[nycphp-talk] Tamperproof URLs and PHP slides posted
John Campbell
jcampbell1 at gmail.com
Wed Dec 12 12:51:46 EST 2007
> Yes there is, John, but you may need to seriously consider whether
> implementation is worth it.
>
> You can use a public/private key pair to perform asymmetric
> encryption. That means that a value encrypted using one key can only
> be decrypted using the other. This is the encryption scheme used for
> SSL, where your browser uses the server's public key (aka Certificate)
> to encrypt the request.
>
> So you would use the game's public key to encrypt hash-of-score:random
> on the client side. And then on the server, you would use the game's
> private key to decrypt the value and check the hash.
>
> Your tasks, should you choose to go this route, are to find an RSA
> implementation in ActionScript to perform the encryption, and to use
> PHP's OpenSSL support to perform the decryption. I'm pretty sure the
> first task is going to be tougher than the second unless Adobe
> provides an API in the Flash player.
>
I don't follow how this is any better than what I have now? The
public key is still stored in the swf, and there is nothing that
prevents the key from being extracted from the swf and the request can
still be forged. This seems to just be better obfuscation.
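
Added example, not part of the original post or of either poster's code: a PHP sketch of the server check described in the quoted proposal, showing that it accepts a token from any program that holds the public key. The token layout (`sha256(score):nonce`, with the score sent alongside in the clear), the function names `build_token` and `server_accepts`, and the sample scores are assumptions made for illustration.

```php
<?php
// Added illustration; function names and token layout are assumptions.

// Server-side key pair. The public half is what would ship inside the SWF.
$serverKey = openssl_pkey_new([
    'private_key_type' => OPENSSL_KEYTYPE_RSA,
    'private_key_bits' => 2048,
]);
$publicPem = openssl_pkey_get_details($serverKey)['key'];

// What any holder of the public key can compute: encrypt "sha256(score):nonce".
function build_token(string $publicPem, int $score): string
{
    $plain = hash('sha256', (string) $score) . ':' . bin2hex(random_bytes(16));
    if (!openssl_public_encrypt($plain, $cipher, $publicPem, OPENSSL_PKCS1_OAEP_PADDING)) {
        throw new RuntimeException('encryption failed');
    }
    return base64_encode($cipher);
}

// Server check as described in the quoted proposal: decrypt, then compare the hash.
function server_accepts($privateKey, int $score, string $token): bool
{
    $cipher = base64_decode($token, true);
    if ($cipher === false ||
        !openssl_private_decrypt($cipher, $plain, $privateKey, OPENSSL_PKCS1_OAEP_PADDING)) {
        return false;
    }
    [$hash] = explode(':', $plain, 2);
    return hash_equals(hash('sha256', (string) $score), $hash);
}

// Constructed sample: token built by the game for a score that was played.
$fromGame = build_token($publicPem, 1200);
// Constructed sample: token built by a separate program holding the same public key.
$fromOther = build_token($publicPem, 999999);

var_dump(server_accepts($serverKey, 1200, $fromGame));    // game's own submission
var_dump(server_accepts($serverKey, 999999, $fromOther)); // same key, different sender
var_dump(server_accepts($serverKey, 1300, $fromGame));    // score altered after the token was built
```

The check ties a token to a score, so the third call is rejected, but it cannot tell the first two senders apart: encrypting under a public key shows only that the sender had that key, which is the point raised in the reply above.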