Skip to content

Commit

Permalink
Merge origin/master
Browse files Browse the repository at this point in the history
  • Loading branch information
@tonikelope
tonikelope committed May 7, 2024
2 parents c401a18 + 9c9f6f8 commit ac8926d
Show file tree
Hide file tree
Showing 2 changed files with 12 additions and 0 deletions.
12 changes: 12 additions & 0 deletions README.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -90,6 +90,18 @@ mvn clean install

<p align="center"><img src="https://github.com/tonikelope/coronapoker/raw/master/coronahmac.png"></p>

1) CoronaPoker.jar is executed normally.
2) As soon as it starts, the WatchService API is called to start monitoring changes in the directory where CoronaPoker.jar is located.
3) CoronaPoker.jar is restarted but this time disabling the option to use agents for debugging as well with a tcp port so that the new process can communicate and authenticate with the old process.
4) The new CoronaPoker process sends to the old one a message authenticated with HMACSHA256 (with a pre-shared secret key that is obfuscated inside CoronaHMAC) that contains its PID concatenated with the random_nonce_1 sent by the original CoronaPoker process and a new random_nonce_2 generated from new CoronaPoker process at runtime.
5) The original CoronaPoker process verifies the message and responds to the new process by resending the message received back authenticated with HMACSHA256 with the pre-shared secret key.
6) Once mutually authenticated, new process calculates the HMACSHA256 (with the pre-shared secret key) of CoronaPoker.jar file that it will use as seed to authenticate and verify that the other players are using the same CoronaPoker.jar binary.
7) Once the CoronaPoker.jar HMACSHA256 has been calculated, the new process generates a random_nonce_3 and sends it to the old process to let it know that it has finished.
8) The original process responds with a HMACSHA256 with pid+all random nonces generated during the process concatenated (and any creation/delete/modification event detected in CoronaPoker.jar directory).
9) After verifying the response of the old process, CoronaHMAC starts the game.

Note: If the original process is terminated by an attacker or if an attacker performs a TOCTOU, the new process will find out by corrupting the internal HMAC of CoronaPoker.jar which will later betray you to other players as a cheater. In addition, authenticated messages with HMACSHA256 and random nonces of sufficient length are used to make any man-in-the-middle and/or replay attacks almost impossible.

<p align="justify">In addition to this system, CoronaPoker includes an feature that allows players to obtain at any time during the game a "snapshot" of any player's process list, as well as a screenshot of his screen, in case he/she is using any external application to cheat. (This feature can be activated or deactivated by the server when setting the game options).</p>

<p align="justify">Finally, CoronaPoker is designed in such a way that only the game server "knows" the cards dealt to the players and they will be sent to the rest of the players if necessary at the moment they are needed. In addition, for emergency recovery mode, the permutation of the current hand's deck is stored on the server hdd in encrypted form with a key that is sent to other players (and not stored by the server in any form).</p>
Binary file modified coronahmac.png
View file
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.

0 comments on commit ac8926d

Please sign in to comment.