edA-qa mort-ora-y <eda-qa@disemia.com> writes:
I am writing a score server for client/server games such that various games can talk to one server. Each game would thus register for a name/password and use that in their code to send data to the server.
Now, putting aside all the problems with cheat detection found in closed source software, it seems my problem is exacerbated by the need to distribute full code to make the client (this will be the AGPL so server code is also included).
Does anybody have some good references, or good ideas, on how this can be accomplished, such that each game client can uniquely identify itself with the server? That is, how can I adequately protect some "keys" in a completely AGPL project?
The first thought that occurs is that the keys should not be part of the source, i.e. that the programs should be fully functional without the *specific* keys you will be using for your service.
This is analogous to a client and server that use TLS to communicate: the client and server both have secret keys, and exchange the corresponding public keys at the start of the connection. The server can be configured so that it will refuse connections from clients that fail to present an already-known (i.e. registered) public key for the session.
In fact, what is stopping you from simply using public key cryptography to authenticate both ends of the connection?
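The "refuse clients that don't present a registered public key" idea in the reply, as an added example that is not the original poster's code: the server keeps only public keys (one per registered game), hands out a random challenge, and the client signs it with a private key that is never in the AGPL tree. Ed25519 challenge-response stands in here for the TLS handshake the reply mentions; the `Registry` type, the "score-auth" message prefix and the game names are made up for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Registry is the server's table: game name -> public key submitted at
// registration. Private halves stay with each game's operators, not in source.
type Registry map[string]ed25519.PublicKey
// Challenge is a single-use random nonce the server hands to a connecting client.
type Challenge [32]byte

// NewChallenge draws a fresh nonce for one authentication attempt.
func NewChallenge() (Challenge, error) {
	var c Challenge
	_, err := rand.Read(c[:])
	return c, err
}

// authMessage binds the nonce to the claimed game name, so a signature cannot
// be replayed for another game or another session.
func authMessage(game string, c Challenge) []byte {
	return append([]byte("score-auth:"+game+":"), c[:]...)
}

// ClientRespond runs on the game client: sign the server's challenge with the
// private key that was never committed to the repository.
func ClientRespond(game string, c Challenge, priv ed25519.PrivateKey) []byte {
	return ed25519.Sign(priv, authMessage(game, c))
}

// Authenticate runs on the server: the claimed game must be registered and the
// signature must verify under the key registered for it.
func (r Registry) Authenticate(game string, c Challenge, sig []byte) bool {
	pub, ok := r[game]
	if !ok {
		return false // unknown name: refuse, like an unregistered TLS client
	}
	return ed25519.Verify(pub, authMessage(game, c), sig)
}

func main() {
	// Constructed demo: generating keys here stands in for registration.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	reg := Registry{"asteroids": pub}
	c, _ := NewChallenge()
	fmt.Println("registered client:", reg.Authenticate("asteroids", c, ClientRespond("asteroids", c, priv)))
	fmt.Println("unregistered name:", reg.Authenticate("tetris", c, ClientRespond("tetris", c, priv)))
}
```

Because the check depends only on which public keys the server was configured with, the same source tree can be shipped to everyone without weakening the authentication.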