Data Privacy for our Poker Software
"When the stakes are high, it pays to go to great lengths to ensure that software is implemented with proper considerations for security and safety." - Matt Schmid, Cigital, Inc.
All exchanges between our client software running on client computers and our servers are encrypted. It is essential to be aware that encryption alone in the strictest sense does not ensure privacy. For example, a site where hole cards of all the players are transmitted to everyone is not secure in spite of encryption. That is why we have put a lot of energy into our security system design and policy formulation.
Security Highlights:
Software Download:
The first point at which security becomes a critical issue is when the client software is downloaded from PokerStars. We must make sure that the client software is downloaded uncompromised and unchanged. To tackle this need, we incorporated the following elements into the download process:
- For Internet Explorer, the authenticity of the downloaded executable is confirmed by the browser using our key and Thawte certificate.
- For other browsers, we use a 1024-bit RSA key and a Thawte server certificate to secure our HTTPS web server and download.
Playtime security:
We have incorporated a range of features to ensure the game's own security.
- Our client software makes use of certificates produced by our own Certificate Authority (CA) to authenticate itself to our servers.
- Our CA certificate key is 1024 bits long.
- Our client software implements the industry standard SSLv3 protocol. It is specifically built for use with RSA for authentication and key generation, and with triple-DES (EDE3, in outer-CBC mode) for encryption. Presently we use a 512-bit RSA key, which according to [1] is adequate for short and medium-term (up to several years) secrets. Since we change private keys on the server every three months, we have given a massive safety margin for the utmost security. Furthermore, the use of Triple-DES EDE3 for session encryption is considered to be at an even higher level of security still.
- No private information, like hole cards, is ever sent to other players' computers.
COLLUSION
Collusion is a method of cheating in which two or more players share their cards or by other means make up a cheating collaboration, to the disadvantage of the other players on their table.
While on the one hand it is simpler to exchange data between colluding players in online poker than it is in live cardrooms, it is far more difficult to ultimately escape detection, as the cards for each player can be scrutinized after each play.
No matter how refined the collusion is, it has to entail a play of a hand that without collusion would not have been played in that manner. Our detection system is built to recognize unusual play patterns and automatically notify our security personnel, who will in turn make a detailed manual analysis. We will also follow up on any players' submissions concerning suspected collusion.
If any player is discovered to be engaging in any type of collusion his or her account could be closed permanently.
SHUFFLE
"Anyone who considers arithmetic methods of producing random digits is, of course, in a state of sin." - John von Neumann, 1951
We recognize that the use of a fair and random shuffle algorithm is crucial to the strength of our software. To this end and so as to preclude major issues described in [2], we make use of not one but two independent sources of fully random data:
- user input, consisting of mouse motions and event timing, gathered from the client poker software
- a true hardware random number generator created by Intel [3], which utilizes thermal noise for an entropy source
Both these sources individually generate sufficient entropy ensuring a fair and fully random shuffle.
Shuffle Highlights:
- A pack of 52 cards can be shuffled in 52! (52 factorial) ways. 52! is approximately 2^225 (to be precise, 80,658,175,170,943,878,571,660,636,856,404,000,000,000,000,000 ways). We use 249 random bits from each entropy source (user input and thermal noise) resulting in an even and fully random statistical distribution.
- Moreover, we employ meticulous rules to ensure that the degree of randomness is beyond reproach; for example, if user input does not create a sufficient amount of entropy, the next hand does not commence until the required amount of entropy is obtained from the Intel RNG.
- We utilize the SHA-1 cryptographic hash algorithm to combine the entropy gathered from both sources to provide an even further level of security.
- We also have a SHA-1-based pseudo-random generator which affords even more security and defense from user data attacks.
- The conversion of a random bit stream to random numbers, in a required range with no bias, is accomplished by employing a simple but reliable algorithm. For example, if we require a random number in the range of 0-25:
  - we obtain 5 random bits, converting them to a random number from 0-31.
  - if this number exceeds 25, we simply reject all 5 bits and restart the whole procedure.
  - This procedure is unaffected by the bias that the modulus operation introduces when creating random numbers in a range whose size is not 2^n, n = 1, 2, ...
- To execute an actual shuffle, we utilize yet another simple but reliable algorithm:
  - first we pick a random card from the initial pack (1 of 52) and remove it, placing it in a new pack - leaving the initial pack holding 51 cards and the new pack holding 1 card
  - then we pick another random card from the initial pack (1 of 51), remove it, placing it on top of the new pack - leaving the initial pack holding 50 cards and the new pack holding 2 cards
  - this procedure is repeated until all cards have moved from the initial pack to the new pack.
  - This algorithm is not affected by the "Bad Distribution Of Shuffles" described in [2]
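
The bit-rejection step and the card-by-card shuffle described above, as an added example in Python (not PokerStars' code). The BitStream class, its SHA-1 counter-mode construction and all function names are assumptions made for the illustration; outcome_counts runs every 5-bit value through both methods to show the modulo bias that rejection avoids.

```python
import hashlib
from collections import Counter

class BitStream:
    """Stand-in bit source: SHA-1 in counter mode over a seed (an assumption;
    the page does not describe how its generator is built)."""
    def __init__(self, seed: bytes):
        self.seed, self.counter, self.pool, self.nbits = seed, 0, 0, 0

    def take(self, k: int) -> int:
        while self.nbits < k:  # refill 160 bits at a time
            block = hashlib.sha1(self.seed + self.counter.to_bytes(8, "big")).digest()
            self.counter += 1
            self.pool = (self.pool << 160) | int.from_bytes(block, "big")
            self.nbits += 160
        self.nbits -= k
        value = self.pool >> self.nbits          # top k unused bits
        self.pool &= (1 << self.nbits) - 1       # drop them from the pool
        return value

def uniform_below(n: int, bits: BitStream) -> int:
    """Unbiased integer in [0, n): draw k bits, reject and redraw if >= n."""
    if n < 1:
        raise ValueError("n must be positive")
    k = (n - 1).bit_length()                     # n = 26 -> 5 bits (0-31)
    while k:
        value = bits.take(k)
        if value < n:
            return value                         # 26-31 are thrown away whole
    return 0                                     # n == 1: only one choice

def shuffle(pack, bits: BitStream):
    """Move one randomly picked card at a time from the initial to the new pack."""
    initial, new = list(pack), []
    while initial:
        new.append(initial.pop(uniform_below(len(initial), bits)))
    return new

def outcome_counts(n: int, k: int, reject: bool) -> Counter:
    """Feed every possible k-bit value through rejection or through `% n`."""
    counts = Counter()
    for value in range(1 << k):
        if not reject:
            counts[value % n] += 1
        elif value < n:
            counts[value] += 1
    return counts
```

With n = 26 and k = 5, the modulo variant maps two 5-bit values to each of 0-5 and only one to each of 6-25, while rejection leaves exactly one per outcome.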
PokerStars shuffle verified by Cigital and BMM International
PokerStars presented wide-ranging information concerning the PokerStars random number generator (RNG) to two independent organizations. We requested these two trusted resources to carry out in-depth investigation of the randomness of the output generated by the RNG, and its actual execution in the shuffling of the pack of cards on PokerStars.
Both independent organizations were granted complete access to the source code and verified the randomness and security of our shuffle. Check out our Online Poker Random Number Generator for further details.
[1] B. Schneier. Applied Cryptography
[2] "How We Learned to Cheat at Online Poker: A Study in Software Security" - http://itmanagement.earthweb.com/entdev/article.php/616221
[3] "The Intel Random Number Generator" - http://www.cryptography.com/resources/whitepapers/IntelRNG.pdf




