• Products
  • Solutions
  • Made with Unity
  • Learning
  • Support & Services
  • Community
  • Asset Store
  • Get Unity

UNITY ACCOUNT

You need a Unity Account to shop in the Online and Asset Stores, participate in the Unity Community and manage your license portfolio. Login Create account
  • Blog
  • Forums
  • Answers
  • Evangelists
  • User Groups
  • Beta Program
  • Advisory Panel

Navigation

  • Home
  • Products
  • Solutions
  • Made with Unity
  • Learning
  • Support & Services
  • Community
    • Blog
    • Forums
    • Answers
    • Evangelists
    • User Groups
    • Beta Program
    • Advisory Panel

Unity account

You need a Unity Account to shop in the Online and Asset Stores, participate in the Unity Community and manage your license portfolio. Login Create account

Language

  • Chinese
  • Spanish
  • Japanese
  • Korean
  • Portuguese
  • Ask a question
  • Spaces
    • Default
    • Help Room
    • META
    • Moderators
    • Topics
    • Questions
    • Users
    • Badges
  • Home /
avatar image
0
Question by Kacheek · Jul 25, 2013 at 11:02 AM · multiplayerrpcloginsecurityvalidation

Security and RPCs

Hello there!

I've been programming a multiplayer game, which will be only a social Game, where you run around dress up your character and such. In order to determine who the player is and what Inventory belongs to him or whatever, I have programmed a login function. to make it save, i've made that the Client sends his (MD5 encrypted) Login Data to the Server, then the Server calls a WWW function to a .php file, which checks, if the given login data is correct(using a mysql database).

Everything is pretty much working... Even the movement is getting updated and so do the animations.

BUT!!! I'm only using RPCs to comunicate between the Client and Server... I've now found out, that you can actually run ANY code with ANY Client on my Server with an RPC, which pretty much sucks.... Somebody could disconnect the Server or do even worse things!

I've been searching over the Net for help, I have indeed found several things, such as using Photon, but 1. they are expensive for me 2. I dont have that much to secure after all! Something more basic should work, too! I don't really care if anybody is running around with speed hack or is teleporting himself, as long as they can't fool the login validation. (Which i will call again if they want to modifiy the Inventory.)

Well... then ive found this here http://docs.unity3d.com/Documentation/ScriptReference/MonoBehaviour.OnSerializeNetworkView.html

If i understood the function right, it only sends Variables across the Network. Sounds pretty secure to me, if i would disable all any RPCs by using Network.SetReceivingEnabled = false;

SO! My question is: "Is this secure?"... I know, nothing is 100% secure, but is this secure enough to release a game, where even real money is involved? If not, please feel free to suggest anything else, that could make my game secure... I would even buy an Asset, that costs less than $50... As long as it can help me and isn't time restricted. Also i would always be very happy, if somebody adds me on skype and discuss it through a live chat, instead of a Forum such as this here.

Comment
Add comment · Show 8
10 |3000 characters needed characters left characters exceeded
▼
  • Viewable by all users
  • Viewable by moderators
  • Viewable by moderators and the original poster
  • Advanced visibility
Viewable by all users
avatar image Kacheek · Jul 25, 2013 at 11:19 AM 0
Share

here is more about the onserialize function

http://docs.unity3d.com/Documentation/Components/class-NetworkView.html

avatar image Jamora · Jul 25, 2013 at 11:22 AM 0
Share

Where is this resource that tells how to run any code with any client on a unity server via RPC?

Based on what I know of the networking and RPC system I'd say this is not possible.

avatar image Kacheek · Jul 25, 2013 at 11:37 AM 0
Share

RPC just work like that.. you type in the code you want to execute on the other client/server nothing validates if that RPC is coming from a non modified client you can try it out if want to just create a new unity project just add one script that does the following :

Network.Connect(yourserverIP, yourserverPORT);

 networkView.RPC("disconnecteverybody", RPCMode.All);

[RPC] void disconnecteverybody () { Network.Disconnect();

}

there is in fact the Network.InitializeSecurity function

but i've read that it doesnt validate the server

i've in fact read that somebody programmed a game that become a bit popular and then somebody programmed a hack for it that gets the same acces as the server and can manipulate everything... if a hacker can only manipulate a variable i wouldnt care about it ..

avatar image Tarlius · Jul 25, 2013 at 11:53 AM 1
Share

While its not directly related to the main question, it may be worth mentioning that you shouldn't be using MD5 for anything security related since its not secure at all (see wikipedia). MD5 is best used as a checksum at best these days. You should be looking towards SHA or something.

As for RPC... A quick google says Remote Procedure Call. This sounds like a very bad idea. Turning off the server is the very least of your worries, especially if it has access to the mysql database. Especially if you are storing credit card info in there. Worst case scenario is not so much "turn the server back on and scan for malware" but more like "get destroyed by the litigation of releasing all customers bank details and passwords".

However, I'm not sure how we went from WWW to RPC, so its possible I've misunderstood something.

avatar image Tarlius · Jul 25, 2013 at 02:45 PM 1
Share

Googled a bit more and it doesn't sound as bad as bad as I first thought- I thought it was running shell scripts or you were sending the php to the server. But generally, with all security based stuff, you have to imagine that the other site is corrupt. All input can come from something someone else built (or changed by something in the middle). If its just the client you're commanding its probably not such a big deal.

Also- Hashing and Encrypting are not the same thing. SHA is a hash. I think the correct process is you encrypt with public key, send the encrypted key to the server, decrypt it with your private key, use it to calculate a hash, and then throw it away. But I've never actually had to implement such a system :/ I would think that if you hash locally theres not much point other than to hide the original password; the hacker could log in with the hash. Maybe you hash each end... Quick google turned a blank and its too late for me to dig deeper ^^;

Show more comments

1 Reply

· Add your reply
  • Sort: 
avatar image
1
Best Answer

Answer by Jamora · Jul 25, 2013 at 03:28 PM

This is turning out to be more of a discussion (naughty us), so it might be better to post this on the actual forums. I'll try to have a go at your question.

RPC calls can only be used if there is the [RPC] attribute for the function. So if the server has methods no client should have access to, just leave out the [RPC], and no (knock on wood) amount of clientside hacking can be done to access that function on the server. Certainly not by using networkView.SendRPC, which you can test for yourself.

The RPC methods can be completely separated code-wise from nonRPC methods by using events, so even if somehow someone managed to get the source code from one of your RPC methods, they'd have no way of knowing where the events are received.

RPC methods are safe, even if equally slow to SendMessage (because of the reflection + network lag).

As Tarlius tells you, an efficient way to encrypt your data is by using RSA. Furthermore, if the privacy of your clients is a concern, you shouldn't store their passwords in your database. Instead, store a hashed - or otherwise generated by your favorite one-way function - string that can't be transformed back into the original. Then have the clients hash their password before sending it so the password never travels over the internet.

Comment
Add comment · Show 3 · Share
10 |3000 characters needed characters left characters exceeded
▼
  • Viewable by all users
  • Viewable by moderators
  • Viewable by moderators and the original poster
  • Advanced visibility
Viewable by all users
avatar image Kacheek · Jul 25, 2013 at 03:41 PM 0
Share

hey thanks for the answer ! well im glad rpcs are safe then ill look further into doing what youve written (with the events) and for the privacy of my clients i actually do encrypt my user passwords in md5 as soon as they enter the password then i send it to the server in my mysql database the passwords are actually saved in their encrypted form i actually never even know the real password myself! i only get the encrypted password when they register and when they login i get the encrypted password again then i check if they are the same nothing more nothing less ^^ i could ofcourse do the same with other information

ive just gotten kind of paranoid because ive read the following forum posts

http://forum.unity3d.com/threads/138437-What-do-security-conscious-people-do-for-multiplayer-networking-x-post-r-Unity3D

http://answers.unity3d.com/questions/223637/what-good-does-networkinitializesecurity-do.html

avatar image Kacheek · Jul 25, 2013 at 03:42 PM 0
Share

also i would like to add that this answer here "My solution to this would be to develop your own security system, for an example, the server sends a random password to every player on connection and sends the same password when callingR PC on this particular client." might be an idea aswell do you guys think it really helps?

i really would like to know how that guy made that cheat client which can acces the Network.InitializeSecurity function

avatar image Aria-Lliane · Feb 26, 2014 at 11:39 AM 0
Share

Reading this i just had an idea. Wouldn't it be viable to implement Asymmetric Encryption on the server side, just for the most sensitive parts like login info?

Like this: Make the server generate a pair of private - public keys on startup, the server would distribute their public key upon requested by clients. The client encrypted their info using it, and they could safely send it trough internet. Server would decrypt using its private key.

As the server doesn't need to send any sensitive information, doing this on the client side isn't needed. But it would also be doable if necessary.

Your answer

Hint: You can notify a user about this post by typing @username

Up to 2 attachments (including images) can be used with a maximum of 524.3 kB each and 1.0 MB total.

Welcome to Unity Answers

The best place to ask and answer questions about development with Unity.

To help users navigate the site we have posted a site navigation guide.

If you are a new user to Unity Answers, check out our FAQ for more information.

Make sure to check out our Knowledge Base for commonly asked Unity questions.

If you are a moderator, see our Moderator Guidelines page.

We are making improvements to UA, see the list of changes.

Follow this Question

Answers Answers and Comments

21 People are following this question.

avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image

Related Questions

Security issues with Multi-player User Database? 2 Answers

Checking if RPC queue is empty? 0 Answers

How to manage viewIDs? 1 Answer

Rpc Can't be called on client - Problem with client, works on server 1 Answer

When to use OnSerializeNetworkView and RPC's 1 Answer

  • Anonymous
  • Sign in
  • Create
  • Ask a question
  • Spaces
  • Default
  • Help Room
  • META
  • Moderators
  • Explore
  • Topics
  • Questions
  • Users
  • Badges