Piracy Protection and Online Identity Security with Digital Duplicate Detection

Security eBooks

Cryptographic Duplicate Detection

For Access Management, Piracy
Protection, and More

Steven Davis

steve@free2secure.com
Games, iGaming, and Gambling +1.650.278.7416

Security eBooks

Protocols not Players or Computers

That’s all you see
online


Security eBooks

Traditional Identification &
Authentication Methods are very weak
for verifying actual identities

• Name/Password can be shared & compromised
• ID/Key can be shared or compromised
• “Digital Fingerprints” can be duplicated


Security eBooks

• Powerful white list of
good platforms
• Improve association
of players with
platforms
• Identifying problem
platforms
• Can be a very
powerful technique Detecting
to fight server piracy
/ ghost servers
Duplicate
• Support legitimate Identities
sharing and backups


Security eBooks

Core Idea
Why not change identities AND keys at
every session (or more frequently)?


Security eBooks

Active Identity System - General Flow
tic
sta
• Initialization be
to
– Done in a variety of ways ve
ha
– Identity can even be verified retroactively
ot
• Verify Current Identity/Key Pair sn
doe
• Update Identity/Key Pair e
• Verify Update alu
tit yV
• Continue Operations en
Id
• OPTION - use “rolling update” to operate smoothly
during identity changes
• add an “A” or “B” Flag to messages
• Send “rollover” command message


Security eBooks

Server-Push Identity
Player posts ID to server ID(x)
Server returns Challenge Phrase Challenge(IDx))
Player posts encrypted Challenge Phrase ID(x),E(Key(x),Challenge(IDx))
Server validates Response
Server creates updated ID & Key
Server sends updated ID & Key encrypted in old key E(Key(x+1),ID(x+1),SessionID)
Player decrypts new ID & Key
Player sends validation message to Server SessionID,E(Key(x+1),SessionID)

• Client gets new ID/Key pair from server
• Server knows underlying identity of client
• If duplicate made of client info, server can create an “Identity Fork”
or take other action
• You know a duplicate has been made, not which copy is a duplicate
• Can be done with symmetric keys or public (asymmetric) key
systems


Security eBooks

Collaborative Identity Generation 1
Player creates new ID(cx+1), Transform of new ID, and Challenge1
Player creates new DH random z and computes b z mod p
Player posts Challenge Phrase to server
ID(x),E(Key(x),T(ID(cx+1)), b z mod p,Challenge1)
Server decrypts Challenge Phrase
Server creates new ID(sx+1), Transform of new ID, and Challenge2
Server creates new DH random y and computes b y mod p
* Server creates new DH key Key(x+1) = (b z ) y mod p
Server posts Challenge Phrase to Client
ID(x),E(Key(x),T(ID(sx+1)), b y mod p,Challenge1, Challenge2, H(Key(x+1))
Client decrypts Challenge Phrase and validates Challenge1

• Sample using Diffie-Hellman style key generation
• Could easily be adapted to other public key algorithms


Security eBooks

Collaborative Identity Generation 2
(from previous page) Client decrypts Challenge Phrase and validates Challenge1
* Client creates new DH key Key(x+1) = (b z ) y mod p
Client validates new DH key with received hash
Client sends new ID(cx+1) to Server with hash of new Key and Challenge2
ID(x),E(Key(x),ID(cx+1),H(Key(x+1)),Challenge2)
Server validates new ID against previously received Transform and validates Key(x+1) hash
* Server computes new ID ID(x+1) = ID(cx+1)+ ID(sx+1)
Server sends new ID contribution to Client
ID(x),E(Key(x),ID(sx+1)
* Client computes new ID ID(x+1) = ID(cx+1)+ ID(sx+1)
Client and sever use new ID(x+1), Key(x+1) pair

• Active Identity System is really a temporary pairwise identity
with a remote entity
• Does not need to be client-server, could be peer-to-peer


Security eBooks

Active Identity is Part of an Overall Identity &
Access Management Solution

To
Str
en
an gth
d O en
nli Pla
ne tfo
Se rm
• Digital Fingerprints cu i d
rity en
• User Name/Passwords tity
• Security Tokens
• IP Address
• Platform IDs
• Active ID


Security eBooks

Fighting Server
Piracy

• Client can detect server duplicates as server won’t have
current identity/key pair
– Can prevent connection to pirate server
• Even if real server identity/key database gets
compromised, clients will rapidly rekey to new
identity/key pairs
• Can also be used for traditional computer piracy
detection system

Security eBooks

What next?
• Don’t give up!

• More security presentations at:
http://free2secure.com/

• Check out my book “Protecting Games”
– Additional information at http://playnoevil.com/

• You can “win” the security game

Security eBooks

About Me
• Steven Davis
– 25+ Years of Security Expertise
• Worked on everything from online
games and satellite TV to Nuclear
Command and Control and military
communications
• http://www.linkedin.com/in/playnoevil
– Author, “Protecting Games”

• Why Free2Secure?
– Security is too expensive and isn’t working. There has to be a better way.
I’m exploring these issues for IT security, ebooks, games, and whatever
else strikes my fancy at http://free2secure.com/ .
– Join me there, ask questions, challenge assumptions, let’s make things
better.


Piracy Protection and Online Identity Security with Digital Duplicate Detection

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

Empfohlen

Empfohlen (20)

Piracy Protection and Online Identity Security with Digital Duplicate Detection

Hinweis der Redaktion