Download
1 / 21
210 likes | 365 Views
Signature Protocol for Peer-to-peer Massively Multiplayer Online Games. Speaker: Shu-Fen Chiou ( 邱淑芬 ). Server. player1. player2. player3. ‧‧ ‧. Introduction- MMOGs. Massively multiplayer online games (MMOGs). server. server. server. player1. player2. player3. ‧‧ ‧. Client-server.
E N D
Signature Protocol for Peer-to-peer Massively Multiplayer Online Games Speaker: Shu-Fen Chiou (邱淑芬)
Server player1 player2 player3 ‧‧ ‧ Introduction-MMOGs • Massively multiplayer online games (MMOGs) server server server player1 player2 player3 ‧‧ ‧ Client-server Server-cluster
Server player1 player2 player3 ‧‧ ‧ Introduction-MMOGs • In client-server and server-cluster • Server maintains game states. • Users send event to server. • Server sends information to users. round time
Introduction-P2P virtual environment • Game state is maintained by peers in P2P environments. • Some players may gain advantages unfairly. A CA B C A C B
Protocols • NEO (New-Event Ordering) protocol (GauthierDickey et al., 2004) • SEA (Secure Event Agreement) protocol (Corman et al., 2006) • EASES (Efficient And Secure Event Signature) protocol (Chan et al., 2008)
Requirements • Security • Prevent cheats • Fixed-delay Cheat (NEO, SEA) • Timestamp Cheat (NEO, SEA) • Suppressed Update Cheat (NEO, SEA) • Inconsistency Cheat (SEA) • Collusion Cheat (NEO, SEA)
A B C Requirements • Replay attack (SEA) • Spoofing attack (SEA) • Unforgeability (EASES) • Verifiability (EASES) • Communication • All connect communication • Performance • Low computation (NEO, SEA, EASES)
NEO (New-Event Ordering) protocol MrA=E(SA(UrA)), KAr-1, SA(VAr-1) r: The rth round E(): Encrypt key SA: A’s signature UrA: Update message KAr-1: previous round’s key VAr-1: previous round’s vote vector B Round 1: M1A=E(SA(U1A, t)) Round 2: M2A=E(SA(U2A, t)), KA1, SA(VA1) , VA1= 1,1,1 A C
B A C Attacks for NEO protocol • Corman et al. claim the NEO has three attacks: • Replay attack • Spoofing attack Round 1: M1A=E(SA(U1A, t)) Round 2: M2A=E(SA(U2A, t)), KA1, SA(VA1) , VA1= 1,1,1 Round 3: M3A=E(SA(U3A, t)), KA2, SA(VA2) , VA2= 1,1,1 Attacker: M3A=E(SA(U2A, t)), KA2, SA(VA2) , VA2= 0,0,0
B A C SEA (Secure Event Agreement) protocol CommitrA=H(UrA, nr, SessID, IDA) MrA=SA(CommitrA, UAr-1, Vhr-1A, nr-1, r) r: The rth round H(): Encrypt hash function UrA: Update message nr: A nouce SessID: Session ID IDA: A’s ID SA: A’s signature Vhr-1A: vote vector with hash function Round 1: Commit1A=H(U1A, n1, N1, IDA) M1A=SA(Commit1A, 1) Round 2: Commit2A=H(U2A, n2, N2, IDA) M2A=SA(Commit2A, U1A, Vh1A, N1, 2)
EASES – Initialization phase • Use a random number as the master key MKi • Generate one-time signature keys EX: KA10=H(MKA) KA9=H(KA10) KA8=H(KA9) KA7=H(KA8) ‧ ‧ ‧ KA2=H(KA3) KA1=H(KA2) KA0=H(KA1) △A=Ssk(KA0)
B A C EASES – Signing phase • Mi1 = H(Ki1|Ui1), △i, Ki0 • Min = H(Kin|Uin), Uin-1, Kin-1 first round subsequent round EX: MA1 = H(KA1|UA1), △A, KA0 MA2 = H(KA2|UA2), KA1, UA1 MA3 = H(KA3|UA3), KA2,UA2 ‧ ‧ ‧ MA9 = H(KA9|UA9), UA8, KA8 MA10 = H(KA10|UA10), UA9, KA9
In first round Decrypts △i=Ssk(Ki0), with playeri’s public-key and Verifies In subsequent round Kin-2=H(Kin-1) ? Min-1=H(Kin-1|Uin-1) ? MA1 = H(KA1|UA1), △A, KA0 1st A B 2nd MA2 = H(KA2|UA2), KA1, UA1 EASES – Verification phase B uses A’s pk to decrypt △A verity KA0 legitimate? B computes Hash(KA1)=KA0 Hash(KA1|UA1) = MA1 not tamper?
10th: MA10=H(KA10|UA10|NewKA0), UA9, KA9 11th: MA11=H(NewKA1|UA11), UA10, KA10, NewKA0 A B 12th: MKA EASES – Re-initialization phase • IN n round, re-generated new one-time signature NewKi0, NewKi1, ‧‧‧‧‧NewKim 11th: B computes Hash(KA10|UA10|NewKA0) = MA10, authenticate NewKA0 ? 12th: B computes Hash(MKA) = KA10 ? MnewA1=H(NewKA1|UA12), △NewA, NewKA0 MnewA2=H(NewKA2|UA13), UA12, NewKA1 MnewA3=H(NewKA3|UA14), UA13, NewKA2 ‧ ‧ New rounds
Join in 2nd C 3rd MA3 = H(KA3|UA3), KA2, UA2 EASES –Late joining △A=Ssk(KA0), KA0, KA1 MA2 = H(KA2|UA2) Authenticate Key 1st MA1 = H(KA1|UA1), △A, KA0 A B 2nd MA2 = H(KA2|UA2), KA1, UA1
Dynamic EASES –Signing phase • Like EASES-based authentication • Don’t prepare generation hash-chain keys 1st: Ssk(H(UA1|KA1) 2nd: Ssk(H(UA2|KA2|KA1)) 3rd: H(UA3|KA3|KA2)), KA1, UA1 4th: H(UA4|KA4|KA3)), KA2, UA2 ‧ ‧ ‧ nth: H(UAn|KAn|KAn-1), KAn-2, UAn-2
Dynamic EASES –Verification phase • In 1st & 2nd , B verifies the signatures • In 3rd, authenticity H(UA1|KA1) • In subsequent, authenticity H(UAn-2|KAn-2|KAn-3) 1st:Ssk(H(UA1|KA1))& 2nd: Ssk(H(UA2|KA2|KA1)) 1st & 2nd: decrypts and stores A B 3rd: H(UA3|KA3|KA2)), KA1, UA1 4th: H(UA4|KA4|KA3)), KA2, UA2 Subsequent round: verifies the message of (n-2) round In n round
B A C Comment – Signing phase • Add timestamp t, and user’s id • Mi1 = H(Ki1|Ui1|t), △i, Ki0, IDi • Min = H(Kin|Uin|t), Uin-1, Kin-1, first round subsequent round EX: MA1 = H(KA1|UA1|t), △A, KA0, IDA MA2 = H(KA2|UA2|t), KA1, UA1 MA3 = H(KA3|UA3|t), KA2,UA2 ‧ ‧ ‧ MA9 = H(KA9|UA9|t), UA8, KA8 MA10 = H(KA10|UA10|t), UA9, KA9
Communication method • Broadcast communication C A B E G D F
Reference • C. Dickey, D. Zappala, V. Lo, J. Marr, Low latency and cheat-proof event ordering for peer-to-peer games, in: Proceedings of the ACM International Workshop on Network and Operating System Support for Digital Audio and Video (NOSSDAV), Kinsale, County Cork, Ireland, 2004, pp. 134–139. • A. Corman, S. Douglas, P. Schachte, V. Teague, A secure event agreement (SEA) protocol for peer-to-peer games, in: Proceedings of the First International Conference on Availability, Reliability and Security, 2006. • M. C. Chan, S. Y. Hu, and J. R. Jiang, An efficient and secure event signature (EASES) protocol for peer-to-peer massively multiplayer online games, Computer Networks, vol. 52, pp. 1838–1845, 2008.
