question on security

Options
Pikker
Pikker
edited November 2011 in Photon Server
Hello all! My name is Ed and I just have a few questions about the security of the photon socket server.

1.) how secure is the server when it comes to sending and receiving packets? how does the server decide if the packet it receives is coming from your application? I don't want just anybody using unity to be able to request data from the server .

2.)what if a hacker uses a superclass to force your client to send correct packets with their own data. for example send a packet that is used to perform some sort of action in game without actually performing that action required to send the request.

just a few questions if anybody can answer these thank, you very much :)

Comments

  • Boris
    Boris
    Options
    Pikker wrote:
    1.) how secure is the server when it comes to sending and receiving packets? how does the server decide if the packet it receives is coming from your application? I don't want just anybody using unity to be able to request data from the server .
    The standard applications are not secured. You will probably have to add a login operation and user accounts to secure access.
    Pikker wrote:
    2.)what if a hacker uses a superclass to force your client to send correct packets with their own data. for example send a packet that is used to perform some sort of action in game without actually performing that action required to send the request.
    You have to write custom server business logic to verify the input.

    This is what photon is made for: To enable you to write your own server business logic with .NET C# on top of a powerful socket server.
  • Pikker
    Pikker
    Options
    So maybe a system that works just like the encryption built into photon with public and private keys?
  • Tobias
    Tobias admin
    Options
    Encryption is supported by Photon, so you can send and receive data encrypted.
    In Photon v3, you just call EstablishEncryption() (or similar) and wait for the state-callback that tells you when encryption is available.

    Boris was just talking about an authentication operation, which compares incoming username+password to anything you saved in your database. This is "business" logic, which depends on your usecase and which Photon makes easy to implement.
  • Pikker
    Pikker
    Options
    Thats already done, my client will not switch from the logon screen to the realm selection screen unless it received an authentication event from otherwise it will send a response stating credentials are incorrect. I was just wondering if there was already a built in private public key system that works like the encryption used to do(i understand that encryption is much simpler now as i am already using it for encrypting login details :P)
  • dreamora
    dreamora
    Options
    I don't think so.
    But implementing RSA is trivial, thats a 1 day thing even if you have to readup on it :)
  • Tobias
    Tobias admin
    Options
    No, you can't access the shared keys or anything encryption-related. But I don't understand why you would need a "private public key system"?
    Once encryption with the server is established, you can encrypt operations "on the fly" by just setting a bool flag for it. You don't have to care about the details.
  • quarion
    quarion
    Options
    I have a question to clarify this - is Photon able internally to recognise its Peers?
    I mean, for example John connects to the game, I check his login and password, and then I mark him as "trustworthy" peer and he can access the server.
    Is it possible for someone else to "hijack" that peers session and to communicate with the server pretending he is John?
    If that is the case, we need to manually implement some session validation mechanism, like passing session Id with each request.
  • Tobias
    Tobias admin
    Options
    It's impossible to get into a encrypted conversation, except when you impose a server for the real clients and forward the communication to the real server as fake-client.

    The shared key for encryption is only known for the two sides and can't be derived by observing the "exchange conversation" of client and server. Only public parts are exchanged.

Cookies,
anyone?

We use cookies and related technologies to enhance your experience, show you personalised content and analyze performance and traffic on our website. By clicking on the „Accept All“ button you consent to the use of non-functional cookies and the subsequent processing of personal data to optimize our website and services as described in more detail in our Privacy and Cookie Policy.

By clicking on the „Customize or Deny all“ button you can decide otherwise. Clicking on the „Customize“ button will take you to a page where you can configure the usage of non-functional cookies (and related technologies) or deny all of them. You can access these settings at any time and also subsequently deselect cookies at any time in the footer area of our website.

ACCEPT ALL

Cookie Overview

We use the following categories of cookies and related technologies to enhance your experience, show you personalized content, and analyze performance and traffic on our website. We respect your right to privacy and accordingly you can chose to not allow some types of cookies (and related technologies). Click on the different category sliders and change our default settings to manage your cookie settings.

For more information on the specific cookies/related technologies we use and on how we use these, please see section 15 E. of our Privacy and Cookie Policy.

ABSOLUTELY NECESSARY

Authentication cookies we use are required to run our services … Cookies are required: Link

FUNCTIONAL AND MARKETING COOKIES

These cookies collect anonymous data and allow us to optimize our website and user experience. These cookies are listed here:

ANALYTICS

Help us to understand how visitors interact with our services, enables us to analyze and improve our services (also through third party analytics).