Topic awaiting preservation: Encrypting GET/POST data $Pages that link to <a href="https://ozoneasylum.com/backlink?for=12911" title="Pages that link to Topic awaiting preservation: Encrypting GET/POST data" rel="nofollow" >Topic awaiting preservation: Encrypting GET/POST data\$

Author	Thread
bitdamaged Maniac (V) Mad Scientist From: 100101010011 <-- right about here Insane since: Mar 2000	posted 09-30-2003 18:59 hey all, So here's the deal, for work we're developing game with a flash client where multiple users will be able to play a game in real time synchronized using a flash socket connection. Now where I have some issues is that the scores sent back and forth will be used to award prizes for the game. My concern is that if I'm just sending raw data back and forth using a GET or POST method that someone could use a packet sniffer, figure out the data and then use that and script to cheat at the game. You will be able to play the same quiz several times at seperate time periods, so I don't want them to be able to just play once, get the answers and then submit the correct answers via a script. Or actually worse, just be able to fake the score data without even knowing the answers. There is also a time based element so even if you know the answers, you score better by answering more quickly. So I'm trying to find a decent solution that I can script in the flash client for encrypting the data sent back and forth to the scoring cgi. I've thought of using a checksum via MD5 and a secret string to validate the submitted data and I think that's a decent solution, but I'm wondering if a flash app can be reverse engineered to get the string. Does anyone have any experience with this? (I'm by no means a security expert ) Ideas? Links? Advice? Brainstorming ideas freely accepted. I can take this portion of the project out of house to an "expert" but I think it's something I would like to learn. .:[ Never resist a perfect moment ]:. [This message has been edited by bitdamaged (edited 09-30-2003).]
Rhino Bipolar (III) Inmate From: New Jersey, USA Insane since: Jul 2003	posted 10-01-2003 22:52 I have done something like this but for different reasons. I worked on a web site that was mainly built in Java except a few pieces of the web site (bulletin boards and forum) which were built in PHP and hosted at a completely different ISP. In order to use the PHP side of the site we had to make sure you were logged in and also wanted to know who you were logged in as. What we decided to do was encrypt a string of data that contained certain information like the ID of the user, First Name, Last Name and a timestamp. This would allow us to make sure the request was made recently and also keep users from easily deciphering what exactly we were sending. The cipher we decided on was DES since it was shared between the two different languages and was also tough to decrypt. If you would like, I would be happy to post up the code I used to encrypt the data on the Java side.
dl748 Obsessive-Compulsive (I) Inmate From: Michigan Insane since: Oct 2003	posted 10-02-2003 07:34 why don't you just use SSL, a packetsniffer wouldn't be able to sniff that, then you would have to change 0 of your code.
trib Paranoid (IV) Inmate From: Den Haag, Netherlands Insane since: Sep 2002	posted 10-08-2003 09:19 If you're using PHP as your server-side scripting you could look at sessions. All the data is stored at the server-side and only the session ID ispassed back and forth ... you can also rewrite your session handler routines (very simply) to use a database as the session data store, or set the TTL of your sessions to very long periods ... hence making the whole thing persistent over multiple visits if that's what you want. OTOH - if you aren't using PHP ... I just wasted 5 minutes of your time Bug-free software only exisits in two places A programmer's mind and a salesman's lips

POST data\$

Author

Thread

bitdamaged
Maniac (V) Mad Scientist

From: 100101010011 <-- right about here
Insane since: Mar 2000

posted 09-30-2003 18:59

hey all,

So here's the deal, for work we're developing game with a flash client where multiple users will be able to play a game in real time synchronized using a flash socket connection.

Now where I have some issues is that the scores sent back and forth will be used to award prizes for the game. My concern is that if I'm just sending raw data back and forth using a GET or POST method that someone could use a packet sniffer, figure out the data and then use that and script to cheat at the game. You will be able to play the same quiz several times at seperate time periods, so I don't want them to be able to just play once, get the answers and then submit the correct answers via a script. Or actually worse, just be able to fake the score data without even knowing the answers. There is also a time based element so even if you know the answers, you score better by answering more quickly.

So I'm trying to find a decent solution that I can script in the flash client for encrypting the data sent back and forth to the scoring cgi. I've thought of using a checksum via MD5 and a secret string to validate the submitted data and I think that's a decent solution, but I'm wondering if a flash app can be reverse engineered to get the string.

Does anyone have any experience with this? (I'm by no means a security expert ) Ideas? Links? Advice? Brainstorming ideas freely accepted. I can take this portion of the project out of house to an "expert" but I think it's something I would like to learn.

.:[ Never resist a perfect moment ]:.

[This message has been edited by bitdamaged (edited 09-30-2003).]

Rhino
Bipolar (III) Inmate

From: New Jersey, USA
Insane since: Jul 2003

posted 10-01-2003 22:52

I have done something like this but for different reasons. I worked on a web site that was mainly built in Java except a few pieces of the web site (bulletin boards and forum) which were built in PHP and hosted at a completely different ISP. In order to use the PHP side of the site we had to make sure you were logged in and also wanted to know who you were logged in as. What we decided to do was encrypt a string of data that contained certain information like the ID of the user, First Name, Last Name and a timestamp. This would allow us to make sure the request was made recently and also keep users from easily deciphering what exactly we were sending.
The cipher we decided on was DES since it was shared between the two different languages and was also tough to decrypt. If you would like, I would be happy to post up the code I used to encrypt the data on the Java side.

dl748
Obsessive-Compulsive (I) Inmate

From: Michigan
Insane since: Oct 2003

posted 10-02-2003 07:34

why don't you just use SSL, a packetsniffer wouldn't be able to sniff that, then you would have to change 0 of your code.

trib
Paranoid (IV) Inmate

From: Den Haag, Netherlands
Insane since: Sep 2002

posted 10-08-2003 09:19

If you're using PHP as your server-side scripting you could look at sessions. All the data is stored at the server-side and only the session ID ispassed back and forth ... you can also rewrite your session handler routines (very simply) to use a database as the session data store, or set the TTL of your sessions to very long periods ... hence making the whole thing persistent over multiple visits if that's what you want.

OTOH - if you aren't using PHP ... I just wasted 5 minutes of your time

Bug-free software only exisits in two places
A programmer's mind and a salesman's lips