Getting user data to the server is a key part of many online applications, including video games. Encryption alone is not the answer. Here's how you ensure that you get the data you want to your server. There is a lot more that can be done to protect your game. If you are interested, send me an email to steve @ free2secure.com with the subject “Incoming!”. If you are interested in keeping up with the latest books, articles, and tools from me at Free2Secure send me an email steve @ free2secure.com with the subject “Subscribe”. Finally, if you have any security questions, issues, or shoot me a note to steve @ free2secure.com with the subject “Help”.

1. Security eBooks
Authentication
& High Scores
Security with the
Client – Part 3
Steven Davis
steve@free2secure.com
Games, iGaming, and Gambling +1.650.278.7416

2. Security eBooks
Why High Scores
• Community
• Engagement
• Game Life
• Virality
• Why High Score Security?
– Actually, the core of many online game security issues
• Moving data from a client to the server
– Techniques are “good enough”…. Unless gambling or a lot of
money is involved!
steve@free2secure.com
Games, iGaming, and Gambling +1.650.278.7416

3. Security eBooks
High Score Security Challenges:
•Having Correct Score on Client
•Getting Score to Server
• ASSUMPTION: Your game is (mostly) on the
client, not the server
steve@free2secure.com
Games, iGaming, and Gambling +1.650.278.7416

4. Security eBooks
Encryption
Secure
Program Security
Network Library Fallacy
Not Secure
Not Secure
Attack
• People assume encryption is “secure”
• Point and other environments, it is only secure “outside” – away from the
In game,
key
• Hackers attack data before it is encrypted
• This is especially easy for browser based applications or ones that use a
network (and/or encryption) library
steve@free2secure.com
Games, iGaming, and Gambling +1.650.278.7416

5. Security eBooks
Correct Score on Client
• Local score data obfuscation
• Building score from components
– How many Lions? Tigers? Bears?
• Deep logging
steve@free2secure.com
Games, iGaming, and Gambling +1.650.278.7416

6. Security eBooks
Getting the Score to the Server
• Encrypting within the game application
• Multiple versions of data (including unencrypted)
• Authentication
• Sending score information incrementally
steve@free2secure.com
Games, iGaming, and Gambling +1.650.278.7416

7. Security eBooks
Implicit Score Authentication
• Scores or Score Components that are
Impossible to achieve, but easy to check
– Maximum possible score in a level
– Minimum score in a section to complete it
– Time requirements
– Specific actions or achievements or intermediate
milestones or flags
– Score numerical values that are impossible (all
legitimate scores are multiple of a prime)
steve@free2secure.com
Games, iGaming, and Gambling +1.650.278.7416

8. Security eBooks
Challenge Response Score Posting
Client sends ID to Server ClientID
Server Sends Challenge Challenge
Client serializes Score Data String = Serialize(Score Data)
Client builds ScoreResponse ScoreResponse = ClientID,StoreString,ClientSecret
Client hashes Challenge Data Authenticator=Hash(Challenge,ScoreResponse,ClientSecret)
Client posts Response ScoreResponse, Authenticator
• Stop Replay of Scores
• Authenticate Data
• Avoid Encrypting Scores if you don’t need to
– Allows faster processing and delayed authentication
steve@free2secure.com
Games, iGaming, and Gambling +1.650.278.7416

9. Security eBooks
Server Window
Random & Time
Challenge Response
Client
• Random Events can be • Players can manipulate the
manipulated to favor a player game by accelerating or
in many games slowing time on the client.
• Server can correct for this by • The game client can limit this
providing random or random by sending messages to the
seeds directly server at specific intervals (see
Challenge/Response above)
Exploitation of Random Events and Time Hacks can be managed by shrinking client/server
communication windows
steve@free2secure.com
Games, iGaming, and Gambling +1.650.278.7416

10. Security eBooks
Let Cheaters Win (sort of)
• You can choose what you do when you catch a
cheater
– Let them think they’ve won
– Let only them and their friends think they’ve won
• Just don’t tell everybody what you do!
• Sometimes cheaters are good customers...
sometimes they are your best customers
• Banning and punishment may hurt you worse
than them
– Undermining identity and costing you revenue (Xbox
Live)
steve@free2secure.com
Games, iGaming, and Gambling +1.650.278.7416

11. Security eBooks
Deep Logging & Deterministic Game Engines
Dus
t Fo
gam rce allo
e p la w
y an s playe
d av r
oid s to see
mos
t ch excellen
eatin t
g
• Log and post game logs down to the individual player action
– Video is possible, but expensive in bandwidth and storage
– Deterministic Game Engines can allow games to be replayed exactly
• A powerful verification strategy that can be used in different ways
– Either game server or other players or observers can verify game play
steve@free2secure.com
Games, iGaming, and Gambling +1.650.278.7416

12. Security eBooks
What next?
• Don’t give up!
• More security presentations at:
http://free2secure.com/
• Check out my book “Protecting Games”
– Additional information at http://playnoevil.com/
• You can “win” the security game
steve@free2secure.com
Games, iGaming, and Gambling +1.650.278.7416

13. Security eBooks
About Me
• Steven Davis
– 25+ Years of Security Expertise
– I have worked on everything from
online games and satellite TV to
Nuclear Command and Control and
military communications
• http://www.linkedin.com/in/playnoevil
– Author, “Protecting Games”
• Why Free2Secure?
– Security is too expensive and isn’t working. There has to be a better way.
I’m exploring these issues for IT security, ebooks, games, and whatever
else strikes my fancy at http://free2secure.com/
– Join me there, ask questions, challenge assumptions, let’s make things
better
steve@free2secure.com
Games, iGaming, and Gambling +1.650.278.7416