I recently developed an online multiplayer game and it's working fine. There's a central server handling TCP connections with clients, and they both receive and send data.
Is there a way to verify that the data sent hasn't been modified before the receiver reads it?
Does a TCP connection handle it in some way? If not what is the best way (not asking for code) to implement it?
By now I came up with those ideas:
Modify the data sent adding some sort of verify-value, such the packet length.
When a packet is received, ask the server to send it again and verify if they are equal.
I searched for a common used solution but couldn't find much.
Encryption should be my last option.
Edit
For a simple way to achieve this:
MD5
Wikipedia
Example
SHA1
Wikipedia
Example
SSL
Wikipedia
Example
Agreed with Bart, you may want to look at using a Hash method for data verification.
Related
I have been searching the web and here on how to create an encrypted chat server/client. And I think I got pretty confused now.
Firstly, I created a chat server/client from the free example Knock Knock Server from the Java Examples. So far, everything is working nicely, until I want to encrypt both server and clients.
Secondly, where do I start the encryption first? From the server then to the client? Am I suppose to use that Java Tool to create an encryption file for the server and share it with the clients?
Lastly, I am so confused after looking at so many tutorials on encryption, I don't know what is best for my situation. Can anyone help direct me to the correct tutorial website? Thanks a lot.
P.S. I do not know what kind of encryption tag I am suppose to use. Please edit that for me. Thank you.
I suggest you read about Transport Layer Security (TLS); It is probably the simplest reasonable approach to security and has been widely adopted (e.g. https and ftps).
In a sentence, it works by establishing a "secure channel" for your existing protocol to communicate over.
i don't think you need encryption and another tools. just use jsr-356 for websocket based chatting and ssl for securing your content.
I've have an application which send request to server side. my concern is that, a hacker could snoop traffic and resend the request after doing some modification in request itself.
I know the best way to solve this problem is to use SSL, but I think that will be an over killer for simple application like my application, I'm thinking to go with simple thing like MD5 algorithm.
This way if hacker tried to modify the request and resent it, at least I will discover that.
my question is that:
do you think this a good a approach, or you think there is a better way?
does the MD5 that is generated on iOS using objective C, will have the same value that is generated in Linux server using Java?
Traditionally you would need to make a hash from your payload + timestamp + secret token. Since only client and server know the token, you should be able to verify the hash correctly. And don't forget to include the timestamp in the transmission!
You may also want to encrypt the whole thing before sending - if the information is sensitive (like passwords, etc).
I believe MD5 will match if made on different systems (if done correctly).
I am making app, which would send value to php script. Then php script would conncect to Mysql database and return JSON array. And then the app would read it. How to ensure safety? For now I am not using any safety measures.
It depends, this is such a huge topic that a true answer would take a books worth of material.
What 'safety measures' are you asking about?
If you're talking about involving a web server, then you first need to secure your web server and build an API that is smart enough to protect against most common methods of attack. You need to make sure that other people - just by entering something in URL - cannot do the same thing your intended user can do. This means that you need to validate the user before giving them access to API.
Most common method of doing this is sharing a 'secret key' that only the server and client knows. So your user, with a phone, has a specific key and server has a key. Now user sends data to the server and also sends a validation hash (like sha1(KEY+DATA)). Server then receives data and makes sure that the hash is the same. Never send the key itself together with the request.
Another thing you need to test for are replay attacks. If someone listens in on the communication, then you have to limit the damage. This is usually done by you also sending a timestamp with the request and the server checking if the timestamp is within accepted range, so if someone sends that same request again later, it would fail due to timestamp being different. Server checks for this since timestamp is also taken into account for input data validation.
Then you have to make sure that the data returned from server is correct. So server will ALSO build a validation hash that your phone will check, making sure that someone didn't change the data while it was sent back to your phone.
As an added layer, you can also encrypt data that is sent (and received from API) with a heavy cryptography algorithm like AES/Rijndael 256bit encryption. This will encrypt data with a key that is required to open the data. If phone and server know the key and no one else does, then data can be sent securely.
Then the connection should be HTTPS/SSL, which helps protect communication from being listened in. But this does not help if someone already has access to your phone, so it is recommended to use the other mentioned methods as well.
As for your phone, it is pretty secure by itself as long as you don't have apps installed on it that might compromise that security. Also, if you think you can secure your web server less, thinking that since only phones communicate with it that it is safe, then a hacker can easily listen in on communication on their own phone and figure out the basics of your web service API and then open all the doors. So make sure your security layers go from biggest to smallest: web server is by far the biggest entity in your system.
As you can see, this is a MASSIVE topic that can take a long time to learn. But without knowing what exactly you were asking about, I cannot really help you any further.
I need to pass commands and data between a PHP CodeIgniter based server and a Java Client. I was thinking of using very simple encryption to encrypt / decrypt the messages. I have run into a lot of issues trying to do very basic crypto on the Java side.
Either I would like some help with the Java side of the Crypto, or a different idea to secure communication between the Client and Server.
The data is not sensitive and can be sent in the clear, as long as I can ensure it is coming from the correct source. I was thinking of using the basic encryption as an authentication measure that would not be circumvented by a replay attack. But I could be going about this all wrong.
Any help or comments are appreciated.
There is no method of guaranteeing that the data your server is received comes from a legitimate version of your Java app. If you're using any form of encryption, the key must be stored somewhere in your application bytecode. Also, it is not very difficult to hack the client-side application and let it send invalid data.
The correct approach is to keep in mind, on the server side, that your data might not be coming from the correct source and therefore you'll have to validate all data in order to make sure nothing illegal is being done.
If you just want to guarantee that legitimate users using your client application can be certain that they are communicating with your server, you can use HTTPS or some other method using asymmetric encryption.
I am writing a web service that handles financial data which needs to be protected. Currently, I am developing and debugging the service but start to think of the production environment.
It is possible to log the sent payload --- the financial data --- for debugging purposes. This is the only way for me to see whats going on as a developer. The log information is written to a log file with java.util.logging.
Do you have an idea how I could encrypt the log file? Or do you have any suggestions how to make this secure?
I think rather than encrypting the entire file you could just encrypt the sensitive data, while keeping the other logging information intact. In this case you may need to create decrypting program as well.
Or better if possible when logging the data just mask it (like credit card numbers are masked using X character) so that it will be impossible to decrypt but the developer will be able to have an idea about what happened there. As per S.L. Barth's answer you could use built in encryption to do the encrypting.
Java has built-in encryption facilities; the javax.crypto packages.
However, you probably don't want the logfiles themselves encrypted, you only want them to be encrypted when you send them over the net.
In which case, you should look for software for securely sending information; for example, a VPN.
EDIT: your problem is actually addressed in the Java tutorials.
From the looks of it, though, their example is vulnerable to a Man-In-The-Middle attack, as it does not seem to verify the origin of the sender like SSL/TLS does. So, I would recommend a VPN or other piece of third party software for secure transmission.