Signature Protocol for Peer-to-Peer Massively Multiplayer Online Games
Speaker: Shu-Fen Chiou (邱淑芬)

Introduction - MMOGs
Massively multiplayer online games (MMOGs)
[Figure: client-server architecture (one server; player1, player2, player3, ...) and server-cluster architecture (several servers; player1, player2, player3, ...)]

Introduction - MMOGs
In client-server and server-cluster:
- Server maintains game states.
- Users send events to the server.
- Server sends information to users.
[Figure: round timeline between the server and player1, player2, player3, ...]

Introduction - P2P virtual environment
- Game state is maintained by peers in P2P environments.
- Some players may gain advantages unfairly.
[Figure: peers A, B and C]

Protocols
- NEO (New-Event Ordering) protocol (GauthierDickey et al., 2004)
- SEA (Secure Event Agreement) protocol (Corman et al., 2006)
- EASES (Efficient And Secure Event Signature) protocol (Chan et al., 2008)

Requirements
Security: prevent cheats
- Fixed-delay Cheat (NEO, SEA)
- Timestamp Cheat (NEO, SEA)
- Suppressed Update Cheat (NEO, SEA)
- Inconsistency Cheat (SEA)
- Collusion Cheat (NEO, SEA)

Requirements
Communication
- Replay attack (SEA)
- Spoofing attack (SEA)
- Unforgeability (EASES)
- Verifiability (EASES)
- All connect communication
Performance
- Low computation (NEO, SEA, EASES)
[Figure: peers A, B and C]

NEO (New-Event Ordering) protocol
$M_A^r = E(S_A(U_A^r)),\ K_A^{r-1},\ S_A(V_A^{r-1})$
- $r$: the $r$th round
- $E()$: encryption with the round key
- $S_A$: A's signature
- $U_A^r$: update message
- $K_A^{r-1}$: previous round's key
- $V_A^{r-1}$: previous round's vote vector
Round 1: $M_A^1 = E(S_A(U_A^1, t))$
Round 2: $M_A^2 = E(S_A(U_A^2, t)),\ K_A^1,\ S_A(V_A^1)$, with $V_A^1 = (1,1,1)$
[Figure: peers A, B and C]

Attacks for NEO protocol
Corman et al. claim that NEO is subject to three attacks:
- Replay attack
- Spoofing attack
Round 1: $M_A^1 = E(S_A(U_A^1, t))$
Round 2: $M_A^2 = E(S_A(U_A^2, t)),\ K_A^1,\ S_A(V_A^1)$, with $V_A^1 = (1,1,1)$
Round 3: $M_A^3 = E(S_A(U_A^3, t)),\ K_A^2,\ S_A(V_A^2)$, with $V_A^2 = (1,1,1)$
Attacker: $M_A^3 = E(S_A(U_A^2, t)),\ K_A^2,\ S_A(V_A^2)$, with $V_A^2 = (0,0,0)$
[Figure: peers A, B and C]

SEA (Secure Event Agreement) protocol
$Commit_A^r = H(U_A^r, n^r, SessID, ID_A)$
$M_A^r = S_A(Commit_A^r, U_A^{r-1}, Vh_A^{r-1}, n^{r-1}, r)$
- $r$: the $r$th round
- $H()$: cryptographic hash function
- $U_A^r$: update message
- $n^r$: a nonce
- $SessID$: session ID
- $ID_A$: A's ID
- $S_A$: A's signature
- $Vh_A^{r-1}$: vote vector with hash function
Round 1: $Commit_A^1 = H(U_A^1, n^1, N^1, ID_A)$, $M_A^1 = S_A(Commit_A^1, 1)$
Round 2: $Commit_A^2 = H(U_A^2, n^2, N^2, ID_A)$, $M_A^2 = S_A(Commit_A^2, U_A^1, Vh_A^1, N^1, 2)$
[Figure: peers A, B and C]

EASES – Initialization phase
- Use a random number as the master key $MK_i$.
- Generate one-time signature keys.
Example:
$K_A^{10} = H(MK_A)$
$K_A^9 = H(K_A^{10})$
$K_A^8 = H(K_A^9)$
$K_A^7 = H(K_A^8)$
...
$K_A^2 = H(K_A^3)$
$K_A^1 = H(K_A^2)$
$K_A^0 = H(K_A^1)$
$\Delta_A = S_{sk}(K_A^0)$

EASES – Signing phase
First round: $M_i^1 = H(K_i^1|U_i^1),\ \Delta_i,\ K_i^0$
Subsequent round: $M_i^n = H(K_i^n|U_i^n),\ U_i^{n-1},\ K_i^{n-1}$
Example:
$M_A^1 = H(K_A^1|U_A^1),\ \Delta_A,\ K_A^0$
$M_A^2 = H(K_A^2|U_A^2),\ K_A^1,\ U_A^1$
$M_A^3 = H(K_A^3|U_A^3),\ K_A^2,\ U_A^2$
...
$M_A^9 = H(K_A^9|U_A^9),\ U_A^8,\ K_A^8$
$M_A^{10} = H(K_A^{10}|U_A^{10}),\ U_A^9,\ K_A^9$
[Figure: peers A, B and C]

EASES – Verification phase
In the first round:
- Decrypts $\Delta_i = S_{sk}(K_i^0)$ with player $i$'s public key and verifies.
In a subsequent round:
- $K_i^{n-2} = H(K_i^{n-1})$ ?
- $M_i^{n-1} = H(K_i^{n-1}|U_i^{n-1})$ ?
Example (A sends to B):
1st: $M_A^1 = H(K_A^1|U_A^1),\ \Delta_A,\ K_A^0$
  B uses A's pk to decrypt $\Delta_A$ and verify: is $K_A^0$ legitimate?
2nd: $M_A^2 = H(K_A^2|U_A^2),\ K_A^1,\ U_A^1$
  B computes $Hash(K_A^1) = K_A^0$ and $Hash(K_A^1|U_A^1) = M_A^1$: not tampered?

EASES – Re-initialization phase
In round $n$, new one-time signature keys are regenerated: $NewK_i^0, NewK_i^1, \ldots, NewK_i^m$
A sends to B:
10th: $M_A^{10} = H(K_A^{10}|U_A^{10}|NewK_A^0),\ U_A^9,\ K_A^9$
11th: $M_A^{11} = H(NewK_A^1|U_A^{11}),\ U_A^{10},\ K_A^{10},\ NewK_A^0$
12th: $MK_A$
B checks:
11th: B computes $Hash(K_A^{10}|U_A^{10}|NewK_A^0) = M_A^{10}$: authenticate $NewK_A^0$ ?
12th: B computes $Hash(MK_A) = K_A^{10}$ ?
New rounds:
$Mnew_A^1 = H(NewK_A^1|U_A^{12}),\ \Delta New_A,\ NewK_A^0$
$Mnew_A^2 = H(NewK_A^2|U_A^{13}),\ U_A^{12},\ NewK_A^1$
$Mnew_A^3 = H(NewK_A^3|U_A^{14}),\ U_A^{13},\ NewK_A^2$
...

EASES – Late joining
Join in 2nd round (C):
- Authenticate key: $\Delta_A = S_{sk}(K_A^0),\ K_A^0,\ K_A^1$
- $M_A^2 = H(K_A^2|U_A^2)$
Rounds:
1st: $M_A^1 = H(K_A^1|U_A^1),\ \Delta_A,\ K_A^0$
2nd: $M_A^2 = H(K_A^2|U_A^2),\ K_A^1,\ U_A^1$
3rd: $M_A^3 = H(K_A^3|U_A^3),\ K_A^2,\ U_A^2$
[Figure: peers A and B, with C joining in the 2nd round]

Dynamic EASES – Signing phase
- Like EASES-based authentication.
- Does not generate the hash-chain keys in advance.
1st: $S_{sk}(H(U_A^1|K_A^1))$
2nd: $S_{sk}(H(U_A^2|K_A^2|K_A^1))$
3rd: $H(U_A^3|K_A^3|K_A^2),\ K_A^1,\ U_A^1$
4th: $H(U_A^4|K_A^4|K_A^3),\ K_A^2,\ U_A^2$
...
$n$th: $H(U_A^n|K_A^n|K_A^{n-1}),\ K_A^{n-2},\ U_A^{n-2}$

Dynamic EASES – Verification phase
- In the 1st and 2nd rounds, B verifies the signatures.
- In the 3rd round, B checks the authenticity of $H(U_A^1|K_A^1)$.
- In subsequent rounds, B checks the authenticity of $H(U_A^{n-2}|K_A^{n-2}|K_A^{n-3})$.
A sends to B:
1st: $S_{sk}(H(U_A^1|K_A^1))$ and 2nd: $S_{sk}(H(U_A^2|K_A^2|K_A^1))$
  1st and 2nd: B decrypts and stores.
3rd: $H(U_A^3|K_A^3|K_A^2),\ K_A^1,\ U_A^1$
4th: $H(U_A^4|K_A^4|K_A^3),\ K_A^2,\ U_A^2$
  Subsequent round: B verifies the message of round $(n-2)$.

Comparison
[Table: comparison in n rounds]

Comment – Signing phase
Add timestamp $t$ and the user's ID.
First round: $M_i^1 = H(K_i^1|U_i^1|t),\ \Delta_i,\ K_i^0,\ ID_i$
Subsequent round: $M_i^n = H(K_i^n|U_i^n|t),\ U_i^{n-1},\ K_i^{n-1}$
Example:
$M_A^1 = H(K_A^1|U_A^1|t),\ \Delta_A,\ K_A^0,\ ID_A$
$M_A^2 = H(K_A^2|U_A^2|t),\ K_A^1,\ U_A^1$
$M_A^3 = H(K_A^3|U_A^3|t),\ K_A^2,\ U_A^2$
...
$M_A^9 = H(K_A^9|U_A^9|t),\ U_A^8,\ K_A^8$
$M_A^{10} = H(K_A^{10}|U_A^{10}|t),\ U_A^9,\ K_A^9$
[Figure: peers A, B and C]

Communication method
Broadcast communication
[Figure: broadcast among peers A, B, C, D, E, F and G]

Reference
- C. Dickey, D. Zappala, V. Lo, J. Marr, Low latency and cheat-proof event ordering for peer-to-peer games, in: Proceedings of the ACM International Workshop on Network and Operating System Support for Digital Audio and Video (NOSSDAV), Kinsale, County Cork, Ireland, 2004, pp. 134–139.
- A. Corman, S. Douglas, P. Schachte, V. Teague, A secure event agreement (SEA) protocol for peer-to-peer games, in: Proceedings of the First International Conference on Availability, Reliability and Security, 2006.
- M. C. Chan, S. Y. Hu, and J. R. Jiang, An efficient and secure event signature (EASES) protocol for peer-to-peer massively multiplayer online games, Computer Networks, vol. 52, pp. 1838–1845, 2008.
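
An added example (not from the slides or from the EASES authors) of the EASES initialization, signing and verification phases: it builds the hash chain, produces the round messages, and shows the verifier rejecting an altered update and a replayed round. Assumptions: SHA-256 with length-prefixed fields stands in for H(a|b), K^0 is taken as already authenticated through Δ_A (the public-key signature check is left out), and all function, class and sample names are illustrative.

```python
import hashlib, hmac

def H(*parts: bytes) -> bytes:
    # H(a|b|...); fields are length-prefixed so concatenation is unambiguous
    h = hashlib.sha256()
    for p in parts:
        h.update(len(p).to_bytes(4, "big") + p)
    return h.digest()

def make_chain(master_key: bytes, n: int) -> list:
    # Returns [K^0 .. K^n] with K^n = H(MK) and K^(j-1) = H(K^j)
    keys = [H(master_key)]
    for _ in range(n):
        keys.append(H(keys[-1]))
    return keys[::-1]

def sign_round(keys: list, updates: dict, n: int) -> tuple:
    # Round n: M^n = H(K^n|U^n), plus disclosed U^(n-1) (None in round 1) and K^(n-1)
    return H(keys[n], updates[n]), updates.get(n - 1), keys[n - 1]

class Verifier:
    def __init__(self, k0: bytes):
        self.last_key = k0    # K^0, assumed already authenticated via Delta
        self.pending = None   # M^(n-1), waiting for K^(n-1) to be disclosed
        self.accepted = []    # updates whose commitment has been verified

    def receive(self, msg: tuple) -> bool:
        mac, prev_u, prev_k = msg
        if self.pending is None:      # first round: only K^0 is disclosed
            if not hmac.compare_digest(prev_k, self.last_key):
                return False
        else:
            if prev_u is None or not hmac.compare_digest(H(prev_k), self.last_key):
                return False          # fails K^(n-2) = H(K^(n-1))
            if not hmac.compare_digest(H(prev_k, prev_u), self.pending):
                return False          # fails M^(n-1) = H(K^(n-1)|U^(n-1))
            self.accepted.append(prev_u)
            self.last_key = prev_k
        self.pending = mac
        return True

def demo():
    updates = {n: b"move-%d" % n for n in range(1, 5)}  # constructed sample updates
    keys = make_chain(b"constructed-master-key", 4)     # fixed key for a repeatable run
    v = Verifier(keys[0])
    ok = [v.receive(sign_round(keys, updates, n)) for n in (1, 2, 3)]
    mac, _, k = sign_round(keys, updates, 4)
    ok.append(v.receive((mac, b"move-3-forged", k)))     # altered U^3
    ok.append(v.receive(sign_round(keys, updates, 2)))   # replayed round 2
    return ok, v.accepted
```

An update is accepted only one round after it was committed, once the key that binds it has been disclosed; a rejected message leaves the verifier's state untouched.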