安全地提供了一个独特的秘密code到Flash游戏的赢家？ [英] Securely provide a unique secret code to winner of flash game?

问题描述

这就是我想做的事：当玩家赢得游戏（闪光灯/动作codeD），它们被赋予了个性化的密钥，他们可以换取奖品发邮件给我。那么我就可以使用专用算法验证我的结束键。

Here's what I want to do: when a player wins a game (coded in flash/actionscript), they are given a personalized secret key, which they can email to me in exchange for a prize. I can then validate the key on my end using a private algorithm.

我要设计它，以便它几乎是不可能的黑客产生没有赢得本场比赛的有效奖金关键。这甚至可能？

I need to design it so that it is practically impossible for hackers to generate a valid prize key without winning the game. Is this even possible?

我认为任何SWF文件基本上是容易受到反编译，但我不知道他们究竟是多么脆弱。也许任何算法生成一个有效的密钥将可让黑客？

I assume that any SWF file is basically vulnerable to decompilation, but I don't know exactly how vulnerable they are. Perhaps any algorithm for generating a valid key will be accessible to hackers?

我在我的处置在ActionScript 3中的所有方法，以及一个PHP / MySQL服务器，而我控制那里的比赛将被托管的服务器。

I have at my disposal all the methods in actionscript 3, as well as a PHP/MySQL server, and I control the server where the game will be hosted.

推荐答案

首先，不给用户一个秘密code来验证。

First off, don't give the user a "secret" code to validate.

在页面上提供给客户营造一个秘密code。大概一个base64连接codeD GUID会的工作。记录GUID，生成时，在数据库中的浏览器指纹。

When delivering the page to the client create a "secret" code. Probably a base64 encoded GUID would work. Record the guid, when it was generated, and the browser fingerprint in your database.

在游戏结束有动作脚本得到他们的细节奖金交付。发布这回您的服务器一起code。再次记录完成和所述浏览器的指纹的日期时间

Once the game is over have the action script get their details for prize delivery. Post this back to your server along with the code. Again record the date time of completion and the browser fingerprint.

要验证，检查时间GUID代之间传递的量。也期待在浏览器的指纹。

To validate, check the amount of time that passed between guid generation. Also look at the browser fingerprint.

骗子会站出来在三个方面。首先，将日期/时间增量将是非常短。你应该知道它通常花费多长时间玩。第二，你可能会看到许多帖子到您的网页无效codeS。第三，在浏览器的指纹，甚至可能会告诉你谁是使用自动化工具。

Cheaters will stand out in three ways. First, the date/time delta will be extremely short. You should know how long it normally takes to play. Second, you might see a host of posts to your page with invalid codes. Third, the browser fingerprint might even tell you who was using automated tools.

更新
我只是想指出的几件事情，你会想包括。首先，@aaz有大约询问玩家关于游戏在他们填写的赢家信息点问题，一个伟大的想法。这应该是一些元素是随机的。也许不只是颜色因人谁是色盲的数量;但肯定是可以控制和交付动作脚本之前记录的服务器端。至少是张贴结果时，这将需要人为干预的某一水平。

UPDATE
I just wanted to point out a couple things you will want to include. First, @aaz had a great idea about asking the player a question about the game at the point they are filling out the winner information. This should be some element that is randomized. Probably not color simply due to the number of people who are color blind; but certainly something you can control and record server side prior to delivering the action script. At the very least this would require some level of human intervention when posting results.

二，@约翰刘易斯有大约记录他们在游戏中的行动和提交的一个好主意。也许任何点击的坐标可以被保存并立即发送回服务器并保存与日期/时间戳记。你可以比较多个游戏的坐标寻找模式。智能分析将是非常重要的。

Second, @John Lewis had a good idea about recording their in game actions and submitting those. Perhaps any click coordinates could be saved and immediately sent back to the server and saved with a date/time stamp. You could compare those coordinates across multiple games to look for patterns. Intelligent analysis will be important.

这篇关于安全地提供了一个独特的秘密code到Flash游戏的赢家？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！