UDP/TCP Encryption for Xbox

[v.potapov]

Hello,
We are developing unity game for Xbox One, and we are trying to comply with Xbox requirements about secure connection that requires encrypt UDP connections. As docs says there is a 3 possible libraries to achieve this: OpenSSL, bCrypt and SChannel. The question is - do Smartfox handles UDP traffic encryption? How can we enable it? And do smartfox encryption approaches comply with Xbox requirements from the box? The same questions is for TCP traffic encryption.

Thanks in advance.

[Lapo]

Hello,
yes encryption is managed by SmartFoxServer once you deploy the SSL certificate.

How can we enable it?

See the documentation here: http://docs2x.smartfoxserver.com/Gettin ... yptography

And do smartfox encryption approaches comply with Xbox requirements from the box?

I am not familiar with XBox requirements but we use standard SSL certificates and TLS 1.2 which is the industry security standard adopted for any encrypted communication over the internet. (The same used for connecting to an online banking service, for instance)

This applies to all supported protocols in SFS2X: TCP, UDP, HTTP and Websocket.

Hope it helps

[v.potapov]

Hi Lapo,
Thanks a lot for a help!
We will follow documentation and I hope this information will be enough for getting secure communication approval. I'll be back with updated info on this in case if anyone will encounter same issue.

Best regards!

[v.potapov]

Hello, one more clarification please.

For WebSockets using Xbox requires to communicate with MessageWebSocket/StreamWebSocket libraries on a client. Can you please tell do client api uses one of those libraries to communicate through WebSockets?

[Lapo]

Hi,
you didn't specificy if you're using Unity or not, but in any case Websocket should be used for web-based clients only. For standard executables (be it PC or console) you should use standard TCP/UDP.

In any case the Websocket component in our C# client API is based on the Websocket Sharp library.

Thanks

[v.potapov]

Sorry, yes, we developing with Unity.
Thanks a lot.

[Lapo]

Exactly. So in that case Websocket are only used when the build target is WebGL.
Any other platform will use the standard SFS2X protocol over TCP/UDP sockets.

Cheers

[v.potapov]

Hi Lapo, me again)
Does servers supports only AES128 encryption? Is there a way to use AES256?

[Lapo]

Hi,

Hi Lapo, me again)
Does servers supports only AES128 encryption? Is there a way to use AES256?

Do you mean the initial TLS key exchange or the messages encryption after that?

Thanks

[v.potapov]

Do you mean the initial TLS key exchange or the messages encryption after that?

It seems that Xbox requires AES256 encryption for both cases.

[Lapo]

Hi,
I am not sure about this as we had other developers using the Xbox platform and they didn't have troubles with encryption.

For the time being, we don't support AES-256 for message encryption, although you should be able to force the initial key exchange via external JVM settings, as explained here.

[Lapo]

This may be irrelevant, at least as far as Xbox requirements, but there seem to be good arguments to stick with AES-128 when a choice is possible. Here are the details from a cryptography expert: https://www.schneier.com/blog/archives/ ... w_aes.html

From the article's conclusions:

And for new applications I suggest that people don't use AES-256. AES-128 provides more than enough security margin for the forseeable future. But if you're already using AES-256, there's no reason to change.

[v.potapov]

I wonder how other companies went through this routine)
But anyway, thanks again for a help, I'll go deep into topics you suggested.
Best Regards.

[Lapo]

Ok, let us know

[v.potapov]

Hi Lapo,
Yesterday we were able to test our multiplayer flow with SFS encryption enabled. And it seems all works great as expected. One thing is we aware of - other platforms with unsupproted encryption on a client side became unavailable to use TCP/UDP traffic, i.e. Join/Create rooms. Am I properly understand that in case of encryption enabled in Admin Tool - all clients in the current zone with unsupproted encryption must support it? Is there ways to combine secure and insecure traffic in one zone?

Best Regards