Game login authentication and security

First off I will say I am completely new to security in coding. I am currently helping a friend develop a small game (in Python) which will have a login server. I don't have much knowledge regarding security, but I know many games do have issues with this. Everything from 3rd party applications (bots) to WPE packet manipulation. Considering how small this game will be and the limited user base, I doubt we will have serious issues, but would like to try our best to limit problems. I am not sure where to start or what methods I should use, or what's worth it. For example, sending data to the server such as login name and password.

I was told his information should be encrypted when sending, so in-case someone was viewing it (with whatever means), that they couldn't get into the account. However, if someone is able to capture the encrypted string, wouldn't this string always work since it's decrypted server side? In other words, someone could just capture the packet, re开发者_JS百科use it, and still gain access to the account?

The main goal I am really looking for is to make sure the players are logging into the game with the client we provide, and to make sure it's 'secure' (broad, I know). I have looked around at different methods such as Public and Private Key encryption, which I am sure any hex editor could eventually find. There are many other methods that seem way over my head at the moment and leave the impression of overkill.

I realize nothing is 100% secure. I am just looking for any input or reading material (links) to accomplish the main goal stated above. Would appreciate any help, thanks.

This is a tough problem, because the code runs on the client. The replay problem can be solved by using a challenge by letting the server sending a random token which the client adds to the string to be encrypted. This way, the password string will be different each time, and replaying the encrypted string doesn't work (as the server checks if the encrypted password has the last sent token)

The problem is that the encryption key has to be stored on the client, and it's possible to retrieve that key.

The simple answer to how to protect the password going over the wire, replay attacks, and message tampering is: use SSL. Yes, there are other things you can do with challenge-response authentication schemes for the login part of it, but it sounds like you really want the whole channel protected anyway. Use SSL at the socket layer and then you don't have to do anything else complicated with how you send your credentials.

As for how to protect the client... The most realistic thing is to say that you don't. When you're writing the server code, never trust any data that the client sends you. Never give the client any information you don't want the player to have.

In some games, like chess (or really anything turn-based), that actually works pretty well, because it's very easy for the server to verify that the move passed in by the client is a legal move.

In other games, those restrictions aren't so practical, and then I don't know what you'd do, from a code perspective. I'd try to shift the problem to a social one at that point: Are the other players people you'd trust to bring their own dice to your gaming table? If not, can you play with someone else?

Although it might conceivably be overkill for this specific application (small game, limited user base), you should seriously consider using oAuth, since this application gives you a great chance to learn this technology (which is really solid and widespread, and spreading more and more!-) to apply it in the future -- it's been designed and implemented by excellent programmers with strong security background. You can study their tutorial to get a solid understanding and background, then use libraries such as python-oauth2 to implement oauth simply and productively in your desktop application.