[Feat Req] Proper Network Encryption (+SSL/TLS?)

We currently have our own system, but it would've been way easier and more legible if this was native:

Currently, Photon PUN *does* sort of have an encryption feature -- but it doesn't do much good if the encryption key is sent with the message ;p we actually tried Photon's encryption, at first, until we realized this when we had an attack maybe 6 months ago after analyzing the traffic.

If it was offered, I'd probably swap our system with the native PUN one just for code legibility. And thinking about future projects.

Or, more importantly, how come TLS/SSL does not seem to be enabled so encryption wouldn't be necessary? I'm sure there's a reasonable explanation, but I'm curious what the roadblocker is.

Comments

  • JohnTube
    edited January 2019
    Hi @xblade724,

    > but it doesn't do much good if the encryption key is sent with the message ;p we actually tried Photon's encryption
    What do you mean?

    Encryption keys are exchanged between client and server and not between clients.
    Read more about this here.

    > how come TLS/SSL does not seem to be enabled so encryption wouldn't be necessary?
    I don't think TLS is commonly used in non-webbrowser based realtime games. Also what does it add to Photon's built-in encryption?
  • Can you elaborate? We're not sending keys in the messages.
    How is your system doing this and how is it safe?
  • xblade724
    edited January 2019
    > Can you elaborate? We're not sending keys in the messages.
    https://i.imgur.com/8HeuAMY.png
    Using the PUN encryption can be decrypted with WireShark. It seems that the key is included within it when sent this way.

    > how is it safe?
    It's not ;D that's why I was wondering! We use our own system to secure network traffic, instead, after discovering this (about 8 months ago+).
  • > Using the PUN encryption can be decrypted with WireShark. It seems that the key is included within it when sent this way.

    Encryption in Photon is done per command and only on demand. Typically, whatever you're sending is temporary info and to be read by the others in the room, so encrypting positions (which everyone has anyways) is just a waste of performance.
    The RpcSecure method can be used where needed, yes. Are you saying you found a RpcSecure message in plain text in Wireshark?

    I meant to ask: How is your system secure? Or in more detail: How is it more secure than ours?
  • @xblade724 : Care to elaborate how your encryption works and how it's better?
    If that's secret but you would share it with us, then mail: developer@photonengine.com.

    Thanks.
  • Re-checked encryption for RpcSecure().
    It's working just as expected, provided you set the "encrypt" parameter to true.
  • Mortimer
    edited October 2019
    Your encryption is vulnerable to man-in-the-middle attacks. That is true for many encryption schemes that don't have a public certificate structure, like the TLS protocol does. Without it, you have no way to verify who is the real source of the network communication (communication over network can be easily spoofed).

    Obviously, using this encryption for user login information is very risky. However, I would argue that all communication to and from server should be encrypted, even frequently updated game states. Again, the main purpose is verifying identity of packet source - if any game data is sent unencrypted, then literally anyone can send counterfeit game data.

    For example, an attacker could send packets with absurd player position, to make them appear as using a fly hack, and get them kicked or banned from a server (or they could directly send a disconnect message, if there is one). This could be used in a competitive game. In a game with a trading system, an attacker could spoof RPC calls that would give away player's money. The possibilities are endless.

    Lastly, you can gather some information about a player from his communication, such as his player name, who he communicates with, possibly content of his chat messages. These are all private data, which could be abused.

    Generally, it would be a good idea to make all communication encrypted via TLS (games using your cloud wouldn't even need their own certificate), make all network transfers encrypted by default, and possibly, if need be, allow developers to turn off encryption for some communication, where the slight performance hit would matter.
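
The source-verification point raised in the last comment, as an added example that is not part of the thread and is not Photon's protocol or API: a receiver that accepts a position update only if it carries a valid per-session HMAC tag and a fresh sequence number. The packet layout, `seal`, `Receiver` and the keys are hypothetical, and the session key is assumed to come from a handshake that authenticated the server (for example TLS), since a key agreed without that check can be shared with a man in the middle.

```python
import hashlib
import hmac
import struct

TAG_LEN = 16                        # truncated HMAC-SHA256 tag
BODY = struct.Struct("!IQfff")      # constructed layout: player id, sequence, x, y, z


def seal(key, player_id, seq, pos):
    """Serialize a position update and append its authentication tag."""
    body = BODY.pack(player_id, seq, *pos)
    return body + hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]


class Receiver:
    def __init__(self, session_keys):
        self.session_keys = session_keys   # player id -> key from the handshake
        self.last_seq = {}                 # player id -> highest sequence accepted

    def accept(self, packet):
        """Return (player_id, seq, pos) for a genuine fresh packet, else None."""
        if len(packet) != BODY.size + TAG_LEN:
            return None
        body, tag = packet[:BODY.size], packet[BODY.size:]
        player_id, seq, x, y, z = BODY.unpack(body)
        key = self.session_keys.get(player_id)
        if key is None:
            return None
        expected = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return None                    # sender does not hold the session key
        if seq <= self.last_seq.get(player_id, 0):
            return None                    # replay of an earlier genuine packet
        self.last_seq[player_id] = seq     # only authenticated packets advance it
        return player_id, seq, (x, y, z)


def demo():
    key = bytes(range(32))                 # constructed key, stands in for a negotiated one
    rx = Receiver({7: key})
    genuine = seal(key, 7, 1, (1.0, 0.0, 2.0))
    forged = seal(b"\x00" * 32, 7, 2, (1.0, 9999.0, 2.0))   # wrong key, absurd height
    tampered = genuine[:16] + b"\x46" + genuine[17:]        # y changed in transit
    later = seal(key, 7, 2, (1.5, 0.0, 2.0))
    packets = [genuine, forged, tampered, genuine, later]
    return [rx.accept(p) is not None for p in packets]


if __name__ == "__main__":
    print(demo())
```

The tag proves only that the sender holds the session key; it does not hide the packet contents, so the privacy concern in the same comment still calls for encryption.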