Offline game features

It’s not about understanding how it works (it’s simple really, and I’m sure you both understand it), it’s about realizing what you’re trying to accomplish, and how public key encryption is going to help with that. But you didn’t say anything about that, you just said “use public key encryption” - but on what? and for what purpose?

1 Like

Exactly. The problem is, all encryption requires secrets. If the secrets are stored on a client machine (which is the only place they can be stored in an offline scenario), then you’ve given the car and the keys to the driver. The keys have to be stored somewhere, and they can be found, given enough dedication.

Server-client communication can leave the private key on the server, which is fine for when you’re communicating with the server. But if you’re offline, and the game is able to record several wins to persistent storage, it needs write access to the data. That means it needs a public key for the encrypted payload. Once someone finds it, they can write whatever they like to the offline data and the server would have no way of knowing that it was tampered with.

1 Like

Asymmetric encryption, such as public key encryption, serves two different purposes, depending on which key you use to encrypt.

If you use your private key to encrypt, it’s a method of signing data, to prove the identity of the sender. Anyone who has the public key can decrypt it, but they know only someone with the private key could have encrypted it.

If you use the public key to encrypt, only the person with the corresponding private key can decrypt it. This is the more traditional use for encryption: sending messages that cannot be read by anyone but the intended recipient.

Neither of these uses is of any help in verifying that information created on your computer by a program stored on your computer hasn’t been tampered with by the user. If your computer can run the program, and use it to sign or encrypt the data, then you have all the information necessary on your hard drive to replicate it.

1 Like

The private/public key aspect doesn’t matter at all. Let’s assume at some point within the coding the data to be transferred would get encrypted with the private key. A malicious person would just hook into that part of the coding and provide some other data to be encrypted instead, like having played 1000 matches for an arcane traitstone each. Encrypted communication doesn’t mean that the source can’t be tampered with.
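The contrast drawn in this thread, as an added example that is not from any of the posts: a signature made with a key that stays on the server exposes a record edited on the client, while a signature made with a key shipped in the client verifies for whatever values were handed to the signing call. The toy textbook RSA built from fixed primes, the record fields and the key names are all assumptions made for illustration, and the scheme is not secure for real use.

```python
import hashlib
import json

# Toy textbook RSA from fixed Mersenne primes (constructed for this example, not secure).
def make_keypair(p, q, e=65537):
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))  # (public key, private key)

def digest(record, n):
    blob = json.dumps(record, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(blob).digest(), "big") % n

def sign(record, private_key):
    n, d = private_key
    return pow(digest(record, n), d, n)

def verify(record, signature, public_key):
    n, e = public_key
    return pow(signature, e, n) == digest(record, n)

# Case 1: the private key stays on the server; the client holds only the public key.
SERVER_PUB, SERVER_PRIV = make_keypair(2**107 - 1, 2**127 - 1)
# Case 2: offline play, so the signing key has to ship inside the client.
CLIENT_PUB, CLIENT_PRIV = make_keypair(2**61 - 1, 2**89 - 1)

def server_signed_case():
    record = {"player": "p1", "wins": 3}      # hypothetical record layout
    sig = sign(record, SERVER_PRIV)           # signed where the user cannot reach the key
    edited = dict(record, wins=1000)          # changed on the client afterwards
    return verify(record, sig, SERVER_PUB), verify(edited, sig, SERVER_PUB)

def client_signed_case():
    honest = {"player": "p1", "wins": 3}
    altered = {"player": "p1", "wins": 1000}  # value changed before the signing call
    # The client's signing routine signs whatever it is handed, so both verify.
    return (verify(honest, sign(honest, CLIENT_PRIV), CLIENT_PUB),
            verify(altered, sign(altered, CLIENT_PRIV), CLIENT_PUB))

if __name__ == "__main__":
    print("server-signed (original, edited):", server_signed_case())
    print("client-signed (honest, altered):", client_signed_case())
```

The second result is the one that matters for offline play: a valid signature shows which key produced it, not that the signed values reflect what happened in the game.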