
GMS 2 Network Security?

Discussion in 'Programming' started by Famine, May 16, 2018.

  1. Famine (Guest)

    Hello!

    I posted this earlier this week and went back on the thread, so I'm back again for help from the community. I'm currently developing a multiplayer game with a UDP server in Python. My issue is that I want to secure the communication between the game client in GMS 2 and my server in Python. There do not seem to be sufficient security measures with the networking library provided with the game engine. I was hoping someone could point me in the right direction if such functionality does exist in any form.

    Security Goals

    I was hoping to find a better way of securing user authentication, reducing the ability to spoof the client or server, and reducing or removing the ability to do replays.

    Security Concerns

    The networking features with GameMaker don't seem to have a way to secure the connection between the client and the server. This means when data is written to a packet and sent from the client to the server, it's not being sent through a secure channel. The most you can do here is encrypt the buffer with a symmetric key (single key) and hope the key does not get compromised, or just hash the data in the hope that, again, it does not get compromised as well with man-in-the-middle attacks.

    This has a big impact on user credentials and other methods of ensuring the packets being sent are truly from the client. For example, sending an encrypted nonce (HMAC) to ensure all future UDP packets are from the approved client can also be sniffed and potentially compromised as well.

    Other Solutions

    I think, as there is likely no option here with the engine itself, making a login client / login handler is going to be the best option. That way the login client can be programmed in another language that does support better security and have that client load the game once authentication has completed.

    Thanks for the help!
     
    Last edited by a moderator: May 16, 2018
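
An added example, not part of the original post: one way the Python server could authenticate each UDP datagram and reject replays, assuming a fresh per-session key has already been handed to the client over a secure login channel (the login-handler idea in the post). The packet layout and the names `seal` and `Session` are hypothetical, and this gives authentication only, not confidentiality.

```python
import hashlib, hmac, os, struct

HEADER = struct.Struct("!IQ")   # session id (uint32), sequence number (uint64)
TAG_LEN = 16                    # HMAC-SHA256 truncated to 128 bits
WINDOW = 64                     # how far behind the newest packet we still accept

def seal(key, session_id, seq, payload):
    """Sender side: header + payload + tag; the tag covers the header too."""
    header = HEADER.pack(session_id, seq)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()[:TAG_LEN]
    return header + payload + tag

class Session:
    """Server-side state for one logged-in client (hypothetical helper)."""
    def __init__(self, session_id, key):
        self.session_id, self.key = session_id, key
        self.highest = 0    # highest sequence number accepted so far
        self.seen = 0       # bitmap: bit i set => (highest - i) already accepted

    def open(self, datagram):
        """Return the payload, or None if forged, replayed or too old."""
        if len(datagram) < HEADER.size + TAG_LEN:
            return None
        signed, tag = datagram[:-TAG_LEN], datagram[-TAG_LEN:]
        expected = hmac.new(self.key, signed, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return None                      # wrong key or modified in transit
        session_id, seq = HEADER.unpack_from(signed)
        if session_id != self.session_id or not self._fresh(seq):
            return None
        return signed[HEADER.size:]

    def _fresh(self, seq):
        """Sliding-window replay check; only reached after the tag verified."""
        if seq > self.highest:
            shift = seq - self.highest
            mask = (1 << WINDOW) - 1
            self.seen = 1 if shift >= WINDOW else ((self.seen << shift) | 1) & mask
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= WINDOW or (self.seen >> offset) & 1:
            return False                     # too old, or already accepted once
        self.seen |= 1 << offset
        return True

if __name__ == "__main__":
    key = os.urandom(32)                     # constructed sample key
    server = Session(7, key)
    packet = seal(key, 7, 1, b"move:10,4")   # constructed sample payload
    print(server.open(packet), server.open(packet))
```

Sequence numbers start at 1 and increase per datagram; using a separate key for server-to-client traffic keeps a captured client packet from being reflected back as a server packet.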
