Security background of online games
Games are gaining popularity. With the continuous launch of online premium games, more players are entering the illusory online world. An account that has been practiced for a long time is not only the accumulation of players' time and energy, but also the investment of large amounts of money. In particular, many people use real-world currencies to buy equipment and items in the online world and obtain a high-level account. You can also use your game items or high-level accounts to change the currency of the real society. This increases the importance of games. Currently, many gamers are most concerned about the security of their accounts. For example, if the number of passwords is too small, it is easy to guess, or use special software for a short period of time. Or multiple accounts can use one password for convenience of memory ......
According to relevant reports, 61% of Chinese gamers experienced theft of equipment and virtual items, accounts for 33% of stolen accounts, and 6% of hackers attacked. Various Trojans are pervasive, such as QQ, ICQ, email, website homepage, and some plug-ins, which may intrude into players' computers at any time, 93% of stolen players are attacked by Trojans.
What is the root cause of account password theft? In addition to personal vigilance, this is mainly because the game account password settings are not scientific enough and the authentication methods are not secure. Security experts in the gaming industry are also actively exploring an effective solution.
Primary authentication methods
Static Password Authentication
The common password authentication method is static password authentication. as a low-cost and convenient method, this method is widely used in network applications. However, because "password" and "User Name (or account)" are soft identifiers, there are many drawbacks and security vulnerabilities in plain text transmission over the network, for example, the user name and password may be easily forgotten or intentionally or unintentionally obtained by others, the authentication information may be eavesdropped, the security risks may be caused by the sharing of one account by multiple users, the wide range of "professional" password cracking tools, and impersonation tools.. Therefore, it is only suitable for applications with low security requirements that will not cause huge losses even if they are used or stolen by others.
Dynamic Password Authentication
This is a new type of improved password authentication. It is to make up for the defects that static password settings are complex, difficult to remember, and easy to be obtained by others in static password authentication. In authentication, the user password is dynamically changed. Generally, a token is sent to the user, and the number shown above changes with time. The variable number indicates the password for the user to enter the system. The system consists of a user-side password card and an application system-side authentication server. When a user logs on to the application system, according to the security algorithm, the authentication system will generate a dynamic password on the dedicated chip of the password card and the authentication server. After comparison, if the two passwords are the same, the authentication system will be a legal user, otherwise, it is an invalid user. The Dynamic Logging card is used to authenticate the client on the server, but cannot be used to authenticate the server on the client. At the same time, there is a problem of time synchronization. If the time difference between the client and the server is large or the network speed is slow, the customer will be unable to log on to the server due to network delay.
USB Key authentication
EPass uses advanced USB technology and algorithm encryption and authentication technology for online game anti-leech protection. Its hardware is composed of a CPU, secure storage, and an intelligent microsystem running on it, as long as you store the account and password information of a game player in the form of a key to the anti-theft lock, the key information will never be locked during use, so as to achieve real protection. This is because the account information and key used for identity authentication are set to not be directly read, and external applications can only be sent to the input factor used for calculation, the entire computing process is completely completed by the CPU in the ePass online game anti-theft lock, and only the calculation results are transferred to external applications. In this way, the key cannot be listened to by external hackers, and the key computes irreversible algorithms, and the value of the key cannot be reversed through the calculation results, the external computation results uploaded to the ePass online game anti-theft lock will also change with each input data, even if you record the value calculated for each authentication, it cannot achieve the purpose of false identity.
Features
1. two-factor authentication
Each ePass anti-leech is protected by a hardware PIN. The PIN and hardware constitute two essential factors for users to use the anti-Leech, namely, two-factor authentication ". Users can log on to the game platform system only when they have obtained the lock and PIN code. Even if the user's PIN code is leaked, as long as the user's anti-theft lock is not stolen, the legitimate user's identity will not be counterfeited; if the user's lock is lost, because the picker does not know the user's PIN code and cannot impersonate the legitimate user's identity, if the number of times the illegal user enters the wrong PIN code exceeds the specified limit, the anti-theft lock will be locked, after that, even if you enter the Correct PIN code, it will not work properly ..
2. Safe Storage space
The ePass anti-theft lock has some secure data storage space, which can store confidential data such as game player account information and keys. External applications must determine the access to the data stored in the memory through the intelligent Microsystem, access is allowed only when the permissions are consistent. In this way, we can achieve real protection and eliminate the possibility of replicating customer identity information.
3. hardware implements encryption algorithms
EPass built-in CPU or smart card chip, which can implement various data summarization, data encryption and decryption, and signature algorithms used in the PKI system. encryption and decryption operations are carried out in the lock, this ensures that the user key will not appear in the computer memory, thus eliminating the possibility that the user key will be intercepted by hackers.
4. easy to carry, secure and reliable
The ePass anti-theft lock, as big as a thumb, is very easy to carry and can be worn directly on the key chain to cater to the hearts of fashion players. The lock hardware cannot be copied, and the data stored in the ePass online game anti-leech storage is encrypted with the corresponding hardware. Even if two identical types of ePass online game anti-leech storage cannot work properly, so that the method of cracking slice cannot copy the information in the anti-theft lock of ePass online games, so it is more secure and reliable.
EPass authentication process
The entire process of applying the ePass anti-theft lock for authentication can be expressed simply by the following relationship:
EPass (X, K) = Server (X, K)
X represents the random number provided by the Server, K represents the key, ePass (X, K) represents the operation performed by the ePass anti-theft lock inserted in the client, Server (X, K) it indicates the operation of the server program. The K at both ends of the equation does not appear in the client computer, nor is it directly sent online. This is the foundation of the authentication solution security.
Shows the verification process:
Authentication steps:
The client inserts the ePass anti-leech hardware, and the server uses the ePass anti-leech system software.
1. The client first sends a login request to the authentication server. The authentication server uses the user name (or user ID) to retrieve the user's key from the user database.
2. When the authentication server receives the client's login request, it sends a random string to the client, which is finally sent to the client's ePass anti-theft lock for calculation. At the same time, the authentication server extracts the corresponding key based on the user name and uses the random string X sent to the client to perform operations on the server using the encryption engine to obtain the operation result Rh.
3. the client passes the random string X into the ePass lock. The ePass lock uses this string to perform operations with the built-in key file through the hardware encryption engine, and also obtains an operation result, the operation result can be directly sent to the authentication server in the network.
4. the authentication server compares the two calculation results Rh (server) and Rc (client) to determine the legality of a network user.
Operation Mode Analysis
Through the above features and technical descriptions of the ePass anti-Leech, it indicates that anti-leech is feasible and necessary in the gaming industry, it not only gives game players a tool to protect their wealth and a powerful tool for identity authentication, but also reduces customers' complaints and increases profit growth for game operators, it also reflects the operator's meticulous care for high-end customers and improves the service quality. Based on the current model of the game industry, we propose the following operational models: (Identity Authentication + card feature) operation process:
Game operators:
1. initialize the anti-leech lock and modify the so pin to identify whether the user uses the anti-leech lock issued by the game operator.
2. Create a UserID and password that coexist in the anti-theft lock.
3. Store the UserID and password in the Server database for verification and recovery.
Game users:
1. Purchase anti-theft locks through the customer management department of the game operator or the point card sales channel.
2. log on to the game management platform of the game operator, apply for the game account GameID, set the game password, and store the GameID and password in the anti-theft lock. The Server is also kept for users to log on and recharge. If you have multiple games, you can apply for multiple gameids and passwords.
Recharge process:
1. After the user buys the recharge card, log on to the game management platform, select the recharge option, and select the GameID to recharge.
2. Fill in the recharge card number information on the user side, and send it to the server side together with the user's UserID. The server side sends the random number R1 for verification.
3. the user end hashes the random number R1 and the user key file to form a digest and send it to the server.
4. The server also uses the random number R1 and the Stored User Key File for hash. The comparison result is the same. In this case, the number of points of the recharge card is saved to the GameID of the UserID.