在 Flash/PHP 游戏中(半)确保高分的建议 [英] Suggestions for (semi) securing high-scores in Flash/PHP game
问题描述
...我在这里阅读了一些讨论各种方法的主题,只是想就我们提出的建议解决方案寻找一些反馈.在其中一个帖子中发布了一条评论,推荐了一个听起来很棒的公钥/私钥,这就是我们的想法......
...I have read a few threads on here that have discussed various methods and was just looking for some feedback on a proposed solution we came up with. In one of the threads a comment was posted recommending a public/private key which sounded great, this is what we were thinking...
客户端 -1. 密钥存储在使用第三方工具加密的 Flash swf 中.2. 高分与高分值一起散列(例如:md5 ('ourSecretKey' + 200))3.这个值通过AMF发送到服务器上的一个PHP脚本,连同高分(200)
Client Side - 1. Key is stored inside of Flash swf which is encrypted using 3rd party tool. 2. High score is hashed along with high-score value (EX: md5 ('ourSecretKey' + 200)) 3. This value is sent via AMF to a PHP script on the server, along with the high-score (200)
服务器端 -1. 服务器接收数据并散列传递的高分 (200) + 密钥('ourSecretKey' 存储在服务器和 Flash 中)并检查传递的散列值是否匹配它允许高分必须输入,否则失败.
Server Side - 1. Server receives data and hashes the passed high-score (200) + secret key ('ourSecretKey' stored on the server as well as in Flash) and checks against the passed hash if the value is a match it allows the high-score to be entered, else FAIL.
我知道这不是一个万无一失的解决方案,但这可以接受吗?我的意思是,对于一个简单的在线 Flash 游戏来说,这对于高分形式的安全性是否足够?想法?
I know this isn't a foolproof solution but would this be acceptable? I mean would this be sufficient security on a high-score form for a simple online Flash game? Thoughts?
先谢谢你!
推荐答案
对于短得可笑的值(即:值 <64 个字符),MD5 作为散列由于彩虹表攻击而变得无效,而作为值你'重新发送将通过网络共享,他们所要做的就是暴力破解共享的秘密(并且他们有一个已知的产品可以使用)
For a ridiculously short value ( Ie: values < 64 characters ), MD5 as a hash becomes ineffective due to rainbow table attacks, and as the value you're sending will be shared over the wire, all they have to do is brute force the shared secret ( and they have a known product to work with )
因此,那不是公钥私钥.它只是共享的秘密.
As such, thats not public key private key. its mererly shared secret.
另外,请记住,这个共享的秘密将在您发送给用户的 Flash 文件中,这些天这些文件被简单地分解,然后您的秘密"不再是秘密.
Also, keep in mind this shared secret will be in your flash file you send to the user, which these days and be trivially disassembled and then your "secret" is not a secret any more.
您需要一种具有适当加密签名的更具挑战性的响应机制,其中从服务器为每个游戏分配一个新的签名密钥,并且不能使用相同的签名密钥提交多个分数.(为了额外的保护;))
You want a more challenge-response mechanism with proper crypto signing, where a new sign key is assigned for every game from the server, and multiple scores cannot be submitted with the same sign key. ( For extra protection ;) )
- 用户开始游戏.要求签名密钥.(签名密钥是从他们无法访问的另一个密钥生成的).
- 分数用签名密钥签名,然后发送
- 您使用发送给他们的密钥验证该标志的值.
- 您丢弃了发送给他们的签名密钥.
然而,您仍然面临着无法防止实际评分系统被篡改的问题.足够聪明的人可以对您的 SWF 对象进行逆向工程并注入新代码,将分数设置为他们选择的值.
However, you still have the problem where you have no way to prevent the actual scoring system being tampered with. Somebody smart enough could just reverse engineer your SWF object and inject new code that just sets the score to their chosen value.
这篇关于在 Flash/PHP 游戏中(半)确保高分的建议的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
