How would... double encryption fare?
Author
Currently working on a little diddy of an MORPG with my friend. And well, we want to keep it macro-proof. Seems one of the more popular styles of macros these days is proxy style where it'd obviously intercept packets, and change them as needed. So I'd like to encrypt the packets before they're sent out. But since this is with *all* packets (it's TCP, btw) I figured using something like RSA would be too slow. Doing it X-OR style would prove faster... but then the key would be saved in the memory. I figured... what if we encrypted it once with X-OR... and then again with a different key? It doesn't seem that slow and it'd sure as heck confuse people trying to decrypt the packets. Either way, some advice with what would be recommended for encryption would be nice here. :)
Thanks!
-Aternus
Edit by Fruny: fixed title.
[Edited by - Aternus on August 13, 2006 3:30:12 AM]
Quote:Original post by Aternus
So I'd like to encrypt the packets before they're sent out.
If there is an un-inlined encryption function in your program, they can call it too and encrypt their own packets.
Quote:
I figured using something like RSA would be too slow.
RSA is typically only used to encrypt and transmit a key that is then used with a faster, symmetric encryption algorithm.
Quote: Doing it X-OR style would prove faster... but then the key would be saved in the memory. I figured... what if we encrypted it once with X-OR... and then again with a different key?
That would only amount to a single XOR with a key that is the XOR of the two other keys repeated to a length that is their common least product.
e.g. key 1 "ABC" and key 2 "DEFG" would result in an effective key of "ABCABCABCABC" XOR "DEFGDEFGDEFG".
That ain't any more secure.
Quote:Either way, some advice with what would be recommended for encryption would be nice here.
Look for a library with encryption routines, carefully read up on how they should be used, then just use them. XOR encryption is crap.
While I'm not an expert on encryption, I don't recommend it. For starters, XOR encryption is very weak and it's easily crackable (unless you're using it in a One-Time Pad fashion, but that's not very practical). Anyone with some reverse engineering know-how and a good grasp of cryptography & statistics will break your system relatively quickly.
Also, just because you encrypt "plain text" twice in succession, it does not mean it will be more secure. This is especially true if you do a 2-pass XOR operation like you described, because there is a way to decypher the message with just a single XOR operation.
The problem you're trying to solve is quite complex, and the issue goes probably beyond cryptography as well. Security in over-the-wire communication doesn't depend entirely on concealing the message (i.e.. cryptography), they also depend on various "hand-shaking" algorithms which ensures that communication is only estabilished with a trusted sources or clients.
Before you dig in, I'd suggest you to do some background research on Information Theory in general, on topic related to crypto-analysis (i.e.. study the strenghts and weaknesses of popular crypto-systems), and topics on secure protocols.
Could start here:
http://www.cacr.math.uwaterloo.ca/hac/
Also, just because you encrypt "plain text" twice in succession, it does not mean it will be more secure. This is especially true if you do a 2-pass XOR operation like you described, because there is a way to decypher the message with just a single XOR operation.
The problem you're trying to solve is quite complex, and the issue goes probably beyond cryptography as well. Security in over-the-wire communication doesn't depend entirely on concealing the message (i.e.. cryptography), they also depend on various "hand-shaking" algorithms which ensures that communication is only estabilished with a trusted sources or clients.
Before you dig in, I'd suggest you to do some background research on Information Theory in general, on topic related to crypto-analysis (i.e.. study the strenghts and weaknesses of popular crypto-systems), and topics on secure protocols.
Could start here:
http://www.cacr.math.uwaterloo.ca/hac/
IMHO, no FAQ for beginner programmers is complete without:
Quote:
Q. Blah blah blah encryption blah blah blah?
A. Forget about it. If you do it yourself, it won't be secure. If you use an off the shelf solution, you'll probably end up using it in a way that defeats the purpose. Properly secure encryption is (a) really hard to get right, even for people who should know better; and (b) highly unlikely to be that useful, because encryption isn't the whole story of security, and because there often isn't anything worth securing anyway.
Q. Blah blah blah MMORPG blah blah blah?
A. Are you insane? A real MMORPG is a project for hundreds of very talented people working for years with millions of dollars of funding. If your project actually is of a scope you can handle, stop using those letters. Seriously, what's with the addiction to the term 'MMORPG'? Do you hear beginning composers saying they want to write an opera?
Author
Alright. Thank you Fruny and Tachi for actually helping. I'll look into the subject, and do what I can. And yes, I was already aware security isn't all in the packets.
Zahlman... geez. Way to be polite. Never once did I say it was a serious project. It's more of a learning experience for me and my friend, and so far it's going very well. As the GUI is working 100%, winsock wrapper class is faring (doesn't seem right, Fruny >_>) well, and it even works on Mac OSX and Linux. So far I have learned a LOT on OpenGL, networking, AND porting to other OS'. I decided I should try and learn a bit on encryption, too. How can this not be good for me? Also, if I'd called it an "RPG" you would assume it's offline. What am I supposed to call it? Oh, and I lowered your user rating due to your unpolite behaviour. And one last mention... about your signature. Shouldn't that be char*? Regular characters are very useful for holding numbers that you know will never go over 256. Also can hold 8 booleans in 1 byte, which is the same size as a regular boolean (for flags and such). Useful it be. Bug it be not.
Edit: Oh, and as for your MMORPG budget... what about Tibia? Was originally made by a team of 4 people and only one of which I believe knew how to program. They're not very good at it... their solution to macros was to give everyone else one (yes, they actually implemented it into the client last update). 'Least I'm trying to find ways around. Although it's not that great of a game, it has 4 million characters created to date.
-Aternus
Zahlman... geez. Way to be polite. Never once did I say it was a serious project. It's more of a learning experience for me and my friend, and so far it's going very well. As the GUI is working 100%, winsock wrapper class is faring (doesn't seem right, Fruny >_>) well, and it even works on Mac OSX and Linux. So far I have learned a LOT on OpenGL, networking, AND porting to other OS'. I decided I should try and learn a bit on encryption, too. How can this not be good for me? Also, if I'd called it an "RPG" you would assume it's offline. What am I supposed to call it? Oh, and I lowered your user rating due to your unpolite behaviour. And one last mention... about your signature. Shouldn't that be char*? Regular characters are very useful for holding numbers that you know will never go over 256. Also can hold 8 booleans in 1 byte, which is the same size as a regular boolean (for flags and such). Useful it be. Bug it be not.
Edit: Oh, and as for your MMORPG budget... what about Tibia? Was originally made by a team of 4 people and only one of which I believe knew how to program. They're not very good at it... their solution to macros was to give everyone else one (yes, they actually implemented it into the client last update). 'Least I'm trying to find ways around. Although it's not that great of a game, it has 4 million characters created to date.
-Aternus
Quote:Original post by Aternus
winsock wrapper class is faring (doesn't seem right, Fruny >_>) well
And yet that's the right verb. In fact, if you just take the aside out of your sentence, you almost get "fare well". Looks familiar? [smile] It isn't a coincidence, you know.
Quote:Also, if I'd called it an "RPG" you would assume it's offline. What am I supposed to call it?
Online RPG? Graphical MUD?
Author
Hrm, you're right... I've always said "farewell". I guess I'm just tired and mixing up the fair adjective with the fare verb. Ah, well. Also, I took out the "M" representing "Massive" in the original post to satisfy Zahlman. :d
-Aternus
-Aternus
Please don't be too offended by Zahlman's comments Aternus. If you have a search around the forums you'll find that MMORPG has become almost a running joke around here.
I note you at least had the decency to call yours a MORPG instead of a MMORPG.
[EDIT] Oh - you just took the M out just now.
I note you at least had the decency to call yours a MORPG instead of a MMORPG.
[EDIT] Oh - you just took the M out just now.
#1 encrypted packets are the same no matter what.
If the hacker is using a sniffer and has a methodology of determining what actions create what packets then you're encryption is cracked.
You must be able to base your encryption on timing so that a "Move Forward" packet changes according to time. Even then, hackers can 'figure it out.'
Ultimately, to get a good(but NOT un-crackable) game is to have both client and server validation routines.
Your best bet is to figure out the hackers and ban them when you can.
Happy coding!
If the hacker is using a sniffer and has a methodology of determining what actions create what packets then you're encryption is cracked.
You must be able to base your encryption on timing so that a "Move Forward" packet changes according to time. Even then, hackers can 'figure it out.'
Ultimately, to get a good(but NOT un-crackable) game is to have both client and server validation routines.
Your best bet is to figure out the hackers and ban them when you can.
Happy coding!
The truth is, the big comapanies cannot make hack proof games, and yes they try but the second one person discovers a hole, it spreads. So I think the only thing you can do is try your hardest but ultimately be prepared for macros to eventually get used.
This topic is closed to new replies.
Advertisement
Popular Topics
Advertisement
