encryption for my online game - where to start?


Hi everyone, Does anyone know where to find information on implementing encryption in an online RPG? I've finished writing the client game engine and I'm starting to work on my server and network code, but I'm relatively clueless with regards to encrypting this stuff. Any pointers are appreciated! Ty

http://www.faqs.org/faqs/cryptography-faq/part01/
http://www.openssl.org
http://vig.prenhall.com/catalog/academic/product/1,4096,0130914290,00.html

kdIXfA.gamedev.10.coreyh@xoxy.net
www.ipeg.com/~rlfc

What do you need encryption for?

I can see the use if you want to encrypt passwords when you send them to the server, but other than that I don't see how it adds security to an online game.

If you think it will allow you to trust data from the client, you're mistaken, since it is just as easy to alter data sent before you encrypt it, by hacking the client application.

I'm putting it in mainly because it's a good project for some Computer Science research that I have to do for college. Research, write a report, implement - yadda yadda

P.S. - Thanks Coreyh!

Ty

I think that if you use public key cryptography and digital signatures it would be possible to have players have a verifiable identity. Cheating would be connected to a person. A person would be blocked instead of an IP address.

It would take some work to set up though. The amount of CPU time taken up by checksumming and cryptography would also be big.

It's just a theory though. I haven't tested it yet.

kdIXfA.gamedev.10.coreyh@xoxy.net
www.ipeg.com/~rlfc

[edited by - coreyh on October 17, 2002 4:13:04 PM]

quote:
Original post by Xiol
What do you need encryption for?

I can see the use if you want to encrypt passwords when you send them to the server, but other than that I don't see how it adds security to an online game.

If you think it will allow you to trust data from the client, you're mistaken, since it is just as easy to alter data sent before you encrypt it, by hacking the client application.



Well, Half-Life (and Counter-Strike) uses Blowfish encryption on its packets, and it's worked fine so far. Half-Life had (and still has) its fair share of cheats, but none of them operate by sending / deciphering packets. If the communication protocol was discovered, there would be a huge disaster.

Guest Anonymous Poster
quote:
Original post by FearedPixel


Well, Half-Life (and Counter-Strike) uses Blowfish encryption on its packets, and it's worked fine so far. Half-Life had (and still has) its fair share of cheats, but none of them operate by sending / deciphering packets. If the communication protocol was discovered, there would be a huge disaster.


Why's that? People can and do hack the client already. Adding in bogus network packets wouldn't add any additional capabilities to that.

quote:
Original post by Anonymous Poster
Why's that? People can and do hack the client already...


If you rely on encryption so that you may 'trust the client', then obviously you're encrypting for the wrong reason -- one should never trust the client, and I think most of us here agree on that point.

But that doesn't mean that encrypting the packet stream is useless, or in any way foolish. It keeps the casual hackers out of your face right from the start, and the more determined hackers are going to be hacking your client anyway, whether or not you had encryption in it.

Keeping out the casual hacker isn't a bad thing.

Think of it this way. A determined snoop will rip open your envelopes and read your mail. Does that make envelopes stupid?
Sure, it's not a great analogy to encrypting packets, but encrypting the data is akin to wrapping it in an envelope. The casual browser can't read it.

Guest Anonymous Poster
I don't know if I'm actually on the right track here... well, this is my version of the problems/solutions.

Even if the datastream between a game server<->client was encrypted it doesn't matter; one can easily hack into the application and remove the encrypt function (with a little knowledge of ASM). It can be done both at run time and in the exec.
Another problem with encryption in games is also the time it takes to compute the encryption for packets; a strong algorithm could lower the framerate and make the server slow :/

A way to solve these problems could be to have the same encrypt function placed in several different places in the exec, then switch between the functions at runtime by using function pointers. Of course dynamic memory could be used to solve this problem as well.
One could also change/update the encrypt algo once a week or so.

Guest Anonymous Poster
Of course none of that can get rid of the fact that the client computer has to store the key to decrypt the packets, so you have access to that anyway... well, changing the encryption algo could help, unless they just call the decryption routine from your own code.

As SenseiDragon said, you want to get rid of casual [cr|h]ackers; the real ones you won't fool, only provoke. For the former task, all you really need is a simple XOR algorithm and the kiddies won't have a clue.

A simple and pretty solid scheme could be like this:
- Server sends a random "session string" (argh, what are they called?)
- The client encrypts the "session string" with its unique reg key (or similar).
- The encryption key (= "session string" + reg key) is then used throughout the session for encryption of the traffic.

As for the encryption technique to employ? Whatever. Adding, XORing, it won't really matter unless you're going to make banking transactions. Only professionals will be able to decrypt it.

EDIT: Just a note. The encryption key shall be what I think is called a "digest key", so you can't use it together with the "session string" to extract the reg key (which should never leave the client). And of course, the client needs to identify itself somehow before the transaction described above, so the server can know what reg key to use itself.
---------------------------------------------
"VB is a disease"

[edited by - CWizard on October 27, 2002 7:53:42 PM]
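
The session-key scheme described in the post above, as an added example that is not part of the original thread or any poster's code: it uses HMAC-SHA256 from Python's standard library as the digest, and it authenticates packets rather than encrypting them (a cipher would come from a vetted library such as OpenSSL). The account name, keys, packet layout and all function names are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: the server's table of account -> registration key.
REG_KEYS = {"player42": b"constructed-reg-key-0001"}
TAG_LEN = 32  # bytes in an HMAC-SHA256 tag

def new_session_string() -> bytes:
    """Server: fresh random value for each session (a nonce)."""
    return secrets.token_bytes(16)

def derive_session_key(reg_key: bytes, session_string: bytes) -> bytes:
    """Both sides: keyed one-way digest of the session string.

    The output plus the session string does not reveal reg_key.
    """
    return hmac.new(reg_key, b"session-key" + session_string, hashlib.sha256).digest()

def seal(key: bytes, seq: int, payload: bytes) -> bytes:
    """Prefix a 4-byte sequence number and append a MAC over both."""
    body = seq.to_bytes(4, "big") + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()

def open_packet(key: bytes, expected_seq: int, packet: bytes):
    """Return the payload, or None for a forged, altered or replayed packet."""
    if len(packet) < 4 + TAG_LEN:
        return None
    body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        return None
    if int.from_bytes(body[:4], "big") != expected_seq:
        return None
    return body[4:]

def handshake(account: str, client_reg_key: bytes):
    """Simulate both ends; only the account name and session string cross the wire."""
    session_string = new_session_string()                               # server -> client
    client_key = derive_session_key(client_reg_key, session_string)     # computed on client
    server_key = derive_session_key(REG_KEYS[account], session_string)  # computed on server
    return client_key, server_key

if __name__ == "__main__":
    ck, sk = handshake("player42", b"constructed-reg-key-0001")
    pkt = seal(ck, 0, b"MOVE 10 12")
    print(open_packet(sk, 0, pkt), open_packet(sk, 1, pkt))
```

A packet that verifies only shows that the sender holds the reg key; the server still has to validate the game action itself, which is the point made earlier in the thread about never trusting the client.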
