"Software clients can't be secured" is an axiom of computer security. True, but not helpful. How do you incorporate security into a client and address the key issues of identity? For more information, or if you need any security help, visit http://free2secure.com/.
Protect Your Client Software and Identification Security
1. Security eBooks
Client Anatomy and Identification – Security Inside the Client – Part 1
Steven Davis
steve@free2secure.com
Games, iGaming, and Gambling +1.650.278.7416
2. Most Useless Security Axiom: You Can’t Secure the Client
3. … but you need the Client to be part of your security… so, how do you build a secure system with insecure components?
4. Uniqueness and Identity
• Security decisions are built on different forms of identity
  – Service account
  – Person
  – Platform
  – Payment account
  – Email
5. REMEMBER: People are not Accounts. Neither are Computers.
6. Identity and Uniqueness are Tenuous Online
• Online Identity is simply pieces of data presented over a network
• The connection between the data and the underlying entity is weak
• Bits are bits
7. Client Components
• Computer (tablet, cell phone)
  – Hardware Components
• (Game) Application
  – Program
  – Persistent Data
  – State & Session Information
• Operating System
• Other Programs
• Other Data
8. Device Fingerprinting
(Diagonal watermark across the slide: “Fingerprinting is far too strong a word”)
• Collection of a large number of hardware and software identities to create a “fingerprint”
• getXXXXID() is just a program that can be spoofed
• Better as a “white list” than a “black list”… maybe
• Questionable in a world of active adversaries
9. Basic Identity Toolkit
Multiple platform identity sources, grouped by how each is obtained:
• Extracted – Hardware, Platform Serial Number, Other Applications
• Input – Player Identity Information
• Stored – Stored Application Data
• Input Once – Registration Keys
• Tools – Hashes & Splits & Passwords
10. Registering a Platform
1. Collect Platform ID information (License Key, Local IDs, Local Data)
2. Server Seed or Local Seed (optional)
3. Hash (optional)
4. Split (optional)
5. Build Platform ID
6. Build Platform Authentication Data
7. Store Locally
8. Exchange with Server
Diagram elements: License Key, Local IDs, Local Data, Seed (optional), Platform ID, Platform Authentication Data, Local Split.
11. Essential Platform Identification & Authentication
• Retrieve Platform ID
• Reconstruct or Retrieve Platform Authentication Data
• Verify (Locally or Remotely)
Verification can be bypassed, spoofed, etc., of course, as can IDs and authentication data.
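A worked version of the registration steps (slide 10) and the retrieve/reconstruct/verify steps (slide 11) above, as added example code, not the deck's own: it assumes HMAC-SHA256 as the hash, an XOR split of the authentication data into a local share and a server share, and constructed sample identifiers in place of real platform IDs.

```python
import hashlib
import hmac
import json
import secrets

# Constructed sample inputs (not real identifiers) standing in for step 1's
# License Key / Local IDs / Local Data and the deck's optional server seed.
SAMPLE_LICENSE = "LIC-0000-CONSTRUCTED"
SAMPLE_IDS = {"cpu_id": "cpu-constructed-01", "disk_serial": "DISK-CONSTRUCTED", "mac": "00:11:22:33:44:55"}
SAMPLE_DATA = {"install_ts": "2013-01-01T00:00:00Z"}
SERVER_SEED = b"constructed-server-seed"

def collect_platform_info(license_key, local_ids, local_data):
    """Step 1: canonical (sorted-key JSON) serialization, so equal inputs always hash equally."""
    record = {"license": license_key, "ids": local_ids, "data": local_data}
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()

def build_platform_id(info, seed):
    """Steps 2, 3 and 5: keyed hash of the collected info under the seed gives the Platform ID."""
    return hmac.new(seed, info, hashlib.sha256).hexdigest()

def auth_secret(platform_id, seed):
    """Step 6: Platform Authentication Data, derived from the seed and the Platform ID."""
    return hmac.new(seed, b"auth:" + platform_id.encode(), hashlib.sha256).digest()

def split_secret(secret):
    """Step 4: XOR split into a local share and a server share; neither store holds the whole secret."""
    local_share = secrets.token_bytes(len(secret))
    server_share = bytes(a ^ b for a, b in zip(secret, local_share))
    return local_share, server_share

def register_platform(license_key, local_ids, local_data, seed):
    """Steps 7 and 8: returns (what the client stores locally, what is exchanged with the server)."""
    pid = build_platform_id(collect_platform_info(license_key, local_ids, local_data), seed)
    local_share, server_share = split_secret(auth_secret(pid, seed))
    local_store = {"platform_id": pid, "local_share": local_share.hex()}
    server_record = {"platform_id": pid, "server_share": server_share.hex()}
    return local_store, server_record

def verify_platform(license_key, local_ids, local_data, local_store, server_record, seed):
    """Slide 11: re-derive the Platform ID, reconstruct the auth data from both shares, and verify."""
    pid = build_platform_id(collect_platform_info(license_key, local_ids, local_data), seed)
    if local_store["platform_id"] != pid or server_record["platform_id"] != pid:
        return False  # the IDs collected now do not match the registered platform
    local_share = bytes.fromhex(local_store["local_share"])
    server_share = bytes.fromhex(server_record["server_share"])
    reconstructed = bytes(a ^ b for a, b in zip(local_share, server_share))
    # Constant-time compare. Slide 11's caveat still holds: a hostile client can spoof every input here.
    return hmac.compare_digest(reconstructed, auth_secret(pid, seed))
```

The split means a copied local store alone, or a leaked server record alone, does not yield the authentication data; only a client whose collected IDs still match and who holds the local share passes.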
12. Security Tokens
• Can be effective
• Identify themselves, not people
• Need to be linked with platform identity
• Only as strong as registration process
• PART of a security solution – a Node of trust, not a trusted system
13. Platform Identity is “Polite” Identity
• Useful, if you understand its limitations
• Can be used for basic fraud detection and white listing
• Black listing limited by virtualization and effort of foes
• Challenge – Design Your System using weak identity
• Do you need identity at all?
  – Gratuitous Strong Passwords
• Use external channels for positive identification
14. What next?
• Don’t give up!
• More security presentations at: http://free2secure.com/
• Check out my book “Protecting Games”
  – Additional information at http://playnoevil.com/
• You can “win” the security game
15. About Me
• Steven Davis
  – 25+ Years of Security Expertise
  – I have worked on everything from online games and satellite TV to Nuclear Command and Control and military communications
• http://www.linkedin.com/in/playnoevil
  – Author, “Protecting Games”
• Why Free2Secure?
  – Security is too expensive and isn’t working. There has to be a better way. I’m exploring these issues for IT security, ebooks, games, and whatever else strikes my fancy at http://free2secure.com/
  – Join me there, ask questions, challenge assumptions, let’s make things better