The situation
- Players can’t be trusted, some just like to cheat.
- These cheaters have access to the encryption algorithm via the client executable version of the game.
- It is very important to prevent cheating, because otherwise it can ruin the game for thousands of players.
- The ultimate goal is not to make the game 100% secure but to make it really hard to cheat.
Packets
- Clients and servers use packets to communicate with each other.
- Packets have a header and a payload.
- The header contains administrative information.
- The payload contains the actual data we want to communicate.
Checksums
- We want to detect any changes to packets.
- An easy way is to do a checksum.
- We compute a checksum by combining all the bytes in the packet.
- The sender and the receiver each calculate the checksum of the packet; the receiver compares the two values and rejects the packet if they don’t match.
Packet replay
- Packet replay is when an attacker saves a valid packet in order to send it multiple times.
- This allows the cheater to perform game actions much faster than the game actually allows.
- Best solution against packet replay is for each packet to have some state information.
- This causes packets with identical payloads to have different bit patterns.
- It could be as simple as a number that increments, but to make it harder for cheaters a random number is better.
Packet tampering prevention
Problem:
- The meaning of packets can be determined based on their length regardless of encryption.
- This information can be used to figure out the packet protocol. Then a malicious user could attempt to filter, modify or craft packets.
Solution 1:
- We pad the data with a random amount of junk bits.
- The number of random bits is determined by a synchronized state machine that both the client and the server have.
Solution 2:
- We XOR the payload with a random number of bits. The random number is determined by a synchronized state machine that both client and server have.
- Both sender and receiver will perform this process in order to send and read the packet payload.
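The checksum, per-packet state, random padding and XOR steps above can be combined in one packet format. The sketch below is an added example, not code from the original slides; the Endpoint class, the shared seed, the 4-byte CRC-32 header and the use of Python's random.Random as the synchronized state machine are all assumptions made for illustration, and random.Random is not cryptographically secure.

```python
import os
import random
import struct
import zlib


class Endpoint:
    """One end of the link; both ends start from the same shared seed."""

    def __init__(self, seed):
        # Assumption: a seeded PRNG stands in for the synchronized state
        # machine. random.Random is not cryptographically secure.
        self.state = random.Random(seed)

    def _pad_and_nonce(self):
        # Per-packet state: junk length (1..16 bytes) and a replay nonce.
        pad_len = self.state.randrange(1, 17)
        return pad_len, struct.pack("!I", self.state.getrandbits(32))

    def _mask(self, data):
        # XOR with state-derived bytes; the same call encodes and decodes.
        return bytes(b ^ self.state.randrange(256) for b in data)

    def send(self, payload):
        pad_len, nonce = self._pad_and_nonce()
        header = struct.pack("!I", zlib.crc32(nonce + payload))
        return header + self._mask(payload) + os.urandom(pad_len)

    def receive(self, packet):
        saved = self.state.getstate()
        pad_len, nonce = self._pad_and_nonce()
        payload = None
        if len(packet) >= 4 + pad_len:
            (checksum,) = struct.unpack("!I", packet[:4])
            payload = self._mask(packet[4:len(packet) - pad_len])
            if zlib.crc32(nonce + payload) != checksum:
                payload = None
        if payload is None:
            self.state.setstate(saved)  # rejected: stay in sync with sender
        return payload


def demo():
    # Constructed traffic: the same game action sent twice, first one replayed.
    client, server = Endpoint(seed=1234), Endpoint(seed=1234)
    first, second = client.send(b"FIRE"), client.send(b"FIRE")
    replies = [server.receive(p) for p in (first, first, second)]
    return first != second, replies
```

The replayed copy of the first packet is rejected because the receiver's state has already advanced, and the receiver rolls its state back on rejection so the next genuine packet still decodes.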
Final Remarks
- The hardest problem to address is that the client has the entire encryption algorithm, so it can always be reverse engineered.
- So our ultimate goal isn’t to make our game 100% secure but make it really hard for a player to cheat.
We can follow these general guidelines to make it harder:
- Remove all debugging information from any release to the public.
- Don’t isolate encryption and decryption algorithms in their own functions. This makes it too easy to detect. Instead combine them with some of the network code.
- Include good encryption in every client version of the game, even early betas.
P.S. This was originally a PPT; I pasted it all together because it is easier for me to read that way.