Suggestions for (semi) securing high-scores in Flash/PHP game

Question

...I have read a few threads on here that have discussed various methods and was just looking for some feedback on a proposed solution we came up with. In one of the thread

Answer 1

The answer to your question is, it depends. It depends mainly of the estimated popularity of your game.

From a security perspective, your solution is about as secure as sending the highscore in cleartext. What you're doing here is called security by obscurity, which, according to who you listen to may have its benefits in some cases. In this case it's probably that Joe the average user would not likely be able to crack it himself. For anyone with some l33t h4xxor skillz you might as well send it all in cleartext. If all you want is to stop Joe, then it's probably enough, at least until someone creates a fake client for Joe to download (which depending on the popularity of your game could take anything from a couple of days to never (or faster if it's WoW)).

A better solution is the one given by @Kent Fredric. However as it says it doesn't solve the problem of someone creating a fake client. A solution to that might be something like this:

1. Give every action a player can perform an id.
2. Store every action the player performs in a list of ids.
3. When the game is over hash the score, the list of actions and encrypt it with the public key received from the server. (see Kent Fredric's post for details on this)
4. Send the encrypted hash (more commonly called digital signature) to the server together with the score and the list of actions performed.
5. Let the server "play" the game according to the actions in the list.
6. Verify that the same score was attained.
7. Verify that the digital signature is correct.
8. Update server highscore list.

This will guarantee two things:

1. The score comes from the correct client.
2. The score is correct in regards to the game played.

But there's still one serious flaw to this scheme. There's no way of knowing that the game was in fact actually played. If the client is compromised, the list could just be a prefab of a "perfect game" that is sent to the server. It's not possible to directly tamper with the scoring system, but with enough effort someone will most likely be able to create a list of actions that comprise a "perfect game".

However it gives a little bit stronger guarantee than just using the solution in Kent Fredric's post. To solve the whole problem would mean that you must validate the client somehow. This is very difficult since most ways of doing this are easily circumvented.

Finally I just had to comment on your choice of hash algorithm: MD5 is a great hash algorithm for those still living in the nineties. For the rest of us I recommend SHA-2 or at least SHA-1.