so from what i understand
menu connects to blockland over a TCP connection
menu asks for a username
blockland creates an expected hash from the username (if it exists), and the password sha1 hash (which i don't trust. at all. i'd rather use an external script to do all of this over sha256)
and if it works they get in etc etc blah blah, hash is sent with each command
Well, if you read it, it's more that it first hashes the password, then it hashes that together with other variables to make another hash. To guess the password is almost impossible. Also, this system is only to make sure that each time you send a request, the content hasn't been tampered with and that you are who you claim to be. As it says in the wiki:
These enhancements are designed to protect against, for example, chosen-plaintext attack cryptanalysis.
Yes, sha-1 is not a secure hash anymore, but when did you care about security in Blockland? It is also worth noting that even if it's insecure as it is broken, you still cannot decrypt it and need to guess what the hash contains by looking in a rainbow table.
For instance, as I mentioned earlier, I made a different way to handle this to add more randomness:
First you get the variables from the server (please note that I used JSON for communication):
{
"nonce" : "346gw3e6hw3h6se5h6",
"opaque" : "90834g6908w3609g"
}
Then the client responds:
{
"username" : "YourName",
"algorithm" : "sha1",
"nonce" : "346gw3e6hw3h6se5h6",
"nc" : "00000001",
"cnonce" : "8s3498",
"opaque" : "90834g6908w3609g",
"response" : "59e7b54eeef1a5d84aa99d19f3ef5bc6f11f4a8a",
"action" : {"cmd":"dostuff"}
}
So, the client is sending back what the server requested and a bunch of other data that will identify it.
nonce = Random. It is like a token that is used for this connection
cnonce = Random. Issued by the client as an extra hash
response = algorithm(algorithm(username:password):nonce:nc:cnonce:algorithm(action))
The action is hashed directly like so:
algorithm({"cmd":"dostuff"})
On the server, the password is saved hashed with the username. It's not perfect, but it will add some sort of security to keep people from tampering with your server without your credentials. And as mentioned earlier, it's almost impossible to guess it unless someone has put it into a rainbow table. The only way to actually try to get into the system is to decrypt one of the response hashes and find the hash for the username and password pair.
If you want, try to guess the password.
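A server-side check for the response formula in the post above, as an added example that is not code from the thread or from Blockland. It assumes the fields are joined with a literal ":", that `nc` is a hexadecimal request counter, and that both sides hash the action as compact JSON with sorted keys; the `Session` class, the result strings and the account password are constructed for illustration.

```python
import hashlib, hmac, json

ALLOWED = {"sha1": hashlib.sha1, "sha256": hashlib.sha256}  # server-side allow-list

def h(alg, text):
    return ALLOWED[alg](text.encode("utf-8")).hexdigest()

def make_response(alg, ha1, nonce, nc, cnonce, action):
    # Assumption: the action is hashed as compact JSON with sorted keys on both sides.
    ha2 = h(alg, json.dumps(action, separators=(",", ":"), sort_keys=True))
    # response = alg(alg(username:password):nonce:nc:cnonce:alg(action))
    return h(alg, ":".join([ha1, nonce, nc, str(cnonce), ha2]))

class Session:
    """Server-side state for one issued nonce/opaque pair (hypothetical helper)."""
    def __init__(self, alg, nonce, opaque, users):
        self.alg, self.nonce, self.opaque = alg, nonce, opaque
        self.users = users   # username -> stored alg(username:password)
        self.last_nc = 0     # highest request counter accepted so far

    def verify(self, msg):
        if msg.get("algorithm") != self.alg:
            return "bad-algorithm"   # the client cannot pick or downgrade the hash
        if msg.get("nonce") != self.nonce or msg.get("opaque") != self.opaque:
            return "bad-nonce"
        try:
            nc = int(msg["nc"], 16)  # assumption: nc is a hex counter
        except (KeyError, TypeError, ValueError):
            return "bad-nc"
        if nc <= self.last_nc:
            return "replay"          # a captured message cannot be sent twice
        ha1 = self.users.get(str(msg.get("username")))
        if ha1 is None:
            return "bad-credentials"
        expected = make_response(self.alg, ha1, self.nonce, msg["nc"],
                                 msg.get("cnonce", ""), msg.get("action"))
        if not hmac.compare_digest(expected.encode(), str(msg.get("response", "")).encode()):
            return "bad-credentials" # wrong password or modified action/nc/cnonce
        self.last_nc = nc
        return "ok"

def demo():
    alg = "sha256"
    users = {"YourName": h(alg, "YourName:constructed-password")}  # constructed account
    s = Session(alg, "346gw3e6hw3h6se5h6", "90834g6908w3609g", users)
    msg = {"username": "YourName", "algorithm": alg, "nonce": s.nonce, "opaque": s.opaque,
           "nc": "00000001", "cnonce": "8s3498", "action": {"cmd": "dostuff"}}
    msg["response"] = make_response(alg, users["YourName"], s.nonce, msg["nc"], msg["cnonce"], msg["action"])
    tampered = dict(msg, nc="00000002", action={"cmd": "otherstuff"})
    return s.verify(msg), s.verify(msg), s.verify(tampered)
```

`demo()` sends one valid message, repeats it unchanged, then reuses its response with a different action. Note that the stored `alg(username:password)` value is all that is needed to compute a valid response, so it has to be protected on the server like the password itself.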