C2 Ajax request encrypt values

Post » Fri Dec 16, 2016 5:41 am

I'm using CB.Hash to encrypt these values. I need to know whether this method is correct or not.

Declare var (screenshot)

Encrypt data and assign to var verify (screenshot)

Ajax request submission. Here I'm sending points (xxxsdf) and encrypted values (verify). (screenshot)

On the server side, I'm encrypting points with the secret key and comparing with verify (included in the ajax request). If the comparison is true, insert into the database. Is this enough? (screenshot)

Still is this easily hack-able?
Posts: 4
Reputation: 208

Post » Mon Dec 19, 2016 5:35 pm

CB Hash is a hash, not encryption. The only encryption that works on browsers is SSL, and that is seated in the browser, not the web application.

You cannot encrypt in JavaScript because the source is 100% available to any user of your website. So, people can just remove your encryption in the source.

Hashing is a one way process though, you cannot get the original data back out of it on the server.

You can hash it and have a comparison library on the server. I use something similar for the authentication on our website, but the server needs to have complete information or your comparison will fail.

As long as your secret is sufficiently complex, it will not be hackable.

Also, it is not entirely clear what you are trying to protect. Or are you just doing a non-repudiation scheme? The security will also depend very heavily on how you transmit your secret or the lifetime of the secret. Anyone with Wireshark and knowledge of which algorithm you are using can guess at your original information.
https://www.ravenheart.ca/home
Company name changed to avoid Facebook-type shenanigans

"Someone once told me I bite off more than I can chew...

I told them I would rather choke on greatness than nibble on mediocrity."
Posts: 1,414
Reputation: 4,822

Post » Tue Dec 20, 2016 11:43 am

gumshoe2029 wrote:CB Hash is a hash, not encryption. The only encryption that works on browsers is SSL, and that is seated in the browser, not the web application.

You cannot encrypt in JavaScript because the source is 100% available to any user of your website. So, people can just remove your encryption in the source.

Hashing is a one way process though, you cannot get the original data back out of it on the server.

You can hash it and have a comparison library on the server. I use something similar for the authentication on our website, but the server needs to have complete information or your comparison will fail.

As long as your secret is sufficiently complex, it will not be hackable.

Also, it is not entirely clear what you are trying to protect. Or are you just doing a non-repudiation scheme? The security will also depend very heavily on how you transmit your secret or the lifetime of the secret. Anyone with Wireshark and knowledge of which algorithm you are using can guess at your original information.


I need to know how to pass the scores/points from the C2 game to the server. I'm using ajax to submit scores from the C2 game to the server.
I used hash values for comparison on the server. I have uploaded a screenshot of my code. I'm comparing the hash value that comes from the game. Again, I'm generating a hash value from my secret and the score coming from the game. This value and the value coming from the game should be equal. If not, the data is not updated.

Someone has cheated on my game using Cheat Engine.
Posts: 4
Reputation: 208

Post » Tue Dec 20, 2016 1:37 pm

If you want to encrypt data sent with AJAX, the easiest thing to do is just host the AJAX URL on HTTPS. Then everything you send and receive is encrypted by TLS, using modern and secure algorithms. However that does not stop users posting fake scores.

It is ultimately impossible to identify fake score submissions from real ones. Even if you have some kind of password and protection mechanism using a hash, an "attacker" only need to figure out how to activate the event that posts a score with a fake value, and it will still send a value that is accepted. So you can make it harder, but not rule it out.
Scirra Founder
Posts: 24,245
Reputation: 192,160

Post » Thu Dec 22, 2016 8:34 am

Yes, it uses HTTPS.

tobyr.wtfgamesgroup.com/how-to-secure-construct-2-ajax-connections/

Will this be helpful?
Posts: 4
Reputation: 208

Post » Thu Dec 22, 2016 8:54 am

As I wrote in the tutorial
... after all if security is a serious point in your project you obviously would like to use SSL.


SSL is the proper way to secure your data. But SSL certificates are not free, and if you can't afford it for now, or simply security is not that crucial in your case, then adding this kind of hash token is better than nothing, as
digging in minified JS to crack it is much harder than

This protects you from low-skilled hackers who sniffed the data. So all the kids who just installed some sniffer... and from those who are not familiar with JS or lazy enough to dig in minified JS to find the algorithm to reproduce the token.

I personally use it in several apps where security is not my big concern and it works pretty well.

Up to that, I have figured out another non-SSL security trick for sending data which contains not only the hashing API key but also the encryption. I called this method Super64encode (/decode) as it is based on the Base64 algorithm but salted with two keys. I will be releasing it to the public soon with the TR_System plugin, which is an extension to the native System. Not sure if I'll remember to post it here, but you may want to follow me on Twitter or just check my blog from time to time. I should post it within two weeks or so.
Posts: 930
Reputation: 38,064

Post » Thu Dec 22, 2016 5:29 pm

malinga91 wrote:Someone has cheat on my game. using cheat engine.
You don't need a cheat engine to hack HTML5 games. A simple debugger like Firebug will do fine.

So your main goal is non-repudiation of the scores. SSL/TLS is not going to help with non-repudiation, because the SSL certificates are handled by the browser, and so the web application (and the corresponding debuggers) is technically behind the SSL security wall. People will still be able to submit false scores, and your server will continue accepting them.

The only way that you are going to achieve this is to move all of your scoring logic onto a server application. Then the only power the client has is the power to submit requests for an action to happen. Then you can do all of your checks server-side, and if the score is illegitimate, then you can just send them back a nice error message.

Rule Number One of game development: "Never trust the client; it is in enemy hands."
Last edited by gumshoe2029 on Thu Dec 22, 2016 5:52 pm, edited 3 times in total.
Posts: 1,414
Reputation: 4,822

Post » Thu Dec 22, 2016 5:31 pm

BackendFreak wrote:But SSL certificates are not free

They are now:
https://letsencrypt.org/

Our web portal and game client are secured via SSL/TLS with certificates from Let's Encrypt.

BackendFreak wrote:Up to that, I have figured out another non-SSL security trick for sending data which contains not only the hashing API key but also the encryption. I called this method Super64encode (/decode) as it is based on the Base64 algorithm but salted with two keys. I will be releasing it to the public soon with the TR_System plugin, which is an extension to the native System. Not sure if I'll remember to post it here, but you may want to follow me on Twitter or just check my blog from time to time. I should post it within two weeks or so.


I use a scheme like this too, but that does not protect against falsified data. The problem with all of these schemes is that the protections can simply be removed on the client side.
Posts: 1,414
Reputation: 4,822

Post » Fri Dec 23, 2016 12:19 am

gumshoe2029 wrote:
BackendFreak wrote:But SSL certificates are not free

They are now:
https://letsencrypt.org/

Oh... I'll take a look at that - thanks for sharing!

gumshoe2029 wrote:The problem with all of these schemes is that the protections can simply be removed on the client side.


What do you mean? Yes, you can edit client-side code and remove all hashing and encoding, but it would lose the functionality then, because the backend expects to receive hashed/encoded data. So the only way to cheat is to dive into the client-side JS, read and understand the algorithm of how the security is generated, and then the "hacky" is able to generate false requests. But if you use salted hashing + salted encoding + JS minifying, then you really make their life harder.
Posts: 930
Reputation: 38,064

Post » Thu Dec 29, 2016 6:13 pm

Yeah, it will not work. But people can still scrape usernames/passwords/scores/etc. from the data streams, therefore it is inherently insecure.

And when it comes to non-repudiation, they can just submit a hashed score of whatever they choose, because hashing algorithms are publicly uniform.

That was what I meant when I said:
Anyone with Wireshark and knowledge of which algorithm you are using can guess at your original information.


In @malinga91's original post, if I wanted to submit a false score to his hashed system, I would use the URL:
https://www.domain.com/endpoint/ajax.php?xxxsdf=92323&verify=fda64db2c94f9b96ad316a858f1fac3974059d07ebf244fb01b5e53e9c87eb76

and because I have access to all of the JavaScript variables, including his "secret," I can submit a false score still, and his server will still accept it because it is not secure.
Posts: 1,414
Reputation: 4,822
