Digital Data is trivial to duplicate. A bit is a bit. This is an overview of a cryptographic strategy for detecting duplicates online. It is applicable to games, movies, music, ebooks, license enforcement, piracy detecting, and digital fingerprints. For additional information, resources, and tools, visit http://free2secure.com/. There is a lot more that can be done to protect your critical information. If you are interested, send me an email to steve @ free2secure.com with the subject “Duplicate”. If you are interested in keeping up with the latest books, articles, and tools from me at Free2Secure send me an email steve @ free2secure.com with the subject “Subscribe”. Finally, if you have any security questions, issues, or shoot me a note to steve @ free2secure.com with the subject “Help”. You can be secure. Your information can be protected. You have the right to expect excellent protection from the companies, organizations, and governments you do business with.

1. Security eBooks
Cryptographic Duplicate Detection
For Access Management, Piracy
Protection, and More
Steven Davis
steve@free2secure.com
Games, iGaming, and Gambling +1.650.278.7416

2. Security eBooks
Protocols not Players or Computers
That’s all you see
online
steve@free2secure.com
Games, iGaming, and Gambling +1.650.278.7416

3. Security eBooks
Traditional Identification &
Authentication Methods are very weak
for verifying actual identities
• Name/Password can be shared & compromised
• ID/Key can be shared or compromised
• “Digital Fingerprints” can be duplicated
steve@free2secure.com
Games, iGaming, and Gambling +1.650.278.7416

4. Security eBooks
• Powerful white list of
good platforms
• Improve association
of players with
platforms
• Identifying problem
platforms
• Can be a very
powerful technique Detecting
to fight server piracy
/ ghost servers
Duplicate
• Support legitimate Identities
sharing and backups
steve@free2secure.com
Games, iGaming, and Gambling +1.650.278.7416

5. Security eBooks
Core Idea
Why not change identities AND keys at
every session (or more frequently)?
steve@free2secure.com
Games, iGaming, and Gambling +1.650.278.7416

6. Security eBooks
Active Identity System - General Flow
tic
sta
• Initialization be
to
– Done in a variety of ways ve
ha
– Identity can even be verified retroactively
ot
• Verify Current Identity/Key Pair sn
doe
• Update Identity/Key Pair e
• Verify Update alu
tit yV
• Continue Operations en
Id
• OPTION - use “rolling update” to operate smoothly
during identity changes
• add an “A” or “B” Flag to messages
• Send “rollover” command message
steve@free2secure.com
Games, iGaming, and Gambling +1.650.278.7416

7. Security eBooks
Server-Push Identity
Player posts ID to server ID(x)
Server returns Challenge Phrase Challenge(IDx))
Player posts encrypted Challenge Phrase ID(x),E(Key(x),Challenge(IDx))
Server validates Response
Server creates updated ID & Key
Server sends updated ID & Key encrypted in old key E(Key(x+1),ID(x+1),SessionID)
Player decrypts new ID & Key
Player sends validation message to Server SessionID,E(Key(x+1),SessionID)
• Client gets new ID/Key pair from server
• Server knows underlying identity of client
• If duplicate made of client info, server can create an “Identity Fork”
or take other action
• You know a duplicate has been made, not which copy is a duplicate
• Can be done with symmetric keys or public (asymmetric) key
systems
steve@free2secure.com
Games, iGaming, and Gambling +1.650.278.7416

8. Security eBooks
Collaborative Identity Generation 1
Player creates new ID(cx+1), Transform of new ID, and Challenge1
Player creates new DH random z and computes b z mod p
Player posts Challenge Phrase to server
ID(x),E(Key(x),T(ID(cx+1)), b z mod p,Challenge1)
Server decrypts Challenge Phrase
Server creates new ID(sx+1), Transform of new ID, and Challenge2
Server creates new DH random y and computes b y mod p
* Server creates new DH key Key(x+1) = (b z ) y mod p
Server posts Challenge Phrase to Client
ID(x),E(Key(x),T(ID(sx+1)), b y mod p,Challenge1, Challenge2, H(Key(x+1))
Client decrypts Challenge Phrase and validates Challenge1
• Sample using Diffie-Hellman style key generation
• Could easily be adapted to other public key algorithms
steve@free2secure.com
Games, iGaming, and Gambling +1.650.278.7416

9. Security eBooks
Collaborative Identity Generation 2
(from previous page) Client decrypts Challenge Phrase and validates Challenge1
* Client creates new DH key Key(x+1) = (b z ) y mod p
Client validates new DH key with received hash
Client sends new ID(cx+1) to Server with hash of new Key and Challenge2
ID(x),E(Key(x),ID(cx+1),H(Key(x+1)),Challenge2)
Server validates new ID against previously received Transform and validates Key(x+1) hash
* Server computes new ID ID(x+1) = ID(cx+1)+ ID(sx+1)
Server sends new ID contribution to Client
ID(x),E(Key(x),ID(sx+1)
* Client computes new ID ID(x+1) = ID(cx+1)+ ID(sx+1)
Client and sever use new ID(x+1), Key(x+1) pair
• Active Identity System is really a temporary pairwise identity
with a remote entity
• Does not need to be client-server, could be peer-to-peer
steve@free2secure.com
Games, iGaming, and Gambling +1.650.278.7416

10. Security eBooks
Active Identity is Part of an Overall Identity &
Access Management Solution
To
Str
en
an gth
d O en
nli Pla
ne tfo
Se rm
• Digital Fingerprints cu i d
rity en
• User Name/Passwords tity
• Security Tokens
• IP Address
• Platform IDs
• Active ID
steve@free2secure.com
Games, iGaming, and Gambling +1.650.278.7416

11. Security eBooks
Fighting Server
Piracy
• Client can detect server duplicates as server won’t have
current identity/key pair
– Can prevent connection to pirate server
• Even if real server identity/key database gets
compromised, clients will rapidly rekey to new
identity/key pairs
• Can also be used for traditional computer piracy
detection system
steve@free2secure.com
Games, iGaming, and Gambling +1.650.278.7416

12. Security eBooks
What next?
• Don’t give up!
• More security presentations at:
http://free2secure.com/
• Check out my book “Protecting Games”
– Additional information at http://playnoevil.com/
• You can “win” the security game
steve@free2secure.com
Games, iGaming, and Gambling +1.650.278.7416

13. Security eBooks
About Me
• Steven Davis
– 25+ Years of Security Expertise
• Worked on everything from online
games and satellite TV to Nuclear
Command and Control and military
communications
• http://www.linkedin.com/in/playnoevil
– Author, “Protecting Games”
• Why Free2Secure?
– Security is too expensive and isn’t working. There has to be a better way.
I’m exploring these issues for IT security, ebooks, games, and whatever
else strikes my fancy at http://free2secure.com/ .
– Join me there, ask questions, challenge assumptions, let’s make things
better.
steve@free2secure.com
Games, iGaming, and Gambling +1.650.278.7416