The Fort Knox of Game Data
KensGames stores almost nothing about you, encrypts what little it does store with the same primitives used by banks and government systems, and refuses to ship the meaning of that data to your device. The result is a service where a successful breach yields ciphertext indexed against geometry, not a database of personal records.
Cryptographic Primitives In Use
What protects your data right now
- AES‑256‑GCM for player coordinates. NIST‑approved authenticated encryption with a fresh 96‑bit IV per write and a verified authentication tag on every read.
- HMAC‑SHA256 substrate signatures. Any tampered substrate is rejected before a lens is allowed to read it.
- bcrypt password hashing at cost 12. Plaintext passwords are never written to disk and never logged.
- Constant‑time comparison (
crypto.timingSafeEqual) on verification codes to neutralise timing side‑channels. - WebAuthn passkeys as the primary authentication path on supported devices, removing the password from the threat model entirely.
- TLS 1.3 on all client traffic via HTTPS and WSS.
What An Attacker Actually Has To Do
To recover anything meaningful from KensGames an attacker needs three independent things at the same time: the encrypted manifold, the specific lens program that interprets it, and the keys that unlock both the coordinate cipher and the substrate signature. Possessing only one or two of those yields geometry, not data. There is no asset library to ransack, no per‑game database of personal records, no plaintext save files and no shipped 3D model archive. The total payload of the playable site is roughly 120 MB of which 7.3 MB is code, and that code is projection logic, not user records.
What A Worst‑Case Breach Looks Like
A worst‑case server compromise that lifts the database leaves the attacker with AES‑GCM ciphertext keyed to opaque coordinate identifiers. Without the encryption key, the ciphertext cannot be decrypted. Without the matching lens, even a decrypted coordinate resolves only to a position on a surface with no semantic meaning attached. Without the substrate signing key, any attempt to forge or replay state is rejected at verification.
What This Claim Is Not
It is not a claim that KensGames is unbreakable. No system is. It is not a claim that the cryptography itself is novel, and deliberately so, because novel cryptography is how breaches happen. It is not a claim that a sufficiently determined attacker with full client‑side debugger access cannot reverse‑engineer a public lens. Lenses that carry trust‑bearing logic are run on the server for exactly that reason.
What This Claim Is
The surface area of "what is worth stealing" has been deliberately collapsed by architecture, not by promises. Standard, audited, peer‑reviewed cryptography protects what little remains. The combination of a small, encrypted, geometry‑native data model and a server‑authoritative lens boundary makes a successful exfiltration both expensive to achieve and low‑value when achieved. That is the practical meaning of "Fort Knox" in this context. Not a vault that cannot be opened, but a vault that, when opened, contains very little a thief can spend.
Honest Caveats & Current Work
- Encryption‑at‑rest keys are environment‑variable held today. Migration to a sealed key store with per‑user data keys derived via HKDF is in progress.
- Anti‑replay nonces on authenticated coordinate updates are being added so old ciphertexts cannot be resubmitted.
- A formal threat model document is being written to accompany this page and to govern future game additions.
- Per‑game substrate isolation, where each game's substrate is signed with a distinct HMAC subkey derived from the game id, is planned.
Disclaimer
The information on this page describes the security architecture and cryptographic primitives in use on KensGames as of the build referenced in version.json. It is provided for transparency and is not a warranty, guarantee, or contractual commitment. KensGames is operated by an independent creator and the service is provided "as is" without warranties of any kind, express or implied, including but not limited to merchantability, fitness for a particular purpose, or non‑infringement. Use of the service is at your own risk. The operator does not accept liability for damages arising from use of, or inability to use, the service, including loss of data, loss of progress, or loss of access to player accounts.
If you believe you have discovered a security vulnerability, please report it privately by email rather than disclosing it publicly. Coordinated disclosure is appreciated and will be acknowledged.