k0zy Server Help Squatter
Gender: Joined: Jan 11 2003 Posts: 571 Location: Germany Offline
Posted: Sat Aug 09, 2008 5:02 am Post subject: Open source client-server security
Okay, I know this has been discussed a million times here now without any outcome.
Anyways, I'm coding a game that can be played over the internet.
The game will go open-source once it's playable.
If the server and the client are entirely open-source, how do I keep modified clients from connecting?
I thought about asymmetric encryption, would that solve the problem?
(I don't plan to protect it against a man-in-the-middle attack)
If asymmetric encryption is the solution, how would I best hide the private key of the client in the binary distribution?
For those interested, I already have the boiler-plate code done.
I'm using SDL, Box2D for physics (that already works, it's fun ^^) and ENet for networking stuff.
Doc Flabby Server Help Squatter
Joined: Feb 26 2006 Posts: 636 Offline
Posted: Sat Aug 09, 2008 7:06 am
There isn't really any solution, apart from running the simulation entirely on the server and having dumb clients, but that tends to suck for lag.
All you can do is make it difficult. Closed source games have the same problem, and tend to get hacked just as easily...
One solution that works pretty well is in TASpring http://spring.clan-sy.com/ (an RTS based on Total Annihilation): it runs the simulation on all the clients, which means if one client deviates from allowed behaviour the other client will be able to detect it...
Another solution is to use a closed source part of the game for internet games. This will probably get hacked and have to be continually updated as hackers get smarter (much like Continuum).
You could use asymmetric encryption to verify the integrity of the EXE: the server could request a hash of the exe from the client, and this could be transmitted using encryption, which means it would be undetectable over the wire. It wouldn't stop the code being changed, however, to give the correct answer, which is why you would still need the closed source module.
Really your best hope is to have a good set of banning tools for the server and allow players to vote off people who are cheating.
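An added example, not part of the post above and not TASpring's code: the lockstep approach the post describes, in which every client runs the same deterministic simulation and per-tick state checksums are compared to flag a client whose state deviates. The names `State`, `Command`, `step`, `checksum`, `find_desynced` and `run_demo`, the game rules and the sample commands are all constructed for illustration.

```cpp
// Added example (not from the thread): lockstep desync detection; names are hypothetical.
#include <cstdint>
#include <cstdio>
#include <map>
#include <vector>

struct State { int32_t x = 0, y = 0, gold = 100; };  // integers only: deterministic
struct Command { int32_t dx, dy, cost; };            // one broadcast input per tick
// Game rules that every unmodified client applies identically.
void step(State& s, const Command& c) {
    s.x += c.dx; s.y += c.dy;
    if (c.cost <= s.gold) s.gold -= c.cost;          // purchases need enough gold
}
// FNV-1a over the fields, byte by byte (avoids hashing struct padding).
uint32_t checksum(const State& s) {
    uint32_t h = 2166136261u;
    for (int32_t v : {s.x, s.y, s.gold})
        for (int i = 0; i < 4; ++i)
            h = (h ^ ((static_cast<uint32_t>(v) >> (8 * i)) & 0xffu)) * 16777619u;
    return h;
}
// Indices of clients whose checksum differs from the most common one.
std::vector<std::size_t> find_desynced(const std::vector<uint32_t>& sums) {
    std::map<uint32_t, std::size_t> votes;
    for (uint32_t s : sums) ++votes[s];
    uint32_t majority = 0; std::size_t best = 0;
    for (const auto& kv : votes)
        if (kv.second > best) { best = kv.second; majority = kv.first; }
    std::vector<std::size_t> out;
    for (std::size_t i = 0; i < sums.size(); ++i)
        if (sums[i] != majority) out.push_back(i);
    return out;
}

// Constructed scenario: three clients replay the same commands, but client 2
// is modified so that commands cost it nothing. Returns the flagged indices.
std::vector<std::size_t> run_demo() {
    const std::vector<Command> inputs = {{1, 0, 30}, {0, 2, 50}, {-1, 1, 40}};
    std::vector<State> clients(3);
    for (const Command& c : inputs)
        for (std::size_t i = 0; i < clients.size(); ++i)
            step(clients[i], i == 2 ? Command{c.dx, c.dy, 0} : c);
    std::vector<uint32_t> sums;
    for (const State& s : clients) sums.push_back(checksum(s));
    return find_desynced(sums);
}
int main() {
    for (std::size_t i : run_demo()) std::printf("client %zu desynced\n", i);
}
```

With only two clients a mismatch shows that the states diverged but not which side is at fault; the majority vote used here needs at least three participants to single one out.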
k0zy Server Help Squatter
Gender: Joined: Jan 11 2003 Posts: 571 Location: Germany Offline
Posted: Sat Aug 09, 2008 8:23 am
Yah, the closed-source module is definitely an option.
How did Cont for example hide its encryption key in the binary?
If I chose a different key for the encryption in an official binary distribution, changed it between versions and hid it some way, it would be fine, wouldn't it?
Modified clients wouldn't know the key and couldn't connect...
I plan on having banning and kicking available in the game.
grazzhoppa Novice
Joined: Jan 03 2007 Posts: 29 Offline
Posted: Sat Aug 09, 2008 6:59 pm
When the online game Quake went open source, the lead programmer proposed the same thing you've come up with: a closed source module that does all the communication between client and server with an encrypted protocol. This was almost 9 years ago:
http://www.bluesnews.com/cgi-bin/finger.pl?id=1&time=19991226003141
Bak ?ls -s 0 in
Age:25 Gender: Joined: Jun 11 2004 Posts: 1826 Location: USA Offline
|
k0zy Server Help Squatter
Gender: Joined: Jan 11 2003 Posts: 571 Location: Germany Offline
Posted: Mon Aug 11, 2008 4:27 am
If I settle for the closed source security module:
How do I keep modified clients from simply linking/using it? I don't get it...
doc-flabby-no-logged-in Guest
Offline
Posted: Mon Aug 11, 2008 5:22 am
Bob Dole.. Bob Dole... Bob Dole...... bob dole.... bob... dole.... wrote:
"If I settle for the closed source security module:
How do I keep modified clients from simply linking/using it? I don't get it..."

You have a piece of code in the loader of the module (that has to be run before the module can be used) that checks the exe is the unmodified one. The module can either refuse to run or, more usefully, silently report the user to the server. By not providing immediate feedback, it's less clear how their hack is being detected.
k0zy Server Help Squatter
Gender: Joined: Jan 11 2003 Posts: 571 Location: Germany Offline
Posted: Mon Aug 11, 2008 6:25 am
Thanks!
I'll go for the closed-source security module.