Attention | Topic was automatically imported from the old Question2Answer platform. | |
Asked By | dkenshu |
The Crypto object provides access to keys; however there is no way to use them to encrypt/decrypt arbitrary content, such as a message body independent of the transport protocol.
I want to encrypt/decrypt my payloads so that the TLS transport handshake is not necessary.
Is a plugin necessary?
If I use a plugin, how then does it get distributed with the final game? For example, a Python plugin. Doesn’t the plugin need to run on the target system? Which means phones are a potential problem?
How strong does the encrytion has to be?
klaas | 2020-07-21 19:27
Strong enough to deter all but the most determined attacker.
In my architecture, each player (ostensibly on phone) connects to a central matchmaker server, which then relays gameplay packets to each player, eliminating the NAT problem. However, that also means a malicious actor could play man-in-the-middle if that actor can read the gameplay packets.
I am also thinking about using an auth token.
dkenshu | 2020-07-22 12:24
But how important is the data. How valuable is the transfered data?
If money or sensible data is submitted you definitly need a strong AES encryption library.
But if only minor relevant(players postion, score etc) data is submitted i would suggest a simpler approach would do it.
Have a look here:
GitHub - wwwtyro/cryptico: An easy-to-use encryption system utilizing RSA and AES for javascript.
This does de/encryption with public/private keys and supports signing
This seems to be reasonable save for non sensible data. RSA is vulnurable to attacks but with a correct implementation it isnt simple to break.
The javascript implementation could be converted to gd with some effort.
klaas | 2020-07-22 16:13
The data is not that sensitive. I think I’ve got a good-enough solution using GD in the works (a combination of time, random number, base64 and a secret procedure).
The idea of calling out to some other external utility (Auth0 for example) to get an encrypted token for auth is intriguing; I had not thought of that.
Thanks!
dkenshu | 2020-07-22 18:50