Security and RPCs
Hello there!
I've been programming a multiplayer game, which will only be a social game where you run around, dress up your character and such. In order to determine who the player is and what inventory belongs to him or whatever, I have programmed a login function. To make it safe, I've made it so the client sends his (MD5 encrypted) login data to the server; then the server calls a WWW function to a .php file, which checks if the given login data is correct (using a MySQL database).
Everything is pretty much working... Even the movement is getting updated, and so do the animations.
BUT!!! I'm only using RPCs to communicate between the client and server... I've now found out that you can actually run ANY code with ANY client on my server with an RPC, which pretty much sucks... Somebody could disconnect the server or do even worse things!
I've been searching over the net for help, and I have indeed found several things, such as using Photon, but 1. they are expensive for me, 2. I don't have that much to secure after all! Something more basic should work too! I don't really care if anybody is running around with a speed hack or is teleporting himself, as long as they can't fool the login validation (which I will call again if they want to modify the inventory).
Well... then I've found this here: http://docs.unity3d.com/Documentation/ScriptReference/MonoBehaviour.OnSerializeNetworkView.html
If I understood the function right, it only sends variables across the network. Sounds pretty secure to me, if I would disable all RPCs by using Network.SetReceivingEnabled = false;
SO! My question is: "Is this secure?"... I know nothing is 100% secure, but is this secure enough to release a game where even real money is involved? If not, please feel free to suggest anything else that could make my game secure... I would even buy an asset that costs less than $50... as long as it can help me and isn't time restricted. Also I would always be very happy if somebody added me on Skype to discuss it through a live chat, instead of a forum such as this one.
Here is more about the OnSerialize function:
http://docs.unity3d.com/Documentation/Components/class-NetworkView.html
Where is this resource that tells how to run any code with any client on a Unity server via RPC?
Based on what I know of the networking and RPC system I'd say this is not possible.
RPCs just work like that... You type in the code you want to execute on the other client/server; nothing validates if that RPC is coming from a non-modified client. You can try it out if you want to: just create a new Unity project and add one script that does the following:
Network.Connect(yourserverIP, yourserverPORT);
networkView.RPC("disconnecteverybody", RPCMode.All);

[RPC] void disconnecteverybody () {
    Network.Disconnect();
}
There is in fact the Network.InitializeSecurity function,
but I've read that it doesn't validate the server.
I've in fact read that somebody programmed a game that became a bit popular, and then somebody programmed a hack for it that gets the same access as the server and can manipulate everything... If a hacker can only manipulate a variable, I wouldn't care about it...
While it's not directly related to the main question, it may be worth mentioning that you shouldn't be using MD5 for anything security related, since it's not secure at all (see Wikipedia). MD5 is best used as a checksum at best these days. You should be looking towards SHA or something.
As for RPC... A quick Google says Remote Procedure Call. This sounds like a very bad idea. Turning off the server is the very least of your worries, especially if it has access to the MySQL database. Especially if you are storing credit card info in there. Worst case scenario is not so much "turn the server back on and scan for malware" but more like "get destroyed by the litigation of releasing all customers' bank details and passwords".
However, I'm not sure how we went from WWW to RPC, so it's possible I've misunderstood something.
Googled a bit more and it doesn't sound as bad as I first thought. I thought it was running shell scripts or you were sending the PHP to the server. But generally, with all security-based stuff, you have to imagine that the other side is corrupt. All input can come from something someone else built (or changed by something in the middle). If it's just the client you're commanding, it's probably not such a big deal.
Also, hashing and encrypting are not the same thing. SHA is a hash. I think the correct process is you encrypt with a public key, send the encrypted key to the server, decrypt it with your private key, use it to calculate a hash, and then throw it away. But I've never actually had to implement such a system :/ I would think that if you hash locally there's not much point other than to hide the original password; the hacker could log in with the hash. Maybe you hash at each end... A quick Google turned up a blank, and it's too late for me to dig deeper ^^;
Answer by Jamora · Jul 25, 2013 at 03:28 PM
This is turning out to be more of a discussion (naughty us), so it might be better to post this on the actual forums. I'll try to have a go at your question.
RPC calls can only be used if there is the [RPC] attribute for the function. So if the server has methods no client should have access to, just leave out the [RPC], and no (knock on wood) amount of clientside hacking can be done to access that function on the server. Certainly not by using networkView.SendRPC, which you can test for yourself.
The RPC methods can be completely separated code-wise from non-RPC methods by using events, so even if somehow someone managed to get the source code of one of your RPC methods, they'd have no way of knowing where the events are received.
RPC methods are safe, even if equally as slow as SendMessage (because of the reflection + network lag).
As Tarlius tells you, an efficient way to encrypt your data is by using RSA. Furthermore, if the privacy of your clients is a concern, you shouldn't store their passwords in your database. Instead, store a hashed - or otherwise generated by your favorite one-way function - string that can't be transformed back into the original. Then have the clients hash their password before sending it so the password never travels over the internet.
Hey, thanks for the answer! Well, I'm glad RPCs are safe then. I'll look further into doing what you've written (with the events). And for the privacy of my clients, I actually do encrypt my user passwords in MD5 as soon as they enter the password, then I send it to the server. In my MySQL database the passwords are actually saved in their encrypted form; I actually never even know the real password myself! I only get the encrypted password when they register, and when they log in I get the encrypted password again, then I check if they are the same. Nothing more, nothing less ^^ I could of course do the same with other information.
I've just gotten kind of paranoid because I've read the following forum post:
http://answers.unity3d.com/questions/223637/what-good-does-networkinitializesecurity-do.html
Also I would like to add that this answer here, "My solution to this would be to develop your own security system, for an example, the server sends a random password to every player on connection and sends the same password when calling RPC on this particular client.", might be an idea as well. Do you guys think it really helps?
I really would like to know how that guy made that cheat client which can access the Network.InitializeSecurity function.
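The two defensive ideas raised in the thread, Jamora's "store only a one-way hash" and the quoted "random password per connection", modelled together in Python as an added example; this is not the asker's PHP/MySQL code, and the in-memory dictionaries, the PBKDF2 work factor, and the usernames and item names are constructed for illustration.

```python
import hashlib
import hmac
import os
import secrets

# Constructed in-memory stand-in for the thread's MySQL user table:
# username -> (salt, PBKDF2-SHA256 hash). The server never stores the password itself.
USERS = {}
# Per-connection random "password" handed out at login (the idea quoted in the thread):
# token -> username. The server trusts the token, not what the client claims to be.
SESSIONS = {}

PBKDF2_ROUNDS = 100_000  # assumption: work factor chosen for this example


def register(username, password):
    """Store a salted one-way hash, so a dumped table does not reveal passwords."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    USERS[username] = (salt, digest)


def verify_password(username, password):
    """Re-derive the hash with the stored salt and compare in constant time."""
    record = USERS.get(username)
    if record is None:
        return False
    salt, stored = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, stored)


def login(username, password):
    """Return a fresh random session token on success, None otherwise."""
    if not verify_password(username, password):
        return None
    token = secrets.token_hex(16)
    SESSIONS[token] = username
    return token


def inventory_rpc(token, claimed_user, item):
    """Server-side handler for an inventory-changing RPC."""
    # Any client can send this call (as the thread points out), so the handler
    # re-checks the session token instead of trusting the username in the packet.
    owner = SESSIONS.get(token)
    if owner is None or owner != claimed_user:
        return False  # unknown token, or a token issued to a different player
    # ... apply the change to `owner`'s inventory here ...
    return True
```

Because the server re-hashes whatever it receives, a login attempt with the wrong secret or a forged token fails without any client-side logic being trusted.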
Reading this I just had an idea. Wouldn't it be viable to implement asymmetric encryption on the server side, just for the most sensitive parts like login info?
Like this: Make the server generate a private/public key pair on startup; the server would distribute its public key upon request by clients. The client encrypts their info using it, and they could safely send it through the internet. The server would decrypt using its private key.
As the server doesn't need to send any sensitive information, doing this on the client side isn't needed. But it would also be doable if necessary.