最安全的方式更新游戏分数从客户端到服务器数据库？ Javascript [英] Safest way to update game score from client to server database? Javascript

问题描述

所以我有这个游戏是完全运行在客户端。没有服务器交互，所以从下载的初始脚本玩游戏。无论如何，在游戏结束我想要的客户端发送给我回来的分数，应该在服务器数据库中更新。现在我来接受这样的事实，在地球上我可以隐藏这个从黑客和发送分数没有改变。但我想知道，直到什么水平可以修改整个过程，它实际上变得非常不可行的黑客操纵正在发送的数据。肯定我不喜欢从客户端机器发送纯文本的分数，我不希望我的服务器执行复杂的解密算法。什么是最好的方式，因此实现相当大的安全性，每个汤姆和哈里不会破坏分数...我希望有人可以提供一个很好的小方法，我可以工作... :)感谢

So I have this game that is completely run on the client. No server interaction what so ever apart from downloading the initial scripts to play the game. Anyway at the end of the game I would like for the client to send me back the scores which should be updated in the server database. Now I have come to accept the fact that there is no way on earth I can hide this from a hacker and send the scores unaltered. But I would like to know till what level can I modify the whole process that it virtually becomes pretty infeasible for the hacker manipulate the data which is being sent. For sure I would not like the score to be sent as plain text from client machine and I don't want my server to perform complex decryption algorithm. What is the best way hence to achieve considerable amount of security that every tom dick and harry doesn't hack the scores... I hope someone could provide a nice little way that I could work on... :) Thanks

所以我的理想结果应该是 - >从一个不信任的一方（玩家）的计算（分数）的信任结果！

So my ideal result should be -> have trusted result from a calculation (of score) made by an untrusted party (the player)!

-Edit -

-Edit-

有人告诉我有关隐藏图片获取请求中的数据的事情。喜欢，我在画布上实现这个游戏（html5）。所以他要求我在游戏结束时从我的服务器获取一个游戏的图像，他们的请求应该包含散列的分数。我不完全了解完整的过程，但如果你能解释一下，会真的很高兴！ ：）

Someone told me something about hiding the data in a picture get request. Like, I am implementing this game on canvas (html5). So he asked me at the end of the game to fetch a game over image from my server, and they request should contain the hashed score. I did not exactly understand the complete process but if you could explain it, would be really glad! :)

coda ^以便您可以很好地屏蔽请求

coda^ so you can mask the requests nicely

shouvik如何我这样做吗？

shouvik how do I do it!?

coda ^你可以组成你想提交的校验和。像12312312a12313a232是你的md5，其中包含得分。在画布中加入资源

coda^ you can compose the checksum you want to submit. like 12312312a12313a232 is your md5 which contains the score. bring in an asset into the canvas like

coda ^ server.com/images/md5_hash_of_score/congratulations.png

coda^ server.com/images/md5_hash_of_score/congratulations.png

coda ^您可以通过htaccess重写服务器端

coda^ which you can rewrite server side via htaccess

推荐答案

$ b $

哦，是的，有！

Oh yes, there is!

您可以使用RSA或任何其他公钥加密方法（也称为比对密码术）。

You can use RSA or any other public key encryption method (also called assymetric cryptography).

为服务器创建一组（公共和私有）密钥。
您的客户端代码包含您的服务器的公钥。

Create a set of (public and private) keys for the server. Have your client code include your server's public key.

在游戏结束时，客户端代码加密分数

At the end of the game, the client code, encrypts the score (with this key) and sends both (plain score and encrypted score) to server.

服务器解密并检查普通分数和解密分数是否相同。
如果是，请接受分数。
如果没有，拒绝（中间有一个黑客或网络错误）。

Server decrypts and checks if plain score and decrypted one are same. If yes, accept score. If not, reject (there's a hacker or network error in the middle).

------- UPDATE ----------- CORRECTION ------- -------

-------UPDATE-----------CORRECTION--------------

正如Ambrosia所指出的，我的做法完全失败了。

As Ambrosia, pointed out, my approach fails completely with this kind of attack.

你实际想要的是获得来自不可信方（玩家）计算（计分）的可信结果。没有简单的方法来实现这一点。

What you actually want is to have a trusted result from a calculation (of score) made by an untrusted party (the player). No easy way to achieve this.

请参阅： http://coltrane.wiwi.hu-berlin.de/~fis/texts/2003-profit-untrust.pdf

也是这个： http：// www。 cse.psu.edu/~snarayan/publications/securecomputation.pdf

而这（需要订阅ACM数字图书馆）： http://portal.acm.org/citation.cfm?id=643477.643479

And this (which needs a subscription to the ACM digital library): http://portal.acm.org/citation.cfm?id=643477.643479

这篇关于最安全的方式更新游戏分数从客户端到服务器数据库？ Javascript的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！