difference in time.

To repeat this process, don't simply click on "generate token" or "cancel". Simply click somewhere else on screen to dismiss the overlay. You'll get a mix of new and re-used tokens.

There is a weakness in your token system

(quick, someone find DRE so he can quote me as being, right again :p )
Since I generated a token the other day to download an add-on I'll ask anyway. What is the flaw in the token system? Once you generate you pass it to add-on maker to get your download and re-generate to null the previous token you sent to the add-on maker. Care to explain further? My understanding is the token is useless and won't return me as the one generating the token right?
 

Adam Howard

Well-known member
#18
Since I generated a token the other day to download an add-on I'll ask anyway. What is the flaw in the token system? Once you generate you pass it to add-on maker to get your download and re-generate to null the previous token you sent to the add-on maker. Care to explain further? My understanding is the token is useless and won't return me as the one generating the token right?
Short answer:

If the tokens repeat, they're not exactly useless once used.
 

Slavik

XenForo moderator
Staff member
#19
I would argue the fail is yours.

View attachment 46898

^ Every time you click that link, you should get a new token (according to Mike). That's not the case.
Everytime you click that link, it will open an overlay to show you the last generated token.

It will show you the same token every time, until such time as you re-generate it clicking the regenerate token button.