Writing a secure client/server with open source

Ben Finney bignose+hates-spam at benfinney.id.au
Sun Apr 20 04:28:04 UTC 2008


edA-qa mort-ora-y <eda-qa at disemia.com> writes:

> I am writing a score server for client/server games such that
> various games can talk to one server. Each game would thus register
> for a name/password and use that in their code to send data to the
> server.
> 
> Now, putting aside all the problems with cheat detection found in
> closed source software, it seems my problem is exacerbated by the
> need to distribute full code to make the client (this will be the
> AGPL so server code is also included).
> 
> Does anybody have some good references, or good ideas, on how this
> can be accomplished, such that each game client can uniquely
> identify itself with the server? That is, how can I adequately
> protect some "keys" in a completely AGPL project?

The first thought that occurs is that the keys should not be part of
the source, i.e. that the programs should be fully functional without
the *specific* keys you will be using for your service.

This is analogous to a client and server that use TLS to communicate:
the client and server both have secret keys, and exchange the
corresponding public keys at the start of the connection. The server
can be configured so that it will refuse connections from clients that
fail to present an already-known (i.e. registered) public key for the
session.

In fact, what is stopping you from simply using public key
cryptography to authenticate both ends of the connection?

-- 
 \      "Two rules to success in life: 1. Don't tell people everything |
  `\                                         you know."  -- Sassan Tat |
_o__)                                                                  |
Ben Finney
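
[Added example, not part of the thread above. Ben's suggestion is TLS with the server refusing any client that does not present a registered public key. The Go program below shows the same idea as a bare challenge-response with ed25519 signatures, chosen so it runs without certificates or sockets: the server stores only the registered games' public keys, the client stores only the server's public key, and neither side's private key appears in the source. Everything in it is made up for the illustration: the Server/Client/Register/Authenticate names, the two signing tags, and the game name "tetris" are assumptions, not names from the post or from any project.]

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Each side signs under its own tag, so a server signature can never pass as a client proof or vice versa.
// Tag strings are made up for this example.
const tagClient, tagServer = "scoreserver/client-auth/v1", "scoreserver/server-auth/v1"
// Server holds its own private key and the registered games' public keys; no client secret ever lives here.
type Server struct {
	priv    ed25519.PrivateKey
	reg     map[string]ed25519.PublicKey
	pending map[string][]byte // serverNonce -> clientNonce, for challenges issued but not yet answered
}

// Client is one game build: its own private key and the server's pinned public key, both loaded at runtime.
type Client struct {
	game      string
	priv      ed25519.PrivateKey
	serverPub ed25519.PublicKey
}

// random32 returns 32 fresh bytes: a nonce, or the seed of a new ed25519 key.
func random32() []byte {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}
func NewServer() *Server {
	return &Server{priv: ed25519.NewKeyFromSeed(random32()), reg: map[string]ed25519.PublicKey{}, pending: map[string][]byte{}}
}
func NewClient(game string, serverPub ed25519.PublicKey) *Client {
	return &Client{game: game, priv: ed25519.NewKeyFromSeed(random32()), serverPub: serverPub}
}
func (s *Server) PublicKey() ed25519.PublicKey { return s.priv.Public().(ed25519.PublicKey) }
func (c *Client) PublicKey() ed25519.PublicKey { return c.priv.Public().(ed25519.PublicKey) }
// Register is the out-of-band signup step: the server learns only the public key.
func (s *Server) Register(game string, pub ed25519.PublicKey) { s.reg[game] = pub }
// transcript is what gets signed: tag, game name and both nonces, NUL-separated so layouts cannot collide.
func transcript(tag, game string, clientNonce, serverNonce []byte) []byte {
	msg := []byte(tag + "\x00" + game + "\x00")
	return append(append(msg, clientNonce...), serverNonce...)
}
// Step 1, client -> server: game name and a fresh client nonce.
func (c *Client) Hello() (string, []byte) { return c.game, random32() }
// Step 2, server -> client: a fresh server nonce and a signature proving the server holds the pinned key.
func (s *Server) Challenge(game string, clientNonce []byte) (serverNonce, sig []byte) {
	serverNonce = random32()
	s.pending[string(serverNonce)] = clientNonce
	return serverNonce, ed25519.Sign(s.priv, transcript(tagServer, game, clientNonce, serverNonce))
}
// Step 3, client -> server: verify the server first (a fake score server must not harvest client
// signatures), then sign the same transcript under the client tag.
func (c *Client) Respond(clientNonce, serverNonce, serverSig []byte) ([]byte, error) {
	if !ed25519.Verify(c.serverPub, transcript(tagServer, c.game, clientNonce, serverNonce), serverSig) {
		return nil, errors.New("server failed to prove its identity")
	}
	return ed25519.Sign(c.priv, transcript(tagClient, c.game, clientNonce, serverNonce)), nil
}
// Step 4, server: accept only a challenge it issued and has not yet consumed, and only a signature
// that verifies under the key registered for that game; an unregistered build of the client is refused.
func (s *Server) Verify(game string, serverNonce, clientSig []byte) error {
	clientNonce, issued := s.pending[string(serverNonce)]
	delete(s.pending, string(serverNonce)) // single use: a replayed exchange finds nothing here
	pub, registered := s.reg[game]
	switch {
	case !issued:
		return errors.New("unknown or already-used challenge")
	case !registered:
		return fmt.Errorf("game %q is not registered", game)
	case !ed25519.Verify(pub, transcript(tagClient, game, clientNonce, serverNonce), clientSig):
		return errors.New("client signature does not match the registered key")
	}
	return nil
}

// Authenticate runs the four steps in-process and returns the server's decision.
func Authenticate(s *Server, c *Client) error {
	game, cn := c.Hello()
	sn, ssig := s.Challenge(game, cn)
	csig, err := c.Respond(cn, sn, ssig)
	if err != nil {
		return err
	}
	return s.Verify(game, sn, csig)
}

func main() {
	srv := NewServer()
	game := NewClient("tetris", srv.PublicKey()) // "tetris" is a made-up game name
	srv.Register("tetris", game.PublicKey())
	fmt.Println("registered build:", Authenticate(srv, game))
	fmt.Println("unregistered build:", Authenticate(srv, NewClient("tetris", srv.PublicKey())))
}
```

Two details matter beyond the signatures themselves. The server remembers every nonce it hands out and deletes it on first use, so a recorded exchange cannot be replayed, and the client checks the server's proof before producing its own, so a look-alike server cannot collect signatures to forward elsewhere. Anyone can build the AGPL client and the second call in main shows what happens when they do: the build works, it just is not registered. In a deployment this exchange would run inside TLS, or be replaced by TLS client certificates with the same registered-key check, as the post suggests.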



