On Wed, Apr 04, 2007 at 04:51:20AM -0400, Zach wrote:
> Thanks for explaining further, that was interesting. Do you know how
> commercial games which use a client-server model handle this problem?

If we are talking about PC games: For the most part - they are just as
weak. Almost any game out there that people want to play has been
'cracked'. Now, they are into the realm of subscription fees, and
regular software update requirements. In World of Warcraft, Blizzard
specifically reserves the right within the user agreement to scan your
system for any third party plug-ins, enhancements, or cracks. Renewal
accounts, and the online requirement that only one person use the
account at a time means that a key cannot be abused without it being
linked to a credit card that can be charged.

If we are talking about console games: The modern ones have built-in
hardware to do its best to 'control the software and hardware of the
client'. The Microsoft X-Box has cryptographic control of the major
hardware components, including the hard drive. Nintendo and a few
others have preferred to use custom media formats that are difficult
for end users to duplicate. They do their best, but even they are
still cracked.

> And how about more sensitive data such as those financial
> institutions, the military, for profit R&D, govt. R&D would handle.

In most areas, a password is sufficient. The client software does not
need to be controlled. A standard web browser might be acceptable. The
user enters a password. The authenticated account grants accounts to
resources. To protect the password and body from eavesdropping, one of
several algorithms is used to encrypt the transmissions between client
and server (SSL/TLS being common).

However, attempts are still made to control software. For example,
when I connect to work using Contivity, they now require that software
known as TunnelGuard is active.
TunnelGuard ensures that my computer meets the configured requirements
in terms of anti-virus and firewall software on my PC before allowing
me to use the connection.

This software would have the same problem, though. It could be
cracked, because the algorithm and secret key are distributed widely
to all clients. I don't know how it is included - whether it is more
sophisticated than RES-RSA or not - and I won't, because cracking the
software would be a violation of some agreement I'm sure. :-)

Cheers,
mark

--
mark at mielke.cc / markm at ncf.ca / markm at nortel.com
Neighbourhood Coder
Ottawa, Ontario, Canada

One ring to rule them all, one ring to find them, one ring to bring
them all and in the darkness bind them...

http://mark.mielke.cc/