Jo-Han Wong BEng (Comm)(Hons), RMIT University, jhwong@pc.jaring.my
Mark A Gregory BEng. (Elec)(Hons) MEng., Senior Lecturer, Department of Communication and Electronic Engineering, RMIT University, m.gregory@rmit.edu.au
By necessity, security is an area that needs crucial attention, especially when deploying e-commerce applications onto the Internet. One such application of e-commerce is Internet entertainment. Generally, the games reside on a server (the game server) that is linked to the Internet. End-users interact with the game server through the game client, using an Internet browser.
Currently, a prototype Internet entertainment system is being developed at RMIT University. Communication is via TCP/IP, which by design is not secure. To be commercially viable, the communication channels between the game client and game server have to be secure. There are many ways to implement the security features, and the purpose of this paper is to briefly discuss them.
By necessity, security is an area that needs crucial attention especially when deploying e-commerce applications onto the Internet. One such application is Internet entertainment [1]. An example of a work-in-progress Internet entertainment system is shown in Figure 1.
This system resembles a client/server model. An important design feature of this system is the use of separate components for specific functions, i.e., separate systems to handle game-specific services and non game-specific services. For game-specific services, the game client interacts with the game server. The game server is a server application for a particular game whilst the game client is the client portion for the particular game. End users interact through the game client, which is embedded in the Web browser. The Web server provides non game-specific services such as registration, authentication and help. These services are in turn accessed through the Web browser.

Figure 1: Components of the Internet Entertainment System
The game server is currently implemented as an NT service and coded in C++, whilst the game client is a Java 1.02 compliant Java applet. Being Java 1.02 compliant means that the game client can actually be run from within the major Web browsers such as Netscape Navigator and Microsoft Internet Explorer. The advantage of such an implementation is that it essentially guarantees platform independence with respect to the game client.
Communications between the game client and the game server are via TCP/IP (Transport Control Protocol/Internet Protocol) and implemented using the Berkeley-style sockets interface. Game-specific messages are encapsulated within TCP. However, TCP/IP by design is not a secure protocol, and all data that travels between the game client and the game server is exposed for the entire world to see (see Figure 2) [2]. Consequently, the current setup is more useful as a ‘proof of concept’ Internet entertainment system.

Figure 2: Insecure Communications Channel over the Internet due to Absence of Security Mechanisms Above TCP/IP, in TCP/IP and under TCP/IP
To be commercially viable, the communications channel between the game client and game server has to be secure. Security requirements include confidentiality, integrity, authentication and non-repudiation. Currently, the SSL (Secure Sockets Layer) security protocol is the preferred choice to fulfill this purpose. SSL is a protocol for encrypting TCP/IP transmissions between two applications [3].
Because the game client and the game server do not use HTTP (Hypertext Transfer Protocol) to communicate, the SSL support built into the major Web browsers cannot be used. The alternative is to use an SSL class package such as Java’s Java Cryptography Architecture (JCA) and Java Cryptography Extension (JCE), RSA’s BSAFE SSL-J or IBM’s SSLight. However, these class packages are meant to be run on Java 1.1 and won’t work on Web browsers that only support Java 1.02. In addition, even if the Java Virtual Machine (JVM) 1.1 were downloaded to the computer, it would still be inaccessible to the Java applet. Sun, having recognized this limitation, created Java Plug-In, which enables developers to direct applets to use a different virtual machine than the one included with the Web browser [HREF1]. This solution guarantees platform independence but would still require the user to download the correct JVM.
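The following is an added example, not code from the paper or the RMIT prototype. It shows a non-HTTP client opening an SSL/TLS channel through a class library, using the present-day `javax.net.ssl` API (which is not available to a Java 1.02 applet). The class name, the length-prefixed framing and the sample message are assumptions made for illustration.

```java
import java.io.DataOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

public class SecureGameChannel {   // hypothetical class name
    // Protocol versions this example accepts; SSLv3 and TLS 1.0/1.1 are excluded.
    static final List<String> ALLOWED = Arrays.asList("TLSv1.3", "TLSv1.2");

    // Apply the checks a browser performs for HTTPS but a raw SSLSocket does not.
    static void harden(SSLSocket socket) {
        List<String> enabled = new ArrayList<>(ALLOWED);
        enabled.retainAll(Arrays.asList(socket.getSupportedProtocols()));
        if (enabled.isEmpty()) throw new IllegalStateException("no acceptable TLS version");
        SSLParameters params = socket.getSSLParameters();
        params.setProtocols(enabled.toArray(new String[0]));
        // Without this, the certificate chain is validated but the server name is not.
        params.setEndpointIdentificationAlgorithm("HTTPS");
        socket.setSSLParameters(params);
    }

    // Assumed framing: 4-byte big-endian length, then the UTF-8 message body.
    static void send(SSLSocket socket, String message) throws IOException {
        byte[] body = message.getBytes(StandardCharsets.UTF_8);
        DataOutputStream out = new DataOutputStream(socket.getOutputStream());
        out.writeInt(body.length);
        out.write(body);
        out.flush();
    }

    public static void main(String[] args) throws IOException {
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        // With "host port" arguments, connect to a server; otherwise only show the settings.
        try (SSLSocket socket = (SSLSocket) (args.length == 2
                ? factory.createSocket(args[0], Integer.parseInt(args[1]))
                : factory.createSocket())) {
            harden(socket);
            SSLParameters p = socket.getSSLParameters();
            System.out.println("protocols=" + Arrays.toString(p.getProtocols())
                    + " endpointId=" + p.getEndpointIdentificationAlgorithm());
            if (socket.isConnected()) {
                socket.startHandshake();      // fails if the certificate or host name is rejected
                send(socket, "JOIN table=1"); // constructed sample message
            }
        }
    }
}
```

Run without arguments, the program prints the negotiable protocol versions and the endpoint identification setting; run with a host and port, it completes the handshake before any game message leaves the client.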
Yet another way of implementing security is to use Microsoft’s Software Development Kit (SDK) for Java [HREF2]. The advantage of such an approach is that it allows the developer to access the Windows security provider interfaces and Component Object Model (COM) security services, and negates the need to download additional virtual machines (VM). In addition, the majority of the Java code would remain unaltered, thus saving time and preserving the effort previously expended in designing the game client. However, this effectively limits the game client exclusively to the Windows platform.
Since the game server is implemented as an NT service, the SSL security protocol will be implemented using either the Windows security provider interfaces or via the COM security services. Using Microsoft-based solutions is a compelling choice because of the scalability advantage especially if COM is implemented on the game server end.
Another alternative is to implement the game server as a Java servlet. A Java servlet can be thought of as an applet running on the server side, albeit without a face [HREF3]. Servlets provide a mechanism to build component-based Web applications whilst still being platform-independent.
Ideally, it would be best to implement the game server and game client using Java-based technologies or Microsoft-based technologies exclusively. However, given the current state of the Internet entertainment system, the best solution might be to have a hybrid system.
[1] Gregory, Mark 1999 ‘Internet Entertainment’, AUSWEB99 Conference, Sydney, Australia, May 20-21, 1999
[2] Ghosh, Anup K. 1998 ‘E-Commerce Security - Weak Links, Best Defenses’, Wiley Computer Publishing.
[3] Garfinkel, Simson & Spafford, Gene 1997 ‘Web Security & Commerce’, O’Reilly & Associates Inc.