Server Help

Non-Subspace Related Coding - Open source client-server security
k0zy - Sat Aug 09, 2008 5:02 am
Post subject: Open source client-server security
Okay, I know this has been discussed a million times here now without any outcome.

Anyways, I'm coding a game that can be played over the internet.
The game will go open-source once it's playable.

If the server and the client are entirely open-source, how do I keep modified clients from connecting?

I thought about asymmetric encryption, would that solve the problem?
(I don't plan to protect it against a man-in-the-middle-attack)

If asymmetric encryption is the solution, how would I best hide the private key of the client in the binary distribution?

For those interested, I already have the boiler-plate code done.
I'm using SDL, Box2D for physics (that already works, it's fun ^^) and ENet for networking stuff.
Doc Flabby - Sat Aug 09, 2008 7:06 am
Post subject:
There isnt really any solution. Apart from to run the simulation entirely on the server and have dumb clients, but that tends to suck for lag.

All you can do it make it difficult. Closed source games have the same problem, and tend to get hacked just as easily...

On solution that works pretty well is in TASpring http://spring.clan-sy.com/ (a RTS based on Total Annhilation) it runs the simulation on all the clients which means if one client deviates from allowed behaviour the other client will be able to detect it...

Another solution is to use a closed source part of the game for internet games. This will probably get hacked and have to be continually updated as hackers get smarter (much like continuum)

You could use asymmetric encryption to verify the integrity of the EXE, the server could request a hash of the exe from client, and this could be transmitted using encryption, which means it would be undetectable over the wire. It wouldn't stop the code being changed however to give the correct answer which is why you would still need the closed source module.

Really your best hope is to have a good set of banning tools for the server and allow players to vote off people who are cheating.
k0zy - Sat Aug 09, 2008 8:23 am
Post subject:
Yah, the closed-source module is definitely an option.

How did Cont for example hide it's encryption key in the binary?

If I chose a diffrent key for the encryption in a official binary distribution, change it between versions and hide it someway. It would be fine, wouldn't it?

Modified clients wouldn't know the key and couldn't connect...

I plan having banning and kicking available in the game. icon_smile.gif
grazzhoppa - Sat Aug 09, 2008 6:59 pm
Post subject:
When the online game Quake went open source, the lead programmer proposed the same thing you've come up with: a closed source module that does all the communication between client and server with an encrypted protocol. This was almost 9 years ago:
http://www.bluesnews.com/cgi-bin/finger.pl?id=1&time=19991226003141
Bak - Sun Aug 10, 2008 5:16 pm
Post subject:
just have the server double check all client actions
k0zy - Mon Aug 11, 2008 4:27 am
Post subject:
If I settle for the closed source security module:

How do I keep modified clients from simply linking/using it? I don't get it...
Anonymous - Mon Aug 11, 2008 5:22 am
Post subject:
Bob Dole.. Bob Dole... Bob Dole...... bob dole.... bob... dole.... wrote:
If I settle for the closed source security module:

How do I keep modified clients from simply linking/using it? I don't get it...

You have a piece of code in the loader of the module (that has to be run before module can be used that checks the exe is the unmodified one. The module can either refuse to run, or more usefully silently report the user to the server. By not providing immeidate feedback its less clear how there hack is being detected icon_smile.gif
k0zy - Mon Aug 11, 2008 6:25 am
Post subject:
Thanks!
I'll go for the closed-source security module. icon_biggrin.gif
All times are -5 GMT
View topic
Powered by phpBB 2.0 .0.11 © 2001 phpBB Group