Signature Protocol for Peer-topeer Massively Multiplayer Online
Games
Speaker: Shu-Fen Chiou (邱淑芬)
1
Introduction-MMOGs

Massively multiplayer online games
(MMOGs)
server
server
server
Server
player1 player2 player3
Client-server
‧‧ ‧
player1 player2 player3
‧‧ ‧
Server-cluster
2
Introduction-MMOGs

In client-server and server-cluster



Server maintains game states.
Users send event to server.
Server sends information to users.
Server
round
time
player1 player2 player3
‧‧ ‧
3
Introduction-P2P virtual
environment


Game state is maintained by peers in
P2P environments.
Some players may gain advantages
unfairly.
A
CA
A
B
C
B
C
4
Protocols



NEO (New-Event Ordering) protocol
(GauthierDickey et al., 2004)
SEA (Secure Event Agreement) protocol
(Corman et al., 2006)
EASES (Efficient And Secure Event
Signature) protocol (Chan et al., 2008)
5
Requirements

Security

Prevent cheats





Fixed-delay Cheat (NEO, SEA)
Timestamp Cheat (NEO, SEA)
Suppressed Update Cheat (NEO, SEA)
Inconsistency Cheat (SEA)
Collusion Cheat (NEO, SEA)
6
Requirements





A
Communication


Replay attack (SEA)
Spoofing attack (SEA)
Unforgeability (EASES)
Verifiability (EASES)
All connect communication
Performance

B
C
Low computation (NEO, SEA, EASES)
7
NEO (New-Event Ordering)
protocol
MrA=E(SA(UrA)), KAr-1, SA(VAr-1)
r: The rth round
E(): Encrypt key
SA: A’s signature
UrA: Update message
KAr-1: previous round’s key
VAr-1: previous round’s vote vector
Round 1:
M1A=E(SA(U1A, t))
A
Round 2:
M2A=E(SA(U2A, t)), KA1, SA(VA1) , VA1= 1,1,1
B
C
8
Attacks for NEO protocol

Corman et al. claim the NEO has three
attacks:
B

Replay attack
Spoofing attack
Round 1: 
M1A=E(SA(U1A, t))
Round 2:
M2A=E(SA(U2A, t)), KA1, SA(VA1) , VA1= 1,1,1
Round 3:
M3A=E(SA(U3A, t)), KA2, SA(VA2) , VA2= 1,1,1
Attacker:
M3A=E(SA(U2A, t)), KA2, SA(VA2) , VA2= 0,0,0
A
C
9
SEA (Secure Event Agreement)
protocol
CommitrA=H(UrA, nr, SessID, IDA)
MrA=SA(CommitrA, UAr-1, Vhr-1A, nr-1, r)
r: The rth round
H(): Encrypt hash function
UrA: Update message
nr: A nouce
SessID: Session ID
IDA: A’s ID
SA: A’s signature
Vhr-1A: vote vector with hash function
Round 1:
Commit1A=H(U1A, n1, N1, IDA)
M1A=SA(Commit1A, 1)
Round 2:
Commit2A=H(U2A, n2, N2, IDA)
M2A=SA(Commit2A, U1A, Vh1A, N1, 2)
B
A
C
10
EASES – Initialization phase


Use a random number as the master key MKi
Generate one-time signature keys EX:
KA10=H(MKA)
KA9=H(KA10)
KA8=H(KA9)
KA7=H(KA8)
‧
‧
‧
KA2=H(KA3)
KA1=H(KA2)
KA0=H(KA1)
△A=Ssk(KA0)11
EASES – Signing phase


Mi1 = H(Ki1|Ui1), △i, Ki0
Min = H(Kin|Uin), Uin-1, Kin-1
EX:
MA1 = H(KA1|UA1), △A, KA0
MA2 = H(KA2|UA2), KA1, UA1
MA3 = H(KA3|UA3), KA2, UA2
‧
‧
‧
MA9 = H(KA9|UA9), UA8, KA8
MA10 = H(KA10|UA10), UA9, KA9
first round
subsequent round
B
A
C
12
EASES – Verification phase

In first round


Decrypts △i=Ssk(Ki0),
with playeri’s publickey and Verifies
In subsequent round


Kin-2=H(Kin-1) ?
Min-1=H(Kin-1|Uin-1) ?
B uses A’s pk to decrypt △A
verity KA0 legitimate?
MA1 = H(KA1|UA1), △A, KA0
1st
A
2nd
B
MA2 = H(KA2|UA2), KA1, UA1
B computes
Hash(KA1)=KA0
Hash(KA1|UA1) = MA1 not tamper?
13
EASES – Re-initialization phase

IN n round, re-generated new one-time
signature NewKi0, NewKi1, ‧ ‧ ‧ ‧
‧NewKim
10th: MA10=H(KA10|UA10|NewKA0), UA9, KA9
A
11th: MA11=H(NewKA1|UA11), UA10, KA10, NewKA0
B
12th: MKA
11th: B computes Hash(KA10|UA10|NewKA0) = MA10, authenticate NewKA0 ?
12th: B computes Hash(MKA) = KA10 ?
MnewA1=H(NewKA1|UA12), △NewA, NewKA0
MnewA2=H(NewKA2|UA13), UA12, NewKA1
New rounds
MnewA3=H(NewKA3|UA14), UA13, NewKA2
‧
‧
14
EASES –Late joining
△A=Ssk(KA0), KA0, KA1
MA2 = H(KA2|UA2)
Authenticate Key
Join in 2nd
C
1st MA1 = H(KA1|UA1), △A, KA0
2nd MA2 = H(KA2|UA2), KA1, UA1
A
B
3rd MA3 = H(KA3|UA3), KA2, UA2
15
Dynamic EASES –Signing phase


Like EASES-based authentication
Don’t prepare generation hash-chain
keys
1st: Ssk(H(UA1|KA1)
2nd: Ssk(H(UA2|KA2|KA1))
3rd: H(UA3|KA3|KA2)), KA1, UA1
4th: H(UA4|KA4|KA3)), KA2, UA2
‧
‧
‧
nth: H(UAn|KAn|KAn-1), KAn-2, UAn-2
16
Dynamic EASES –Verification
phase



In 1st & 2nd , B verifies the signatures
In 3rd, authenticity H(UA1|KA1)
In subsequent, authenticity H(UAn-2|KAn2|K n-3)
A
1st: Ssk(H(UA1|KA1)) & 2nd: Ssk(H(UA2|KA2|KA1))
A
3rd: H(UA3|KA3|KA2)), KA1, UA1
1st & 2nd: decrypts and stores
B
4th: H(UA4|KA4|KA3)), KA2, UA2
Subsequent round:
verifies the message of (n-2) round
17
In n round
Comparison
18
Comment – Signing phase



Add timestamp t, and user’s id
Mi1 = H(Ki1|Ui1|t), △i, Ki0, IDi
Min = H(Kin|Uin|t), Uin-1, Kin-1,
EX:
MA1 = H(KA1|UA1|t), △A, KA0, IDA
MA2 = H(KA2|UA2|t), KA1, UA1
MA3 = H(KA3|UA3|t), KA2, UA2
‧
‧
‧
MA9 = H(KA9|UA9|t), UA8, KA8
MA10 = H(KA10|UA10|t), UA9, KA9
first round
subsequent round
B
A
C
19
Communication method

Broadcast communication
C
A
B
E
G
D
F
20
Reference



C. Dickey, D. Zappala, V. Lo, J. Marr, Low latency and cheatproof event ordering for peer-to-peer games, in: Proceedings of
the ACM International Workshop on Network and Operating
System Support for Digital Audio and Video (NOSSDAV), Kinsale,
County Cork, Ireland, 2004, pp. 134–139.
A. Corman, S. Douglas, P. Schachte, V. Teague, A secure event
agreement (SEA) protocol for peer-to-peer games, in:
Proceedings of the First International Conference on Availability,
Reliability and Security, 2006.
M. C. Chan, S. Y. Hu, and J. R. Jiang, An efficient and secure
event signature (EASES) protocol for peer-to-peer massively
multiplayer online games, Computer Networks, vol. 52, pp.
1838–1845, 2008.
21