Addon Signatures – ArmA: Armed Assault

From Bohemia Interactive Community
Jump to navigation Jump to search
Line 18: Line 18:
Player connecting to a checked server is allowed to have present only addons which are signed by accepted signature. Any player not complying to this is detected, and based on server configuration a message in this sense may be displayed, or he may be kicked out, or another action defined by the server admin may be done.
Player connecting to a checked server is allowed to have present only addons which are signed by accepted signature. Any player not complying to this is detected, and based on server configuration a message in this sense may be displayed, or he may be kicked out, or another action defined by the server admin may be done.


Player cannot do any of the following is he want to pass signature verification:
Player cannot do any of the following if he wants to pass signature verification:


* modify signed addons
* modify signed addons
* having unsigned addons present
* use unsigned addons
* having addons which are signed, but not by an accepted signature
* use addons which are signed, but not by an accepted signature


If player wants to use unsigned addons when playing single player or when playing on other servers not testing for this, he needs to make sure such addons are not loaded before connecting to the checked server. This can be done using [[modfolders]] or by using some 3rd party addon management utilities.
If player wants to use unsigned addons when playing singleplayer or when playing on other servers not testing for this, he needs to make sure such addons are not loaded before connecting to the checked server. This can be done using [[modfolders]] or by using some 3rd party addon management utilities.


===Controlling addon signature verification on the server===
===Controlling addon signature verification on the server===

Revision as of 21:54, 9 June 2007

Addon Signature implementation in all version before 1.08 contains serious bugs which cause even users with no modified or unsigned addons are marked as using modified data.

Overview

Addon signatures are a way to reduce cheating in Armed Assault. They are used to detect data files modified by anyone else but the addon creator. They are based on strong cryptographic principles (private/public key pairs), therefore hacking around them is very hard.

Addon is signed by its creator using a private key, while the public key is used by the game to verify that the addon has not been modified.

Terminology

  • Checked server: a server with signature verification on
  • Unchecked server: a server with signature verification off
  • Accepted signature: on of the signatures defined by the server as trusted

What is checked

Player connecting to a checked server is allowed to have present only addons which are signed by accepted signature. Any player not complying to this is detected, and based on server configuration a message in this sense may be displayed, or he may be kicked out, or another action defined by the server admin may be done.

Player cannot do any of the following if he wants to pass signature verification:

  • modify signed addons
  • use unsigned addons
  • use addons which are signed, but not by an accepted signature

If player wants to use unsigned addons when playing singleplayer or when playing on other servers not testing for this, he needs to make sure such addons are not loaded before connecting to the checked server. This can be done using modfolders or by using some 3rd party addon management utilities.

Controlling addon signature verification on the server

If a server admin decides addon signatures should be verified, he should add a following line to the server.cfg file:

verifySignatures=1

Server admin can decide which addon makers he considers trustworthy by placing their public keys in the "keys" directory. Note: as of writing, the only existing signature is the Bohemia Interactive one, called bi.bikey. This should change once DSSignFile and FileBank utilities are released.

Community nature

The is no central authority deciding which signatures are trustworthy and which not. Each server admin can decide this. Off course, server admin are free to communicate their experiences with various signatures, or create a publicly accessible black lists of signatures which they think are no longer trustworthy, like when they know they were compromised because the private key has been leaked.

Signing addons

Signing addons is done using DSSignFile utility. A private key is needed for this.

Security considerations

There are following ways how security of this system can be compromised by human factor failing:

  • Private key has been leaked, meaning somebody is able to perform unauthorized modifications to addons signed by given signature
  • A person holding a private key and considered trustworthy so far has intentionally created or signed an addon which can be used to cheat
  • A person holding a private key has unintentionaly created or signed an addon which can be used to cheat. This can be either by mistake (e.g. someone creating an interesting uniform variant resking for default units, but not seeing this variant provides less cover) or by a fraud (addon maker signing an addon which he was passed by somebody else, but the addon contains some hidden payload, like a cheating script)
  • Somebody creating cheats fools a server admin to install his signature.
Best practices for addon makers
  • Never hand your private key to anyone, store it on a secure place, and if transferring it, use secure means
  • Never sign any addons given to you by somebody else.
  • You are the one responsible for reputation of your signature. Think about what you sign. Consider carefully if the addon or modification you have created can be used to get an unfair advantage
Best practices for server admins
  • Add only signatures of addon makers which you really trust. Do not add a signature only because a few users are requesting you do so.
  • Decide what you do when user does not pass signature verification. Use Server Side Scripting to configure it.