AppGameKit Classic Chat / AGK encryption

Author
Message
Kobaltic
12
Years of Service
User Offline
Joined: 24th Jan 2012
Location: PA, USA
Posted: 12th Dec 2013 01:05
Is there any encryption for strings in AppGameKit? I want to transfer info over the net but want it encrypted. I saw SHA-1 but would really like something stronger.
easter bunny
12
Years of Service
User Offline
Joined: 20th Nov 2012
Playing: Dota 2
Posted: 12th Dec 2013 03:01 Edited at: 12th Dec 2013 03:13
As far as I'm aware, no.
You could, of course just use HTTPS.

Some sort of custom encryption might be inline here.

One that I came up with goes something like this:

Have a few charts that [randomly] map different numbers to each other (1=54,30=255 etc) no number may be repeated.
Both parties must have at least two charts (they need the same charts), preferably more.

In the message, you supply, near the start, which chart is being used. Then for each ASCII character in the string, choose 2 numbers from the first side of the chart that, when averaged, will equal the ASCII value of the character you want to encrypt. You then use the 2 ASCII characters in place of the original. That probably makes no sense though.
It's unencrypted something like this:

Get Chart that is being used
take first 2 chars
Get ASCII values of them
take the average of those 2 values
Check that ASCII value against the chart
get the value on the other side
turn it back into ASCII
Goto next 2 chars


For more encryption, use multiple charts.
ie.
take first 2 chars
Get ASCII values of them
Get the ASCII values on the other side (from first chart)
take the average of those 2 values
Check that ASCII value against the second chart
get the value on the other side
turn it back into ASCII
Goto next 2 chars


The benefit of this is that it's virtually unbreakable!
Because each letter has thousands of possibilities, you can use a different one each time. This means that there's NO recognizable pattern.
I'm quite happy with this cipher; I came up with it when I was about 10. I'm surprised I still remember it all these years.


Hope that makes sense

Of course, you could just use the old fashioned Simple Substitution Cipher
which should be enough to discourage people trying to crack it

Kobaltic
12
Years of Service
User Offline
Joined: 24th Jan 2012
Location: PA, USA
Posted: 12th Dec 2013 03:27
My concern would be that someone would get in the apk and find the charts.

The other issue is that using the same method without (the equivalent of) a random salt is relatively easy to break.

Maybe I will break down and look at a C++ encryption method that I could work into AGK.

Does AppGameKit support https?
easter bunny
12
Years of Service
User Offline
Joined: 20th Nov 2012
Playing: Dota 2
Posted: 12th Dec 2013 03:30
Quote: "Does AppGameKit support https? "

Yep

Kobaltic
12
Years of Service
User Offline
Joined: 24th Jan 2012
Location: PA, USA
Posted: 12th Dec 2013 03:33
Hmmmm tempting. Now I just have to find a cheap ssl cert.
JimHawkins
15
Years of Service
User Offline
Joined: 26th Jul 2009
Location: Hull - UK
Posted: 12th Dec 2013 09:52
Elsewhere we covered this with XOR - very hard to crack.

-- Jim - When is there going to be a release?
Markus
Valued Member
20
Years of Service
User Offline
Joined: 10th Apr 2004
Location: Germany
Posted: 12th Dec 2013 11:42
@Kobaltic
I believe you can also get an SSL connection without a cert.
With a cert, others that use this connection can see it's your signature
(and not another PC).

AGK 108 B19 : Windows 8.1 Pro 64 Bit : AMD Radeon HD 6670
Wilf
Valued Member
18
Years of Service
User Offline
Joined: 1st Jun 2006
Location: Gone to Unity.
Posted: 13th Dec 2013 10:13
I tried connecting without an official cert this week, AppGameKit returned -1 every time it tried to connect over HTTPS. Bought the cert ($15 per year, Dreamhost/Comodo) and the problem went away.
Markus
Valued Member
20
Years of Service
User Offline
Joined: 10th Apr 2004
Location: Germany
Posted: 13th Dec 2013 15:05
I found some info on the web about this:
Quote: "Not verifying the identity of the server you connect to leaves the connection open to potential MITM attacks. SSL/TLS can be used without certificates (with anonymous cipher suites), but they're insecure (and disabled by default); as the TLS RFC says: "Note that this mode is vulnerable to man-in-the-middle attacks and is therefore deprecated." In addition, the HTTPS specification itself expects there to be an X.509 certificate.

Checking the identity of the remote party is a necessary element for securing your system. It's not very useful to exchange data secretly with a remote party who may not be who they claim they are (even if the secrecy is guaranteed).

This being said, you don't have to go via a commercial CA. You can either use self-signed certificates, which you would have to import individually into each client as trusted certificate, or create your own institutional CA. There are tools to do this, ranging from OpenSSL's CA.pl (see man-page), TinyCA or OpenCA amongst others. Some operating systems also provide their own small CA capabilities."


AGK 108 B19 : Windows 8.1 Pro 64 Bit : AMD Radeon HD 6670
Naphier
14
Years of Service
User Offline
Joined: 2nd Oct 2010
Location: St Petersburg, Florida
Posted: 13th Dec 2013 22:33
XOR is probably the easiest.
I use it to encrypt some of my game's assets (primarily the game's data file). The keys are stored in my code so are crushed into the bytecode somewhere, would be pretty difficult for someone to find in 20MB of bytecode, I imagine.
For sending stuff to the server I just use SSL for everything but passwords. Passwords are encrypted and stored locally with sha1 and salt then stored on my server with an MD5 and salt, anyone who can hack that is pretty impressive, and if they do... they can't do much damage... they could log in to one of my user's accounts and play games and make purchases, but they'd have to pay with GPlay or iTunes, so I see no reason...
If you want to further protect the data that is sent to your server I'd recommend using XOR and store the key in your code plus on the server in a directory that is not accessible from the internet. You can also require access to that include file to need a password from the file requiring it.
I do something like this:
In my PHP requiring the secure file I define a constant, say PW to equal something. Then in my include file I check to see if that constant is defined correctly, if not you get shot out to my home page with a redirect. I also store all of my web-accessible php scripts in a password protected directory.
So there's layers upon layers of protection that will take someone a lot of effort to get through and the worst they can do is kill my databases which will be backed up. So at most it will cause inconvenience to all of my users by resetting their games back a few days and having to enter a new password.

BatVink
Moderator
21
Years of Service
User Offline
Joined: 4th Apr 2003
Location: Gods own County, UK
Posted: 15th Dec 2013 18:06
Quote: " I'd recommend using XOR and store the key in your code "


For the things we're creating here this is sufficient. You should remember that every game that is more popular than yours (the commercial stuff) acts as a prevention for you. People won't hack a game that has a small number of users when they can get credited for hacking software demanded by thousands or millions of users.

Just to make my XOR slightly more secure, I add salt and split the key across multiple variables.

Naphier
14
Years of Service
User Offline
Joined: 2nd Oct 2010
Location: St Petersburg, Florida
Posted: 15th Dec 2013 18:31
Yes, salting and splitting across multiple variables is a great idea.
I was just looking through my bytecode file last night and I noticed that right there in plain ASCII I could see my server's login credentials since I stored them in a single string literal...
So look out for stuff like that too, nothing makes it easier than putting stuff out there in plain ASCII for everyone to see!
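
A build-time check for the problem described in the post above, as an added example that is not part of the original thread: it pulls printable ASCII runs out of a compiled file, the way a `strings` tool does, and flags literals that look like credentials. The patterns, the sample bytes and all names are constructed for illustration; no AppGameKit bytecode format is assumed.

```python
import re

# Runs of 6+ printable ASCII bytes, the same thing a `strings` tool reports.
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{6,}")

# Heuristic patterns (assumptions, tune for your project) for literals
# that should not ship inside a client build.
SUSPICIOUS = {
    "url_with_credentials": re.compile(
        rb"[a-z][a-z0-9+.-]*://[^\s/:@]+:[^\s/@]+@", re.I),
    "credential_keyword": re.compile(
        rb"(passw(or)?d|pwd|secret|api[_-]?key|token)\s*[=:]", re.I),
}

def extract_strings(blob):
    """Yield (offset, bytes) for every printable ASCII run in blob."""
    for match in PRINTABLE_RUN.finditer(blob):
        yield match.start(), match.group()

def find_embedded_secrets(blob):
    """Return (offset, label, text) for each run matching a pattern."""
    findings = []
    for offset, text in extract_strings(blob):
        for label, pattern in SUSPICIOUS.items():
            if pattern.search(text):
                findings.append((offset, label, text.decode("ascii")))
    return findings

def build_sample():
    """Constructed stand-in for a compiled file (not a real AGK build)."""
    filler = bytes([0x00, 0x1F, 0x80, 0xFF, 0x03]) * 40  # non-printable
    return (filler
            + b"https://gameuser:hunter2@example.invalid/scores.php"
            + filler
            + b"Press any key to continue"   # harmless UI text
            + filler
            + b"db_password=example-only"
            + filler)

if __name__ == "__main__":
    # Replace build_sample() with open(path, "rb").read() for a real file.
    for offset, label, text in find_embedded_secrets(build_sample()):
        print(f"0x{offset:06x}  {label:22s}  {text}")
```

Run against the shipped bytecode file as part of the release build; any hit means a secret is readable by anyone who opens the package.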

Naphier
14
Years of Service
User Offline
Joined: 2nd Oct 2010
Location: St Petersburg, Florida
Posted: 15th Dec 2013 18:43
So... I just threw the switch on our game to flip over to using SSL. We have a valid certificate and I paid $50 for it. Apparently there is something wrong with AppGameKit using SSL AND a password protected directory. I'll be reporting this sometime this week, it's not the first issue I've seen like this.... yay...
