SECURITY AND ENCRYPTION

When transferring sensitive data between clients and servers, encryption is needed to ensure the integrity and safety of the communication. uLink offers a robust and flexible encryption solution that covers many different security scenarios. The solution is based on the popular and strong RSA and AES cryptography algorithms. Encryption can be enabled and disabled on-the-fly during a running game. uLink lets you specify encryption on a server-wide basis and on a per-user basis. A general overview of RSA and AES can be found here:
http://en.wikipedia.org/wiki/RSA
http://en.wikipedia.org/wiki/Advanced_Encryption_Standard When encryption is turned on for one player it is still possible to configure uLink to send RPCs and statesyncs without encryption. This gives the game developer lots of control over when and how encryption should be applied in the game. Since encryption will increase the load on the server it is important to be able to use it only when absolutely needed. By using uLink it is possible to develop games that only encrypt sensitive data like passwords, credit card information, microtransaction orders, and in-game item tradinging orders. The rest of the game's network traffic can be unencrypted to minimize the load on the server. uLink's encryption API can also verify the authenticity of the server before connecting to it.

Turning server-wide security on

To enable encryption for the entire server, use the following method. If includeCurrentPlayers is true, all clients that are currently connected will switch to an encrypted session. This is done asynchronously, so a void uLink_OnSecurityInitialized(uLink.NetworkPlayer player) message is sent for each player once the encryption setup is finished. If includeCurrentPlayers is false, only new clients will be affected.

Turning server-wide security off

To turn off server-wide encryption, invoke the following method on the server. If includeCurrentPlayers is true, all clients that are currently connected will switch to an non-encrypted session. This is done asynchronously, and a uLink_OnSecurityUninitialized(uLink.NetworkPlayer player) message is sent for each player once the encryption un-initialization is finished. If includeCurrentPlayers is false, only new clients will be affected.

Excluding messages from server-wide security

When using server-wide security, all traffic between clients and servers will be encrypted. This can potentially be a big performance issue. Often, there is traffic that you don't necessarily need to encrypt. In uLink, it's easy to exclude such messages from encryption. First of all, you can disable encryption on a uLinkNetWorkView component. This is done by setting the securable property to None in the editor's inspector view. All traffic from this uLinkNetWorkView (statesync and RPCs) will then always be non-encrypted. If you need even more fine-grained control, you can set this value to OnlyRPCs or OnlyStateSynchronization. The default value is Both, meaning that all network traffic from this network view can be encrypted. When sending RPCs you can also ensure that the message won't be encrypted by setting the Unencrypted NetworkFlag.

Turning per-user security on

It is often not required to encrypt all traffic between the clients and the server. Instead you might want to enable encryption for a single client that is about to perform a sensitive operation such as purchasing an item, or providing a password. This can be accomplished by invoking the following method on the server side. Once the encryption setup is finished, a uLink_OnSecurityInitialized(uLink.NetworkPlayer player) message is sent to your scripts on both the server and client side. Make sure you implement these callback functions, so that the session is secured before proceeding with communicating sensitive data.

Turning per-user security off

To disable encryption for a player, use the following function. When the user's session is back to non-encrypted mode, a uLink_OnSecurityUninitialized(uLink.NetworkPlayer player) message is sent to your scripts on both the server and client side.

Specifying an RSA key-pair for verification

When using uLink security out-of-the-box, uLink will generate a random RSA key-pair for you. This enables the traffic between the server and the clients to be encrypted. But if you use a random key, the client cannot verify that it is actually communicating with a trusted server as the client does not know the public key at connection time. To enable such verification and to ensure that the first connection request including the player's username and password are sent encrypted, you need to specifiy a specific RSA key-pair that the uLink client should use. Specifiying the private key on the server is done by assigning the uLink.Network.privateKey property to a unique key like this: Remember to generate your own key-pair and don't use these! You can easily generate an RSA key-pair in the Unity Editor, through the tool located at uLink/Generate Authentication Keys... in the top menu. Make sure that you set the uLink.Network.privateKey on the server before you call uLink.Network.InitializeSecurity() and uLink.Network.InitializeServer(). The client should have no knowledge of the private key. On the client side you should assign the uLink.Network.publicKey property, as follows. Remember that the public key must be set before the client calls uLink.Network.Connect(). You can generate an RSA key-pair by using the uLink tool located in the top menu at uLink/Generate Authentication Keys..., or by printing the return value of one of the following methods. See the Editor Integration manual chapter for more information about the key-pair generation tool. To learn more about RSA key-pairs, see (MSDN) http://msdn.microsoft.com/en-us/library/system.security.cryptography.rsacryptoserviceprovider.aspx.