NYCPHP Meetup

[csnyder]

On Dec 12, 2007 10:32 AM, John Campbell <jcampbell1 at gmail.com> wrote:

> Initially the scores were send as a simple post request, e.g.
> name=john&score=1000.  This is a problem because it is trivial to
> forge the request.  So my solution was to create the post request as
> follows:
>
> name=john&score=1000&checksum= . md5(md5("My secret") . name . score)
>
> on the server side, I can verify the checksum.
>
> This works well enough, but an enterprising hacker can download my swf
> file and run `strings game.swf` to extract "My secret", and then they
> can forge the request. Is there any cryptography method that
> guarantees the request is coming from my code?
>

Yes there is, John, but you may need to seriously consider whether
implementation is worth it.

You can use a public/private key pair to perform asymmetric
encryption. That means that a value encrypted using one key can only
be decrypted using the other. This is the encryption scheme used for
SSL, where your browser uses the server's public key (aka Certificate)
to encrypt the request.

So you would use the game's public key to encrypt hash-of-score:random
on the client side. And then on the server, you would use the game's
private key to decrypt the value and check the hash.

Your tasks, should you choose to go this route, are to find an RSA
implementation in ActionScript to perform the encryption, and to use
PHP's OpenSSL support to perform the decryption. I'm pretty sure the
first task is going to be tougher than the second unless Adobe
provides an api in the Flash player.

-- 
Chris Snyder
http://chxo.com/