[MUD-Dev] Trusting the client, encrypting data

Ola Fosheim Grøstad <olag@ifi.uio.no>
Tue Dec 16 13:19:00 New Zealand Daylight Time 2003

Jessica Mulligan <jessica at mm3d.com> writes:

> one person has a method down, everyone will know it.  I remember
> once on UO we spent several weeks rewriting the encryption; it was
> pretty damn good, too.  It was broken in less than three days,
> sending something like a man-month of engineering time down in
> flames.  I'm sure we can all repeat similar stories.

I don't have any course on crypto, but I can't see how the
encryption itself could fail provided that you design for it. If
common headers are a problem, then avoid them. For instance,
Huffman-encode them and put them in a dictionary, which is a good
idea anyway (make every single bit count), and send the packets in
random order, making predictions about content useless (or possibly
prefix with a random-length string of noise).

What went technically wrong in the UO case?

> If you do come up with a method that works reliably and stays
> unbroken, you'll be a very rich and sought-after man and American
> women will want to have your babies.

Unbroken is relative though. If it takes 1 year to break the key on
one PC then you pretty much have what you want.

(Not sure I would trust a team recruited for doing games with crypto
stuff though. You have to nitpick and take the time required...)

Ola - http://folk.uio.no/olag/
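
The framing the message sketches (a random-length noise prefix plus shuffled send order), as an added Python example that is not part of the original post or any game's protocol. The field layout, `MAX_NOISE`, and the function names are assumptions, and each frame is the plaintext that would be handed to a cipher, which is not shown.

```python
import secrets
import struct

MAX_NOISE = 32  # assumed upper bound on the noise prefix, in bytes

def build_frame(seq: int, payload: bytes) -> bytes:
    """Layout (assumed): noise_len(1) | noise | seq(4) | payload_len(2) | payload."""
    noise = secrets.token_bytes(secrets.randbelow(MAX_NOISE + 1))
    return bytes([len(noise)]) + noise + struct.pack("!IH", seq, len(payload)) + payload

def parse_frame(frame: bytes) -> tuple[int, bytes]:
    """Strip the noise prefix and return (seq, payload); reject malformed frames."""
    if not frame:
        raise ValueError("empty frame")
    noise_len = frame[0]
    header_end = 1 + noise_len + 6  # 6 = seq (4 bytes) + payload_len (2 bytes)
    if noise_len > MAX_NOISE or len(frame) < header_end:
        raise ValueError("truncated or oversized noise prefix")
    seq, length = struct.unpack_from("!IH", frame, 1 + noise_len)
    payload = frame[header_end:]
    if len(payload) != length:
        raise ValueError("payload length mismatch")
    return seq, payload

def send_shuffled(payloads: list[bytes]) -> list[bytes]:
    """Frame each payload with its sequence number, then randomise the send order."""
    frames = [build_frame(i, p) for i, p in enumerate(payloads)]
    secrets.SystemRandom().shuffle(frames)
    return frames

def receive(frames: list[bytes]) -> list[bytes]:
    """Restore the original order; duplicate or missing sequence numbers are errors."""
    seen: dict[int, bytes] = {}
    for frame in frames:
        seq, payload = parse_frame(frame)
        if seq in seen:
            raise ValueError(f"duplicate sequence number {seq}")
        seen[seq] = payload
    if sorted(seen) != list(range(len(seen))):
        raise ValueError("missing sequence number")
    return [seen[i] for i in range(len(seen))]

# Constructed sample messages, not taken from any real game protocol.
SAMPLE = [b"MOVE north", b"SAY hello", b"GET sword"]

if __name__ == "__main__":
    print(receive(send_shuffled(SAMPLE)))
```

The receiver can only undo the noise and the reordering because every frame carries a length and a sequence number, so those fields are themselves fixed structure and have to sit inside the encrypted data rather than in front of it.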