edA-qa mort-ora-y wrote:
Each game would thus register for a name/password and use that in their code to send data to the server.
Seems simple enough.
it seems my problem is exacerbated by the need to distribute full code to make the client (this will be the AGPL so server code is also included).
The general consensus is "The attacker already knows the algorithm" thus revealing the source should not be a problem. Compilation is NOT a secure way of hiding something anyway.
Does anybody have some good references, or good ideas, on how this can be accomplished, such that each game client can uniquely identify itself with the server?
HTTPS? You might want to look at OpenSSL. Some programming languages may have inbuilt libraries for doing the kind of Asymmetric Cryptography you need.
That is, how can I adequately protect some "keys" in a completely AGPL project?
Protect from whom? This is in fact one of the most important questions. If you're just trying to protect a user's login details then it's unlikely they are going to try to breach their own security (and it's their own fault if they do).
I would doubt you would need to reveal the Decryption key for the AGPL server. Just make sure the key isn't actually *in* the software. Make it a separate key file. For instance Apache doesn't have a user's SSL key compiled into it, it is provided separately. (IANAL)
If of course you are putting keys in the client and trying to hide these keys from the person running the game then that isn't technically possible (even with proprietary code).
You should try to answer the following questions: What data needs to be secured? Where is that data stored? Where is that data being transferred from/to? Who is that data being secured from?
Andy
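
The advice above to keep the key in a separate file, combined with the per-game name/password idea from the quoted question, could look like the following sketch. It is an added example, not code from the thread; the key-file layout, the HMAC derivation of per-game secrets and all function names are assumptions.

```python
import hashlib
import hmac
import os
import stat
import tempfile


def load_master_key(path):
    """Read the server's master key from a file kept outside the published source."""
    mode = os.stat(path).st_mode
    # Refuse a key file that group or other users can read or write.
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path} must be accessible by its owner only")
    with open(path, "rb") as fh:
        key = fh.read()
    if len(key) < 32:
        raise ValueError("master key is shorter than 32 bytes")
    return key


def game_secret(master_key, game_name):
    """Derive the per-game secret handed out at registration (assumed scheme)."""
    return hmac.new(master_key, b"game:" + game_name.encode(), hashlib.sha256).digest()


def sign(secret, payload):
    """Client side: tag a payload with the game's own secret."""
    return hmac.new(secret, payload, hashlib.sha256).hexdigest()


def verify(master_key, game_name, payload, tag):
    """Server side: recompute the tag for the claimed game, compare in constant time."""
    expected = sign(game_secret(master_key, game_name), payload)
    return hmac.compare_digest(expected, tag)


def demo():
    # Constructed sample: a throwaway key file stands in for the real one.
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "master.key")
        with open(path, "wb") as fh:
            fh.write(os.urandom(32))
        os.chmod(path, 0o600)
        master = load_master_key(path)
        tag = sign(game_secret(master, "game-a"), b"score=1200")
        return (verify(master, "game-a", b"score=1200", tag),   # genuine
                verify(master, "game-b", b"score=1200", tag),   # wrong game
                verify(master, "game-a", b"score=9999", tag))   # altered payload
```

The whole server source can be published because the only secret is the content of the key file. A valid tag shows which game's secret produced it, not that the person running that game is honest, since the per-game secret ships with the game.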