Connection encryption

netvortex
Posts: 23
Joined: 08 Feb 2014, 11:34

Re: Connection encryption

Postby netvortex » 19 Apr 2014, 10:42

k0tbegemot wrote: You are joking, right? Do you really consider hard-coding a fixed encryption key into the Flash client an acceptable solution?

No one said you should take this simple example. It's simply to illustrate that encryption can be done easily without producing huge overhead over the whole protocol.
k0tbegemot
Posts: 8
Joined: 23 Mar 2014, 04:33

Re: Connection encryption

Postby k0tbegemot » 19 Apr 2014, 11:00

Like I said in my previous reply, to handle encryption keys securely you will have to re-implement a big chunk of SSL, and it is 10 to 1 that your implementation will be less secure and less efficient than actual SSL.

It is easy to encrypt data. It is far from trivial to make it impossible (or even difficult) for "bad guys" to extract keys.
netvortex
Posts: 23
Joined: 08 Feb 2014, 11:34

Re: Connection encryption

Postby netvortex » 20 Apr 2014, 17:00

There are only 2 possibilities:
1. If the attacker has access to the memory of your application, then SSL doesn't help you at all. The opposite is the case: the SSL lib can be found in memory more easily than your own implementation.
2. If the attacker is only on the network, accessing the network stream, encrypting packets with AES does the job since there is no way to decrypt it.

You have these 2 scenarios only and both do not require SSL. Seriously, no offense, but you only need it when you are unable to implement it yourself - there is no other reason I could think of.
k0tbegemot
Posts: 8
Joined: 23 Mar 2014, 04:33

Re: Connection encryption

Postby k0tbegemot » 20 Apr 2014, 17:08

3rd variant (and most probable): if the attacker has access to the Flash application (for example by downloading it from your server... as any user will do)... s/he can extract the key and reverse engineer the encryption algorithm.
seeingrain
Posts: 28
Joined: 27 Mar 2014, 03:34

Re: Connection encryption

Postby seeingrain » 24 Jun 2014, 09:08

I've posted my solution in a new thread: viewtopic.php?f=18&t=17244
In my transparent solution, no source code is touched.
k0tbegemot
Posts: 8
Joined: 23 Mar 2014, 04:33

Re: Connection encryption

Postby k0tbegemot » 24 Jun 2014, 09:24

For future reference: we ended up using a hybrid approach. The client first connects via HTTPS to Jetty (which is part of Smart Fox Server). Our custom servlet generates a pair of encryption keys to be used to encrypt communications between client and server and returns these keys to the client (all of this is done via HTTPS so the keys cannot be sniffed). Once the client has received the keys, the normal Smart Fox communication protocol is used, but all data is encrypted with these keys.
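
The data-encryption half of the hybrid scheme described in the post above, as an added example that is not code from the post or from SmartFoxServer. The thread does not state the cipher mode or key length, so AES-GCM with 128-bit keys, one key per direction, a counter-based nonce and all class and method names here are assumptions.

```java
import javax.crypto.*;
import javax.crypto.spec.GCMParameterSpec;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

public class SessionCryptoExample {
    // Fresh random 128-bit AES key (assumed size). The servlet would create
    // two per login, one per direction, and return them in the HTTPS response.
    static SecretKey newKey() throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        return kg.generateKey();
    }
    // 12-byte GCM nonce built from a per-direction message counter, so a
    // nonce is never reused under the same key.
    static byte[] nonce(long counter) {
        return ByteBuffer.allocate(12).putInt(0).putLong(counter).array();
    }
    // Assumed packet layout: nonce (12 bytes) || ciphertext || 16-byte tag.
    static byte[] seal(SecretKey key, long counter, byte[] plain) throws Exception {
        byte[] n = nonce(counter);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, n));
        byte[] ct = c.doFinal(plain);
        return ByteBuffer.allocate(12 + ct.length).put(n).put(ct).array();
    }
    // Rejects replayed or reordered packets (nonce differs from the expected
    // counter) and tampered ones (GCM tag check throws AEADBadTagException).
    static byte[] open(SecretKey key, long expected, byte[] packet) throws Exception {
        if (packet.length < 28) throw new SecurityException("packet too short");
        byte[] n = Arrays.copyOfRange(packet, 0, 12);
        if (!Arrays.equals(n, nonce(expected)))
            throw new SecurityException("unexpected nonce (replay?)");
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, n));
        return c.doFinal(packet, 12, packet.length - 12);
    }

    public static void main(String[] args) throws Exception {
        SecretKey clientToServer = newKey(); // the server-to-client key works the same way
        byte[] pkt = seal(clientToServer, 0, "move:12,7".getBytes(StandardCharsets.UTF_8)); // constructed sample message
        System.out.println(new String(open(clientToServer, 0, pkt), StandardCharsets.UTF_8));
        pkt[pkt.length - 1] ^= 1; // simulate a bit flipped in transit
        try { open(clientToServer, 0, pkt); }
        catch (AEADBadTagException e) { System.out.println("tampered packet rejected"); }
    }
}
```

Both sides keep their own send and receive counters and discard the keys when the session ends, so a key fetched over HTTPS is only ever valid for one connection.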
Lapo
Site Admin
Posts: 23008
Joined: 21 Mar 2005, 09:50
Location: Italy

Re: Connection encryption

Postby Lapo » 24 Jun 2014, 13:21

Seems like a good idea.
What key length are you using, if I can ask?
Lapo
--
gotoAndPlay()
...addicted to flash games
Lapo
Site Admin
Posts: 23008
Joined: 21 Mar 2005, 09:50
Location: Italy

Re: Connection encryption

Postby Lapo » 10 Feb 2015, 10:19

As announced in our blog, connection encryption will come with the next SFS2X release, 2.10 :)

A few more details are discussed here: http://smartfoxserver.com/blog/?p=163

Stay tuned
ndesy
Posts: 33
Joined: 18 Feb 2008, 21:41
Location: Montreal

Re: Connection encryption

Postby ndesy » 02 Apr 2015, 13:05

Any news about the 2.10 release? :)

What level of flexibility will we have about the activation of this feature? We have multiple clients (web / iOS / Unity) that connect to the same SmartFox server, and we would like to force users to use an encrypted connection. But since we do not have any control over the Apple App Store, it is hard to have all clients updated at the same time.

Would it be possible to test a preview version of this update to test the TLS encryption?
Lapo
Site Admin
Posts: 23008
Joined: 21 Mar 2005, 09:50
Location: Italy

Re: Connection encryption

Postby Lapo » 02 Apr 2015, 13:25

You can send us an email after April 15th and I will be able to send a stable preview for you to test. We have already run lots of tests, even on a large scale.
Support for iOS and C++ is still missing. The other clients are supported (C#/Unity, Flash, Java/Android etc...)

As regards activating the feature, it's just a matter of adding a few lines of code to your application (1 call and 1 event handler) and recompiling with the new API.

An official release date is not set yet as we're finishing the missing API and preparing other interesting new stuff :)
ndesy
Posts: 33
Joined: 18 Feb 2008, 21:41
Location: Montreal

Re: Connection encryption

Postby ndesy » 02 Apr 2015, 13:32

Excellent! Actually our iOS is using Unity so it should be good for us! :)
moccha
Posts: 112
Joined: 13 Feb 2014, 16:09

Re: Connection encryption

Postby moccha » 26 Apr 2015, 21:57

I agree with all of your points, Lapo. I don't see a huge importance in encrypting the connection as it currently stands. You might make it hard to hijack data, but the user might then target the game source itself and perform a type of cheating with it instead. As long as you check data carefully server-side, connection encryption is less important.
Lapo
Site Admin
Posts: 23008
Joined: 21 Mar 2005, 09:50
Location: Italy

Re: Connection encryption

Postby Lapo » 20 May 2015, 15:41

Connection encryption is available in the latest SFS2X 2.10.0, released today:
http://www.smartfoxserver.com/download/sfs2x#p=updates

cheers