In my last post, I talked about how to secure a Flash high score board. One of the steps included SSL. Several people immediately mentioned that they don't have access to SSL. To that end, I'm putting together this little post to explain how it can be done without it.
In the case of a high score board entry, the data itself doesn't need to be kept secret. You just need to make sure it hasn't been modified. It doesn't matter if someone sniffs the HTTP data as long as they can't change it, right? To that end, there is no need to go overboard with a true encryption system when you can simply use a "digital signature" to get the same result. Basically, the client will "sign" the data and the server will verify that the signature and data match.
Most digital signature techniques can get pretty complicated and involve using public/private key pairs. In our case, we are going to get the same effect with a ghetto approach. We are going to use a "cryptographic hash" to do this. A cryptographic hash function will take a block of data and turn it into a fixed length "fingerprint". The results of a hash function are reproducible. This means that its output will always be the same for a given input. Another property of a good hash function is that a tiny change in the input will produce a dramatic change in the output.
For the sake of this discussion, we will use MD5 as the hash of choice. There are better ones (like SHA1) but MD5 is supported by just about every language out there and is pretty simple. There are implementations for PHP, JavaScript, ActionScript 1, ActionScript 3, and Java, for example.
Now we need to apply our hash function to the data itself. Say you need to submit a new score for user "Mike" with a value of "12345". The easiest approach is to simply concatenate those together and run the hash, i.e., "Mike12345" results in "3658279626b5ed3cd137bef212640144". Then you take the name, score, and hash and send it all to the server. The server duplicates the process to generate a hash and compares them. If the hash from the client matches the hash on the server then the data came across unmodified. If the hashes fail to match, you fail the submission. Nice and simple.
You're not quite done though. If you stop here, you are still vulnerable to someone hacking the data. They could look and guess what you are doing (or inspect the SWF code) and duplicate the hash by hand, submitting a fake score. The way to prevent this is to append one more piece of data before you generate the hash. Specifically, a pass phrase or key.
For the sake of argument, let's say your pass phrase is "password". You take the name, score and pass phrase and come up with this: "Mike12345password". When you hash it, you get "a0501c5f1276af9b5be999b980a1e18a". Notice how this is totally different than the previous hash? Then, you send the same data to the server as before: name, score, and hash. The server knows the password already and attempts to duplicate the hash. If it can, the score submission is good.
If you obfuscate your SWF, this might be good enough. The problem is that the password itself is contained in your SWF file and the enterprising hacker might decompile the SWF to figure it out. If this occurs, they will be able to easily duplicate the process and create the hash. The solution to this is for another blog post I'll do in a day or two.
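
The signing and server-side check described above, as an added example in Python (not code from the original post; the function names are hypothetical). It goes one step beyond the post: it also shows that plain concatenation lets the name/score boundary shift without changing the signature, and an assumed HMAC-SHA256 variant with a length-prefixed name that rejects that case.

```python
import hashlib
import hmac

SECRET = b"password"  # the post's example pass phrase; a real key should be long and random


def sign_page_scheme(name, score, secret=SECRET):
    """Signature as the post describes it: MD5(name + score + pass phrase)."""
    return hashlib.md5(name.encode() + str(score).encode() + secret).hexdigest()


def sign_hmac(name, score, secret=SECRET):
    """Assumed hardened variant (not the post's method): HMAC-SHA256 over a
    length-prefixed name, so the name/score boundary cannot shift."""
    n = name.encode()
    msg = len(n).to_bytes(4, "big") + n + str(score).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify(name, score, signature, signer=sign_page_scheme):
    """Server side: recompute the signature and compare in constant time."""
    expected = signer(name, score)
    return hmac.compare_digest(expected.encode(), signature.encode())


def demo():
    """Run the checks on constructed submissions and return the outcomes."""
    md5_sig = sign_page_scheme("Mike", 12345)
    mac_sig = sign_hmac("Mike", 12345)
    return {
        "valid": verify("Mike", 12345, md5_sig),
        "tampered_score": verify("Mike", 99999, md5_sig),
        # "Mike"+"12345" and "Mike1"+"2345" concatenate to the same bytes,
        # so the plain-concatenation signature accepts both submissions.
        "boundary_shift_md5": verify("Mike1", 2345, md5_sig),
        "valid_hmac": verify("Mike", 12345, mac_sig, sign_hmac),
        "boundary_shift_hmac": verify("Mike1", 2345, mac_sig, sign_hmac),
    }


if __name__ == "__main__":
    for check, accepted in demo().items():
        print(f"{check}: {'accepted' if accepted else 'rejected'}")
```
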
As you can see, each layer of security makes things that much harder for the hacker. While some of this seems complicated, much of it only needs to be created once and then reused as needed. A little library could be created that hides all these details from the developer and makes things nice and clean. If someone is interested in doing this, post a comment. I'd be willing to help out if there is interest. Have fun!
14 comments:
Remember the movie "The Core"? In the movie that wiry kid hacked the planet. Would this technique have protected the planet?
It turns out there is a reliable MD5 for classic ASP
http://rossm.net/Electronics/Computers/Software/ASP/MD5.htm
Hi there Mike
Assuming that obfuscation fails to cover up my "special word" used to create the signature and that someone gets around its construction process, will SSL still be a better choice to maintain integrity of data?
Cheers
SSL is the best choice in general. If you have it available, you should always use it when communicating with the server. It adds a very powerful layer of protection against all packet-sniffing attacks - which are some of the most common.
faking the hash is easy
Hi Mike,
I really enjoyed reading this article.
I have a question if I may. I have a little arcade community site and would like to give my guests a chance to win little prizes. But of course I can't, because then the cheaters will go crazy and hack my site to the ground :).
If I can afford the SSL, could you elaborate a little about how I implement it? Do I have to edit each and every Flash game?
Thanks,
Yandos.
The rossm.net link no longer works, but the code there was just a copy of the work released by frez.co.uk with the attribution comments removed anyway. The original can be found at www.frez.co.uk/freecode.htm