确保高分数在Flash / PHP的游戏建议(SEMI) [英] Suggestions for (semi) securing high-scores in Flash/PHP game
问题描述
...我已阅读,讨论了各种方法和只是在寻找上,我们提出了一个建议的解决方案的一些反馈对这里的几个线程。在一个线程的评论被张贴建议听起来伟大的公钥/私钥,这就是我们在想...
...I have read a few threads on here that have discussed various methods and was just looking for some feedback on a proposed solution we came up with. In one of the threads a comment was posted recommending a public/private key which sounded great, this is what we were thinking...
客户端 - 1.密钥存储的Flash SWF这是使用第三方工具加密内部。 (:MD5('ourSecretKey'+ 200)EX)2.高得分与高得分值散列 3.该值通过AMF发送到PHP脚本在服务器上,伴随着高得分(200)
Client Side - 1. Key is stored inside of Flash swf which is encrypted using 3rd party tool. 2. High score is hashed along with high-score value (EX: md5 ('ourSecretKey' + 200)) 3. This value is sent via AMF to a PHP script on the server, along with the high-score (200)
服务器端 - 1.服务器接收数据和散列通过高得分(200)+秘密密钥('ourSecretKey'存储在服务器上,以及在闪光),并检查与传入散列值是否匹配它允许高得分要输入,否则失败。
Server Side - 1. Server receives data and hashes the passed high-score (200) + secret key ('ourSecretKey' stored on the server as well as in Flash) and checks against the passed hash if the value is a match it allows the high-score to be entered, else FAIL.
我知道这不是一个简单的解决方案,但这样做是否可以接受?我的意思是这将是一个高得分表上足够的安全性进行一个简单的在线Flash小游戏?思考?
I know this isn't a foolproof solution but would this be acceptable? I mean would this be sufficient security on a high-score form for a simple online Flash game? Thoughts?
感谢你在前进!
推荐答案
对于一个可笑短的值(即:值< 64个字符),MD5作为哈希就失效了,由于彩虹表攻击,因为你的价值重发将通过线路共享,他们所要做的是蛮力共享的秘密(他们有一个已知的产品一起工作)
For a ridiculously short value ( Ie: values < 64 characters ), MD5 as a hash becomes ineffective due to rainbow table attacks, and as the value you're sending will be shared over the wire, all they have to do is brute force the shared secret ( and they have a known product to work with )
这样,那不是公钥私钥。其mererly共享的秘密。
As such, thats not public key private key. its mererly shared secret.
另外,请记住,这共享秘密将在您的Flash文件中发送给用户,而这些天,被平凡拆卸,然后你的秘密已经不是什么秘密了。
Also, keep in mind this shared secret will be in your flash file you send to the user, which these days and be trivially disassembled and then your "secret" is not a secret any more.
您需要适当的加密签名,其中一个新的符号键被分配给从服务器的每一场比赛,并多次得分不能用相同的符号键提交了多挑战 - 响应机制。 (对于额外的保护;))
You want a more challenge-response mechanism with proper crypto signing, where a new sign key is assigned for every game from the server, and multiple scores cannot be submitted with the same sign key. ( For extra protection ;) )
- 在用户启动游戏。注册密钥请求。 (符号键是从另一个关键生产的,他们不能访问)。
- 在得分与符号键签名,然后送到
- 您确认你送他们的主要符号的价值。
- 您放弃您发送符号键。
不过,您的还是的有,你有没有办法prevent实际的评分系统被篡改的问题。有人足够聪明,可以只逆向工程的SWF对象,并注入新的code,它只是设置了比分到他们所选择的价值。
However, you still have the problem where you have no way to prevent the actual scoring system being tampered with. Somebody smart enough could just reverse engineer your SWF object and inject new code that just sets the score to their chosen value.
这篇关于确保高分数在Flash / PHP的游戏建议(SEMI)的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
