HTML5 multiplayer game security solutions

Posted 2024-09-04 11:51:10 · 195 words · 3 views · 0 comments

Now that there are a couple of neat canvas demos of both classic platform and even 3D fps games in HTML5, the next step might be to try developing a multiplayer HTML5 game. HTML5 socket support makes this relatively straightforward, but with client-side source being viewable by anyone in the browser, what are some solutions for basic game security features for an HTML5-frontend multiuser game -- such as being able to prevent a faked high-score submit?

Comments (2)

泼猴你往哪里跑 2024-09-11 11:51:10

The simple answer is: You can't trust the data from the client, which means that the high score submit can't come from the client.

Since the client code is available for anyone to inspect, there's no way of trusting the data that the client sends your server. Even if you encrypt the data with a per-user encryption key (which is possible), the user can simply alter your code within the browser and change the values it's sending to the server.

Since your game is multiplayer, this might be possible IF the server generates all the scoring events. If the server generates all the scoring events, the client never sends score data to the server which means that the high score data can't be faked.

You'll still have to deal with cheating, which is even more challenging, but that's another issue...

零度° 2024-09-11 11:51:10

Adding on to what Larry said, you're definitely going to have to handle the scoring on the backend to really prevent cheating/fake score posting.

For an example of this in practice... The game Word Wars is a Boggle-esque game where you find as many words as you can from a 4x4 grid of letters.

At the start of each game, a 4x4 board is generated server side. A list of possible words for that board is generated and a hashed version (md5'd with a random salt) of each word as well as the salt are passed to the client.

On the client side, when the letters are typed and the enter key is pressed, we md5 (with the salt from the server) the word that was entered and check that against the list of hashed words provided by the server. If it's a match, we update the client with the new score (there's a function based on letters used and their point values).

Once the game is over, the client sends the list of words they came up with to the server (NOT the score), and the server double-checks that those words existed in the board, and handles the scoring.

This is where Clay.io, the company I'm working in, comes in. Clay.io offers an API for high level HTML5 game features like leaderboards, achievements, payment processing, etc... Needless to say, we needed a solution for games that have a backend to make certain things like high scores more secure.

The solution was to encrypt JavaScript objects on the backend (node.js, php, whatever) using JWT (JSON Web Token), and pass that encrypted object rather than the score itself. This lets us communicate both ways (game -> Clay.io and Clay.io -> game), and is pretty painless to do. The full docs on this are here: clay.io/docs/encryption (max links hit on this answer)

Back to Word Wars... from the server we generate that JWT with the user's score and pass that on to Clay.io to post the score. Voila :)

Of course, this will differ as the type of game you're developing differs, but the moral of the story is you have to get creative :)

I wrote a blog post that covers HTML5 game security in greater detail. Part 3 of a series on HTML5 Game Development Tips.
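
The flow described in the answer above, as an added Node.js example that is not part of the original post and is not Word Wars or Clay.io code: the client gets salted hashes for feedback, submits words rather than a score, and the server rescores and signs the result. The function names, letter values, signing key and the hand-built HS256 token (standing in for a JWT library) are assumptions, and the list of valid words for the board is taken as already computed.

```javascript
// Added example, not Word Wars or Clay.io code. The word list, letter values
// and signing key are constructed; finding a board's words is assumed done.
const crypto = require('node:crypto');

const LETTER_POINTS = { a: 1, e: 1, r: 1, s: 1, t: 1, d: 2, c: 3 }; // assumed
const SIGNING_KEY = 'constructed-demo-key'; // known to game server and leaderboard only

const md5 = (salt, word) => crypto.createHash('md5').update(salt + word).digest('hex');
const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
const hmac = (data) => crypto.createHmac('sha256', SIGNING_KEY).update(data).digest();

// Server: only the salt and hashes go to the client; the word list stays here.
function startGame(validWords) {
  const salt = crypto.randomBytes(16).toString('hex');
  const state = { valid: new Set(validWords), finished: false };
  return { state, toClient: { salt, hashes: validWords.map((w) => md5(salt, w)) } };
}

// Client: instant feedback only. Nothing computed here is trusted by the server.
function clientCheck(toClient, word) {
  return toClient.hashes.includes(md5(toClient.salt, word));
}

// Server: the client submits words, never a score. Every word is re-checked
// against the server's list, duplicates count once, and a game scores once.
function scoreSubmission(state, submitted) {
  if (state.finished || !Array.isArray(submitted)) throw new Error('rejected');
  state.finished = true;
  const unique = [...new Set(submitted.map((w) => String(w).toLowerCase()))];
  const accepted = unique.filter((w) => state.valid.has(w));
  const points = (w) => [...w].reduce((s, ch) => s + (LETTER_POINTS[ch] || 0), 0);
  return { accepted, score: accepted.reduce((sum, w) => sum + points(w), 0) };
}

// Server: put the server-computed score in an HS256-signed JWT for the leaderboard.
function signScore(userId, score) {
  const body = b64url({ alg: 'HS256', typ: 'JWT' }) + '.' + b64url({ sub: userId, score });
  return body + '.' + hmac(body).toString('base64url');
}

// Leaderboard: accept the score only if the signature verifies; else null.
function verifyScore(token) {
  const [h, p, sig] = String(token).split('.');
  const got = Buffer.from(sig || '', 'base64url');
  const want = hmac(h + '.' + p);
  if (got.length !== want.length || !crypto.timingSafeEqual(got, want)) return null;
  return JSON.parse(Buffer.from(p, 'base64url').toString());
}
```

The hashes sent to the client exist only for responsive feedback; the score that reaches the leaderboard depends solely on `scoreSubmission` and the key held on the server.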
