问题描述

所以我有这个完全在客户端上运行的游戏.除了下载初始脚本来玩游戏之外，没有任何服务器交互.无论如何，在游戏结束时，我希望客户端将分数发回给我，这些分数应该在服务器数据库中更新.现在我已经开始接受这样一个事实，即在地球上我无法向黑客隐藏这一点并原封不动地发送分数.但我想知道我可以修改整个过程到什么级别，这对于黑客操纵正在发送的数据来说实际上变得非常不可行.当然，我不希望从客户端机器以纯文本形式发送分数，也不希望我的服务器执行复杂的解密算法.因此，实现相当大的安全性的最佳方法是什么，每个汤姆迪克和哈利都不会破坏分数......我希望有人可以提供一个不错的小方法，我可以继续工作...... :) 谢谢

So I have this game that is completely run on the client. No server interaction what so ever apart from downloading the initial scripts to play the game. Anyway at the end of the game I would like for the client to send me back the scores which should be updated in the server database. Now I have come to accept the fact that there is no way on earth I can hide this from a hacker and send the scores unaltered. But I would like to know till what level can I modify the whole process that it virtually becomes pretty infeasible for the hacker manipulate the data which is being sent. For sure I would not like the score to be sent as plain text from client machine and I don't want my server to perform complex decryption algorithm. What is the best way hence to achieve considerable amount of security that every tom dick and harry doesn't hack the scores... I hope someone could provide a nice little way that I could work on... :) Thanks

所以我的理想结果应该是 ->由不受信任的一方(玩家)进行的(得分)计算得出可信的结果！

So my ideal result should be -> have trusted result from a calculation (of score) made by an untrusted party (the player)!

-编辑-

有人告诉我有关将数据隐藏在图片获取请求中的信息.就像，我正在画布(html5)上实现这个游戏.所以他在游戏结束时让我从我的服务器获取游戏结束图像，他们请求应该包含散列分数.我没有完全理解完整的过程，但如果你能解释一下，我会很高兴！:)

Someone told me something about hiding the data in a picture get request. Like, I am implementing this game on canvas (html5). So he asked me at the end of the game to fetch a game over image from my server, and they request should contain the hashed score. I did not exactly understand the complete process but if you could explain it, would be really glad! :)

coda^ 这样你就可以很好地屏蔽请求

coda^ so you can mask the requests nicely

shouvik 我该怎么做！?

shouvik how do I do it!?

尾声^ 您可以编写您要提交的校验和.像 12312312a12313a232 是你的 md5，其中包含分数.将资产引入到画布中，例如

coda^ you can compose the checksum you want to submit. like 12312312a12313a232 is your md5 which contains the score. bring in an asset into the canvas like

尾声^ server.com/images/md5_hash_of_score/congratulations.png

coda^ server.com/images/md5_hash_of_score/congratulations.png

coda^ 可以通过 htaccess 重写服务器端

coda^ which you can rewrite server side via htaccess

推荐答案

现在我已经开始接受这样一个事实，即我根本无法向黑客隐瞒这一点，也无法原封不动地发送分数."

"Now I have come to accept the fact that there is no way on earth I can hide this from a hacker and send the scores unaltered."

<罢工>哦，是的，有！

Oh yes, there is!

服务器解密并检查普通分数和解密分数是否相同.如果是，接受分数.如果不是，则拒绝(中间有黑客或网络错误).

Server decrypts and checks if plain score and decrypted one are same. If yes, accept score. If not, reject (there's a hacker or network error in the middle).

-------更新------------更正-------------

-------UPDATE-----------CORRECTION--------------

正如 Ambrosia 所指出的，我的方法在这种攻击下完全失败了.

As Ambrosia, pointed out, my approach fails completely with this kind of attack.

您真正想要的是从不受信任的一方(玩家)进行的(得分)计算中获得可信的结果.没有简单的方法来实现这一点.

What you actually want is to have a trusted result from a calculation (of score) made by an untrusted party (the player). No easy way to achieve this.

请参阅:http://coltrane.wiwi.hu-berlin.de/~fis/texts/2003-profit-untrust.pdf

还有这个:http://www.cse.psu.edu/~snarayan/publications/securecomputation.pdf

还有这个(需要订阅 ACM 数字图书馆):http://portal.acm.org/citation.cfm?id=643477.643479

And this (which needs a subscription to the ACM digital library): http://portal.acm.org/citation.cfm?id=643477.643479

这篇关于将游戏分数从客户端更新到服务器数据库的最安全方法?Javascript的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持跟版网！