about 5 years ago - David Numantian
Originally posted by AND RAISED: Your save file crypto is insufficient to deter a skilled attacker. You have decided the player should not have the right to edit their own save, something I won't debate here. What I will say is that if it's intended to be an anti-cheat, you should make sure the anti-cheat is as strong as it can get, otherwise you're locking players out of save edits without deterring all cheaters.
tl;dr You should consider swapping to something with more state in the crypto stream. The current save format uses the decades-old PKZIP crypto, which is vulnerable to KP attacks and also limits the *effective* password length to 13 or so characters regardless of how long the password is. This is because there are only 13 bytes in the state, so many different passwords (aka shorter than the ones you've picked) will also map to the same internal state, similar to how X mod Y will have many different X that map to Y. In this case, it's Password mod 13chars, which means the password on the encrypted save files is vulnerable to attack.


Hello

Thanks for your feedback, I'll send it to the Dev team.

Regards
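The quoted point about limited cipher state, as an added example that is not part of the original thread or the game's code: the traditional PKWARE (ZipCrypto) key schedule from the public ZIP APPNOTE folds a password of any length into three 32-bit keys, and the keystream depends only on those keys. The class and function names, the sample password and the sample plaintext are assumptions made for illustration; the 12-byte encryption header of real ZIP entries and the game's actual save layout are not modelled.

```python
# Added example: traditional PKWARE (ZipCrypto) key schedule, per the ZIP APPNOTE.
# Names are hypothetical; the sample password and plaintext are constructed.
INITIAL_KEYS = (0x12345678, 0x23456789, 0x34567890)

CRC_TABLE = []
for n in range(256):
    c = n
    for _ in range(8):
        c = (c >> 1) ^ 0xEDB88320 if c & 1 else c >> 1
    CRC_TABLE.append(c)

class ZipCryptoState:
    def __init__(self, keys=INITIAL_KEYS):
        self.k0, self.k1, self.k2 = keys      # the entire cipher state: 3 x 32 bits

    @classmethod
    def from_password(cls, password):
        state = cls()
        for b in password:                    # every password byte is folded into the same 3 words
            state._update(b)
        return state

    def _update(self, b):
        self.k0 = CRC_TABLE[(self.k0 ^ b) & 0xFF] ^ (self.k0 >> 8)
        self.k1 = ((self.k1 + (self.k0 & 0xFF)) * 134775813 + 1) & 0xFFFFFFFF
        self.k2 = CRC_TABLE[(self.k2 ^ (self.k1 >> 24)) & 0xFF] ^ (self.k2 >> 8)

    def _stream_byte(self):
        t = (self.k2 | 2) & 0xFFFF
        return ((t * (t ^ 1)) >> 8) & 0xFF

    def crypt(self, data, decrypt=False):
        out = bytearray()
        for b in data:
            x = b ^ self._stream_byte()
            self._update(x if decrypt else b)  # state always advances on the plaintext byte
            out.append(x)
        return bytes(out)

def demo():
    password = b"constructed-sample-password-well-over-12-bytes"
    plain = b"constructed save data"
    state = ZipCryptoState.from_password(password)
    keys = (state.k0, state.k1, state.k2)     # 12 bytes, however long the password was
    ciphertext = state.crypt(plain)
    # A second instance seeded with the three keys alone decrypts without the password.
    recovered = ZipCryptoState(keys).crypt(ciphertext, decrypt=True)
    return keys, ciphertext, recovered
```

Because the three keys are all that the keystream depends on, a longer password adds no strength beyond 96 bits, which is why an authenticated cipher with a larger key and state is the usual replacement.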




