問題描述

所以我有這個完全在客戶端上運行的游戲.除了下載初始腳本來玩游戲之外，沒有任何服務器交互.無論如何，在游戲結束時，我希望客戶端將分數發回給我，這些分數應該在服務器數據庫中更新.現在我已經開始接受這樣一個事實，即在地球上我無法向黑客隱藏這一點并原封不動地發送分數.但我想知道我可以修改整個過程到什么級別，這對于黑客操縱正在發送的數據來說實際上變得非常不可行.當然，我不希望從客戶端機器以純文本形式發送分數，也不希望我的服務器執行復雜的解密算法.因此，實現相當大的安全性的最佳方法是什么，每個湯姆迪克和哈利都不會破壞分數......我希望有人可以提供一個不錯的小方法，我可以繼續工作...... :) 謝謝

So I have this game that is completely run on the client. No server interaction what so ever apart from downloading the initial scripts to play the game. Anyway at the end of the game I would like for the client to send me back the scores which should be updated in the server database. Now I have come to accept the fact that there is no way on earth I can hide this from a hacker and send the scores unaltered. But I would like to know till what level can I modify the whole process that it virtually becomes pretty infeasible for the hacker manipulate the data which is being sent. For sure I would not like the score to be sent as plain text from client machine and I don't want my server to perform complex decryption algorithm. What is the best way hence to achieve considerable amount of security that every tom dick and harry doesn't hack the scores... I hope someone could provide a nice little way that I could work on... :) Thanks

所以我的理想結果應該是 ->由不受信任的一方(玩家)進行的(得分)計算得出可信的結果！

So my ideal result should be -> have trusted result from a calculation (of score) made by an untrusted party (the player)!

-編輯-

有人告訴我有關將數據隱藏在圖片獲取請求中的信息.就像，我正在畫布(html5)上實現這個游戲.所以他在游戲結束時讓我從我的服務器獲取游戲結束圖像，他們請求應該包含散列分數.我沒有完全理解完整的過程，但如果你能解釋一下，我會很高興！:)

Someone told me something about hiding the data in a picture get request. Like, I am implementing this game on canvas (html5). So he asked me at the end of the game to fetch a game over image from my server, and they request should contain the hashed score. I did not exactly understand the complete process but if you could explain it, would be really glad! :)

coda^ 這樣你就可以很好地屏蔽請求

coda^ so you can mask the requests nicely

shouvik 我該怎么做！?

shouvik how do I do it!?

尾聲^ 您可以編寫您要提交的校驗和.像 12312312a12313a232 是你的 md5，其中包含分數.將資產引入到畫布中，例如

coda^ you can compose the checksum you want to submit. like 12312312a12313a232 is your md5 which contains the score. bring in an asset into the canvas like

尾聲^ server.com/images/md5_hash_of_score/congratulations.png

coda^ server.com/images/md5_hash_of_score/congratulations.png

coda^ 可以通過 htaccess 重寫服務器端

coda^ which you can rewrite server side via htaccess

推薦答案

現在我已經開始接受這樣一個事實，即我根本無法向黑客隱瞞這一點，也無法原封不動地發送分數."

"Now I have come to accept the fact that there is no way on earth I can hide this from a hacker and send the scores unaltered."

<罷工>哦，是的，有！

Oh yes, there is!

服務器解密并檢查普通分數和解密分數是否相同.如果是，接受分數.如果不是，則拒絕(中間有黑客或網絡錯誤).

Server decrypts and checks if plain score and decrypted one are same. If yes, accept score. If not, reject (there's a hacker or network error in the middle).

-------更新------------更正-------------

-------UPDATE-----------CORRECTION--------------

正如 Ambrosia 所指出的，我的方法在這種攻擊下完全失敗了.

As Ambrosia, pointed out, my approach fails completely with this kind of attack.

您真正想要的是從不受信任的一方(玩家)進行的(得分)計算中獲得可信的結果.沒有簡單的方法來實現這一點.

What you actually want is to have a trusted result from a calculation (of score) made by an untrusted party (the player). No easy way to achieve this.

請參閱:http://coltrane.wiwi.hu-berlin.de/~fis/texts/2003-profit-untrust.pdf

還有這個:http://www.cse.psu.edu/~snarayan/publications/securecomputation.pdf

還有這個(需要訂閱 ACM 數字圖書館):http://portal.acm.org/citation.cfm?id=643477.643479

And this (which needs a subscription to the ACM digital library): http://portal.acm.org/citation.cfm?id=643477.643479

這篇關于將游戲分數從客戶端更新到服務器數據庫的最安全方法?Javascript的文章就介紹到這了，希望我們推薦的答案對大家有所幫助，也希望大家多多支持html5模板網！