Signature Protocol for Peertopeer Massively Multiplayer Online Games

Signature Protocol for Peer-topeer Massively Multiplayer Online Games Speaker: Shu-Fen Chiou (邱淑芬) 1

Introduction-MMOGs n Massively multiplayer online games (MMOGs) server Server player 1 player 2 player 3 Client-server ‧‧ ‧ server player 1 player 2 player 3 ‧‧ ‧ Server-cluster 2

Introduction-MMOGs n In client-server and server-cluster n n n Server maintains game states. Users send event to server. Server sends information to users. round Server time player 1 player 2 player 3 ‧‧ ‧ 3

Introduction-P 2 P virtual environment n n Game state is maintained by peers in P 2 P environments. Some players may gain advantages unfairly. A CA A B C 4

Protocols n n n NEO (New-Event Ordering) protocol (Gauthier. Dickey et al. , 2004) SEA (Secure Event Agreement) protocol (Corman et al. , 2006) EASES (Efficient And Secure Event Signature) protocol (Chan et al. , 2008) 5

Requirements n Security n Prevent cheats n n n Fixed-delay Cheat (NEO, SEA) Timestamp Cheat (NEO, SEA) Suppressed Update Cheat (NEO, SEA) Inconsistency Cheat (SEA) Collusion Cheat (NEO, SEA) 6

Requirements n n n A Communication n n Replay attack (SEA) Spoofing attack (SEA) Unforgeability (EASES) Verifiability (EASES) All connect communication Performance n B C Low computation (NEO, SEA, EASES) 7

NEO (New-Event Ordering) protocol Mr. A=E(SA(Ur. A)), KAr-1, SA(VAr-1) r: The rth round E(): Encrypt key SA: A’s signature Ur. A: Update message KAr-1: previous round’s key VAr-1: previous round’s vote vector Round 1: M 1 A=E(SA(U 1 A, t)) A Round 2: M 2 A=E(SA(U 2 A, t)), KA 1, SA(VA 1) , VA 1= 1, 1, 1 B C 8

Attacks for NEO protocol n Corman et al. claim the NEO has three attacks: B n Replay attack Spoofing attack Round 1: n M 1 A=E(SA(U 1 A, t)) Round 2: M 2 A=E(SA(U 2 A, t)), KA 1, SA(VA 1) , VA 1= 1, 1, 1 Round 3: M 3 A=E(SA(U 3 A, t)), KA 2, SA(VA 2) , VA 2= 1, 1, 1 Attacker: M 3 A=E(SA(U 2 A, t)), KA 2, SA(VA 2) , VA 2= 0, 0, 0 A C 9

SEA (Secure Event Agreement) protocol Commitr. A=H(Ur. A, nr, Sess. ID, IDA) Mr. A=SA(Commitr. A, UAr-1, Vhr-1 A, nr-1, r) r: The rth round H(): Encrypt hash function Ur. A: Update message nr: A nouce Sess. ID: Session ID IDA: A’s ID SA: A’s signature Vhr-1 A: vote vector with hash function Round 1: Commit 1 A=H(U 1 A, n 1, N 1, IDA) M 1 A=SA(Commit 1 A, 1) Round 2: Commit 2 A=H(U 2 A, n 2, N 2, IDA) M 2 A=SA(Commit 2 A, U 1 A, Vh 1 A, N 1, 2) B A C 10

EASES – Initialization phase n n Use a random number as the master key MKi Generate one-time signature keys EX: KA 10=H(MKA) KA 9=H(KA 10) KA 8=H(KA 9) KA 7=H(KA 8) ‧ ‧ ‧ KA 2=H(KA 3) KA 1=H(KA 2) KA 0=H(KA 1) △A=Ssk(KA 0)11

EASES – Signing phase n n Mi 1 = H(Ki 1|Ui 1), △i, Ki 0 Min = H(Kin|Uin), Uin-1, Kin-1 EX: MA 1 = H(KA 1|UA 1), △A, KA 0 MA 2 = H(KA 2|UA 2), KA 1, UA 1 MA 3 = H(KA 3|UA 3), KA 2, UA 2 ‧ ‧ ‧ MA 9 = H(KA 9|UA 9), UA 8, KA 8 MA 10 = H(KA 10|UA 10), UA 9, KA 9 first round subsequent round B A C 12

EASES – Verification phase n In first round n n Decrypts △i=Ssk(Ki 0), with playeri’s publickey and Verifies n n A 2 nd Kin-2=H(Kin-1) ? Min-1=H(Kin-1|Uin-1) ? B uses A’s pk to decrypt △A verity KA 0 legitimate? MA 1 = H(KA 1|UA 1), △A, KA 0 1 st In subsequent round B MA 2 = H(KA 2|UA 2), KA 1, UA 1 B computes Hash(KA 1)=KA 0 Hash(KA 1|UA 1) = MA 1 not tamper? 13

EASES – Re-initialization phase n IN n round, re-generated new one-time signature New. Ki 0, New. Ki 1, ‧ ‧ ‧New. Kim 10 th: MA 10=H(KA 10|UA 10|New. KA 0), UA 9, KA 9 A 11 th: MA 11=H(New. KA 1|UA 11), UA 10, KA 10, New. KA 0 B 12 th: MKA 11 th: B computes Hash(KA 10|UA 10|New. KA 0) = MA 10, authenticate New. KA 0 ? 12 th: B computes Hash(MKA) = KA 10 ? Mnew. A 1=H(New. KA 1|UA 12), △New. A, New. KA 0 Mnew. A 2=H(New. KA 2|UA 13), UA 12, New. KA 1 New rounds Mnew. A 3=H(New. KA 3|UA 14), UA 13, New. KA 2 ‧ ‧ 14

EASES –Late joining △A=Ssk(KA 0), KA 0, KA 1 MA 2 = H(KA 2|UA 2) Authenticate Key Join in 2 nd C 1 st MA 1 = H(KA 1|UA 1), △A, KA 0 A 2 nd MA 2 = H(KA 2|UA 2), KA 1, UA 1 B 3 rd MA 3 = H(KA 3|UA 3), KA 2, UA 2 15

Dynamic EASES –Signing phase n n Like EASES-based authentication Don’t prepare generation hash-chain keys 1 st: Ssk(H(UA 1|KA 1) 2 nd: Ssk(H(UA 2|KA 1)) 3 rd: H(UA 3|KA 2)), KA 1, UA 1 4 th: H(UA 4|KA 3)), KA 2, UA 2 ‧ ‧ ‧ nth: H(UAn|KAn-1), KAn-2, UAn-2 16

Dynamic EASES –Verification phase n n n In 1 st & 2 nd , B verifies the signatures In 3 rd, authenticity H(UA 1|KA 1) In subsequent, authenticity H(UAn-2|KAn -3) 1 st: Ssk(H(UA 1|KA 1)) & 2 nd: Ssk(H(UA 2|KA 1)) A 3 rd: H(UA 3|KA 2)), KA 1, UA 1 1 st & 2 nd: decrypts and stores B 4 th: H(UA 4|KA 3)), KA 2, UA 2 Subsequent round: verifies the message of (n-2) round 17 In n round

Comparison 18

Comment – Signing phase n n n Add timestamp t, and user’s id Mi 1 = H(Ki 1|Ui 1|t), △i, Ki 0, IDi Min = H(Kin|Uin|t), Uin-1, Kin-1, EX: MA 1 = H(KA 1|UA 1|t), △A, KA 0, IDA MA 2 = H(KA 2|UA 2|t), KA 1, UA 1 MA 3 = H(KA 3|UA 3|t), KA 2, UA 2 ‧ ‧ ‧ MA 9 = H(KA 9|UA 9|t), UA 8, KA 8 MA 10 = H(KA 10|UA 10|t), UA 9, KA 9 first round subsequent round B A C 19

Communication method n Broadcast communication C A B E G D F 20

Reference n n n C. Dickey, D. Zappala, V. Lo, J. Marr, Low latency and cheatproof event ordering for peer-to-peer games, in: Proceedings of the ACM International Workshop on Network and Operating System Support for Digital Audio and Video (NOSSDAV), Kinsale, County Cork, Ireland, 2004, pp. 134– 139. A. Corman, S. Douglas, P. Schachte, V. Teague, A secure event agreement (SEA) protocol for peer-to-peer games, in: Proceedings of the First International Conference on Availability, Reliability and Security, 2006. M. C. Chan, S. Y. Hu, and J. R. Jiang, An efficient and secure event signature (EASES) protocol for peer-to-peer massively multiplayer online games, Computer Networks, vol. 52, pp. 1838 – 1845, 2008. 21