Crypto encoding in GDscript

:information_source: Attention Topic was automatically imported from the old Question2Answer platform.
:bust_in_silhouette: Asked By dkenshu

The Crypto object provides access to keys; however there is no way to use them to encrypt/decrypt arbitrary content, such as a message body independent of the transport protocol.

I want to encrypt/decrypt my payloads so that the TLS transport handshake is not necessary.

Is a plugin necessary?

If I use a plugin, how then does it get distributed with the final game? For example, a Python plugin. Doesn’t the plugin need to run on the target system? Which means phones are a potential problem?

How strong does the encrytion has to be?

klaas | 2020-07-21 19:27

Strong enough to deter all but the most determined attacker.

In my architecture, each player (ostensibly on phone) connects to a central matchmaker server, which then relays gameplay packets to each player, eliminating the NAT problem. However, that also means a malicious actor could play man-in-the-middle if that actor can read the gameplay packets.

I am also thinking about using an auth token.

dkenshu | 2020-07-22 12:24

But how important is the data. How valuable is the transfered data?

If money or sensible data is submitted you definitly need a strong AES encryption library.
But if only minor relevant(players postion, score etc) data is submitted i would suggest a simpler approach would do it.

Have a look here:
GitHub - wwwtyro/cryptico: An easy-to-use encryption system utilizing RSA and AES for javascript.
This does de/encryption with public/private keys and supports signing

This seems to be reasonable save for non sensible data. RSA is vulnurable to attacks but with a correct implementation it isnt simple to break.

The javascript implementation could be converted to gd with some effort.

klaas | 2020-07-22 16:13

The data is not that sensitive. I think I’ve got a good-enough solution using GD in the works (a combination of time, random number, base64 and a secret procedure).

The idea of calling out to some other external utility (Auth0 for example) to get an encrypted token for auth is intriguing; I had not thought of that.

Thanks!

dkenshu | 2020-07-22 18:50