Writing a secure client/server with open source

Andy stude.list at googlemail.com
Fri Apr 18 22:05:24 UTC 2008


edA-qa mort-ora-y wrote:
> Each game would thus register for a
> name/password and use that in their code to send data to the server.

Seems simple enough.

> it seems my problem is exacerbated by the need to
> distribute full code to make the client (this will be the AGPL so server
> code is also included).

The general consensus is "The attacker already knows the algorithm" thus
revealing the source should not be a problem. Compilation is NOT a
secure way of hiding something anyway.

> Does anybody have some good references, or good ideas, on how this can
> be accomplished, such that each game client can uniquely identify itself
> with the server?

HTTPS? You might want to look at OpenSSL. Some programming languages may
have in built libraries for doing the kind of Asymmetric Cryptography
you need.

> That is, how can I adequately protect some "keys" in a
> completely AGPL project?

Protect from whom? This is in fact one of the most important questions.
If you're just trying to protect a user's login details then it's unlikely
they are going to try to breach their own security (and it's their own
fault if they do).

I would doubt you would need to reveal the decryption key for the AGPL
server. Just make sure the key isn't actually *in* the software. Make it
a separate key file. For instance Apache doesn't have a user's SSL key
compiled into it; it is provided separately. (IANAL)

If of course you are putting keys in the client and trying to hide these
keys from the person running the game then that isn't technically
possible (even with proprietary code).

You should try to answer the following questions:
What data needs to be secured?
Where is that data stored?
Where is that data being transferred from/to?
Who is that data being secured from?

Andy
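As an added example (not code from Andy's message or from the original poster's project), here is one way the "separate key file" design above can look for the registered name/password scheme: each game's shared secret lives in a JSON file outside the source tree, the client authenticates each message with an HMAC over it, and the server checks the tag in constant time and rejects replays. The file name, game name, secret and payload are constructed for the demo.

```python
import hashlib
import hmac
import json
import os
import secrets
import tempfile


def load_credentials(path):
    """Read {game_name: shared_secret} from a file kept out of the shipped code."""
    with open(path) as f:
        return json.load(f)


def client_sign(game_name, secret, payload):
    """Client side: bind a fresh nonce and the payload to the game's secret."""
    nonce = secrets.token_hex(8)
    body = json.dumps({"game": game_name, "nonce": nonce, "payload": payload},
                      sort_keys=True)
    tag = hmac.new(secret.encode(), body.encode(), hashlib.sha256).hexdigest()
    return body, tag


def server_verify(credentials, body, tag, seen_nonces):
    """Server side: look up the secret, check the MAC, refuse replayed nonces.
    Returns the payload on success, None on any failure."""
    try:
        msg = json.loads(body)
        game, nonce = msg["game"], msg["nonce"]
    except (ValueError, KeyError, TypeError):
        return None
    secret = credentials.get(game)
    if secret is None:
        return None
    expected = hmac.new(secret.encode(), body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        return None
    if nonce in seen_nonces:  # replay of a previously accepted message
        return None
    seen_nonces.add(nonce)
    return msg["payload"]


def demo():
    """Constructed run: valid message, its replay, and a tampered copy."""
    with tempfile.NamedTemporaryFile("w", suffix=".json", delete=False) as f:
        json.dump({"asteroids": "constructed-secret-not-in-source"}, f)
        path = f.name
    try:
        creds = load_credentials(path)
    finally:
        os.unlink(path)
    seen = set()
    body, tag = client_sign("asteroids", creds["asteroids"], {"score": 120})
    accepted = server_verify(creds, body, tag, seen)
    replayed = server_verify(creds, body, tag, seen)
    tampered = server_verify(creds, body.replace('"score": 120', '"score": 999'), tag, set())
    return accepted, replayed, tampered
```

This does not hide anything from the person running the client, which, as the message says, is not possible; it only keeps the server's secrets out of the AGPL source and lets the server tell registered games apart.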

More information about the Discussion mailing list