[MUD-Dev] Trusting the client, encrypting data

Felix A. Croes felix at dworkin.nl
Thu Dec 18 16:31:29 New Zealand Daylight Time 2003

Sean Middleditch <elanthis at awesomeplay.com> wrote:

> The problem is, encrypting is pointless.  Encryption stops the
> data from being read/modified by someone between the two trusted
> parties.  If you're running the client on the user's machine, tho,
> then that machine is one of the trusted parties - but you're
> trying to stop the user of that machine from reading the data;
> i.e., you're automatically assuming that the person you're trying
> to stop from getting the data is a trusted party.

It's funny how everyone (?) has misunderstood Ola's posting.  He was
not talking about creating a secure channel to the client, but about
occlusion.  This has been discussed on the MUD-Dev list before, at
least I think that's where I picked up the idea years ago.

The point is not to have the server encrypt data which the client
immediately decrypts.  Rather, the server sends encrypted data that
even the client does not have the key for.  The idea is not to hide
data from snoopers, but from the client itself.

Example: an invisible player walks up to me and removes his ring of
invisibility.  From my point of view, that player suddenly appears
before me.  But from the client's point of view?  If the player was
already known and just flagged invisible, I could run a little
add-on program to get information about invisible players from
network traffic, or from the memory of the client program.  If the
information is sent only when the invisible player becomes visible,
there will be a sudden burst of network traffic to the client at
that point (if this part of the argument sounds a little weak, let's
just say that there is a large group of invisible players and their
invisibility spell wears off).

Ola's suggestion was to send the information about the invisible
player in advance, but to encrypt it so that even the client itself
does not know what is going on.  When the player becomes visible,
the server does not send all the information about him; instead it
instructs the client to decrypt information that was sent before,
using a key that only now is made available.  This hiding of the
meaning of information to the client is called occlusion.

To decrypt occluded data, client memory or traffic snooping is not
going to help.  Actual cryptanalysis would be required.  And even if
that were to occur, the delay between obtaining the information and
decrypting it (hours, days, weeks) would be quite sufficient to make
it useless.  After all, the server only sends occluded data to the
client when the possibility exists that the meaning will be revealed
a short time after.

Felix Croes
MUD-Dev mailing list
MUD-Dev at kanga.nu
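
The occlusion scheme described in the message above, sketched as an added example (not code from the original post or from any MUD server). The function names, the fixed 256-byte record size, the sample player, and the SHAKE-256/HMAC construction are assumptions; the construction is a standard-library stand-in for a vetted AEAD cipher.

```python
import hashlib, hmac, json, secrets

BLOB_LEN = 256  # assumed fixed plaintext size, so record length leaks nothing

def _keys(key):
    # Derive separate encryption and MAC keys from the one reveal key.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def _xor_stream(enc_key, nonce, data):
    # SHAKE-256 keystream: a standard-library stand-in for a vetted cipher.
    stream = hashlib.shake_256(enc_key + nonce).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))

def occlude(state):
    """Server: return (key held back on the server, blob sent in advance)."""
    plain = json.dumps(state).encode()
    if len(plain) > BLOB_LEN - 2:
        raise ValueError("state too large for the fixed-size record")
    padded = len(plain).to_bytes(2, "big") + plain.ljust(BLOB_LEN - 2, b"\0")
    key, nonce = secrets.token_bytes(32), secrets.token_bytes(16)
    enc_key, mac_key = _keys(key)
    ct = _xor_stream(enc_key, nonce, padded)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return key, nonce + ct + tag

def reveal(blob, key):
    """Client: only possible once the server has released the key."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    enc_key, mac_key = _keys(key)
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or corrupted record")
    padded = _xor_stream(enc_key, nonce, ct)
    n = int.from_bytes(padded[:2], "big")
    return json.loads(padded[2:2 + n])

def demo():
    # Constructed sample: an invisible player near the client's character.
    state = {"name": "Mordecai", "pos": [12, 7], "gear": ["ring of invisibility"]}
    key, blob = occlude(state)      # blob goes out early; key stays server-side
    client_store = {"h1": blob}     # all the client (or a snooper) holds
    leaked = b"Mordecai" in client_store["h1"]
    shown = reveal(client_store["h1"], key)  # later: a 32-byte key message
    return leaked, shown, len(blob), len(key)

if __name__ == "__main__":
    print(demo())
```

The reveal message is 32 bytes no matter how much state was sent ahead of time, so the moment of appearance produces no burst of traffic proportional to the number of players revealed.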
