Custom password encryption/decryption against cheats

[Nihilant]

Now, I'm in final stage of editing details of my game and soon going official with it. So I wanted to hear your ideas on this security 'trick' I am using.

The game is multiplayer and made in Flash (actionscript 3) as UI, with Php communicating with the database.

Since the Flash is not secure enough and since I wanted to stop anyone editing URL for sending false info to Php, I've decided to go with a custom password encryption. I've made a 'system' that works like this:

1. Player logs in and php generates user's "actionpass" (a password that allows him actions ingame): it picks 20 numbers and letters (0 to 9 for numbers, A-Z for letters) ordered by a custom-made code that sets numbers/letters in positions in the string.
2. The actionpass is saved in database for that player.
3. The php then sends the regular data back to Flash UI, along with actionpass.
4. Flash UI receives the actionpass and 'decrypts' it into new 20-characters string, based on the 'reverse' version of a custom-made code from initial Php file. In other words, the 20-chars actionpass sent from Php will be decrypted to only ONE 20-chars version (no random versions).
5. When player sends new request to Php via Flash UI, the Flash sends this decrypted version of actionpass and Php checks it against the stored actionpass in the database, by decrypting it to initial 20-chars version. Only if it's the right actionpass, the Php proceeds with queries, updates etc. If it's not the right actionpass, it warns the player.
6. Whatever happens, Php changes the actionpass again and sends the new 20-chars string to Flash, etc.

What actually commences is Flash/Php exchanging and comparing actionpasses. If a player checks the POST variables, he'll see that Php sends one version of 20-chars and Flash sends different version, and it happens each time. If he notes the actionpass retreived from Php, he cannot use it in URL POST edits, since Php will now expect encrypted actionpass from Flash - and player can know it ONLY when it's already sent from Flash to Php. If he tries to use THAT actionpass (from Flash to Php) he'll find out again that the actionpass on Php side has already been changed so his random actionpass won't work.

In short, player must figure out the code that generates, encrypts and decrypts this actionpass, and both on Flash and on Php side. If actionscript in Flash is secured enough (never 100% I know!) he cannot hope to crack the code since each time he CHANGES it, I log the attempt; and he must do some tests to check his code-decyphering skills.

Now, do you guys think this is useful security measure in mmo game?

[a_bertrand]

I doubt that will really prevent people to cheat... as they could change the values inside your flash (with hacker tools or debuggers) and let your flash send over the new values as well. So sure you could protect 100% your protocol (and 100% cannot be reached anyhow) and still have issues about that kind of hacks.

The only way I know is to make the flash client pretty much stupid, and all the actions being handled on the server side. The client is used only for display and handling the player input. However that requires a lot of CPU / resources on the server, and something different than PHP as server side technology.

[Nihilant]

Yeah getting into AS of Flash is not hard, but I'll decrypt it one way or another (still, I know, not 100% secure just might make it too time-consuming for hacker to get into it). As per the other half of suggestion/comment, indeed, it would be best to have Flash only send requests to Php which whill handle all the comparisons, checks and executions of commands.

[Callan S.]

Yeah, I'd think you'd want to ensure you have server side fact checking of incoming data, really - to ensure no value passed by the client is larger or smaller than it should be, by having the server check that. All clients are vulnerable.

Of course the tricky bit is stuff like a reflex based game, as the data might be within the expected limits, but the challenge is trying to determine if a human took on the challenge or a 'bot did.

[Jackolantern]

Yeah getting into AS of Flash is not hard, but I'll decrypt it one way or another (still, I know, not 100% secure just might make it too time-consuming for hacker to get into it).

You may as well not spend the time to bother. If it isn't 100% safe (and nothing on the client can be), you can't depend on it, which means the server still has to verify and safeguard it. Things like this will only get you into trouble by giving a false sense of security. If a cheat is possible, one knowledgeable person will spend the days or even weeks to get it, and then they will package it and distribute it. Soon people who have no idea how to even read code could be using the exploit, and the game world could be ruined.