
I am making a browser card game. Each player has a number of purchased cards out of a big pool of available cards.

I need to make sure a player cannot hack the cards he uses from the browser, so the server must authenticate that he owns each card he uses and that it is indeed the same card.

In order to make the app faster I want to store the cards data in an external JSON file and only say "player x owns cards y and z" and get the info on those cards from the JSON.

Are there any security patterns that can help me here?

Alex K
ilyo
  • You will need to track state somehow server side. You could store and then sign a set of cards in the JSON with a [HMAC](http://en.wikipedia.org/wiki/Hash-based_message_authentication_code), timestamped, and then validate it server side on each action. In this case you will need to check the timestamp server side to make sure that a previous deck hasn't been used (replay attack). – SilverlightFox Jan 17 '15 at 10:53

1 Answer


You can use openPGP for node in order to create two sets of keys: One public - for your client and one Private for the server.

Using the public key for each client - you'll be able to encrypt the JSON representing the state of each player and prevent its circumvention by manners of hackery.

Make sure you read the dependency section in order to properly polyfill your game for older browser versions.

silicakes
  • I'm not sure if the encryption solves the problem: after a player makes his move I collect the state of the game. What if the state was manipulated? For example he took a card and switched all of its properties with ones of a card he owns, but was not on the board? Or moves a card to an illegal location? – ilyo Jan 16 '15 at 22:08
  • I thought of giving cards unique IDs, but I'm not sure it will solve everything. – ilyo Jan 16 '15 at 22:09
  • Every state update needs to go through the server in order to prevent what you've mentioned. You can use encrypted random IDs in order to pass the updates and return an 'ok' from the server. – silicakes Jan 17 '15 at 10:07
  • Yes, but the server doesn't know *in advance* what it will receive, because it depends on the actions of the player. It can check if the changes are within the possibility of the rules, but it can be too much calculations for a single user turn. So I am looking for some kind of marker that will say "if you receive this from the client, all is legal." – ilyo Jan 17 '15 at 10:12