Obscurity is not good Security

Started by
26 comments, last by hplus0603 18 years, 8 months ago
Quote:Original post by sit
I might be way off base here, but here is some rambling about public key encryption

essentially it only stops tampering with the data between the client and server. Without it I can get away with an unmodified client and I can have some computer on my network sending additional "attack" packets or have that computer modify packets of things my client would decide not to show to make it always visible. However, it would just be easy enough for me to modify the client to do that myself, particularly if it were open source.

will the server be open source? or just the client?

The purpose of enciphering it is to make it very hard to determine the content of those packets. It has two purposes: obfuscate the communication protocol, or hide the contents, or both.

If an observer does not know the message format, it is very hard to build an attack packet, or spoof a packet, because you do not have the message structure the system is expecting. The server would get a packet, realize it is not correct and throw it away. It only makes sense as closed source to hide the message format. And, very sharp people will figure out a way to make it very unlikely of guessing a valid sequence by random.

A simple message structure: HDR FORMAT DATA END. If you encrypt it, you have no idea what is what, what is hdr, what is in format, etc. So you have to resort to brute force and try many random guesses until something works. Smarter people will use analysis and mathematics to find the fingerprints and it's all over. Fortunately most people are dumb and will resort to brute force. So you use some sense and devise a scheme where the likelihood of a random guess working is more likely to occur after the universe ends. It will keep out everyone but super spies. I doubt the NSA is really caring much about your game but you never know.

Encryption in open source would be more useful to hide the client to server from other snoopers. If each client had its own key then cheaters would not be able to break the encipher from other clients to the server (so that lamers could possibly snoop on private group messages and use it to their advantage). Apache is a good example, the message format is open (HTTP) but it uses secure sockets to encrypt content (from snoopers).
"It's such a useful tool for living in the city!"
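As an added example, not code from this thread, here is the HDR FORMAT DATA END layout described above, authenticated with a per-client HMAC key so that the server drops spoofed, cross-client and randomly guessed packets instead of relying on the format being secret. Field widths, the marker bytes and the two keys are constructed assumptions for the demo.

```python
import hmac
import hashlib
import os
import struct

# Layout from the post: HDR FORMAT DATA END, then an HMAC-SHA256 tag.
# Sizes are assumptions: 4-byte header, 1-byte format code,
# 2-byte big-endian data length, 1-byte end marker, 32-byte tag.
HDR = b"GAME"
END = b"\xff"
TAG_LEN = 32
MIN_LEN = len(HDR) + 3 + len(END) + TAG_LEN


def frame(key: bytes, fmt: int, data: bytes) -> bytes:
    """Client side: build the message and append a tag under this client's key."""
    body = HDR + struct.pack("!BH", fmt, len(data)) + data + END
    return body + hmac.new(key, body, hashlib.sha256).digest()


def parse(key: bytes, packet: bytes):
    """Server side: return (fmt, data) only for a well-formed packet whose tag
    verifies under the key the server holds for that client, else None."""
    if len(packet) < MIN_LEN:
        return None
    body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    # Constant-time comparison: a forged, replayed-from-another-client or
    # randomly guessed tag fails here before any field is interpreted.
    if not hmac.compare_digest(expected, tag):
        return None
    if not body.startswith(HDR) or not body.endswith(END):
        return None
    fmt, length = struct.unpack("!BH", body[4:7])
    data = body[7:7 + length]
    if len(data) != length or body[7 + length:] != END:
        return None
    return fmt, data


# Constructed per-client keys, one per client as the post suggests.
KEY_A = b"\x01" * 32
KEY_B = b"\x02" * 32


def demo():
    good = frame(KEY_A, 1, b"move north")
    accepted = parse(KEY_A, good)                      # legitimate client A packet
    cross = parse(KEY_A, frame(KEY_B, 1, b"move north"))  # client B spoofing A
    tampered = good[:8] + bytes([good[8] ^ 1]) + good[9:]  # one flipped data bit
    modified = parse(KEY_A, tampered)
    guessed = parse(KEY_A, os.urandom(len(good)))      # brute-force style guess
    return accepted, cross, modified, guessed
```

This only authenticates the channel: as hplus0603 points out in the next post, a modified client still holds its own key and produces packets the server accepts, so game rules must be checked server-side regardless.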
Actually, smart people will likely just use a disassembler on the running program, which lovingly hand-crafts an unenciphered message, then passes it on to some encryption code to scramble it. Someone using "secure sockets" would just make it easier, because you'd already know where to set the breakpoints to see the cleartext data before it's passed to the encryption.
enum Bool { True, False, FileNotFound };
Quote:Original post by hplus0603
Actually, smart people will likely just use a disassembler on the running program, which lovingly hand-crafts an unenciphered message, then passes it on to some encryption code to scramble it. Someone using "secure sockets" would just make it easier, because you'd already know where to set the breakpoints to see the cleartext data before it's passed to the encryption.


Yeah that is a good point for games. If you have one half of the product you have half the solution.

I was mostly rambling on about the classic 'observer in the middle' scenario.. so very good point indeed.

So, does closed source only buy you time then? I am certainly not a master at reverse engineering/cracking/hacking/crypto... in the end, it has to run in native machine code, and if you softice or whatever, it's all open to you. So even encrypting executable schemes, they only buy you time too?

I wonder, will Palladium offer hardware encryption at instruction levels, or is it just a way to lock out unauthorized apps? I should do some more research on it. But I am sure there is someone out there who will break it.
"It's such a useful tool for living in the city!"
Quote:Original post by hplus0603
Actually, smart people will likely just use a disassembler on the running program, which lovingly hand-crafts an unenciphered message, then passes it on to some encryption code to scramble it. Someone using "secure sockets" would just make it easier, because you'd already know where to set the breakpoints to see the cleartext data before it's passed to the encryption.


Quite sad indeed if someone who has the skills and intellect to pull something like that off would choose to spend their time and energy attempting to cheat in an open source game.
Quote:Original post by BobV
Quote:Original post by hplus0603
Actually, smart people will likely just use a disassembler on the running program, which lovingly hand-crafts an unenciphered message, then passes it on to some encryption code to scramble it. Someone using "secure sockets" would just make it easier, because you'd already know where to set the breakpoints to see the cleartext data before it's passed to the encryption.


Quite sad indeed if someone who has the skills and intellect to pull something like that off would choose to spend their time and energy attempting to cheat in an open source game.


You could argue it's rather more sad that there are professional programmers who are lazy enough to think this constitutes a "solution" in the first place, without actually thinking about WTF they are doing...

Shrug. IMHO, it takes very little skill and intellect to "pull off something like that". Me and my peers were doing it when I was 12 years old (for arguably less offensive reasons) and it's only got easier as the free tools have got better.
Actually, it's gotten harder in a way. How many new CS graduates can understand asm enough to disassemble a mmorpg client and then hack it? I don't know many honestly and then we were doing crap like that before we graduated anyway, because CS was our hobby and we were just going through the motion to get our diploma.

After you come out of uni, you're probably never going to use asm again unless you do it for a personal project, so you become even less knowledgeable about it. Heck, at my uni we were using "fake" assembly running on a virtual machine.

Don't even get me started on how 90% of the uni students don't know what a packet sniffer or a hex editor is. I'm sure they could learn if they had to, but there's not many professional situations that force you to become proficient with disassembling and hex editors.

On another note, hacking games for creating modding tools, was quite a fun thing to do and a very instructive experience, I recommend it if you have too much free time =).
A little off topic
Quote:2. You could read Game Programming Gems 5, "Secure by Design", on the topic of how to make your game secure, especially if it's an online game. It doesn't tell you how to do encryption etc, but it gives you a framework to let you find out whether it's even worth bothering doing encryption etc. (disclaimer: I wrote that. So, I'm biased. I make something like $ 0.01 if you buy a copy of the book)


Coincidentally, I actually bought that book last week, it's got some good stuff in it.
Quote:does closed source only buy you time then?


Pretty much. And not THAT much time, either. The argument is similar to that of copy protection. Copy protection is usually no problem for the cracker pirates, but may annoy real paying customers. You only need enough to keep honest people honest, and then find some other way of dealing with the dishonest people.
enum Bool { True, False, FileNotFound };
