Protecting data sent over GET

Discussion in 'PHP' started by qscomputing, Jan 2, 2006.

  1. qscomputing
    Hi,

    I am developing an online highscoreboard system using PHP and MySQL. I need a way for scores to be sent from the game to the highscoreboard over HTTP. My first thought was to simply open a webpage:
    http://my-server/my-script.php?score=42

    However, this is clearly open to abuse once people work out the name of the script.

    So, I need a way of protecting the score data, or some kind of checksum which allows the server to verify that the data actually came from the game (ie. the game computes a checksum from the score and sends it with the score to the server, which checks whether the checksum is correct). I hope this is clear enough.

    Any suggestions for a reasonably secure system, and how to implement it in PHP?

    Oh, the highscoreboard system will be an open-source general system that can be dropped into any game.

    TIA,
    - QS Computing.
     
    qscomputing, Jan 2, 2006 IP
  2. n0other
    I'd suggest you to look into mcrypt extension and 'shared secrets' message protection. You encrypt your data on one end (game) using some secret key, send it over network to another end (scoreboard), which knows the secret key and can decrypt the data. Good luck.
     
    n0other, Jan 2, 2006 IP
  3. daboss
    besides that, maybe you can check that the referrer is a valid referrer... e.g. the referrer must be from another page from your site...

    this way, if someone tries to key in the url directly into the browser or codes the url into one of their own webpages, you'd not process the request...
     
    daboss, Jan 2, 2006 IP
  4. n0other
    Oh, referer info can be faked easily. Or turned off. Not a reliable source I'd say.
     
    n0other, Jan 2, 2006 IP
  5. Voyager2K
    There is a chance to first of all securely send the decode key. After that, all GET data will be encoded and decoded by the recipient.
     
    Voyager2K, Jan 2, 2006 IP
  6. fsmedia
    Why not just use a $_POST instead?
     
    fsmedia, Jan 2, 2006 IP
  7. themole
    Because that can be spoofed as well.

    Why not just use a form to submit the scores that requires a password.


```php
if($_POST['password'] == 'somepassword')
{
       //update scores
}
```

    Using GET would just be a pain in my opinion.

    *edit*

    If you must use GET, I would add a unique field for a key on every game/score in your table something like:

    table games
    team1_id
    team2_id
    team1_score
    team2_score
    key (unique)
    score_locked (enum yes/no)

    So after passing your script something like ?team1_score=30&team2_score=50&key=jkjkjkjkjk and checking them for garbage you would use this query

    "select key from games where key = '$key' and score_locked = 'no' limit 1";

    If it found a match, you would then update as necessary.

    -the mole
     
    themole, Jan 2, 2006 IP
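As an added example (not themole's code or the thread's own), here is the one-time key lookup from the post above done with a prepared statement, so the key value is bound rather than pasted into the SQL, and with the row locked in the same step so a key cannot be used twice. The table and column names follow themole's sketch (games, team1_score, team2_score, key, score_locked); the in-memory SQLite database, the sample game row and the key format (32 hex characters) are constructed here so the example runs offline. It assumes the pdo_sqlite extension and PHP 7 or later (for random_bytes).

```php
<?php
// Added example, not from the thread: one-time submission key, prepared
// statements, and a row lock so a key cannot be replayed. Assumes pdo_sqlite.
declare(strict_types=1);

function setupDemoDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // "key" is a reserved word in SQL, so it is quoted as an identifier.
    $db->exec(<<<'SQL'
CREATE TABLE games (
    id           INTEGER PRIMARY KEY,
    team1_id     INTEGER,
    team2_id     INTEGER,
    team1_score  INTEGER,
    team2_score  INTEGER,
    "key"        TEXT NOT NULL UNIQUE,
    score_locked TEXT NOT NULL DEFAULT 'no'
)
SQL
    );
    // One constructed game. The key is generated server side with the CSPRNG
    // and would be handed to the game before play starts.
    $ins = $db->prepare('INSERT INTO games (team1_id, team2_id, "key") VALUES (1, 2, :k)');
    $ins->execute([':k' => bin2hex(random_bytes(16))]);
    return $db;
}

// Returns true if the scores were recorded, false if the key is malformed,
// unknown, or already used.
function submitScore(PDO $db, string $key, int $team1Score, int $team2Score): bool
{
    // "checking them for garbage": reject anything that is not a key-shaped
    // string before touching the database at all.
    if (!preg_match('/^[0-9a-f]{32}\z/', $key)) {
        return false;
    }

    $db->beginTransaction();
    try {
        // themole's lookup as a prepared statement: $key is bound, never
        // interpolated into the SQL text.
        $find = $db->prepare(
            "SELECT id FROM games WHERE \"key\" = :k AND score_locked = 'no' LIMIT 1"
        );
        $find->execute([':k' => $key]);
        $id = $find->fetchColumn();
        if ($id === false) {
            $db->rollBack();
            return false;
        }

        // Record the scores and lock the row in one statement. The repeated
        // score_locked = 'no' guard means that if two requests with the same
        // key race, only one of them can succeed.
        $upd = $db->prepare(
            "UPDATE games SET team1_score = :s1, team2_score = :s2, score_locked = 'yes'
             WHERE id = :id AND score_locked = 'no'"
        );
        $upd->execute([':s1' => $team1Score, ':s2' => $team2Score, ':id' => $id]);
        $ok = ($upd->rowCount() === 1);
        $db->commit();
        return $ok;
    } catch (Throwable $e) {
        $db->rollBack();
        throw $e;
    }
}

// Demo: a genuine submission, a second use of the same key, and a malformed key.
$db  = setupDemoDb();
$key = (string) $db->query('SELECT "key" FROM games LIMIT 1')->fetchColumn();

$first   = submitScore($db, $key, 30, 50);      // fresh key
$replay  = submitScore($db, $key, 99, 0);       // same key again, row is now locked
$garbage = submitScore($db, 'not-a-key', 99, 0); // fails the shape check

printf("first=%s replay=%s garbage=%s\n",
    var_export($first, true), var_export($replay, true), var_export($garbage, true));
```

The key here is a capability: it proves the request relates to a game the server itself created, and it is burned on first use, so a URL captured from a browser history or a proxy log cannot be resubmitted. It does not prove the score inside the request is honest; that part is what the checksum ideas later in the thread try to cover.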
  8. jimrthy
    If you have access to the game server why would you trust the client to pass it to you? When the game's over, check the HighScores table, and update it if needed.

    Otherwise, about your only option is to trust the client. (Well, the suggestions about encrypting/signing work, but why bother, if you have access to the game server?)

    Or maybe I'm missing an important point.
     
    jimrthy, Jan 2, 2006 IP
  9. tccoder
    hmm how about using https?
     
    tccoder, Jan 3, 2006 IP
  10. TMan
    Why don't you send the data in http headers? It's possible to hack this for sure, but quite a lot less obvious than using get...

    Maybe you should check how trackbacks (used on blogs) work exactly, something with xmlrpc I believe? You could use that I guess.

    Otherwise, there are quite some standard encryption functions in php I believe.
     
    TMan, Jan 3, 2006 IP
  11. Juls
    if he is talking about implementing this with flash games then his only option is to send it via a get or post.

    Encrypting your data is definitely a good idea and possibly with a rotating key that changes daily or weekly.
     
    Juls, Jan 3, 2006 IP
  12. qscomputing
    Actually, it's most probably going to be offline games, probably made with a tool like Game Maker (www.gamemaker.nl). The reason I say GET is that I know that that system has a command to open a web browser to a given page, which can of course include GET. Although it can use DLLs so I could use a more powerful language like Delphi or C++ to code something more sophisticated.

    I think the encryption is probably the best idea; does anyone know of a reasonable encryption module that can be implemented in both PHP and Delphi?

    Thanks,
    - QS Computing.
     
    qscomputing, Jan 3, 2006 IP
  13. n0other
    I think you should look for whatever supports the encryption algorithm you are going to use, not for the same libs.. mcrypt for PHP. Don't know about delphi, but I'm sure there are plenty.

    I just got this idea.. Don't expect to be 100% secure even with encryption. You'd need to store the key on the user's machine, probably in the game binary itself. Strings from binaries can be seen using a tool such as 'strings', which is available on *nix-like OSes. Haven't tested it yet, but I'm pretty sure you could find the key if you wanted to. Of course you could retrieve the key in encrypted form from your server, but we'd encounter the same problems as we would when sending our data.. Just brainstorming. However, don't give up on security thinking 'no one will bother cracking it'. Be sure, someone will. It's nice you've asked this question in the first place though.
     
    n0other, Jan 4, 2006 IP
  14. cornelius
    hmm, why don't you either

    *remotely connect to the database
    or
    *use webservices
     
    cornelius, Jan 4, 2006 IP
  15. qscomputing
    Remote database connections are out because of the way my server is set up.
    and
    Sorry, I don't know much about webservices, can you point me to some more information?

    Thanks,
    - QS Computing.
     
    qscomputing, Jan 4, 2006 IP
  16. TMan
    How about a socket connection to your server? One could still intercept the data though, but that problem will last forever.
     
    TMan, Jan 5, 2006 IP
  17. Sham
    Let's say you have a field called highScore.
    Why not auto-generate another field within your game called scoreCheck using some secret client-side function?

    Then, use a GET as normal, and in your server side script, perform the same function server side on highScore and see if you end up with scoreCheck again.

    If you do, then you know the highScore sent is legit. If not, then the user has modified either highScore or scoreCheck.

    Of course, you wanna be careful about hiding the function that generated scoreCheck, maybe obfuscating it in some way.

    Sham.
     
    Sham, Jan 6, 2006 IP
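As an added example (not Sham's code or the thread's own), here is the scoreCheck idea built on a keyed hash instead of a hand-rolled secret function, which is the "shared secret" message protection n0other mentioned in post #2: the game computes an HMAC over the fields it sends, and the server recomputes it with the same secret and compares in constant time. A per-submission nonce is included so that a captured URL cannot simply be sent again, which is the same replay concern themole's score_locked flag addresses. The secret value, the player name, the nonce format and the sample URL are all constructed for this example; hash_hmac and hash_equals are standard PHP functions (hash_equals needs PHP 5.6 or later, random_bytes PHP 7 or later).

```php
<?php
// Added example, not from the thread: scoreCheck as an HMAC with a replay check.
// gameSign() is what the game computes before opening the URL (the Delphi/C++
// side would do the same with any SHA-256 HMAC implementation);
// verifySubmission() is the server side.
declare(strict_types=1);

// Constructed placeholder. In a real deployment this is a long random secret
// shared between the game build and the server.
const SHARED_SECRET = 'replace-with-a-long-random-secret';

// Canonical string covering every field the server will act on, so that none
// of them can be changed without invalidating the check.
function canonical(string $player, int $score, string $nonce): string
{
    return implode("\n", [$player, (string) $score, $nonce]);
}

// Game side: produce the scoreCheck field.
function gameSign(string $player, int $score, string $nonce, string $secret = SHARED_SECRET): string
{
    return hash_hmac('sha256', canonical($player, $score, $nonce), $secret);
}

// Server side. $get is the parsed query string; $seenNonces stands in for a
// table of nonces already used. Returns the accepted score, or null when the
// request is malformed, altered, or a replay.
function verifySubmission(array $get, array &$seenNonces, string $secret = SHARED_SECRET): ?int
{
    // Every field must be present and a plain string (PHP turns ?score[]=1 into an array).
    foreach (['player', 'score', 'nonce', 'check'] as $f) {
        if (!isset($get[$f]) || !is_string($get[$f])) {
            return null;
        }
    }
    if (!preg_match('/^[0-9]{1,9}\z/', $get['score'])
        || !preg_match('/^[0-9a-f]{32}\z/', $get['nonce'])) {
        return null;
    }

    // Recompute scoreCheck over the received fields and compare in constant time.
    $expected = gameSign($get['player'], (int) $get['score'], $get['nonce'], $secret);
    if (!hash_equals($expected, $get['check'])) {
        return null; // highScore or scoreCheck was modified
    }

    // Valid signature, but each nonce is accepted only once.
    if (isset($seenNonces[$get['nonce']])) {
        return null;
    }
    $seenNonces[$get['nonce']] = true;
    return (int) $get['score'];
}

// Demo: the game builds the URL, the server parses its query string.
$seen  = [];
$nonce = bin2hex(random_bytes(16));
$url   = 'http://my-server/my-script.php?' . http_build_query([
    'player' => 'alice',
    'score'  => 42,
    'nonce'  => $nonce,
    'check'  => gameSign('alice', 42, $nonce),
]);
parse_str((string) parse_url($url, PHP_URL_QUERY), $params);

$accepted = verifySubmission($params, $seen);   // genuine submission
$replayed = verifySubmission($params, $seen);   // the same URL sent a second time
$params['score'] = '999999';
$tampered = verifySubmission($params, $seen);   // score edited, check no longer matches

printf("accepted=%s replayed=%s tampered=%s\n",
    var_export($accepted, true), var_export($replayed, true), var_export($tampered, true));
```

What this check actually proves is that whoever built the request knew the secret. As n0other points out in post #13, that secret has to live in the game binary on the player's machine, so the scheme raises the effort needed rather than making the score trustworthy; obfuscating the function, as suggested above, only adds to that effort. Where the server can see the game's state directly, jimrthy's approach of computing the result server side is the stronger design.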
  18. ctdp
    The most secure way is to generate a public key on your game server, then send the public key to the client, possibly with an additional known value attached. The client would use javascript to encrypt the answer and the known value and the server would decrypt the data using the private key. The known value should be a match when decrypted and the answer should be a numeric answer.

    The problem is that I do not know of any way to encrypt data with javascript. It can be done but requires math of a higher level of precision than javascript supports. I did find some code that does high precision math in javascript and would like to apply it to some other applications but I have yet to figure out how to get javascript to encrypt/decrypt using a public/private key system.
     
    ctdp, Jan 6, 2006 IP
  19. qscomputing
    I'm looking at using mcrypt to decrypt the data and using a Delphi implementation of the same functions to encrypt and then send over HTTP. However, I know little about encryption so can somebody please tell me which algorithms are the best for my purposes?

    Thanks,
    - QS Computing.
     
    qscomputing, Jan 7, 2006 IP
  20. Sham

    A pretty good attempt, with minimal effort or learning, would be to do something simple, like divide the highscore by 53, add 16 and reverse the numbers, or something like that.

    Then do the opposite on the server end to get the score back?...

    Obviously, if someone REALLY really wanted to, they could experiment with changing the numbers - and may get lucky and end up with a big highscore by pure chance...
     
    Sham, Jan 7, 2006 IP