Security and RPCs

Question

Hello there!

I've been programming a multiplayer game, w$$anonymous$$ch will be only a social Game, where you run around dress up your character and such. In order to determine who the player is and what Inventory belongs to $$anonymous$$m or whatever, I have programmed a login function. to make it save, i've made that the Client sends $$anonymous$$s (MD5 encrypted) Login Data to the Server, then the Server calls a WWW function to a .php file, w$$anonymous$$ch checks, if the given login data is correct(using a mysql database).

Everyt$$anonymous$$ng is pretty much working... Even the movement is getting updated and so do the animations.

BUT!!! I'm only using RPCs to comunicate between the Client and Server... I've now found out, that you can actually run ANY code with ANY Client on my Server with an RPC, w$$anonymous$$ch pretty much sucks.... Somebody could disconnect the Server or do even worse t$$anonymous$$ngs!

I've been searc$$anonymous$$ng over the Net for help, I have indeed found several t$$anonymous$$ngs, such as using Photon, but 1. they are expensive for me 2. I dont have that much to secure after all! Somet$$anonymous$$ng more basic should work, too! I don't really care if anybody is running around with speed hack or is teleporting $$anonymous$$mself, as long as they can't fool the login validation. (W$$anonymous$$ch i will call again if they want to modifiy the Inventory.)

Well... then ive found t$$anonymous$$s here http://docs.unity3d.com/Documentation/ScriptReference/MonoBehaviour.OnSerializeNetworkView.html

If i understood the function right, it only sends Variables across the Network. Sounds pretty secure to me, if i would disable all any RPCs by using Network.SetReceivingEnabled = false;

SO! My question is: "Is t$$anonymous$$s secure?"... I know, not$$anonymous$$ng is 100% secure, but is t$$anonymous$$s secure enough to release a game, where even real money is involved? If not, please feel free to suggest anyt$$anonymous$$ng else, that could make my game secure... I would even buy an Asset, that costs less than $50... As long as it can help me and isn't time restricted. Also i would always be very happy, if somebody adds me on skype and discuss it through a live chat, instead of a Forum such as t$$anonymous$$s here.

Answer 1

Best Answer

Answer by Jamora · Jul 25, 2013 at 03:28 PM

T$$anonymous$$s is turning out to be more of a discussion (naughty us), so it might be better to post t$$anonymous$$s on the actual forums. I'll try to have a go at your question.

RPC calls can only be used if there is the [RPC] attribute for the function. So if the server has methods no client should have access to, just leave out the [RPC], and no (knock on wood) amount of clientside hacking can be done to access that function on the server. Certainly not by using networkView.SendRPC, w$$anonymous$$ch you can test for yourself.

The RPC methods can be completely separated code-wise from nonRPC methods by using events, so even if somehow someone managed to get the source code from one of your RPC methods, they'd have no way of knowing where the events are received.

RPC methods are safe, even if equally slow to SendMessage (because of the reflection + network lag).

As Tarlius tells you, an efficient way to encrypt your data is by using RSA. Furthermore, if the privacy of your clients is a concern, you shouldn't store their passwords in your database. Instead, store a hashed - or otherwise generated by your favorite one-way function - string that can't be transformed back into the original. Then have the clients hash their password before sending it so the password never travels over the internet.

Add comment · Show 3 · Share

Kacheek · Jul 25, 2013 at 03:41 PM 0

Share

hey thanks for the answer ! well im glad rpcs are safe then ill look further into doing what youve written (with the events) and for the privacy of my clients i actually do encrypt my user passwords in md5 as soon as they enter the password then i send it to the server in my mysql database the passwords are actually saved in their encrypted form i actually never even know the real password myself! i only get the encrypted password when they register and when they login i get the encrypted password again then i check if they are the same nothing more nothing less ^^ i could ofcourse do the same with other information

ive just gotten kind of paranoid because ive read the following forum posts

http://forum.unity3d.com/threads/138437-What-do-security-conscious-people-do-for-multiplayer-networking-x-post-r-Unity3D

http://answers.unity3d.com/questions/223637/what-good-does-networkinitializesecurity-do.html

Kacheek · Jul 25, 2013 at 03:42 PM 0

Share

also i would like to add that this answer here "My solution to this would be to develop your own security system, for an example, the server sends a random password to every player on connection and sends the same password when callingR PC on this particular client." might be an idea aswell do you guys think it really helps?

i really would like to know how that guy made that cheat client which can acces the Network.InitializeSecurity function

Aria-Lliane · Feb 26, 2014 at 11:39 AM 0

Share

Reading this i just had an idea. Wouldn't it be viable to implement Asymmetric Encryption on the server side, just for the most sensitive parts like login info?

Like this: Make the server generate a pair of private - public keys on startup, the server would distribute their public key upon requested by clients. The client encrypted their info using it, and they could safely send it trough internet. Server would decrypt using its private key.

As the server doesn't need to send any sensitive information, doing this on the client side isn't needed. But it would also be doable if necessary.

Security and RPCs

1 Reply

Your answer

Welcome to Unity Answers

Follow this Question

Related Questions