[MUD-Dev] Trusting the client, encrypting data

Mike Shaver shaver at off.net
Mon Dec 15 19:34:26 New Zealand Daylight Time 2003

On Dec 13, Amanda Walker wrote:

> The problem isn't the cipher algorithm--nobody hacks games by using
> cryptanalysis.  The problem is key management and data flow.  If the
> client code is running on a PC, it's running in a wide-open
> environment.  Using Windows as the canonical example, someone with
> good SoftICE chops can and will crack open your client and feed in
> (or siphon off) any data they want on the cleartext side of your
> cipher algorithm.  They're not trying to reverse engineer your data
> stream until after they've reverse engineered your code, at which
> point they can leave the encryption stage as a black box.

I don't see how chopping up the client code helps, necessarily.  I can
stream you (over cheap, high-latency bulk bandwidth) content well ahead
of your actually needing it, encrypted with a key (or, more likely, many
keys) that your client doesn't have.  When the time comes for me to show
you a given room or item or anything else, I just have to send you the
key for those data.  Could they share those data with other people?
Sure, but they can share screenshots as well.  For data that are too
large to stream "on demand" as new content becomes accessible to the
player, and which have a limited lifespan of utility (a maze that changes
every few hours, or the disposition of the enemy's troops while they
rest for the night), I think it's a viable way to "warm the cache"
without giving the player unfettered access to "controlled" content.
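
The scheme described in this message, sketched as an added example (not code from the post or from any game): the server encrypts each item under its own key, ships the ciphertext in bulk ahead of time, and releases the small key only when the player is allowed to see the item. ContentServer, seal/unseal and the item ids are hypothetical names, and the SHAKE-256 keystream with an HMAC-SHA256 tag is a standard-library stand-in for a vetted AEAD such as AES-GCM.

```python
import hashlib, hmac, secrets

def _subkeys(key):
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def _xor_stream(enc_key, nonce, data):
    # SHAKE-256 keystream: stdlib stand-in (assumption) for a real AEAD cipher.
    stream = hashlib.shake_256(enc_key + nonce).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))

def _tag(mac_key, item_id, nonce, ct):
    ident = item_id.encode()
    msg = nonce + len(ident).to_bytes(2, "big") + ident + ct
    return hmac.new(mac_key, msg, hashlib.sha256).digest()

def seal(key, item_id, plaintext):
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = _xor_stream(enc_key, nonce, plaintext)
    return nonce + ct + _tag(mac_key, item_id, nonce, ct)

def unseal(key, item_id, blob):
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _tag(mac_key, item_id, nonce, ct)):
        raise ValueError("bad key, wrong item, or tampered blob")
    return _xor_stream(enc_key, nonce, ct)

class ContentServer:
    def __init__(self):
        self._keys = {}  # item_id -> key; stays server-side until release

    def prefetch_blob(self, item_id, content):
        # One fresh key per item, so releasing a key unlocks that item only.
        self._keys[item_id] = secrets.token_bytes(32)
        return seal(self._keys[item_id], item_id, content)

    def release_key(self, item_id, player_can_see):
        # The visibility decision is made on the server, not by the client.
        if not player_can_see:
            raise PermissionError(item_id)
        return self._keys[item_id]

def demo():
    server = ContentServer()
    blob = server.prefetch_blob("maze-7", b"maze layout v7: N,N,E,S,E")  # bulk, early
    key = server.release_key("maze-7", player_can_see=True)  # small, on demand
    return unseal(key, "maze-7", blob)  # constructed sample content above
```

As the message says, a released key can be shared like a screenshot; the scheme only controls when cached content becomes readable.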

MUD-Dev mailing list
MUD-Dev at kanga.nu