保护客户端 API
[英]Securing a client-side API
问题描述
I'm building a server-side API and client-side library for a JavaScript-based game where two very important features must be secured.
我正在为基于 JavaScript 的游戏构建服务器端 API 和客户端库,其中必须保护两个非常重要的功能。
- A user must be debited for each play每次播放都必须向用户借记
- We must ensure that the score that gets submitted is the actual earned score by the player.我们必须确保提交的分数是玩家实际获得的分数。
Solving the first problem seems simple;解决第一个问题似乎很简单; at the beginning of each play we hit the API, debit the user's account and return a unique Play ID.在每次播放开始时,我们点击 API,借记用户帐户并返回唯一的播放 ID。 When we submit the user's score for that play, we pass the ID issued at the beginning.当我们提交用户对该游戏的评分时,我们传递了开始时发布的 ID。
The second one has me a little stumped.第二个让我有点难过。 Initially I considered a client-side hashing algorithm based on the ID and the score, but quickly realized that the Javascript that produces the hash could easily be reverse-engineered, even if it was obfuscated.最初我考虑了基于 ID 和分数的客户端哈希算法,但很快意识到生成 hash 的 Javascript 很容易被逆向工程,即使它被混淆了。 At this point I considered a small flash component that generates the hash, but I've heard that even compiled flash can be decompiled.此时我考虑了一个小的 flash 组件,它生成 hash,但我听说即使编译的 flash 也可以反编译。
For added context, I plan to build the server side API in Ruby.为了增加上下文,我计划在 Ruby 中构建服务器端 API。
I'd love to hear any suggestions the clever programmers of Stack Overflow have to offer.我很想听听 Stack Overflow 的聪明程序员提供的任何建议。 Thanks for your time!谢谢你的时间!
Edit: The answer by Homer6 below is a very good solution for more sophisticated games, but unfortunately the simplicity of this game doesn't merit a method like that.编辑:下面 Homer6 的答案对于更复杂的游戏来说是一个非常好的解决方案,但不幸的是,这款游戏的简单性并不值得采用这样的方法。 It's a very short-play time based game, so the score is just the time it takes you to complete a level.这是一款基于游戏时间非常短的游戏,因此分数只是您完成一个关卡所需的时间。
5 个解决方案
解决方案1
6 2011-04-27 06:44:03
Make the server-side part of the game.使服务器端成为游戏的一部分。
You could make the API only receive actions in the game.你可以让 API 只接收游戏中的动作。 So the scoring is done server-side.所以评分是在服务器端完成的。 While this will be more intensive, it's harder to fake.虽然这将更加密集,但更难伪造。
Of course, people could still write bots for it if they're clever.当然,如果他们很聪明,人们仍然可以为它编写机器人。 This also adds the latency of server interactions to the gameplay.这也增加了游戏中服务器交互的延迟。 If there's a way to make the requests non-blocking, it may work.如果有办法使请求不阻塞,它可能会起作用。
HTH高温高压
解决方案2
4 已采纳 2011-04-27 09:04:52
As a rule of thumb just assume that anything in the client side can be faked.根据经验,只需假设客户端中的任何内容都可以伪造。
解决方案3
2 2011-04-27 20:03:02
Download as3corelib library下载 as3corelib 库
Have the server generate a key让服务器生成密钥
The key will be session based and will also expire X amount of minutes密钥将基于 session 并且还将过期 X 分钟
All data to and from the server will be encrypted with this key进出服务器的所有数据都将使用此密钥加密
The fact that data is encrypted with a key that depreciates it makes it much more secure.数据使用会贬值的密钥进行加密这一事实使其更加安全。
解决方案4
1 2011-04-27 06:49:19
I would suggest you go ahead with your flash component, and use a good flash swf encrypter to make it more secure against decompiling.我建议您在 go 之前使用您的 flash 组件,并使用良好的 flash swf 加密器以使其更安全地防止反编译。 This might help: http://asgamer.com/2009/why-how-to-encrypt-your-flash-swf这可能会有所帮助: http://asgamer.com/2009/why-how-to-encrypt-your-flash-swf
解决方案5
0 2011-04-27 12:21:22
expand user score to a data structure like a kind of log:将用户评分扩展为类似日志的数据结构:
<action type="1" score="+3" totalscore="3" gamestate="depends on the game"/>
<action type="4" score="+1" totalscore="4" gamestate="depends on the game"/>
and create a server-side verification algorithm.并创建服务器端验证算法。 however, taking all game logic to the server is much more secure但是,将所有游戏逻辑传送到服务器会更加安全
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.