tags:

views:

1349

answers:

7
+7  Q: 

MMORPG protocol encryption

Anyone know what the trend is with MMORPG developers encryption their client/server protocols these days?

The pro's and con's are as follows.

Encrypting protocol:

  • protects trade secrets regarding client/server protocol to a degree?
  • Botting isn't stopped, it is only changed because people will create bots which read screen states and trigger mouse+keyboard events will then be developed, merely mitigating the development of bots as opposed to stopping them in anyway. Still though bot development is less in supply somewhat, but the demand is still there, they merely get higher bids on rentacoder.com

Regular plain text:

  • more advanced bots since the developers are able to inject their own datagrams into the client/server protocol. (ie: running through walls, teleporting... which the server side has to now check, which in turn leads to a development contest between out patching exploits via injection (time consuming)
A: 

The main reason why developers should add encryption to their protocols is marketing reasons. They simply just need to ensure that their server will be only one (for example if they will (or already) want to make paid membership) and no one will just write his own emulator of server after discovering of protocol and will offer it for free.

Dmitriy Matveev  2009-01-16 04:23:19
1)That would require a lot of development/time.2)The encryption doesn't prevent them from reading what is in memoery before it is encrypted and written out to a socket. They could still emulate a server, again takes a lot of time.
Zombies  2009-01-16 04:30:38
1) writing a free server for mmos has been done in the past.2) yes.Also I'm also not quite sure what you're asking in the original question.
skirmish  2009-01-16 04:38:30
+2  A: 

At the very least, the MMO's login protocol should be encrypted so that people on the player's network can't packet sniff their account information.

This reason can easily be extended to other data the player sends. For example, chat with other players can contain sensitive information. If the game is already going through the trouble of setting up an encryption protocol for the login process, there's probably not a lot of reason to turn it off after you're done.

fastcall  2009-01-16 05:31:58
+3  A: 

Adding encryption to your packets will only slow a person writing a bot by oh, a few seconds. Your client would need to know how to encrypt to send data to the server and how to decrypt data from the server, and so would the bot.

With regards to preventing warping through walls, you should be doing these checks always. Never trust the user's input, even if you've written the client yourself.

As fastcall mentioned, you should still implement encryption of some data. Specifically the ones containing sensitive data, like logins and chat.

Samuel  2009-01-16 05:38:42
A: 

I was under the impression that none of the major MMOs used encrypted data transport. As Samuel said, you don't really get any security out of it since the client has to be able to encrypt and decrypt the data too.

Coxy  2009-01-16 05:43:19
+7  A: 

@Samuel & coxymla:

That's not entirely true. If the protocol uses asynchronous encryption where the server's private key is unknown to the client, then the bot cannot decrypt the client's egress. This means that to modify the outgoing data, the bot actually has to hook the game process and intercept the data before it's encrypted.

It's simple enough in theory, but it can be technically challenging. At least you're raising the bar for attackers.

@Zombies: Beyond initial key exchange, most encryption schemes do not require extra data transfer. Further, while there is extra work to be done when encryption is used, the data transfer will most certainly be limited by the network and not the processor.

Put plainly, encryption does not lead to slower/more data transfer.

Cautionary note: This Wikipedia page contains a story about a common encryption mistake made by the developers of Phantasy Star Online. It's worth a read.

 2009-01-16 06:36:57
Or a hacker could locate the public key used to encrypt the data and use that in a bot to properly communicate with the server.
Andreas Magnusson  2009-01-20 14:56:18
If the client is going to use the encrypted data that the server sent, it's going to have to decrypt it and it's going to have to decrypt it on the client which is in the hands of the enemy.
David Locke  2009-01-20 15:27:04
I suppose that: if the official client can do it, any client can do it. Correct?
Zombies  2009-01-20 15:27:05
A: 

It's pretty irrelevant. I imagine the encrypt the metadata such as the login information, and session information, but then send the gameplay mechanics data in the clear. After all, the server cannot trust the client anyway (not to have been hacked).

Most hack bots will hook into the running game process and poke around with its memory anyway, which is utterly undetectable - they often put in some signature recognition which attempts to detect known hackbots running in memory, but this is essentially useless otherwise.

Another possible technique for spotting hackbots is to spot gameplay patterns from known ones.

Encrypting the data does nothing, as hackbots attack the client, in-memory.

MarkR  2009-01-16 06:57:14
Hm. If you create your own custom cilent (one that doesn't need all of the graphics overhead) then you can easily off-load it to a botnet (incase they dectect and ban multiple clients running from 1 ip source).
Zombies  2009-01-27 18:23:01
They'd ban your account.
Wouter Lievens  2009-02-10 09:58:10
There would be multiple accounts, one for each bot.
Zombies  2009-09-23 19:23:21
A: 

If you have the time, this one+ hour video about netcode has a part about encryption (among other things such as client synchronization and packet compression).

The relevant quote from the video is this: CPU is cheap. Just encrypt it, you have enough CPU time to encypt and the benefit of encrypting is high (clients won't see your client's commands, increases the bar for hacking, etc).

MrValdez  2009-01-20 10:36:27

related questions

How to implement password protection for individual files?
Encrypting appSettings in web.config
Usefulness of SQL Server "with encryption" statement
How can I use a key blob generated from Win32 CryptoAPI in my .NET application?
CodeReview: Tiny Encryption Algorithm for arbitrary sized data
Simple encryption implementation in C
Which hard disk encryption software to choose?
Passing untampered data from Flash app to server?
How do I prevent replay attacks?
Is there a best .NET algorithm for credit card encryption?
Encrypt data from users in web applications
How to encrypt one message for multiple recipients?
Two-way password encryption without ssl
What's the answer to this Microsoft PDC challenge?
GPG: How does key signing work and how is it done?
Secure Online Highscore Lists for Non-Web Games
Programmatically encrypting a config-file in .NET
How do I use 3des encryption/decryption in Java?
Encryption in C# Web-Services
Suitable alternative to CryptEncrypt
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
C# - CryptographicException: Padding is invalid and cannot be removed
How can I encode xml files to xfdl (base64-gzip)?
How do I add SSL to a .net application that uses httplistener - it will *not* be running on IIS
Encrypting Passwords