Re: Should we really care??
[ QUOTE ]
in my example the only encrypted info sent was the rank and suit of each dealt card 6 times (or however many times there are players at the table) - once that info is encrypted we can tell if we know what algorithm is used to encrypt it how long the string of data will be - if the amount of encrypted data alters we can make a guess that the server is sending extra info (colluding) and then void the game.
[/ QUOTE ]
The problem with something like that is that you only need 6 bits to send the suit and rank of 1 card. Any kind of valid encryption scheme will involve transmitting more than 6 encrypted bits, which leaves a lot of room for extra baggage to tag along unseen.
If you can't trust the software that the game is being run with then you're basically doomed. That being said there are ways that you can verify the actual software and make sure it doesn't have any backdoors in it (as long as you can trust the auditors verifying the software not to be in cahoots with an evil minded programmer. It always comes down to Quis custodiet ipsos custodes?)
The software itself (or at least the key components) could be certified with a digital signature that would ensure it wasn't tampered with. But if a conspiracy was large enough anything would be possible. Of course such a far reaching conspiracy also becomes almost impossible to keep under wraps.
But the bottom line is that there's no practical way to verify the actual data stream itself. You have to be able to trust that it's accurate. The best you can hope for is to verify the integrity of the source of the stream, but if you can do that then the stream itself should be fine. There are also ways that you could verify (within the software) the actual stream itself to make sure it's not being tampered with en route.
Saying that you can't ensure that "branded" software isn't being run and that it's been replaced is simply erroneous - that is a solvable problem.
|