[MUD-Dev] Star Wars Galaxies: 1 character per server

Amanda Walker amanda at alfar.com
Tue Dec 17 17:29:37 CET 2002


Daniel.Harman at barclayscapital.com <Daniel.Harman at barclayscapital.com> wrote:

> How about storing some kind of checksum on the server on a per
> character basis. If you keep the algorithm secret, the chances of
> them being able to hack the encryption, modify their character,
> and then satisfy your top secret checksum are beyond negligible.

I hope JC doesn't mind if I put my "information security
professional" hat on for a moment, since while MUDs are a sideline,
information and network security is how I make my living.

A good rule of thumb is that if your information security depends on
an algorithm remaining secret, your security architecture is
vulnerable.  This is the infosec version of "never trust the client"
:).

What you've described is called a "Message Authenticity Code" (MAC).
Rather than keep the algorithm secret, most implementations use a
publicly available algorithm along with secret key material.  For
example, "compute a hash value for the message and encrypt it with
your private key" is what a digital signature amounts to--anyone
(with the corresponding public key) can verify that the message has
not been changed, but only the holder of the secret key can generate
a new MAC.  There is a lot of information (and code) in the public
domain for using cryptography for MACs, encryption, and so on.

Managing key material is a whole barrel of monkeys of its own, of
course.

Amanda Walker


_______________________________________________
MUD-Dev mailing list
MUD-Dev at kanga.nu
https://www.kanga.nu/lists/listinfo/mud-dev
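
An added example, not part of the original post: the per-character checksum done as a keyed MAC with a public algorithm and a secret server-side key. HMAC-SHA256, the JSON record layout, and the names seal, verify and SERVER_KEY are assumptions chosen for illustration.

```python
import hashlib
import hmac
import json
import secrets

# Assumption: the key lives only on the server; generated here for the demo.
SERVER_KEY = secrets.token_bytes(32)


def canonical(record: dict) -> bytes:
    """Serialize deterministically so the same record always yields the same bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def seal(record: dict, key: bytes = SERVER_KEY) -> str:
    """Return the HMAC-SHA256 tag (hex) for a character record."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def verify(record: dict, tag: str, key: bytes = SERVER_KEY) -> bool:
    """Recompute the tag and compare it in constant time."""
    return hmac.compare_digest(seal(record, key), tag)


def demo() -> dict:
    # Constructed sample character record.
    original = {"account": "acct-1001", "name": "Tarn", "level": 12, "credits": 350}
    tag = seal(original)

    # The record is edited on the client, which has no access to SERVER_KEY.
    edited = dict(original, credits=9_000_000)

    # Knowing the algorithm is not enough: an unkeyed hash and a guessed key both fail.
    unkeyed = hashlib.sha256(canonical(edited)).hexdigest()
    guessed = seal(edited, key=b"\x00" * 32)

    return {
        "untouched_ok": verify(original, tag),
        "edited_with_old_tag": verify(edited, tag),
        "edited_with_unkeyed_hash": verify(edited, unkeyed),
        "edited_with_guessed_key": verify(edited, guessed),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```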


