Prevent modified client to connect

Discussion in 'Multiplayer' started by Royall, Apr 1, 2016.

  1. Royall

    Hi there,

    So I was thinking about security..
    My main concern was how you can prevent modified clients from connecting to the server.

    As far as I know it is possible to reverse engineer a Unity game. Or even simpler, just get the server IP and connect with a custom client...

    How can this be prevented? (I'm using HLAPI)

    Also, does anyone know where http://docs.unity3d.com/ScriptReference/Network.InitializeSecurity.html
    is for uNet? Can't find a single thing that improves the security for unet...
     
  2. LeopardX

    What you're looking for is Script CRC Check on the NetworkManager properties. It checks to see if the client scripts match the server scripts and disconnects the client if they don't match. Here's more info.

    You can turn it on and off in the editor.

    http://docs.unity3d.com/ScriptReference/Networking.NetworkCRC.html

    Important stuff, though, you should keep on the server only. Things like player movement, money, health etc. should not be done on the client but on the server, so even if they do modify the data on the client, it has no effect on the server.
     
    Last edited: Apr 2, 2016
  3. Royall

    Interesting, I have missed that one..
    How would this be implemented?

    I guess you call http://docs.unity3d.com/ScriptReference/Networking.NetworkCRC.RegisterBehaviour.html for every script you want to be matched?

    What about error handling? How can I log a mismatch and disconnect the client?

    Thx :)
     
  4. LeopardX

    I haven't played around too much with the scripting part so I'm not sure. I actually have mine disabled since I need people with older clients to be able to connect to newer servers etc.

    I haven't tested it, but the error may be shown for clients on the overrides in the NetworkManager class. If you add your own class inherited from NetworkManager, you can drag that into the scene and it becomes a NetworkManager that you can use to override things in the class, like OnServerError and OnClientError. I assume CRC check fails would show there; then you should be able to manually disconnect the player, since it gives the conn for the connected player for that override.

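    Code (CSharp):
    using UnityEngine.Networking;

    // Custom manager inherited from NetworkManager (the class name is a placeholder)
    public class CustomNetworkManager : NetworkManager
    {
        public override void OnClientError(NetworkConnection conn, int errorCode)
        {
            // find out what errorcode is a CRC check fail
        }

        public override void OnServerError(NetworkConnection conn, int errorCode)
        {
            // conn is the connection the error was raised for
        }
    }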
     
  5. Hayz0rx

    Once you have found out the CRC, you could send it manually. So that is not really a protection.
    Unity made it to guarantee compatibility between scripts.
     
  6. Oshroth

    As Hayz0rx said, NetworkCRC appears to only be used for internal script tracking to make sure clients and server are using the same scripts. You would need to implement your own security to protect your game.
     
  7. Royall

    Is that even possible with HLAPI?
     
  8. Oshroth

    You would have to do the encryption at LLAPI level, which you might be able to accomplish by editing the HLAPI source; otherwise you would need to implement your own network layer on your custom LLAPI code. Network security is way above my abilities so there is not a lot I can do to help you.
     
  9. LeopardX

    Even if you encrypted it, the problem is you're giving away the encryption keys with the client; it would be the same as using CRC. There is no 100% way to protect your game, definitely not a client. The only way to protect data is to have it server only, so that even if it was tampered with on the client, it would make no difference on the server.

    As a side note, I've seen some extremely silly people using encryption in their clients to encrypt things like payments. You should STOP right there: never use any encryption that has the encryption keys in the client. This is 100% NOT SECURE, and you're risking people's money and credit card information if you do, and that's just irresponsible and reckless. If you really want to do payments, use SSL servers with signed certificates, don't DIY it.
     
    lchaia likes this.
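
The advice repeated in this thread, that movement and money should be decided on the server so a tampered client changes nothing, sketched as an added example for a UNet HLAPI player object (not code from any poster in the thread). The class name, the price table, the speed limit and the step cap are assumptions; replicating the accepted position to other clients is left out.

```csharp
using UnityEngine;
using UnityEngine.Networking;

// Added example; class name, prices and limits are assumptions, not from the thread.
public class AuthoritativePlayer : NetworkBehaviour
{
    const float MaxSpeed = 6f;     // assumed top speed, units per second
    const float MaxStep = 0.5f;    // longest interval credited to one move, seconds

    [SyncVar] int money = 100;     // written only on the server, replicated to clients
    float lastMoveTime;            // server clock at the last accepted move

    public override void OnStartServer() { lastMoveTime = Time.time; }

    // Runs on the server. The client names an item; price and balance are server data.
    [Command]
    void CmdBuy(int itemId)
    {
        int price;
        if (!TryGetPrice(itemId, out price) || price > money)
        {
            Debug.LogWarning("Rejected purchase of item " + itemId + " from " + connectionToClient.address);
            return;
        }
        money -= price;
    }

    // Runs on the server. The requested position is checked against the distance
    // the player could have covered since the last accepted move.
    [Command]
    void CmdMove(Vector3 target)
    {
        float dt = Mathf.Min(Time.time - lastMoveTime, MaxStep);
        if (Vector3.Distance(transform.position, target) > MaxSpeed * dt)
        {
            Debug.LogWarning("Rejected move from " + connectionToClient.address);
            return;
        }
        transform.position = target;
        lastMoveTime = Time.time;
    }

    static bool TryGetPrice(int itemId, out int price)
    {
        price = itemId == 1 ? 25 : itemId == 2 ? 80 : 0;   // constructed price table
        return price > 0;
    }
}
```

A modified client can still send any itemId or target it likes; the server state only changes when the request passes these checks.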