Need information regarding security in transferring messages

Post by madhan » 09 May 2005, 14:12

hi

It's a really cool product... but my only concern is what security measure is carried out in transferring the information... I don't see any highlight regarding security on the site...

someone should help me and give me a solution on how I could trust that the product data could not be tampered with...

thank you

Post by Lapo » 09 May 2005, 21:01

Hi madhan,
what are you interested in, exactly?

A socket server like SmartFoxServer does not usually transfer very sensitive information... mainly text messages, serialized data and server events. None of this information is encrypted, if this is what you're asking...

Internally the server takes care of a lot of security issues, checking that wrong or malicious requests are not accepted, and that certain commands are allowed only if other conditions are satisfied etc...

Special attention is given to the Admin account: you can specify one or more IP addresses allowed to log in as administrator, and the admin password is always encrypted during login. In other words, if you specify one IP address for the admin you can obtain the highest security for that special account.

Socket connections are automatically and continuously monitored for activity / inactivity / flooding attempts etc... allowing auto-ban, auto-kick and auto-disconnect features.

Let me know if you have any more questions...

:)
Lapo
--
gotoAndPlay()
...addicted to flash games

Post by madhan » 10 May 2005, 05:41

hi

first of all I must thank you for your immediate reply...

I am going to develop a multiplayer game which is going to involve
money... (betting), so there I need to ensure that the data transferred is
encrypted and cannot be tampered with by someone else who is not at all
involved in the multiplayer game... and also the persons should not be
able to see the other players' moves.

for example if it is a 3 card game... and the winning will be on the highest
combination of hand. the players can only see their cards and start
betting; only when the game is going to be over must they be able to
see the others' cards... in between there must be no way to tamper with this...
this is what my concern is... and I want to know how far I am safe using your
product...

are you following any encryption, decryption tech while transferring
information ... ?

waiting for your reply ...

thank you
Madhan S

Post by Lapo » 10 May 2005, 09:45

At the moment there isn't a specific encryption engine for sending sensitive data embedded in SmartFoxServer.
We're thinking of various possible solutions for SFS PRO.

Anyways there are some possible ways to achieve good protection schemes.

Before I suggest some of them I'd like to underline one aspect: generally speaking, security in Flash is a "very hot" topic because the SWF format can be easily reverse engineered and because with a memory editor you can locate the running SWF and alter its variables at runtime.

These aspects force the developers to spend more time in designing protection schemes especially in apps and games where sensitive data is sent and received.
Good solutions to these problems are code obfuscation + using more swf files that are loaded externally + using md5 hashes etc...

With that said we could now inspect the possible solutions for the multiplayer server side:

1) Data obfuscation:
it wouldn't be difficult to implement your own client side obfuscation/encryption model to send encrypted data to other clients which will decrypt the received message.

A possible problem with this method is that the encryption/decryption routines are on the client side and they could be decompiled. In order to enforce protection you should obfuscate your code.

2) Data tampering: If the application is well written, tampering is a very remote option. Each client is recognized by the server in a unique way, using its socket communication channel, so it would be unlikely that someone else could act as you during runtime, unless he has direct access to your computer.

For your specific project I would recommend SmartFoxServer PRO: with its Actionscript server side extensions and database support, you could easily implement a solid encryption model based on md5 hashing.
(you can find a free md5 algorithm for AS here >> http://pajhome.org.uk/crypt/md5/md5src.html )

The protection scheme would look like this:

1) server generates a random number and sends it to the client
2) the client sends the user password + the random number in md5 (the hash key)
3) server retrieves user password from db, adds the random key and makes the md5 hash.
4) if client and server hashes are the same then the user sent the correct password
5) now you can use the password as unique key for further encrypted transactions (using a key based algorithm)

( You can read more about this, here >> http://pajhome.org.uk/crypt/md5/chaplogin.html )

With this method the password is never exposed in clear form and no one can grab it.

About SmartFoxServer Pro, we are planning to have a pre-release version ready by the end of the month. If you're interested in testing it you can drop me an email.

:)
Lapo

--

gotoAndPlay()

...addicted to flash games
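
Steps 1 to 4 of the login scheme outlined in the post above, as an added example that is not part of the original post and is not SmartFoxServer code. It is written for Node.js; the user store, connection ids and function names are hypothetical, and alongside `md5(password + random)` as described it shows an HMAC-SHA-256 response, single-use challenges and a constant-time comparison.

```javascript
// Added example (not from the thread): challenge-response login, server + client side.
const crypto = require('node:crypto');

// Constructed sample user store, standing in for the database lookup in step 3.
const USERS = new Map([['madhan', 'correct horse battery']]);

// Outstanding challenges, one per connection, removed on first use.
const pending = new Map();

// Step 1: the server issues a random challenge bound to this connection.
function issueChallenge(connId) {
  const nonce = crypto.randomBytes(16).toString('hex');
  pending.set(connId, nonce);
  return nonce;
}

// Step 2 as written in the post: md5(password + random number).
function md5Response(password, nonce) {
  return crypto.createHash('md5').update(password + nonce).digest('hex');
}

// Step 2, hardened variant: HMAC-SHA-256 over the challenge, keyed with the password.
function hmacResponse(password, nonce) {
  return crypto.createHmac('sha256', password).update(nonce).digest('hex');
}

// Steps 3-4: the server recomputes the response and compares in constant time.
function verify(connId, user, response, respond = hmacResponse) {
  const nonce = pending.get(connId);
  pending.delete(connId); // a challenge is valid exactly once
  const password = USERS.get(user);
  if (nonce === undefined || password === undefined) return false;
  const expected = Buffer.from(respond(password, nonce), 'hex');
  const got = Buffer.from(String(response), 'hex');
  return got.length === expected.length && crypto.timingSafeEqual(got, expected);
}

// Replay check: a response captured on the wire fails against a later challenge.
function demo() {
  const nonce = issueChallenge('conn-1');
  const captured = hmacResponse('correct horse battery', nonce);
  const first = verify('conn-1', 'madhan', captured);
  issueChallenge('conn-1'); // new login attempt, new challenge
  const replay = verify('conn-1', 'madhan', captured);
  return { first, replay };
}
```

Either variant only authenticates the login; it does not by itself encrypt or integrity-protect the game messages sent afterwards.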

Post by madhan » 10 May 2005, 10:41

hi

Thanks for your suggestions... one more thing I would like to clarify...
Is HTTP tunnelling possible using SmartFoxServer... because a few users
might be behind firewalls/proxies, so in those situations we need to
communicate through port 80... is there any provision for that... ?

I hope both tunnelling and encrypted communications are possible in the
FCS (flash comm server). They are using HTTP SSL protocol for that.
so I would suggest you guys have these features also added in the
smartfoxserver, then I think the product would be still more improved
and competent to FCS.

I would be glad to test your product, so send me the pro edition... :)

Thank you
Madhan S

Post by Lapo » 10 May 2005, 11:09

> Is HTTP tunnelling possible using SmartFoxServer... because a few users
> might be behind firewalls/proxies, so in those situations we need to
> communicate through port 80... is there any provision for that... ?

HTTP tunnelling is not provided at the moment and I personally don't like that approach too much. Using this technique communications get pretty slow and it would make realtime games unplayable... so in the end it is just a partial solution.

One better solution we've found with one of our clients is to have a dedicated machine running SmartFoxServer on port 80. This way everyone will be able to connect to the multiplayer server without losing any network performance.

> I hope both tunnelling and encrypted communications are possible in the
> FCS (flash comm server)

I don't know FCS very well but I hope so too, given the price you pay for that one! :wink:

> They are using HTTP SSL protocol for that.
> so I would suggest you guys have these features also added in the
> smartfoxserver, then I think the product would be still more improved
> and competent to FCS.

Yes! It is in our "to-do" list :)

> I would be glad to test your product, so send me the pro edition...

Great! Please drop me an email at info@smartfoxserver.com (even an empty one) so I can add you to my local SFS contact list. Thanks! :)
Lapo

--

gotoAndPlay()

...addicted to flash games
