..on or around Sun, Dec 23, 2007 at 02:41:56AM -0800, Brandon Bremen said:
> > what are the arguments against using a simple key exchange with the
> > game-server to authenticate a client, an md5sum for multi-player
> > gaming if you like? both client and server could be free-software, yet
> > the client could not be modified without breaking sign-in with that
> > particular game-server.
> >
> > i know this has probably been discussed many times over. if so, it
> > would seem i'm not clear on where this theory falls down.
> >
> > cheers,
> >
> > julian
> >
>
> The problem with an md5sum on a completely free program is that someone
> could simply modify their client to send the correct md5sum. Even if the
> server changes how it's summed each time, you can simply keep a clean
> copy of the binary elsewhere on your disk and sum that instead of the
> actual running executable. The server has no way of trusting that the
> client didn't lie.

yes i agree, an actual md5sum (perhaps a bad metaphor here) wouldn't work.

>
> Some games have tried having a secret string or algorithm in the
> "official" binary that does not exist in the free source code to achieve
> what you are proposing. A client based on the free code would only be
> able to connect to servers that allow it. That may work reasonably well
> if you ignore how difficult it would be to hide your string/algorithm
> from anyone who examines the executable. The problem is that your game
> is now non-free. You would need special permission from any contributors
> to let you distribute a binary without the source code that was used to
> generate it.
>

right.. but what about a public/private key like exchange, similar to
that which we use with SSH? the server generates a unique private key
and stores that key in a private database matching it to a public key
which it ships with the binary. just as with SSH, the software to
generate the key is openly available but the unique public/private key
combination itself is not easily reproducible: the server only allows
one current connection from a signed binary client with the correct
corresponding, registered public key. in essence each game client would
authenticate just as an ssh-agent does.

cheers,

julian

--
http://julianoliver.com
http://selectparks.net
emails containing HTML will not be read.
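
The point made in the quoted reply (a client can sum a clean copy of the binary instead of its running executable, even when the server changes how the sum is computed each time), modelled as an added example that is not part of the original thread or of any Soya code. `Server`, `Client`, `salted_digest` and the byte strings are hypothetical names and constructed data, and SHA-256 stands in for the md5sum.

```python
import hashlib
import hmac
import os

# Constructed stand-ins for the client binaries (not real game files).
OFFICIAL_BINARY = b"official client build: movement rules enforced"
MODIFIED_BINARY = b"modified client build: movement rules removed"


def salted_digest(nonce: bytes, binary: bytes) -> str:
    """Checksum the server asks for: hash of a fresh nonce plus the binary."""
    return hashlib.sha256(nonce + binary).hexdigest()


class Server:
    def __init__(self, official_binary: bytes):
        self.official_binary = official_binary

    def challenge(self) -> bytes:
        # A new random nonce per login, so an old answer cannot be replayed.
        return os.urandom(16)

    def verify(self, nonce: bytes, reported: str) -> bool:
        expected = salted_digest(nonce, self.official_binary)
        return hmac.compare_digest(expected, reported)


class Client:
    """running: the code actually executing; summed: the bytes it chooses to hash."""

    def __init__(self, running: bytes, summed: bytes):
        self.running = running
        self.summed = summed

    def respond(self, nonce: bytes) -> str:
        return salted_digest(nonce, self.summed)


def login(server: Server, client: Client) -> bool:
    nonce = server.challenge()
    return server.verify(nonce, client.respond(nonce))


server = Server(OFFICIAL_BINARY)
honest = Client(running=OFFICIAL_BINARY, summed=OFFICIAL_BINARY)
# Runs modified code but hashes a clean copy kept elsewhere on disk.
lying = Client(running=MODIFIED_BINARY, summed=OFFICIAL_BINARY)
# Runs modified code and hashes itself.
naive = Client(running=MODIFIED_BINARY, summed=MODIFIED_BINARY)
```

The nonce stops replay of an old answer, but `verify` only ever sees `summed`, never `running`, so the server accepts `lying` exactly as it accepts `honest`.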
