I’m working on the backend for a Flash game and I need to secure the data going into the scoreboard.
The game is going to be hosted on many sites in a banner ad, the user will play the game in the advert then click through to the main site to save their details.
At the moment I am thinking along the lines of this
- User plays the game and clicks to submit their score
- In the background, the banner sends the score and the originating domain to a script on the main site.
- The script check the domain is one of the valid domains the ad is being hosted on.
- If everything is right, the script creates a hash of this score and domain and stores it in the database along side the score.
- The script returns the hash to Flash which cobbles it onto the querystring of a getURL which opens the main scoreboard
- The scoreboard page checks the referer to make sure it is one of the valid domains.
- If it is it then checks the database for the hash to if it’s a valid token
- the user then fills in their details and the record is updated based on the hash
Last time I checked FLash doesn’t send referer info, which kinda throws a spanner into my plan. So, is there an already established pattern for this kind of Flash/Database interaction?
What sort of Hashing/Checksuming should I use in step 4? What is the correct name for this kind of operation, is it a hash, a checksum or something else?
I understand that being a clientside technology, Flash will never actually be THAT secure, but in my mind, something like the above is about as dificult as you’re going to make it to hack this kind of application.
UPDATE: My main objective is to make it harder for people to find the URL of the script that adds the score to the database and simply spam it with fake scores.
Thanks, Greg
I have previously worked in the game industry, and did something along these lines. To my knowledge, no one ever bothered cracking the score submitting part.
The way it was done was :
Note : The hashing / checksuming was made using a custom function. Did not need something very secure. It was made using a computation on the salt and the score. Some simple math operations like sums, multiplications and subtractions.
Edit: a simple algorithm / maths for the checksum
Lets say your user has a score of 5885.
You generate a random number as a salt of 134789 (constant length, pad with 0)
cryptedScore = Score * Salt (you should use something a bit more complex here, but it is just an exemple)
In our example, the crypted score would be : 793233265
Now for the checksum, lets say you want to have a value of 253 as a checksum.
You add all the numbers of your crypted score 7+9+3+2+3+3+2+6+5 = 40
Now, you calculate the value of your checksum for this score
253 – (Sum of crypted score numbers % 253)
Now, we have the following numbers:
the salt = 134789
the crypted score = 793233265
the checksum = 40
You make a request to the server, sending 134789793233265040 as a score.
On score server, you can divide 793233265 by 134789 giving 5885 and validate the checksum using the same function as before.
If the checksum fails, then numbers have been tampered.
you could probably end up with something much more secure, but it should do the trick.