Connection encryption

Post here your questions about SFS2X. Here we discuss all server-side matters. For client API questions see the dedicated forums.

Moderators: Lapo, Bax

rav
Posts: 82
Joined: 06 Dec 2010, 13:14

Postby rav » 22 Dec 2010, 18:31

Lapo wrote:Also I am conducting a personal research on this so I have to ask:
what is your specific use case?


may be it will be useful for something like this:
viewtopic.php?t=9427

or may be you can give me advise how to transmit 'originalPass' (which used in checkSecurePassword method) without useing SSL with certificate while man-in-the-middle scans all data from and to server
User avatar
Lapo
Site Admin
Posts: 23008
Joined: 21 Mar 2005, 09:50
Location: Italy

Postby Lapo » 22 Dec 2010, 20:01

I would say that a man in the middle attack is very improbable unless we are talking about a generally misconfigured system.

The client must come from the proper web domain. If not the Flash Player will fail to connect to the Server because of the crossdomain policy. You can try to trick me into launching the game on fakedomain.com but the connection to the real server won't work.

So, if we are talking about a phishing attack then you can certainly steal my password because I will foolishly think that I am in the right place while I am not.
In this case I can only say that there's no SSL+Certificate in the world that can prevent this.

Second thing. The user password the is never transmitted in clear and if the attacker grabs the key we could care less, because we use a hashing algorithm which is not reversible.
In other words even if you got my encrypted password and my "secret key" you won't be able to obtain the proper password. And the key is valid only for the current session. On the next one it will be different and so it will be the hashed password.

We explain how this mechanism works here, in the SFS1.x docs:
http://smartfoxserver.com/docs/docPages ... /index.htm
Lapo
--
gotoAndPlay()
...addicted to flash games
rav
Posts: 82
Joined: 06 Dec 2010, 13:14

Postby rav » 23 Dec 2010, 13:55

I belive this method is really good working for login in (when plain password or hashed password is already in DB), but I can't understand how it works with registration

step by step:
1)DB is empty
2)send to DB 'my_hash' == MD5("my_password") and other registration information like "my_login", "age",..
3)'my_hash' is saved into DB 'my_hash_db'
4)call sfs.send( new LoginRequest("my_login", "my_password") );
5)sfs do 'my_enc_hash' == MD5(MD5("my_password") + 'SFSRandomDependedOnCurrentSession') and send it to server
6)server get 'my_enc_hash' and try to compare it with MD5('my_hash_db' + 'SFSRandomDependedOnCurrentSession')

f.e. somebody intercepts your sending of 'my_hash' and saves it as 'my_hash_stolen', waits when you are disconnected and tries to login:
4'a)call sfs.send( new LoginRequest("my_login", "fake_password") );
4'b)change network data from "MD5(MD5("fake_password") + 'SFSRandomDependedOnCurrentSession')" to "MD5('my_hash_stolen' + 'SFSRandomDependedOnCurrentSession')"
or
4''a)use modified version of client which do "MD5('my_hash_stolen' + 'SFSRandomDependedOnCurrentSession')" instead of "MD5(MD5("my_password") + 'SFSRandomDependedOnCurrentSession')"

5')server WILL match passwords

note: in 5) there may be another algorithm but then hacker will use same algorithm in 4'b)

please, correct me if I'm wrong
User avatar
Lapo
Site Admin
Posts: 23008
Joined: 21 Mar 2005, 09:50
Location: Italy

Postby Lapo » 23 Dec 2010, 15:01

but I can't understand how it works with registration

Ah well that's another story, but you didn't mention it earlier.
No for registration it won't work. Plain and simple. This is a system for protecting a login where both party (client and server) know the password.

If you need an highly secure registration system I would simply recommend to use a webpage running HTTPS (+ Certificate)
You can either use your own web-server or the embedded Jetty instance coming with SFS2X

However you should also consider another point:
if the registration process is handled via extension code the password will travel "in clear" to the server.

This is not entirely true because the protocol is binary and with compression you just see a meaningless stream of bytes. So first step for the hacker is reverse engineer the protocol. No big deal, supposing the malicious user is a geek.

Good, but the thief now needs to hijack the persistent socket connection of the registering User in order to spy on its network data... right?

So, let's say I am at home in front of my desktop typing my data for the registration form. You are in your underground secret lab trying to obtain my password. How do you proceed with that?

Do you send me a trojan that allows you to monitor my network?
Let's say I am fool enough to click the exe and I have no antivirus.
If you could do that you could already monitor my keyboard and grab everything I write including maybe my bank account login, credi card number etc...
Additionally the trojan will probably even allow you to grab any files from my HD.

Or, let's exclude the trojan.
You park your car around the corner of my house, fire up your Linux laptop and run a brute-force attack on my router in order to break in and grab all my data.

See what I want to say?

Of course if you want the simple answer, I will say HTTPS request.
But if we go a little more in the details I would say that in general it's not as easy as it seems to spy over a connection.

My 0.02 :)
Lapo

--

gotoAndPlay()

...addicted to flash games
rav
Posts: 82
Joined: 06 Dec 2010, 13:14

Postby rav » 23 Dec 2010, 19:15

Thank you so much, yours 0.02 is very useful! :)

Is it true that embedded Jetty coming with SFS2X doesn't support HTTPS?

Lapo wrote:So, let's say I am at home in front of my desktop typing my data for the registration form. You are in your underground secret lab trying to obtain my password. How do you proceed with that?


f.e. if my internet provider hire malicious administrator who install/implement some soft/hardware which scan trafic for registration in my game (f.e. my game can use real money and it can be very attractive for hackers :) )


But I wrote (in another post):
rav wrote:I want to register new user in game (there is no password in DB yet), how can I send password to SFS in encrypted mode? (i don't want use registration via http server or something like that)


so I've found a solution (without useing https) via self-written sertificate system (with private key encryption as a sign), it works well but only in Java :( in AS3 I cannot find a way to check a sign (decrypt with public key)
User avatar
Lapo
Site Admin
Posts: 23008
Joined: 21 Mar 2005, 09:50
Location: Italy

Postby Lapo » 24 Dec 2010, 14:31

Is it true that embedded Jetty coming with SFS2X doesn't support HTTPS?

Maybe because we just include the basic jar files necessary to startup the server with servlet support. This doesn't include the SSL libraries.
However you can easily download them from the Jetty website and integrate them.
I am taking a note to investigate this and provide some documentation on how to proceed. Actually I've never tried to setup SSL in Jetty.

f.e. if my internet provider hire malicious administrator who install/implement some soft/hardware which scan trafic for registration in my game (f.e. my game can use real money and it can be very attractive for hackers )

Well, this is very particular example ... one that I would regard as highly improbable but certainly not impossible.
It's as if your bank is stealing money from your account, day by day in small amounts so that you don't realize it.

In this case I think the whole application could be compromised not just the secure connection. Of course they could be able to steal private data from your database or even alter it in order to give advantage to specific users. Do you see what I mean? They could do anything with your servers because they ultimately manage and control them for you.

The secure connection issue is typically a problem of protecting the data flowing from your computer to the server from attackers that are outside of the system, if they are inside it's a whole different story. This would involve a lot more generic security issues, like the inability of the provider to ensure a high level of security in their services etc...

it works well but only in Java in AS3 I cannot find a way to check a sign (decrypt with public key)

Actionscript 3 can manipulate bytes so you should be able to create the decrypting code. Additionally there are some nice cryptography libraries available in open source form.
The best that I know of is called crypto lib:
http://code.google.com/p/as3crypto/

cheers
Lapo

--

gotoAndPlay()

...addicted to flash games
rav
Posts: 82
Joined: 06 Dec 2010, 13:14

Postby rav » 26 Dec 2010, 08:14

Lapo wrote:I am taking a note to investigate this and provide some documentation on how to proceed.

It will be great!

Lapo wrote:In this case I think the whole application could be compromised not just the secure connection. Of course they could be able to steal private data from your database or even alter it in order to give advantage to specific users. Do you see what I mean? They could do anything with your servers because they ultimately manage and control them for you.


But I supposed that malicious administrator is in client internet provider company (he can't control game server and acess database)

Lapo wrote: Additionally there are some nice cryptography libraries available in open source form.
The best that I know of is called crypto lib:
http://code.google.com/p/as3crypto/


I just use it :) May be you know how to decrypt with public key in AS3, it will be very useful for me
User avatar
thomers1
Posts: 125
Joined: 13 Aug 2008, 07:36
Contact:

Postby thomers1 » 16 May 2011, 11:03

hi lapo,

what about securing private game states, e.g. games where my game state is not known by the other players (like in card games)?

especially when there is real money involved, transmitting the players private game states unsecured is a major turnoff for people investing in such projects, even if the real probability of an "attack" is very low. some will insist that the communication has to be encrypted, period. :-(

in any way, it would be great to have some sort of "pluggable" security interface supported by SFS2x, where the client can chose what messages to encrypt/decrypt and how (which algorithm is used).

best,
t
User avatar
Lapo
Site Admin
Posts: 23008
Joined: 21 Mar 2005, 09:50
Location: Italy

Postby Lapo » 16 May 2011, 11:14

Your post is quite strange here :)
Are you sure you really read what we discussed here?
Lapo

--

gotoAndPlay()

...addicted to flash games
User avatar
levancho
Posts: 71
Joined: 27 Jun 2011, 16:03

Re: Connection encryption

Postby levancho » 27 Apr 2013, 16:52

I just recently had a discussion about this usecase , in our case user case is following:

if a person has access to a router, of the potential victim or physical network cable?, he can be a man in the middle and intercept network packets and capture md5 hashed or unhashed password,

but we have found a solution for it following way:

we have two separate service pipes
first service is going through smartfox api, and this includes only game related stuff, like sending game state to client etc.
we do not send any money related stuff via this pipe.
but login is also going through this pipe.thats where we have a bottleneck.

the other service pipe is regular https (ssl) service through tomcat(or jetty),we use sprint services and AMF endpoint.
now solution to solve a login bottle neck is to send a encryption key to client using https service and using that key on the client to encrypt user password plus a salt, (for example session hash) so that it can be decrypted on the server side successfully

this way man in the middle attack can only potentially capture encrypted password which is totally useless, without a key it cant be decrypted, and since it has salt it will be different next time .
but anyways I guess selective ssl on some of the services would be nice anyways over the socket if its possible.
User avatar
Lapo
Site Admin
Posts: 23008
Joined: 21 Mar 2005, 09:50
Location: Italy

Re: Connection encryption

Postby Lapo » 27 Apr 2013, 17:19

Thanks for your post.
If there's money transactions involved it's always recommended to use regular HTTPS, possibly with a valid certificate for extra client security.
Lapo

--

gotoAndPlay()

...addicted to flash games
Satyarth
Posts: 131
Joined: 06 Nov 2008, 12:45
Location: Delhi, India
Contact:

Re: Connection encryption

Postby Satyarth » 17 May 2013, 20:10

I dont think SFS + SSL would be a good choice for any multiplayer game server even if SFS2x supports it. If you need to do money transactions and you need SSL for that, do your money transactions using PHP ( or any other HTTP stack ) based backend and use SSL ( HTTPS ) for that communication.
User avatar
scream
Posts: 15
Joined: 03 Apr 2013, 09:06

Re: Connection encryption

Postby scream » 11 Jun 2013, 10:44

Hello,

I want to encrypt all data that is sent to the clients

When I want to send a response to a client, I need to put all data to an sfsobject. So If I want to apply encryption to the data in sfsobject , I must encrypt all my data one by one inside that sfs response object. It is terrible for me because I have many different kind of objects in it and many differend kind of response also.

My question is: Is there a different way to encrypt the response data simply. In other words, can I apply my own encryption method when it is converted to binary, somewhere in smartfoxserver 2x
Software Engineer
User avatar
Lapo
Site Admin
Posts: 23008
Joined: 21 Mar 2005, 09:50
Location: Italy

Re: Connection encryption

Postby Lapo » 11 Jun 2013, 11:02

Hi,
I need to ask this question: have you read this thread from the beginning?
Because if you did you will probably find out that encrypting all data is not a very good idea for some very good reasons.

I must encrypt all my data one by one inside that sfs response object. It is terrible for me because I have many different kind of objects in it and many differend kind of response also.

The SFS2X protocol supports encryption in principle but we're not providing it yet.
Lapo

--

gotoAndPlay()

...addicted to flash games
User avatar
scream
Posts: 15
Joined: 03 Apr 2013, 09:06

Re: Connection encryption

Postby scream » 11 Jun 2013, 11:09

Yes I really read all :)
And I'm aware of that performance loss but for some political reasons I'll encrypt all data.

I think I will apply encryption for each data type seperately.

Thank you for your quick reply.
Software Engineer

Return to “SFS2X Questions”

Who is online

Users browsing this forum: No registered users and 53 guests