On Wed, Apr 04, 2007 at 04:51:20AM -0400, Zach wrote:
> Thanks for explaining further that was interesting. Do you know how
> commercial games which use a client-server model handle this problem?

If we are talking about PC games:

For the most part - they are just as weak. Almost any game out there
that people want to play has been 'cracked'.

Now, they are into the realm of subscription fees, and regular
software update requirements. In World of Warcraft, Blizzard
specifically reserves the right within the user agreement to scan your
system for any third party plug-ins, enhancements, or cracks. Renewal
accounts, and the online requirement that only one person use the
account at a time means that a key cannot be abused without it being
linked to a credit card that can be charged.

If we are talking about console games:

The modern ones have built in hardware to do its best to 'control the
software and hardware of the client'. The Microsoft X-Box has
cryptographic control of the major hardware components, including the
hard drive. Nintendo and a few others have preferred to use custom
media formats that are difficult for end users to duplicate. They do
their best, but even they are still cracked.

> And how about more sensitive data such as those financial
> institutions, the military, for profit R&D, govt. R&D would handle.

In most areas, a password is sufficient. The client software does not
need to be controlled. A standard web browser might be acceptable. The
user enters a password. The authenticated account grants accounts to
resources. To protect the password and body from eavesdropping, one of
several algorithms are used to encrypt the transmissions between
client and server (SSL/TLS being common).

However, attempts are still made to control software. For example,
when I connect to work using Contivity, they now require that software
known as TunnelGuard is active. TunnelGuard ensures that my computer
meets the configured requirements in terms of anti-virus and firewall
software on my PC before allowing me to use the connection. This software
would have the same problem, though. It could be cracked, because the
algorithm and secret key is distributed widely to all clients. I don't
know how it is included - whether it is more sophisticated than RES-RSA
or not - and I won't, because cracking the software would be a violation
of some agreement I'm sure. :-)


mark at mielke.cc / markm at ncf.ca / markm at nortel.com     __________________________
.  .  _  ._  . .   .__    .  . ._. .__ .   . . .__  | Neighbourhood Coder
|\/| |_| |_| |/    |_     |\/|  |  |_  |   |/  |_   | 
|  | | | | \ | \   |__ .  |  | .|. |__ |__ | \ |__  | Ottawa, Ontario, Canada

  One ring to rule them all, one ring to find them, one ring to bring them all
                       and in the darkness bind them...