get a good security for multiplayer game

2019-02-20 14:19发布

问题:

I made a game using eclipse. I have a server program and a client program. The clients communicate with the server using sockets. If the client starts it sends its username and password to the server. If the combination exists, the client can communicate with the server. and the client constantly reads the levels of other people in the game and constantly sends its own level.

my questions: How can i secure the passwords or is it already safe? Can a client not just make his own java program and use an existing username and password to communicate with the server and than send for example that he is 100 levels up. If yes how to solve this? Are there any other things I need to secure?

回答1:

Keep the sensitive state in the server program and have the client request the current value. Then you control it at the server.

If someone has valid credentials, then they are able to do whatever your protocol permits the user to do within their context. This is something you must control from the server program to prevent unintended operations by the client from impacting on overall integrity.



回答2:

... can i know if the client program is an original one i made?

No you can't ... unless you control the execution platform on which the client program is installed and run.

But if you take the approach recommended by Pekka, it doesn't matter. Specifically, if the important state and the actions performed on that state are handled by the server side, then you can implement it in such a way that it doesn't matter if the user has hacked the client.

In practice though, the interactivity of a lot of games depends on fast interactions between the state and the UI. Putting the state on another system is going to cause problems with "lag" unless you can mitigate this.



回答3:

If it is a server driven multi player game, you can design the client apps to request the server to send back a server only decryptable level key and a client readable level number or key. And on a next level change request, make the clients send the previously received level key (i.e. current) and any other parameters as required to identify a client's session state.

With such server only decryptable level key, clients can't modify it and request with a jump in game levels. Server in turn, will send back with next level key and other related info to the client to continue.

Though there may exist many active client sessions but to validate and authenticate them there should exist such service at servers.