Safest way to update game score from client to server database? Javascript
H

5

14

So I have this game that is completely run on the client. No server interaction whatsoever apart from downloading the initial scripts to play the game. Anyway, at the end of the game I would like for the client to send me back the scores which should be updated in the server database. Now I have come to accept the fact that there is no way on earth I can hide this from a hacker and send the scores unaltered. But I would like to know till what level can I modify the whole process that it virtually becomes pretty infeasible for the hacker to manipulate the data which is being sent. For sure I would not like the score to be sent as plain text from the client machine and I don't want my server to perform complex decryption algorithm. What is the best way hence to achieve considerable amount of security that every Tom, Dick and Harry doesn't hack the scores... I hope someone could provide a nice little way that I could work on... :) Thanks

So my ideal result should be -> have trusted result from a calculation (of score) made by an untrusted party (the player)!

-Edit-

Someone told me something about hiding the data in a picture GET request. Like, I am implementing this game on canvas (HTML5). So he asked me at the end of the game to fetch a game over image from my server, and the request should contain the hashed score. I did not exactly understand the complete process but if you could explain it, I would be really glad! :)

coda^ so you can mask the requests nicely

shouvik how do I do it!?

coda^ you can compose the checksum you want to submit. like 12312312a12313a232 is your md5 which contains the score. bring in an asset into the canvas like

coda^ server.com/images/md5_hash_of_score/congratulations.png

coda^ which you can rewrite server side via htaccess

Heathendom answered 19/1, 2011 at 8:32 Comment(2)
This is more or less the same problem as #1901852Lemar
@David, no this is pretty different! I have no problems with him trying to screw with my game as he plays it alone.. So let him do whatever the hell he would like to. If he messed with the scoring, I have an adaptive algo on my server which checks if the score can be reasonably achieved, if not USER IS BANNED! But I would not like it to be too easy, like just modding the ajax post...Heathendom
N
1

"Now I have come to accept the fact that there is no way on earth I can hide this from a hacker and send the scores unaltered."

Oh yes, there is!

You can use RSA or any other public key encryption method (also called asymmetric cryptography).

Create a set of (public and private) keys for the server. Have your client code include your server's public key.

At the end of the game, the client code encrypts the score (with this key) and sends both (plain score and encrypted score) to the server.

Server decrypts and checks if plain score and decrypted one are same. If yes, accept score. If not, reject (there's a hacker or network error in the middle).

-------UPDATE-----------CORRECTION--------------

As Ambrosia pointed out, my approach fails completely with this kind of attack.

What you actually want is to have a trusted result from a calculation (of score) made by an untrusted party (the player). No easy way to achieve this.

See this: http://coltrane.wiwi.hu-berlin.de/~fis/texts/2003-profit-untrust.pdf

Also this one: http://www.cse.psu.edu/~snarayan/publications/securecomputation.pdf

And this (which needs a subscription to the ACM digital library): http://portal.acm.org/citation.cfm?id=643477.643479

Nertie answered 19/1, 2011 at 9:17 Comment(15)
"don't want my server to perform complex decryption algorithm"Heathendom
Yes, right. And "achieve considerable amount of security" on the same sentence. Pretty contradicting, aren't they?Danube
Plus don't I have to pay like money to use RSA? I thought you needed to purchase those keys?Heathendom
It is still possible for a person to see the public key and generate their own encrypted version of a score, then send this along with the plaintext score which will match perfectly, no? A thought along this line is that you could use a mapping of codes to scores, such as Pumpkin = 1 point, Tomato = 2, etc and only the server has those mappings to determine the score. Of course if you are still showing the score back to the user and they can see the ajax in firebug it could be determined what words (or codes) map to which values.Capriole
@ypercube Well yeah! The point is not to prevent advanced hackers from changing game scores. they might just beat the score adding algo and send me a reasonably large score that my filter would allow! I want some sort of simple evasive algo that is not very complex and should be able to baffle the "not such a hacker but moron who thinks he can hack" dude...Heathendom
Ambrosia, thinking again, yes, you are right. I have to modify my answer, it doesn't work in preventing this kind of attack at all.Danube
@Ambrosia - That is actually not a bad idea! Well why words I will interchange the numbers with numbers. Maybe at first glance most will miss it and well maybe this can be one of the measures I adopt. :)Heathendom
@ypercube - Ambrosia is right! The hacker can just modify the value I am feeding to the encryption algo! Why bother with such a complicated process if the hack is that simple...??Heathendom
RSA is much more secure than other algos coz the private key is just with one dude! It still depends heavily on the authenticity of the data being received and whether you trust the data provider! In this case I don't...!!!Heathendom
@ypercube - Thanks for the paper link! I think you may want to append the full paper link to ur answer! :) I am going through it now... coltrane.wiwi.hu-berlin.de/~fis/texts/2003-profit-untrust.pdfHeathendom
Appended. Also added one more survey regarding "secure computing" or "cryptographic computing". As a last comment, you were right, no easy way to do this without some complex cryptographic protocols.Danube
+1 for the research material :) Nice place to get started on this :) Seems like I can make a doctoral thesis out of this material alone :P But for now I guess a half baked solution should work :D Thanks a lot again. Enjoyed the healthy discussion of ideas on this post a lot!Heathendom
Me too! You might also want to search for "cryptocounter". See this: cryptovirology.com/cryptovfiles/newbook/Chapter6.pdfDanube
My game is a canvas game hence it's gonna screw big time with users' CPU! If I put in complex algos with that, I am half sure :-D his computer will blow up... Also, I am confident if I end up putting any one of these algos in my game it might actually become one of the most secure pansy applications on fb hence attracting more research people to dig through my source to find out what I am doing! Certainly not the kind of crowd my application is targeted to :PHeathendom
huh, the cryptocounter thing seems to be pretty cool, but can it be applied to javascript? I ask this because, js is single threaded and it might actually have a bad effect on the UX, along with the plausibility of how exactly do I manipulate my code to work in this fashion =/Heathendom
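The exchange this answer describes, with both sides in one Node.js file, as an added example that is not part of the original post (function names are assumptions). It shows what the correction concedes: the server's comparison passes for any pair produced with the public key, so it detects a mismatch between the two fields and nothing more.

```javascript
const nodeCrypto = require('crypto');

// Server side: key pair generated once; only the public key ships to the client.
const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('rsa', {
  modulusLength: 2048,
});

// Client side: what the game script does at the end of a game.
function clientSubmit(score) {
  const encrypted = nodeCrypto
    .publicEncrypt(publicKey, Buffer.from(String(score)))
    .toString('base64');
  return { score, encrypted };
}

// Server side: decrypt and compare with the plain score, as the answer describes.
function serverAccepts(submission) {
  try {
    const plain = nodeCrypto
      .privateDecrypt(privateKey, Buffer.from(submission.encrypted, 'base64'))
      .toString();
    return plain === String(submission.score);
  } catch (err) {
    return false; // not a valid ciphertext for this key
  }
}

// Constructed sample submissions.
const honest = clientSubmit(120);
// Plain field edited, ciphertext left alone: the comparison catches this.
const mismatched = { score: 999999, encrypted: honest.encrypted };
// Both fields produced from the same number: the comparison cannot tell this
// apart from an honest result, because every player holds the public key.
const selfConsistent = clientSubmit(999999);
```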
B
6

You seem to know this already, but just to stress; you cannot stop someone doing this; you can only make it as hard as possible!

Assume you currently submit the score as:

/submit_score.php?score=5

Someone watching in Firebug can easily distinguish where the score is submitted, and alter it. submit_score.php gives it away, as does the name of the parameter. The score is an easily distinguishable integer.

  1. Change the end point: /interaction.php?score=5
  2. Change the parameter name: /interaction.php?a=5

It's getting harder for the user to work out what is going on.

Now you can make the score harder (again, harder, not impossible) to change. First, you can encrypt it (obviously you'll need to be able to decrypt it later).

  1. Base 64 encode it.
  2. Numbers -> Letters (1=a, 2=b, etc).
  3. Reverse the order of the score representation.

You name it, you do it. So you now have interaction.php?a=e.

The next thing you can do is hash the score with something else. Send the hash with the score, and recalculate it on the server. For example, md5() the score with a random string, and send the score (encoded), the string, and the hash in the request:

/interaction.php?a=e&str=abcde&hash=123456789abcefbc

When the request hits the server, do:

if (md5($_GET['a'] . $_GET['str']) !== $_GET['hash']) exit;

Obviously people can (relatively) easily go through your JavaScript code and see what's going on; so make it harder for them there. Minify and Obfuscate the code.

If you make it hard enough for someone, they're going to try to understand your JavaScript, try using Firebug, not understand what's going on, and not bother; for the sake of getting a few extra points on your game.

Bebel answered 19/1, 2011 at 11:53 Comment(1)
Thanks for the answer. Yeah I am pretty much aware of the stuff you mentioned. :) I am going to obfuscate the code obviously to a point beyond recognition :D What I am more interested though is in knowing basically a hide and seek pattern to really irritate the person who is playing the scoring mechanism to an extent it becomes infeasible to him. I posted this question over here in the hopes that I could accumulate varied ideas from here and then mix them up to cook up my own answer though the paper link given by @ypercube seems to be something that might help me a great deal :) Thanks again!Heathendom
R
2

Use something like OAuth to authorize the request from client to server. The header contains a token which matches the body of the request. If these two don't match, then discard the request. You don't need to decrypt at the server side; instead, encrypt the body and check whether the result obtained at the server side matches the token, to find out if the body was modified.

Revocable answered 5/1, 2019 at 6:28 Comment(0)
L
0

Can you use ajax to send the score (and any identifiers) to the server? Unless they have something like firebug open they won't see it happening.

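var url = '/savescores.asp?userID=fredsmith&score=1098';
// XMLHttpRequest stands in for the undefined createRequest() helper
var request = new XMLHttpRequest();
request.open('GET', url, true);
request.send(null);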
Langobard answered 19/1, 2011 at 8:48 Comment(1)
Yeah I figured the ajax bit. But I am assuming they have console open. It's just a matter of changing the url parameters from console when updating score so there is no way that I would want that to become too easy for the hacker. Maybe a little more complicated than this, like using some kind of manipulation tactics which are not very process intensive and are basically elementary puzzles that can be solved by the server without problem.Heathendom
C
0

Make the client send you the credentials (or some sort of session information in case you don't have logon credentials) and do that over SSL (https). This way you have both authentication and integrity control. Very easy and extremely lightweight for both server and client.

Crossley answered 19/1, 2011 at 8:54 Comment(9)
Maybe I missed adding, but this will eventually end up on Facebook :)Heathendom
I am sending the user's FB id with the score. I don't think sending it via ssl will make any difference because I am not trying to prevent a man in the middle attack. It's more like, I am preventing a man who is sending attack :DHeathendom
they got this address ssl.facebook.com but I have absolutely no experience with it. I wouldn't be surprised if SSL wouldn't work for Facebook. Which in turn makes me very angry, because they transfer all that personal info and never care about protecting it grrrrrrr!Crossley
Well, man in the middle attack appears as soon as you fix the sender attack. It's sort of next step, to try to alter the message that your application generates and carry on sending it.Crossley
@Elijah - Anyone of my game players should be more than honoured if someone tries attacking their scores mid way to my server. Who the hell would wanna modify someone else's score on its way to pansy game anyway!? but I get ur point! maybe I will send the score via ssl. Also since it's an iframe so I guess the ssl.facebook.com thingy should not bother me :)Heathendom
I was talking about the player himself actually. Put yourself in that position: you try to just send a random score to the server, but you realize that there's a session token that you have no idea about, so what you basically do, you intercept the message, alter it and send.Crossley
@Elijah I am sorry, I don't get it! =S what do you mean by session token!? I did not add any to my application, and if there is a session token should not the client be able to access it because there is no intermediary server which is forwarding the client data to me. The client machine directly sends it to my server... =/Heathendom
Also it will be big help if you could link me to some documentation on sender attack. Never heard of it b4 and Google's not throwing up interesting results...Heathendom
No, the sender attack is what I opposed to the man-in-the-middle attack. Your player is always the one who wants to cheat, what changes is where he substitutes the score. The "session token" is anything you use to authenticate the request, that it comes really from the browser session. SSL is there just to guarantee integrity of your data.Crossley
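An added example, not part of any of the original answers, that combines the hash check from the `interaction.php` answer with the "session token" described in this thread and the reasonableness check the asker mentions in a comment. It goes beyond what any single answer spells out; the function names, the in-memory `Map` and the `MAX_POINTS_PER_SECOND` ceiling are assumptions, and timestamps are passed in so the logic can be exercised without a clock.

```javascript
const nodeCrypto = require('crypto');

const MAX_POINTS_PER_SECOND = 10; // assumed ceiling; tune per game
const sessions = new Map();       // nonce -> { userId, startedAt }

// Game start: the server picks the random string and remembers it.
function startGame(userId, now) {
  const nonce = nodeCrypto.randomBytes(16).toString('hex');
  sessions.set(nonce, { userId, startedAt: now });
  return nonce;
}

// What the game script computes, same shape as md5(score . str) in the answer.
function clientHash(score, nonce) {
  return nodeCrypto.createHash('md5').update(String(score) + nonce).digest('hex');
}

// Game end: returns 'accepted' or a rejection reason.
function submitScore({ userId, score, nonce, hash }, now) {
  const session = sessions.get(nonce);
  if (!session || session.userId !== userId) return 'rejected: unknown session';
  sessions.delete(nonce); // single use, so a repeated request fails the lookup

  const expected = Buffer.from(clientHash(score, nonce));
  const given = Buffer.from(String(hash));
  if (given.length !== expected.length ||
      !nodeCrypto.timingSafeEqual(given, expected)) {
    return 'rejected: hash mismatch';
  }
  if (!Number.isInteger(score) || score < 0) return 'rejected: malformed score';

  // The hash inputs are all known to the client, so the real gate is this
  // server-side bound on what the elapsed play time could have produced.
  const elapsedSeconds = (now - session.startedAt) / 1000;
  if (score > elapsedSeconds * MAX_POINTS_PER_SECOND) {
    return 'rejected: implausible score';
  }
  return 'accepted';
}
```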
