open All Channels
seplocked EVE Technology Lab
blankseplocked Proposal: IGB Header Checksum
This thread is older than 90 days and has been locked due to inactivity.

Author Topic

Phoenix Industries
Wicked Nation
Posted - 2011.04.05 11:45:00 - [1]

Edited by: Wollari on 05/04/2011 12:18:10
I know the IGB headers can be faked and are not a trustworthy method to determine the users identity. Yesterday after playing around with paypal ipn (for something totally different), I thought the method used isn't that bad.

The goal:
Add a serverTime + checksum to the IGB headers and create and API call that verifies the integrity of a given header.

The checksum:
The checksum could be created over the given IGB Headers + a (daily/hourly changed) secret/salt. To enhance security the eve server could provide a character specific salt for a specific time period. Example, together when the igb fetches the list of black listed webpages. This way the salt isn't guessable.

The verification:
The 3rd party site sends all received headers to the API server and the api server generate the checksum himself and compares it with the given checksum.

No TQ/database needed:
If you verify only the given header data + checksum there's no actual TQ/Database access required which allows instant verification.

Verification Flow:
// DRAFT SIMPLE IGB VERIFCATION with a header checksum+salt

the use of a secret salt isn't the best way, but it this prevents the api
server to query the database in able to verify the user. The goal is to create
a simple way to verify an ingame browser header for authentication and
location based services.

Idea was based on same method Paypal is using to verify the IPN (Payment
Notification) data.

1) Ingame Browser Header Creation

add all default eve header
add HTTP_EVE_TIME = Current Server Time
add HTTP_EVE_CHECKSUM = HASH( <secretSalt> | HTTP_EVE_CHARID=12345 | HTTP_EVE_SOLARSYSTEMID=32456 | [...] | HTTP_EVE_TIME=(server time) );

2) Deliver Header to 3rd party website

* extract all HTTP_EVE_ headers and build new url string (in the same order)
* send data to API server via GET or POST to /eve/VerifyHeader.xml.aspx

3) API Server validates incoming headers

* HTTP_EVE_TIME must not be older then 5 minutes
prevent use outdated, sniffed, faked headers
* create HASH string of all incoming headers expect HTTP_EVE_CHECKSUM same
way the IGB did
* no database connection needed
* if HASH == HTTP_EVE_CHECKSUM return valid=true or false

4) 3rd party website saves verifcation state in session storage to avoid
verification of every single page request!

Example client implentation:

Sure the browser code could still be reverse hacked and people could be able to fake headers, but the entry level is set higher. So people can trust on positions to a certain degree for simple services.

Sure high level services still will require api access and more.

What do you think?


Before you ask: This method should never replace any kind of real security and user authentication stuff. I just adds checksum to the header for verification.

Phoenix Industries
Wicked Nation
Posted - 2011.04.05 12:18:00 - [2]

Edited by: Wollari on 05/04/2011 12:18:00
forget it ... this will only create a a never ending flame war about the not existing security mechanics or that you never should trust the igb header, the api and the world :-)

well ...

Catari Taga
Centre Of Attention
Middle of Nowhere
Posted - 2011.04.05 12:28:00 - [3]

Well, the idea behind the proposal is as old as the IGB itself I suppose, as much as flame wars are a part of EVE. So don't give up hope. Smile

CCP Atlas

Posted - 2011.04.06 09:39:00 - [4]

We've tossed something like this around the office from time to time. It's not out of the question that some sort of a simple authentication scheme using the API will be added to the IGB headers in the future.


This thread is older than 90 days and has been locked due to inactivity.


The new forums are live

Please adjust your bookmarks to

These forums are archived and read-only