Best way of serializing data for transmission over network interface

Questions about the LÖVE API, installing LÖVE and other support related questions go here.
pgimeno
Party member
Posts: 3544
Joined: Sun Oct 18, 2015 2:58 pm

Re: Best way of serializing data for transmission over network interface

Post by pgimeno »

Sounds like it's time to start worrying about the security of your users. If they have to log in, one basic precaution is not to send passwords in plain text, taking some extra steps to ensure they aren't easy to decode (RSA or other public key encryption algorithm when registering; at least challenge-response when logging in). But that exceeds the scope of this forum, I'm afraid.
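The challenge-response login pgimeno describes, as an added illustration (Python, not Lua, and not code from this thread or from LÖVE): the server never sees or stores the password, only a PBKDF2-derived verifier, and each attempt answers a fresh single-use nonce, so a sniffer learns nothing it can replay. The 100,000 PBKDF2 rounds and 16-byte salt/nonce sizes are assumptions, not values from the post.

```python
import hashlib
import hmac
import os

# Server keeps a PBKDF2-derived verifier per user; the password itself is never
# stored and never put on the wire. (Constructed example, not the forum's code.)
def make_verifier(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

class LoginServer:
    def __init__(self):
        self.users = {}     # name -> (salt, verifier)
        self.pending = {}   # name -> nonce issued for the current login attempt

    def register(self, name: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[name] = (salt, make_verifier(password, salt))

    def challenge(self, name: str):
        """Step 1: client names itself; server answers with the salt and a fresh nonce."""
        salt, _ = self.users[name]
        nonce = os.urandom(16)
        self.pending[name] = nonce
        return salt, nonce

    def verify(self, name: str, response: bytes) -> bool:
        """Step 3: recompute HMAC(verifier, nonce) and compare in constant time."""
        nonce = self.pending.pop(name, None)   # single use, so a replayed response fails
        if nonce is None:
            return False
        _, verifier = self.users[name]
        expected = hmac.new(verifier, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

def client_response(password: str, salt: bytes, nonce: bytes) -> bytes:
    """Step 2: client derives the same verifier locally and HMACs the nonce with it."""
    return hmac.new(make_verifier(password, salt), nonce, hashlib.sha256).digest()

def login(server: LoginServer, name: str, password: str) -> bool:
    """Full round trip: only the name, salt, nonce and HMAC tag cross the network."""
    salt, nonce = server.challenge(name)
    return server.verify(name, client_response(password, salt, nonce))
```

This protects the password from a sniffer and blocks replay of a captured tag; it does not authenticate the server to the client, which is what the public-key step in the post adds.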
steven777
Prole
Posts: 35
Joined: Tue Jul 12, 2016 4:48 am

Re: Best way of serializing data for transmission over network interface

Post by steven777 »

Should I encrypt all transmissions from the client to the server, or just player information strings...

Can strings be captured by an outside party?

Right now I'm just sending plain text in a string. I could write some basic encryption for the characters in the string.... but I think this might hurt performance if I had to encrypt all data??

Also, is my server safe as long as it drops strings that aren't within the set parameters? If a string has a command of ( connect_client )

The string is only read if it has the right amount of data; anything else returns an error or just gets negated.

Is this ok for my servers or am I still vulnerable?

I can see that the client is more vulnerable at this point though, because the user's information is just in a string... it could potentially be taken out of the air and then someone would have your pass and login. (Glad I didn't use email addressing.)

Does it matter if the client is unprotected if there isn't any data to really gain... except login and pass? Which could be changed from the web server, not the game server... just wondering what the likelihood of me getting hacked is....

???
steven777
Prole
Posts: 35
Joined: Tue Jul 12, 2016 4:48 am

Re: Best way of serializing data for transmission over network interface

Post by steven777 »

And is it OK to send normal data over string??

X, y, player cash, region, faction, current weapon, IP, data-index, etc.

---------------------

I also would advise most common users to use ENet over the UDP sockets. ENet functions are built in, so you don't have to hard-code all of the functions (like connection, disconnection, ping, etc). I personally like UDP at this point; you can get a lot more precise.
Positive07
Party member
Posts: 1014
Joined: Sun Aug 12, 2012 4:34 pm
Location: Argentina

Re: Best way of serializing data for transmission over network interface

Post by Positive07 »

Security MUST NOT be your concern if you are developing a multiplayer game: your game will always be hackable, and yes, transmissions are readable, I could always connect to the same port and read your transmissions. But I can also always open your game with zip and read your code, so even if you are using encryption I could delete your encryption code and put some code in the middle, or simply write a decoder using whatever key may be stored in your Lua files. Remember .love files are just .zip files with .lua text files inside, and even if you make a fused .exe I can still open it with 7zip to see the .lua files. So the best you can do if you are planning to make a networked game is FORGET ABOUT SECURITY!
steven777
Prole
Posts: 35
Joined: Tue Jul 12, 2016 4:48 am

Re: Best way of serializing data for transmission over network interface

Post by steven777 »

So from your perspective, I should set up some hack blocks but not focus on it.

Right now I have no encryption in the strings, and you are right: even if I write an encoder you could just look at the encoder and reverse engineer it. I could recreate the Enigma machine but what's the point.

I think I will use a randomly coded key that gets reset every hour or so. So it would take a while.

The real attack I'm worried about is DDoS attacks. People spamming data to the game servers.

I have the login server/game server integrated because I'm working on the same machine. I'll scale it up later. I have a firewall that blocks the incoming data from being passed if the sender is spamming the login servers. I'm not quite sure how to protect the game servers. I assume the same way.

Last question.

Should I use this server setup or the second one?

Client ----- login server ----- shard/instance server ---- storage server (player data lookup)

Or

Client --- login/shard/pvp --- storage.

Or does it matter what I do??..

Right now when you log in it automatically establishes a connection. Then you can go to a game on the client.

Then when the client starts a game the server loads the player into a random lobby and starts sending data around to the players in the match.

So the server acts as the login and game server.

Should I be splitting the duties of the servers up into just individual tasks?

So the question is how many server software types am I needing....

And what server establishes a connection?.... the login server or the instance server...
Positive07
Party member
Posts: 1014
Joined: Sun Aug 12, 2012 4:34 pm
Location: Argentina

Re: Best way of serializing data for transmission over network interface

Post by Positive07 »

First, about the Enigma thing: how are you gonna send the keys? If you are using UDP or TCP or any other protocol really, I could read it. I could also read them from memory (since you will have to put it there when using them in Lua). Also I can always modify your code so that it sends the message I want.

The key for security in games is that THE CLIENT ONLY ASKS! So you are basically asking "Can I move here?" and the server says: well, you were here last time and so many seconds have passed, since this is possible with your velocity and acceleration and other stats, and you are not colliding with anything, you can move (or you can't move). You can even go further and your client could send "Hey, player is pressing W, so what should I do?" and the server would answer.

There is no way to get more secure than that. Also try using SHA hashed passwords instead of sending bare passwords or similar, maybe another algorithm, but the idea is not to put the bare data on the wire, so that it is "harder" to get the user input password; you should try to destroy that information as soon as you can so that at least you secure your user data... Of course I could always grab that SHA password and use that to validate in your server, but at least I don't know that, say, UserA uses "1234Clowns" as a password for his stuff; it could happen that this is his e-mail password too, who knows?

Also as I said, first do your game, then you can add security as you see is needed and such, don't prioritize on this. And whenever you think you are ready to go this way, you will need to learn LOTS of cryptography and such, LOTS!!

About your architecture, simple will give you fewer headaches, so if you have a single server that handles everything and that works, then great. In games what you try to minimize is latency; if you can ask a single server and that server will give you the right answer and fast, that is the way to go. If your server has to ask another server that checks a database and whatnot and then transmits to the first server and then the server answers, then this will take more time; of course if all this is needed to get a right answer and it is simple for you to write then go this way. Luckily you can always go back and revisit your architecture anytime, since protocols are rather standard.

So don't focus on security and don't focus on your network structure: make a game, add multiplayer, make it work, make it fast, make it secure, that's the best order you can possibly follow. Pre-optimization is the root of all evil! And also having too many tasks at the same time can be frustrating and you get less done (or so it seems, because it takes more time to get something to work, debug and so on), so try to keep it simple (KISS) then expand and conquer (?)
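The "client only asks" rule from the post above, as an added example (Python rather than Lua, and not code from this thread or from LÖVE): the server keeps the last position it accepted, rejects any requested move that exceeds the server-defined speed over the elapsed time or lands inside a wall, and, in the stricter variant, takes only the key being held and computes the position itself. The wall list, speed value and 5% jitter slack are constructed assumptions.

```python
import math

# Constructed example, not code from the thread: the server keeps the last
# position it accepted for each player and only ever answers "yes" or "no".
class PlayerState:
    def __init__(self, x, y, t, max_speed):
        self.x, self.y, self.t = x, y, t
        self.max_speed = max_speed   # world units per second, defined by the server

WALLS = [(10, 10, 12, 20)]   # constructed map: axis-aligned rectangles (x1, y1, x2, y2)

def blocked(x, y):
    return any(x1 <= x <= x2 and y1 <= y <= y2 for x1, y1, x2, y2 in WALLS)

def handle_move_request(state, nx, ny, now):
    """Client asks 'can I be at (nx, ny)?'; server replies (accepted, position to use)."""
    dt = now - state.t
    if dt <= 0:
        return False, (state.x, state.y)      # stale or out-of-order request: ignore
    dist = math.hypot(nx - state.x, ny - state.y)
    if dist > state.max_speed * dt * 1.05:    # 5% slack for timer jitter, not for speed hacks
        return False, (state.x, state.y)
    if blocked(nx, ny):
        return False, (state.x, state.y)
    state.x, state.y, state.t = nx, ny, now   # accepted: this is now the truth
    return True, (nx, ny)

def handle_input_request(state, key, now):
    """Stricter variant: client sends only 'W is held'; server decides where that leads."""
    dt = now - state.t
    if dt <= 0:
        return (state.x, state.y)
    dx, dy = {"W": (0, -1), "S": (0, 1), "A": (-1, 0), "D": (1, 0)}.get(key, (0, 0))
    nx = state.x + dx * state.max_speed * dt
    ny = state.y + dy * state.max_speed * dt
    if not blocked(nx, ny):
        state.x, state.y = nx, ny
    state.t = now
    return (state.x, state.y)
```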
zorg
Party member
Posts: 3436
Joined: Thu Dec 13, 2012 2:55 pm
Location: Absurdistan, Hungary
Contact:

Re: Best way of serializing data for transmission over network interface

Post by zorg »

And about DOS attacks, it should not be the task of a game server to "protect itself" against those.
They should be handled way earlier. Cloudflare for one automatically takes care of these, if i am not mistaken.
As for hacked clients sending too many messages or malformed (from the server's perspective, anyway) messages to the server, you could detect those in many ways, check the total length, etc... then simply close that connection (or just blacklist the address on the server) and you're done. Then again, i'm no expert on networking either, so, obligatory with a grain of salt.
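An inbound-message guard combining what steven777 asked earlier (drop any string that is not a known command with exactly the right number of fields, such as connect_client) with zorg's advice above (cap the total length, count messages per address, blacklist a flooding sender). Added example in Python, not code from this thread or from LÖVE; the comma-separated wire format, the 512-byte cap, the 30 messages/second limit and the command table are constructed assumptions.

```python
import time
from collections import defaultdict, deque

MAX_BYTES = 512            # anything longer is dropped without parsing
MAX_MSGS_PER_SEC = 30      # per source address, over a sliding one-second window
SCHEMA = {                 # constructed command table: command -> exact field count
    "connect_client": 2,   # name, client version
    "move": 2,             # x, y
    "chat": 1,             # text
}

class InboundGuard:
    def __init__(self, now=time.monotonic):
        self.now = now                       # injectable clock so the logic is testable
        self.window = defaultdict(deque)     # addr -> timestamps of recent messages
        self.blacklist = set()

    def accept(self, addr, raw: bytes):
        """Return (command, fields) for a well-formed message, or None to drop it."""
        if addr in self.blacklist:
            return None
        t = self.now()
        q = self.window[addr]
        q.append(t)
        while q and t - q[0] > 1.0:          # forget timestamps older than one second
            q.popleft()
        if len(q) > MAX_MSGS_PER_SEC:
            self.blacklist.add(addr)         # flooding: stop reading this address at all
            self.window.pop(addr, None)
            return None
        if len(raw) > MAX_BYTES:
            return None
        try:
            text = raw.decode("utf-8")
        except UnicodeDecodeError:
            return None
        parts = text.split(",")
        cmd, fields = parts[0], parts[1:]
        if SCHEMA.get(cmd) != len(fields):   # unknown command or wrong field count
            return None
        return cmd, fields
```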
pgimeno
Party member
Posts: 3544
Joined: Sun Oct 18, 2015 2:58 pm

Re: Best way of serializing data for transmission over network interface

Post by pgimeno »

I disagree with Positive07. If the server is protected and it has a secure private key, and the clients have its corresponding public key, proper encryption and authentication is granted. Otherwise, a Diffie-Hellman key exchange can help you set up a less secure encryption key, one that is only vulnerable to man-in-the-middle attacks, but not to sniffing or opening up the code.

Edit: I'm talking about the security of your users, not about cheating or crashing the server. The most fundamental and necessary security.

As for Cloudflare, it's not selective enough and "protects" against actual, legitimate users, me being one.
steven777
Prole
Posts: 35
Joined: Tue Jul 12, 2016 4:48 am

Re: Best way of serializing data for transmission over network interface

Post by steven777 »

So is the following ok for me to start on right now? I'm working on getting the architecture to a good point before moving to the game elements, because it could fundamentally change the game layout if I built the game and then added security or had to take out some things to make it faster.

------
Security to do list (mainly for the users)
------

So I need a product registration (to make sure the server knows the client is usable, or the server knows the IP of the user, so only clients with saved IPs can get a response from the server).

I need to encrypt just the password with what? Just some basic key encryption.

Maybe pass a random validation code to the server during messaging.

Or does all data need to be transformed? Right now it is bare, even pass and name. So the pass and name are changing, but should I just encrypt it all? (Will cause lag probably...)

------

Server structures:

Client <-------------------------------------+
  --to--                                     |
Login server                                 |
  --to--                                     |
Game type server (player data) <-------------+
  --to--                                     |
Data center (names, ip, pass, keys, stats) --+

Client asks for login. Login is the first line of defense. Says ok, I'm gonna ask the game type server.

Game type server asks the data center server to enquire about the data. The data gets passed to the game server from the data center.

The game server then checks it and says make a connection, starting the lobby and matchmaking process.

So most data would be secure on a setup like this to some degree. This means it would take longer to log in but the game would run fine.

Game server could be MMO or it could be small lobby setups either way.
---------------------

Right now it's client to server and that's really it, and it establishes a connection with it. It would take me some rewriting at this point to make this, setting me back about 2 days maybe.

Just have to port some of the server to a new game file and make that the data center.

Connection isn't made with the data center. They just ask questions and get a direct response. Or maybe I'll have some type of connection but idk if that is relevant??

Do you guys like this setup or would you be ok playing a game that is set up like this? I'm making the game for my grandfather that passed 2 weeks ago. So I'm making the game for you guys to enjoy, a game that me and this man talked about making since 1997.
Positive07
Party member
Posts: 1014
Joined: Sun Aug 12, 2012 4:34 pm
Location: Argentina

Re: Best way of serializing data for transmission over network interface

Post by Positive07 »

pgimeno wrote:
I disagree with Positive07. If the server is protected and it has a secure private key, and the clients have its corresponding public key, proper encryption and authentication is granted. Otherwise, a Diffie-Hellman key exchange can help you set up a less secure encryption key, one that is only vulnerable to man-in-the-middle attacks, but not to sniffing or opening up the code.

Edit: I'm talking about the security of your users, not about cheating or crashing the server. The most fundamental and necessary security.

As for Cloudflare, it's not selective enough and "protects" against actual, legitimate users, me being one.

I did say that you can always secure the user data and that is great, but you can't prevent cheating, because the code can be modified and the public key and the algorithm can be used to send malicious input (cheating).

The only real way to protect from this is
zorg wrote:
As for hacked clients sending too many messages or malformed (from the server's perspective, anyway) messages to the server, you could detect those in many ways, check the total length, etc...
Positive07 wrote:
you can even go further and your client could send "Hey player is pressing W so what should I do?" and the server would answer.

I don't think "product registration" will work; I can always simulate that I'm the client, and the program could even be redistributed. The best protection here is LAW: put some licence over your code that would prevent illegal redistribution.

For encryption, try to look at an algorithm that uses a Public Key to encrypt (used by your clients) and a Private Key to decode (which only your server knows); these are the safest since no one has access to your server code but you.

And all these scripts take around the same time for short and long strings, of course to a certain degree, say 512 bytes; if you limit the user name to say 25 characters and the password to another 25 you should be able to do it fast, and if not fast enough, use threads!

About your structure, why not make it so that you ask a login server which has a protected database with users' data, and if login is successful a connection with the game server is made... that is WAAAAY simpler, and fast: servers are not asking each other stuff, and the game server and login server could even run in the same machine so you wouldn't be sending data to the wire (which is slow as distance grows).

If at some point security is a concern (say users start to cheat a lot) you can always update your game and your server to add security; the protocol is the same and the data would be the same so there shouldn't be a problem.

Same with architecture, splitting your server into littler parts is not that hard...

Grow as needed; if you start big, you'll never end. Currently you should assume 1 to 5 users... How big of a server do you need to cover that?

I really doubt that you have 100 users playing a game you haven't even started.

Also for reference there is a game called TrAInsported which did multiplayer really well if you care to investigate. I don't think he used a lot of security actually, since there is almost no reason at all; he doesn't even need to keep track of user data.

Well, as I said, grow little by little; trying to make the safest, biggest server for a multiplayer game is a huge deal, and you are not even sure if you are gonna finish the game, or if the user base would be big enough to cover the work you will need to make, or if people will try to cheat at it!