A few years ago, I implemented a basic online leaderboard system in one of my games that sent encrypted score data over the wire. The encryption keys were stored in the game client’s binary. Of course, the leaderboards got hacked the same day they were released.
I have now released a new game on Steam, and I’ve worked hard to implement fully deterministic game logic and a replay system.
The replay system works by simply replaying the user’s input that was recorded in a previous playthrough. The fully deterministic game logic ensures that the replay will work on any machine, independently of the game’s FPS.
Now, it is time for me to implement online leaderboards.
My idea is to create a server version of the game executable which receives replay files over the network, replays them on some remote machine, and adds the score to a database if the replay data is valid.
While this prevents cheaters from simply sending a fake score to the server, it opens up many other cheating avenues, including:
- Tool-assisted creation of replays, either by slowing down the game speed or by manually crafting a replay file after reverse-engineering its format (the game is open-source).
- Taking someone else’s replay and sending it over the network, changing data regarding who the replay belongs to.
I could somehow encrypt and compress the replay data before sending it over (or saving it on the user’s local machine), but since the game is open-source, it would be easy to reverse-engineer the encrypted replay format.
What is a good way of securing a replay-based online leaderboard system?
One possible idea I had is to have the server generate an encryption key / token for a specific user which is only valid for a small amount of time, send it over to the client, and only accept replays that are encrypted with that key. This would prevent users from uploading older replays to the server, but in theory it should work — am I missing something?
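The short-lived per-user token idea described above, sketched from the server's side as an added example that is not part of the original post. It swaps encryption for an HMAC-signed token that the client sends back with the replay; the function names, the 15-minute lifetime and the in-memory nonce store are assumptions.

```python
import hashlib
import hmac
import json
import os
import time

SERVER_SECRET = os.urandom(32)  # stays on the server (assumed: single process)
TOKEN_TTL = 15 * 60             # seconds a run token is valid (assumed value)
_used_nonces = set()            # in-memory stand-in for a database table


def _mac(user_id, nonce, expires):
    # JSON-encode the fields so their boundaries are unambiguous.
    msg = json.dumps([user_id, nonce, expires]).encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def issue_token(user_id, now=None):
    """Called when an authenticated player starts a run."""
    now = time.time() if now is None else now
    nonce = os.urandom(16).hex()
    expires = int(now) + TOKEN_TTL
    return {"user": user_id, "nonce": nonce, "expires": expires,
            "mac": _mac(user_id, nonce, expires)}


def check_upload(auth_user, token, now=None):
    """Return 'ok' or the rejection reason, before the replay is simulated."""
    now = time.time() if now is None else now
    try:
        user, nonce = str(token["user"]), str(token["nonce"])
        expires, mac = int(token["expires"]), str(token["mac"])
    except (KeyError, TypeError, ValueError):
        return "malformed"
    expected = _mac(user, nonce, expires)
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return "forged"          # fields were edited or the token is made up
    if user != auth_user:
        return "wrong-user"      # token was issued to a different account
    if now > expires:
        return "expired"         # older replays fall out of the window
    if nonce in _used_nonces:
        return "reused"          # each token accepts one upload only
    _used_nonces.add(nonce)
    return "ok"
```

A token that passes only shows the upload came from that account inside the time window; the server-side re-simulation of the replay still decides whether the score is accepted.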