Data encryption

Does the protocol support encrypted connections? How can we configure them?

1 Like

We had Network.InitializeSecurity but what’s now in UNET?

Good question. Actually, we have not decided yet whether we want to implement encryption out of the box… Light encryption based on a password is just an illusion, while heavy encryption with certificate exchange and so on could be difficult to work with.

What kind of encryption do you need? Why? Can it be implemented at the C# level?

To mirror the high level API and low level API, maybe a high level network security API, and a…LLNSAPI? In this case, high and low security levels - The high level would have security certificates and other high-end security classes, while the low level would have passwords and other less secure methods.

That way, if someone’s just making a quick game to share with their friends and family, they can use simple login security, while if a company is making an MMO with Unity, they could include all the high-end security features.

Just a thought. :) I’m far from an expert on it.

Implementing “light” (i.e. easily broken, not real encryption) is trivial hence completely irrelevant.

Support for a real connection with a proper SSL certificate would be great.

1 Like

Still cannot promise. It is not a high-priority feature. The deal is: any interaction requiring SSL security you can do via a web request (I mean shopping, user balance access, account information). Besides this, it is only protection of game traffic against “bad” guys. There aren’t a lot of use cases for this and we have only a few requests to support this feature. So, I cannot say that this feature will be implemented soon.

Sorry for the bad news.

I don’t understand how you can say there aren’t a lot of use cases.

Players will have to send to the server their login, hence if you don’t support SSL, all login details can be freely sniffed.

This is, like, one of the most basic features I can imagine.

I cannot even begin to wonder how the unity team doesn’t consider it a big deal…

Sadly, this appalling attitude to data security is still common even among “expert” developers. The fact they claim there are very few use-cases justifying encryption had my jaw hitting the floor. Quite apart from stopping cheating, you have a -responsibility- to protect your game user’s data and this includes their passwords, usernames, contact details etc that you may be freely transmitting, or may transmit in future versions of your game. Why not start with encryption in place from the very beginning? Encryption should be standard any time you even think about sending any data across any network anywhere. It’s 2017 now, not 1997. There’s no excuse to avoid it. I find their talk about SSL being complicated bizarre, given how you could just hide that complexity away in some simple interfaces as they already do in the higher level Networking core with Unity - Scripting API: Network.InitializeSecurity

4 Likes

What is the workaround to encrypt UNET communication?

Workaround? There isn’t a workaround. You have to do it manually.

Our project has an RSA key hardcoded in the client and server. Then we exchange AES keys that are persistent for the session. That works fine and prevents easy tampering and data reading. If you ONLY need to detect data tampering, you can simply sign a checksum with the RSA key. But that will be quite heavy to do for each message, so I find it easier to just AES encrypt the whole buffer.

1 Like

@TwoTen
Would you be willing to share that code?

What specifically? We have done nothing special. But we run dedicated-only servers, so our RSA pub key is hardcoded in clients. But you could exchange that during matchmaking over SSL. Then we exchange an AES key on connect that we encrypt the whole buffer with after serialization.

1 Like
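The scheme described in the two posts above (server RSA public key shipped in the client, a per-session key sent on connect, the whole serialized buffer encrypted), as an added example that is not code from the thread or from Unity. It assumes a .NET Core 3.1+ / C# 8 toolchain; `SessionCrypto` and its method names are hypothetical, and the HMAC over each packet is an assumption of this example, added because AES-CBC by itself does not detect modification.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

static class SessionCrypto // hypothetical helper, not a UNET API
{
    // Client side: 32-byte AES key + 32-byte HMAC key, wrapped under the server's RSA public key.
    public static byte[] WrapKeys(RSA serverPublic, out byte[] keys)
    {
        keys = new byte[64];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(keys);
        return serverPublic.Encrypt(keys, RSAEncryptionPadding.OaepSHA256);
    }
    // Packet layout: IV (16) || AES-256-CBC ciphertext || HMAC-SHA256 over IV and ciphertext (32).
    public static byte[] Seal(byte[] keys, byte[] plain)
    {
        using var aes = Aes.Create();
        using var mac = new HMACSHA256(keys.Skip(32).ToArray());
        using var enc = aes.CreateEncryptor(keys.Take(32).ToArray(), aes.IV); // fresh random IV per message
        byte[] body = aes.IV.Concat(enc.TransformFinalBlock(plain, 0, plain.Length)).ToArray();
        return body.Concat(mac.ComputeHash(body)).ToArray();
    }
    public static byte[] Open(byte[] keys, byte[] packet)
    {
        int bodyLen = packet.Length - 32;
        if (bodyLen < 32) throw new CryptographicException("packet too short");
        using var aes = Aes.Create();
        using var mac = new HMACSHA256(keys.Skip(32).ToArray());
        byte[] tag = mac.ComputeHash(packet, 0, bodyLen);
        int diff = 0; // verify the MAC before decrypting, without an early exit
        for (int i = 0; i < 32; i++) diff |= tag[i] ^ packet[bodyLen + i];
        if (diff != 0) throw new CryptographicException("MAC mismatch, packet dropped");
        using var dec = aes.CreateDecryptor(keys.Take(32).ToArray(), packet.Take(16).ToArray());
        return dec.TransformFinalBlock(packet, 16, bodyLen - 16);
    }
    static void Main()
    {
        using var server = RSA.Create(2048); // constructed key pair for the demo
        using var client = RSA.Create();
        client.ImportParameters(server.ExportParameters(false)); // client holds the public half only
        byte[] wrapped = WrapKeys(client, out byte[] clientKeys);
        byte[] serverKeys = server.Decrypt(wrapped, RSAEncryptionPadding.OaepSHA256);
        byte[] packet = Seal(clientKeys, Encoding.UTF8.GetBytes("move 10,4")); // constructed message
        Console.WriteLine(Encoding.UTF8.GetString(Open(serverKeys, packet)));
        packet[20] ^= 1; // simulate tampering in transit
        try { Open(serverKeys, packet); } catch (CryptographicException e) { Console.WriteLine(e.Message); }
    }
}
```

Nothing here stops a captured packet from being replayed, and every session key is only as safe as the server's RSA private key. A per-message sequence number inside the sealed buffer covers the replay case.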

An SSL authentication mechanism is an important feature.
All Unity games that do any sort of authentication need this.