
Safest way to update game score from client to server database? Javascript

Question

So I have this game that is completely run on the client. No server interaction whatsoever apart from downloading the initial scripts to play the game. Anyway at the end of the game I would like for the client to send me back the scores which should be updated in the server database. Now I have come to accept the fact that there is no way on earth I can hide this from a hacker and send the scores unaltered. But I would like to know till what level can I modify the whole process that it virtually becomes pretty infeasible for the hacker to manipulate the data which is being sent. For sure I would not like the score to be sent as plain text from client machine and I don't want my server to perform complex decryption algorithm. What is the best way hence to achieve considerable amount of security that every Tom, Dick and Harry doesn't hack the scores... I hope someone could provide a nice little way that I could work on... :) Thanks

So my ideal result should be -> have trusted result from a calculation (of score) made by an untrusted party (the player)!

-EDIT-

Someone told me something about hiding the data in a picture get request. Like, I am implementing this game on canvas (html5). So he asked me at the end of the game to fetch a game over image from my server, and the request should contain the hashed score. I did not exactly understand the complete process but if you could explain it, would be really glad! :)

coda^ so you can mask the requests nicely

shouvik how do I do it!?

coda^ you can compose the checksum you want to submit. like 12312312a12313a232 is your md5 which contains the score. bring in an asset into the canvas like

coda^ server.com/images/md5_hash_of_score/congratulations.png

coda^ which you can rewrite server side via htaccess

Recommended answer

"Now I have come to accept the fact that there is no way on earth I can hide this from a hacker and send the scores unaltered."

Oh yes, there is!

You can use RSA or any other public key encryption method (also called asymmetric cryptography).

Create a set of (public and private) keys for the server. Have your client code include your server's public key.

At the end of the game, the client code encrypts the score (with this key) and sends both (plain score and encrypted score) to server.

Server decrypts and checks if plain score and decrypted one are same. If yes, accept score. If not, reject (there's a hacker or network error in the middle).

-------UPDATE-----------CORRECTION--------------

As Ambrosia pointed out, my approach fails completely with this kind of attack.

What you actually want is to have a trusted result from a calculation (of score) made by an untrusted party (the player). No easy way to achieve this.

See: http://coltrane.wiwi.hu-berlin.de/~fis/texts/2003-profit-untrust.pdf

And this: http://www.cse.psu.edu/~snarayan/publications/securecomputation.pdf

And this (which needs a subscription to the ACM digital library): http://portal.acm.org/citation.cfm?id=643477.643479
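
The scheme from the answer above, as an added example that is not part of the original answer: it shows that the server check only confirms the plain and encrypted fields agree, and the public key needed to make them agree ships in the client script. It uses Node's built-in crypto module; the function names and score values are constructed for illustration.

```javascript
const crypto = require('node:crypto');

// Server key pair (constructed for this example).
// The public half is what the answer says to include in the client code.
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });

// Client side, as described in the answer: send the plain and the encrypted score.
function buildSubmission(score, serverPublicKey) {
  const encrypted = crypto.publicEncrypt(serverPublicKey, Buffer.from(String(score)));
  return { score, encrypted: encrypted.toString('base64') };
}

// Server side, as described: decrypt and compare with the plain score.
function serverAccepts(submission, serverPrivateKey) {
  try {
    const decrypted = crypto.privateDecrypt(
      serverPrivateKey,
      Buffer.from(submission.encrypted, 'base64')
    );
    return decrypted.toString() === String(submission.score);
  } catch (err) {
    return false; // malformed or corrupted ciphertext
  }
}

function demo() {
  // Score produced by actually playing.
  const played = buildSubmission(1200, publicKey);
  // Number that no game session produced, passed through the same public function.
  const typedIn = buildSubmission(999999999, publicKey);
  // Plain field changed in transit while the ciphertext is left alone.
  const altered = { ...played, score: 5000 };

  return {
    played: serverAccepts(played, privateKey),   // true
    typedIn: serverAccepts(typedIn, privateKey), // true: the check cannot tell it from a played score
    altered: serverAccepts(altered, privateKey), // false: only field mismatch is detected
  };
}

console.log(demo());
```

Public-key encryption here gives confidentiality toward the server, not proof of where the number came from, which is why the correction restates the problem as needing a trusted result from an untrusted party.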
