Protocol Encryption

From wiki.vg
Jump to navigation Jump to search

As of 12w17a, Minecraft implements SSL-like encryption.

Overview

  1. Client connects to server
  2. C->S 0x02 handshake
  3. S->C 0xFD encryption request - server sends its server id string, public key, and 4 random bytes
  4. Client generates symmetric key (shared secret)
  5. Client authenticates via authserver.mojang.com.
  6. Client encrypts these 4 bytes with the servers public key.
  7. C->S 0xFC encryption response - client encrypts shared secret with server's public key and sends along with encrypted 4 bytes
  8. Server checks that the encrypted bytes match
  9. Server decrypts shared secret with its private key
  10. Server checks player authenticity via session.minecraft.net
  11. S->C 0xFC encryption response - empty payload meaning two zero length byte arrays and two zero shorts
  12. Server enables AES/CFB8 stream encryption
  13. Client enables AES/CFB8 stream encryption
  14. C->S 0xCD - Payload of 0 (byte)
  15. S->C 0x01 login
  16. see Protocol FAQ to get information about what happens next.

Server ID String

The server ID string is a randomly-generated string of characters with a maximum length of 20 code points (the client disconnects with an exception if the length is longer than 20).

The client appears to arrive at incorrect hashes if the server ID string contains certain unprintable characters, so for consistent results only characters with code points in the range U+0021-U+007E (inclusive) should be sent. This range corresponds to all of ASCII with the exception of the space character (U+0020) and all control characters (U+0000-U+001F, U+007F).

The client appears to arrive at incorrect hashes if the server ID string is too short. 15 to 20 (inclusive) length strings have been observed from the Notchian server and confirmed to work as of 1.5.2.

Key Exchange

The server generates a 1024-bit RSA keypair on startup. The key, when packed into a 0xFD packet, is in ASN.1 format as defined by x.509. The ASN.1 structure looks as follows

SubjectPublicKeyInfo ::= SEQUENCE {
  algorithm SEQUENCE {
    algorithm         OBJECT IDENTIFIER
    parameters        ANY OPTIONAL
  }
  subjectPublicKey  BITSTRING
}

SubjectPublicKey ::= SEQUENCE {
  modulus           INTEGER
  publicExponent    INTEGER
}

If you're struggling to import this using a crypto library, you can convert it to common PEM by base64-encoding and wrapping in '-----BEGIN PUBLIC KEY-----' and '-----END PUBLIC KEY-----'.

Symmetric Encryption

On receipt of a 0xFD from the server, the client will generate a 16-byte shared secret, to be used with the AES/CFB8 stream cipher. It then encrypts it with the server's public key (PKCS#1 v1.5 padded), and also encrypts the token received in the 0xFD packet in the same way, then sends both to the server in a 0xFC packet.

The server decrypts the shared secret and token using its private key, and checks if the token is the same. It then sends a 0xFC to the client with an empty payload, and enables AES/CFB8 encryption. For the Initial Vector (IV) and AES setup, both sides use the secret key. Similarly, the client will also enable encryption upon receipt of the empty 0xFC. From this point forward, everything is encrypted.

Authentication

Both server and client need to make a request to session.minecraft.net if the server is in online-mode.

Client

After generating the shared secret, the client generates the following hash:

sha1 := Sha1()
sha1.update(ASCII encoding of the server id string from 0xFD) 
sha1.update(shared secret) 
sha1.update(server's encoded public key from 0xFD) 
hash := sha1.hexdigest()  # String of hex characters

:!: Note that the Sha1.hexdigest() method used by minecraft removes leading zeros and uses the two's-complement of negative numbers prefixed with a minus sign:

sha1(Notch) :  4ed1f46bbe04bc756bcb17c0c7ce3e4632f06a48
sha1(jeb_)  : -7c9d5b0044c130109a5d7b5fb5c317c02b4e28c1
sha1(simon) :  88e16a1019277b15d58faf0541e11910eb756f6

The resulting hash is then sent via an HTTP GET request to

http://session.minecraft.net/game/joinserver.jsp?user=username&sessionId=user_session&serverId=hash

If it returns OK then continue, otherwise stop

Server

After decrypting the shared secret in the second 0xFC, the server generates the login hash as above and sends it to

http://session.minecraft.net/game/checkserver.jsp?user=username&serverId=hash

If the response is YES then the client is authenticated and allowed to join. Otherwise the client will/should be kicked (unencrypted) with "Failed to verify username!"

Sample Code

Examples of generating Java-style hex digests:

Example

A parsed transcript of a successful protocol encryption handshake follows:

127.0.0.1:43733 connected, there is now 1 client connected
====PROTOCOL ANALYSIS====
127.0.0.1:43733 ==> Server - Packet of type 0x02
====50 BYTES====
0x02 0x3D 0x00 0x0B 0x00 0x44 0x00 0x72
0x00 0x61 0x00 0x69 0x00 0x6E 0x00 0x65
0x00 0x64 0x00 0x73 0x00 0x6F 0x00 0x75
0x00 0x6C 0x00 0x09 0x00 0x6C 0x00 0x6F
0x00 0x63 0x00 0x61 0x00 0x6C 0x00 0x68
0x00 0x6F 0x00 0x73 0x00 0x74 0x00 0x00
0x2D 0x85
====PAYLOAD====
#1 - Signed Byte: 61
#2 - Unicode String (11 graphemes, 11 code points): "Drainedsoul"
#3 - Unicode String (9 graphemes, 9 code points): "localhost"
#4 - 32-bit Signed Integer: 11653
====PROTOCOL ANALYSIS====
Server ==> 127.0.0.1:43733 - Packet of type 0xFD
====205 BYTES====
0xFD 0x00 0x10 0x00 0x4E 0x00 0x77 0x00
0x5D 0x00 0x31 0x00 0x51 0x00 0x61 0x00
0x43 0x00 0x3C 0x00 0x6F 0x00 0x3A 0x00
0x6C 0x00 0x2E 0x00 0x5C 0x00 0x65 0x00
0x53 0x00 0x39 0x00 0xA2 0x30 0x81 0x9F
0x30 0x0D 0x06 0x09 0x2A 0x86 0x48 0x86
0xF7 0x0D 0x01 0x01 0x01 0x05 0x00 0x03
0x81 0x8D 0x00 0x30 0x81 0x89 0x02 0x81
0x81 0x00 0x9D 0x09 0x76 0x71 0x45 0x24
0x18 0x53 0x5F 0x32 0x5A 0xD5 0xBB 0x26
0x43 0x2C 0x97 0xBB 0xB3 0xF4 0x03 0x96
0xEA 0xF1 0xAD 0xA6 0xC9 0x41 0x7B 0x01
0x8F 0x66 0xED 0x92 0x4B 0xB7 0x17 0x2C
0x65 0x5C 0xD2 0x42 0x35 0x0C 0x8A 0x8C
0xC3 0xE1 0x5C 0x76 0x0E 0x43 0x97 0x17
0xEE 0x9E 0xEF 0x4F 0x4E 0x2D 0xFC 0x2D
0xE6 0x92 0x0B 0x7E 0xA0 0x56 0xB5 0xB7
0x18 0x59 0x57 0x74 0x28 0x5C 0xA1 0x88
0xC4 0xE6 0x60 0xDF 0x64 0x3A 0x2C 0x0E
0x5C 0x7D 0xB9 0x7C 0xF9 0xFB 0xA2 0x21
0xC5 0x0B 0x36 0x7D 0xDE 0x8A 0xC9 0xC5
0x09 0xA0 0x2F 0xA0 0x25 0x8A 0x26 0xDB
0x0B 0x82 0xC8 0x60 0xCB 0x58 0x02 0xEC
0xBB 0xFE 0xBC 0x35 0x3F 0x40 0x9C 0x96
0xF4 0x5F 0x02 0x03 0x01 0x00 0x01 0x00
0x04 0xED 0x85 0x14 0xD6
====PAYLOAD====
#1 - Unicode String (16 graphemes, 16 code points): "Nw]1QaC<o:l.\eS9"
#2 - Array of bytes (162 bytes):
0x30 0x81 0x9F 0x30 0x0D 0x06 0x09 0x2A
0x86 0x48 0x86 0xF7 0x0D 0x01 0x01 0x01
0x05 0x00 0x03 0x81 0x8D 0x00 0x30 0x81
0x89 0x02 0x81 0x81 0x00 0x9D 0x09 0x76
0x71 0x45 0x24 0x18 0x53 0x5F 0x32 0x5A
0xD5 0xBB 0x26 0x43 0x2C 0x97 0xBB 0xB3
0xF4 0x03 0x96 0xEA 0xF1 0xAD 0xA6 0xC9
0x41 0x7B 0x01 0x8F 0x66 0xED 0x92 0x4B
0xB7 0x17 0x2C 0x65 0x5C 0xD2 0x42 0x35
0x0C 0x8A 0x8C 0xC3 0xE1 0x5C 0x76 0x0E
0x43 0x97 0x17 0xEE 0x9E 0xEF 0x4F 0x4E
0x2D 0xFC 0x2D 0xE6 0x92 0x0B 0x7E 0xA0
0x56 0xB5 0xB7 0x18 0x59 0x57 0x74 0x28
0x5C 0xA1 0x88 0xC4 0xE6 0x60 0xDF 0x64
0x3A 0x2C 0x0E 0x5C 0x7D 0xB9 0x7C 0xF9
0xFB 0xA2 0x21 0xC5 0x0B 0x36 0x7D 0xDE
0x8A 0xC9 0xC5 0x09 0xA0 0x2F 0xA0 0x25
0x8A 0x26 0xDB 0x0B 0x82 0xC8 0x60 0xCB
0x58 0x02 0xEC 0xBB 0xFE 0xBC 0x35 0x3F
0x40 0x9C 0x96 0xF4 0x5F 0x02 0x03 0x01
0x00 0x01
#3 - Array of bytes (4 bytes):
0xED 0x85 0x14 0xD6
====PROTOCOL ANALYSIS====
127.0.0.1:43733 ==> Server - Packet of type 0xFC
====261 BYTES====
0xFC 0x00 0x80 0x9B 0xD1 0xD7 0xA8 0xDB
0x54 0x49 0x8F 0x41 0xD5 0xA3 0x74 0x18
0xBD 0x8D 0x09 0xEA 0x45 0xFC 0x0F 0x3F
0x9B 0xE4 0xF9 0xAC 0xC5 0x7B 0xF6 0x16
0xBB 0xFA 0x36 0x51 0xF9 0x19 0xAB 0x72
0x2B 0xBA 0x46 0x6C 0x8D 0xB0 0x2D 0x53
0x5F 0xA5 0xD4 0x17 0x46 0x0E 0xD7 0xC1
0xAA 0x5D 0xC7 0x73 0x51 0xDA 0x3F 0xD7
0x5E 0xF6 0x96 0xF9 0x10 0xB2 0x1C 0x0D
0xAA 0x1E 0x61 0x37 0xFB 0x3C 0x66 0x77
0x20 0xCB 0xF7 0x3C 0x55 0xE5 0x9E 0xC1
0x28 0x63 0xD1 0xD7 0xF6 0xEE 0x1E 0x2C
0x20 0x72 0x98 0x7E 0xF2 0x7D 0xDF 0xFE
0x5A 0x25 0x3C 0x22 0xC0 0xCF 0x86 0xB3
0x02 0x97 0xB1 0x80 0x97 0xA1 0x92 0xDA
0xD2 0x44 0xB1 0xDA 0x0F 0x1C 0x30 0x96
0x98 0x0B 0xB7 0x00 0x80 0x78 0x85 0x42
0xF7 0xF8 0x2F 0x00 0xDB 0xBF 0x2E 0x22
0x33 0x10 0x6C 0x19 0xE3 0x16 0x8F 0x36
0x16 0xE3 0xD9 0x86 0x67 0x52 0x04 0x57
0xB6 0x4F 0x57 0x8C 0xB4 0x02 0x18 0x6D
0x16 0xC6 0xB5 0x95 0xBC 0xE6 0xEA 0x76
0x10 0x7A 0xB9 0xE3 0xBD 0x3C 0x50 0xEA
0x42 0xDF 0x47 0x05 0x3F 0xCF 0xD5 0x70
0xF4 0xAB 0xB5 0x07 0x90 0xA2 0x84 0x12
0x79 0x65 0x03 0x2A 0xB6 0x6B 0x0A 0xA8
0x90 0x8B 0xFE 0xCC 0x4E 0x04 0x35 0xA2
0xDD 0x08 0xBF 0xDD 0x29 0xAF 0x50 0xFD
0x2B 0x73 0xE1 0x6A 0xED 0xE8 0xE2 0x27
0x8F 0x0B 0xD5 0x0D 0xBC 0x9B 0x47 0x16
0x92 0x7B 0xD2 0xE6 0xD7 0xF1 0x3A 0xAE
0x3D 0x14 0xA9 0xC3 0xF2 0x96 0x8A 0x54
0x24 0x29 0xA3 0x53 0x55
====PAYLOAD====
#1 - Array of bytes (128 bytes):
0x9B 0xD1 0xD7 0xA8 0xDB 0x54 0x49 0x8F
0x41 0xD5 0xA3 0x74 0x18 0xBD 0x8D 0x09
0xEA 0x45 0xFC 0x0F 0x3F 0x9B 0xE4 0xF9
0xAC 0xC5 0x7B 0xF6 0x16 0xBB 0xFA 0x36
0x51 0xF9 0x19 0xAB 0x72 0x2B 0xBA 0x46
0x6C 0x8D 0xB0 0x2D 0x53 0x5F 0xA5 0xD4
0x17 0x46 0x0E 0xD7 0xC1 0xAA 0x5D 0xC7
0x73 0x51 0xDA 0x3F 0xD7 0x5E 0xF6 0x96
0xF9 0x10 0xB2 0x1C 0x0D 0xAA 0x1E 0x61
0x37 0xFB 0x3C 0x66 0x77 0x20 0xCB 0xF7
0x3C 0x55 0xE5 0x9E 0xC1 0x28 0x63 0xD1
0xD7 0xF6 0xEE 0x1E 0x2C 0x20 0x72 0x98
0x7E 0xF2 0x7D 0xDF 0xFE 0x5A 0x25 0x3C
0x22 0xC0 0xCF 0x86 0xB3 0x02 0x97 0xB1
0x80 0x97 0xA1 0x92 0xDA 0xD2 0x44 0xB1
0xDA 0x0F 0x1C 0x30 0x96 0x98 0x0B 0xB7
#2 - Array of bytes (128 bytes):
0x78 0x85 0x42 0xF7 0xF8 0x2F 0x00 0xDB
0xBF 0x2E 0x22 0x33 0x10 0x6C 0x19 0xE3
0x16 0x8F 0x36 0x16 0xE3 0xD9 0x86 0x67
0x52 0x04 0x57 0xB6 0x4F 0x57 0x8C 0xB4
0x02 0x18 0x6D 0x16 0xC6 0xB5 0x95 0xBC
0xE6 0xEA 0x76 0x10 0x7A 0xB9 0xE3 0xBD
0x3C 0x50 0xEA 0x42 0xDF 0x47 0x05 0x3F
0xCF 0xD5 0x70 0xF4 0xAB 0xB5 0x07 0x90
0xA2 0x84 0x12 0x79 0x65 0x03 0x2A 0xB6
0x6B 0x0A 0xA8 0x90 0x8B 0xFE 0xCC 0x4E
0x04 0x35 0xA2 0xDD 0x08 0xBF 0xDD 0x29
0xAF 0x50 0xFD 0x2B 0x73 0xE1 0x6A 0xED
0xE8 0xE2 0x27 0x8F 0x0B 0xD5 0x0D 0xBC
0x9B 0x47 0x16 0x92 0x7B 0xD2 0xE6 0xD7
0xF1 0x3A 0xAE 0x3D 0x14 0xA9 0xC3 0xF2
0x96 0x8A 0x54 0x24 0x29 0xA3 0x53 0x55
====PROTOCOL ANALYSIS====
HTTP request ==> http://session.minecraft.net/game/checkserver.jsp?user=Draineds
oul&serverId=-219245c9f4bce438ee84e84b28514ced1cd2846b
====PROTOCOL ANALYSIS====
HTTP response <== http://session.minecraft.net/game/checkserver.jsp?user=Drained
soul&serverId=-219245c9f4bce438ee84e84b28514ced1cd2846b - Status: 200 - Time ela
psed: 279902765ns - Response body (3 graphemes, 3 code points):
YES
====PROTOCOL ANALYSIS====
Server ==> 127.0.0.1:43733 - Packet of type 0xFC
====5 BYTES====
0xFC 0x00 0x00 0x00 0x00
====PAYLOAD====
#1 - Array of bytes (0 bytes):

#2 - Array of bytes (0 bytes):

====ENCRYPTION ENABLED====
Encryption enabled with key:
0x6C 0xBC 0x2E 0x17 0x45 0xBD 0x65 0xDF
0xA0 0x12 0x85 0x8F 0x00 0x87 0xAA 0x74
Encryption enabled with IV:
0x6C 0xBC 0x2E 0x17 0x45 0xBD 0x65 0xDF
0xA0 0x12 0x85 0x8F 0x00 0x87 0xAA 0x74
127.0.0.1 : 43733 logged in as Drainedsoul
====PROTOCOL ANALYSIS====
127.0.0.1:43733 ==> Server - Packet of type 0xCD
====2 BYTES====
0xCD 0x00

Additional Links

Encrypt shared secret using OpenSSL

Generate RSA-Keys and building the ASN.1v8 structure of the x.509 certificate using Crypto++

Decrypt shared secret using Crypto++

De/Encrypt data via AES using Crypto++

C# AES/CFB support with bouncy castle on Mono