Judge Email Privacy

By Millis Miller

The Problem:

Have you ever wondered how secure the email messages sent to and from the judges are, in the course of the games you play? Probably not; I had not myself until recently, but maybe that is not the best approach to take.

For those who don't know, email is inherently a very insecure transmission method. It is analogous to sending messages on a postcard: anyone along the way can read your message, alter it, or even submit a completely fake one, and neither you nor the recipient would ever know.

OK, for some sensitive information (bank transactions, credit clearances, etc.) this might be an issue, but for Diplomacy games? Well, just consider these possible scenarios (in increasing order of likelihood):

  1. Someone 'spoofs' the judge by sending you an email purporting to be from the real judge. You might spot this from the headers, which would reveal the phony source, but quite likely you would not (not all email clients show message headers easily, and you may not know what to look for).

  2. Someone intercepts an email from the judge and alters it (changing a press message, for example). You have no way of knowing that it was altered, let alone where.

  3. Someone impersonates you and sends an email purporting to be from you, so that the judge accepts new orders, different from those that you think are going to be processed.

Not all of these possibilities are academic. I unfortunately know first-hand of a colleague I introduced to the email hobby who used his computer knowledge, plus the fact that an unfortunate player sent their password by mistake, to generate false messages purporting to come from the judge and to submit new orders to the judge.

The Solution:

How could this be avoided? Well, there exists a program called PGP, and its free counterpart GnuPG, that can secure emails so that these tricks become impossible. Most email clients support these programs, which tack some extra information onto the email. How does PGP work? In simple terms, a unique key pair is generated: one key is public, the other private. Anyone can use the public key (in fact, public keys are often made available on public key servers), but the private key is held only by the person who created the key pair.

With these key pairs, essentially the following two features are provided:

Digital Signature

With this, a message is digitally signed by the originator with their private key. Anyone receiving the message can verify the signature with the corresponding public key, and it will check out only if the message was signed with the matching private key. The same check also reveals whether the message is not the original copy (i.e. it was altered in transit). If you know who holds the private key, then you can be certain that the message originated from them.

Digital Encryption

If you want to send a secure message, unreadable by anyone except the intended recipient, then you use encryption. Anyone can encrypt a message for a recipient by using that recipient's public key, but only the person in possession of the matching private key can decrypt and read it. Encryption strength is usually sufficient that the encoding is unbreakable in practical terms, so message confidentiality is assured.

How could this be used on the judge? For example, by adding a digital signature to all emails coming from the judge, you could be certain that it was the judge that sent a message to you, and not someone else pretending to be the judge. Similarly, you could also send your emails to the judge digitally signed, so the judge can be sure your message was not altered in transit.

In addition, if you know the judge's public key and the judge knows yours, both of you can be certain who is really sending each message, and messages could be rejected if the signature does not match the known key.

To go a step further, the emails between judge and player could be encrypted, so that not even their content could be read by third parties.
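As an added illustration (my own example code, not part of this article or of any judge software), the following Go program plays through the two features described above, signature checking and encryption, on constructed data. It stands in Ed25519 for PGP's signing algorithm and RSA-OAEP with AES-GCM for PGP's hybrid encryption; the message structures, the address judge@example.org and the sample results and orders are all constructed for the example, and a real deployment would use GnuPG's own formats rather than these.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// SignedMail is a message body with the sender's detached signature and the
// address the message claims to come from (this example's own structure).
type SignedMail struct {
	From string
	Body []byte
	Sig  []byte
}

// Sign signs body with the originator's private key (Ed25519 here).
func Sign(from string, body []byte, priv ed25519.PrivateKey) SignedMail {
	return SignedMail{From: from, Body: body, Sig: ed25519.Sign(priv, body)}
}

// Verify is the receiver's check: look up the public key registered for the
// claimed sender and verify the signature over the body. An unknown sender, a
// forgery made with some other private key, or a body altered in transit all fail.
func Verify(m SignedMail, registry map[string]ed25519.PublicKey) error {
	pub, ok := registry[m.From]
	if !ok {
		return fmt.Errorf("no registered key for %s", m.From)
	}
	if !ed25519.Verify(pub, m.Body, m.Sig) {
		return fmt.Errorf("signature does not match: forged or altered")
	}
	return nil
}

// Sealed is an encrypted message. As in PGP, encryption is hybrid: a fresh session
// key encrypts the body (AES-256-GCM); only that key is encrypted with RSA-OAEP.
type Sealed struct {
	WrappedKey []byte
	Nonce      []byte
	Ciphertext []byte
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals body for the holder of the private key matching pub.
func Encrypt(pub *rsa.PublicKey, body []byte) (Sealed, error) {
	buf := make([]byte, 32+12) // AES-256 session key followed by a 96-bit GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return Sealed{}, err
	}
	session, nonce := buf[:32], buf[32:]
	gcm, err := newGCM(session)
	if err != nil {
		return Sealed{}, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, session, nil)
	if err != nil {
		return Sealed{}, err
	}
	return Sealed{WrappedKey: wrapped, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, body, nil)}, nil
}

// Decrypt recovers the body; a wrong key or a tampered ciphertext returns an error.
func Decrypt(priv *rsa.PrivateKey, s Sealed) ([]byte, error) {
	session, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, s.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(session)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, s.Nonce, s.Ciphertext, nil)
}

func main() {
	// Constructed keys and addresses; a real judge would load them from a key ring.
	judgePub, judgePriv, _ := ed25519.GenerateKey(rand.Reader)
	registry := map[string]ed25519.PublicKey{"judge@example.org": judgePub}
	mail := Sign("judge@example.org", []byte("Spring 1901 results follow"), judgePriv)
	fmt.Println("genuine:", Verify(mail, registry)) // <nil>
	mail.Body = append(mail.Body, " (press altered in transit)"...)
	fmt.Println("altered:", Verify(mail, registry)) // signature does not match
	judgeRSA, _ := rsa.GenerateKey(rand.Reader, 2048)
	sealed, _ := Encrypt(&judgeRSA.PublicKey, []byte("orders: F LON - NTH"))
	plain, _ := Decrypt(judgeRSA, sealed)
	fmt.Println("decrypted:", string(plain))
}
```

The registry lookup in Verify is the point made above about the judge knowing each player's key: a message whose signature does not verify against the key on file for its claimed sender is rejected, whether the body was altered, the sender was impersonated, or the sender is simply unknown. The session-key design in Encrypt is why PGP can encrypt a message of any length even though public-key operations work on short inputs.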

Identity Registration

One of the banes of judge play is the use of multiple identities, whereby the same person uses separate email addresses to play multiple positions.

To avoid this problem, use could be made of key signing. This is a procedure whereby a key is itself digitally signed by another key. The signature validates the identity behind the signed key: the signer is vouching that the person really exists and holds that key. If enough people sign each other's keys, then eventually a network of signatures is established that leads from any one person to any other (a so-called Web of Trust).

In judge terms, every player could be required to have a valid key that was signed by real people. Only players signing/encrypting messages with these keys would be permitted to play on the judge.

In that way, you would be certain that each player in a game is a separate person, and multiple positions could no longer be played, unnoticed, by the same player.
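To make the key-signing idea concrete, here is an added example of my own (not code from this article or from any judge or Web of Trust scheme). Each person's key can certify another key, and the judge decides whether a player's key is acceptable by looking for a chain of valid certifications from a key it trusts directly. The names, the certification format and the "cert:" prefix are all constructed for the example; the signature check itself is plain Ed25519 standing in for PGP's key signatures.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Identity is one person's key pair. Names are constructed for this example.
type Identity struct {
	Name string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

// NewIdentity generates a fresh key pair for name.
func NewIdentity(name string) *Identity {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Identity{Name: name, Pub: pub, priv: priv}
}

// Certification is one key signing another: Signer vouches that Subject is
// a real person who holds the certified public key.
type Certification struct {
	Signer  string
	Subject string
	Sig     []byte
}

// certBytes binds the subject's name to their public key, so a signature
// over it cannot be transplanted onto a different key or name.
func certBytes(subject string, pub ed25519.PublicKey) []byte {
	return append([]byte("cert:"+subject+":"), pub...)
}

// SignKey is what a signer does after checking the subject's identity in
// person; that check happens outside the software.
func SignKey(signer, subject *Identity) Certification {
	sig := ed25519.Sign(signer.priv, certBytes(subject.Name, subject.Pub))
	return Certification{Signer: signer.Name, Subject: subject.Name, Sig: sig}
}

// Trusted reports whether target's key is reachable from the key the judge
// trusts directly (root) through a chain of valid certifications, found by
// a breadth-first walk over the web of trust. A certification whose
// signature does not verify against the registered signer key is ignored,
// so a forged certification creates no path.
func Trusted(root, target string, keys map[string]*Identity, certs []Certification) bool {
	if _, ok := keys[root]; !ok {
		return false
	}
	seen := map[string]bool{root: true}
	queue := []string{root}
	for len(queue) > 0 {
		cur := queue[0]
		queue = queue[1:]
		if cur == target {
			return true
		}
		for _, c := range certs {
			subj, ok := keys[c.Subject]
			if c.Signer != cur || seen[c.Subject] || !ok {
				continue
			}
			if !ed25519.Verify(keys[cur].Pub, certBytes(subj.Name, subj.Pub), c.Sig) {
				continue
			}
			seen[c.Subject] = true
			queue = append(queue, c.Subject)
		}
	}
	return false
}

func main() {
	keys := map[string]*Identity{}
	for _, n := range []string{"judge", "alice", "bob", "carol", "mallory"} {
		keys[n] = NewIdentity(n)
	}
	certs := []Certification{
		SignKey(keys["judge"], keys["alice"]), // the judge met alice
		SignKey(keys["alice"], keys["bob"]),   // alice met bob
		SignKey(keys["bob"], keys["carol"]),   // bob met carol
		// mallory claims a certification from the judge but has no way to sign it
		{Signer: "judge", Subject: "mallory", Sig: make([]byte, ed25519.SignatureSize)},
	}
	for _, n := range []string{"carol", "mallory"} {
		fmt.Printf("%s trusted: %v\n", n, Trusted("judge", n, keys, certs)) // true, false
	}
}
```

A second key that nobody real has certified never becomes reachable, which is the property the article wants against multiple identities. The chain is only as good as the identity checks behind it, though: a certification from a trusted member who did not actually check the person still extends the path, which is why Web of Trust schemes such as the Debian one spell out how identities are to be verified before a key is signed.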

When can this be implemented?

The framework for this already exists. There are already public key servers, and various Web of Trust schemes to certify the identity of people (e.g. for Debian Developers). All that is required is to bolt this onto the existing judge system.

Currently, I have established a judge, UKSJ, that is the first step in this. It is set up to send all emails digitally signed (using the email program), thus guaranteeing that the judge is really sending them. Time is always limited for me, but the next steps that I see are:

  • Add the ability to receive digitally signed messages from players, rejecting those with signing errors (indicating tampering).

  • Allow players to encrypt messages to the judge (using the judge's public key).

  • Allow players to register their public keys (either with the judge directly or a specially created dedicated key server).

  • Use player-registered public keys to digitally sign/encrypt messages from the judge to each player.

Not everyone will want to go to such lengths to play on a secure judge like this. Sending from other email accounts, or using the common webmail services (such as Yahoo and Hotmail), will not work with PGP/GnuPG, and the Microsoft Outlook Express email client actually refuses to read such messages. But if you want to be certain that your game is free of cheating, this may be the best way to go.

Millis Miller