Question Secure connection between client and server using (SecureDriverConstructor)

Discussion in 'NetCode for ECS' started by OrientedPain, Jul 8, 2023.

  1. OrientedPain

    Joined: Mar 26, 2018
    Posts: 37
    Hello Everyone,

    I just want to make sure. I made a secure connection between client and server following your tutorial "Create a secure client and server", and then I separated the GameServerCertificate & GameServerPrivateKey from the client build using an Assembly definition, and everything is working fine, but the ServerCommonName & GameClientCA (Certificate Authority) are on the client build. My question is: is there any problem with leaving ClientCA public on the client build side? Should I be fine?

    If the answer is yes, the connection is secure, does that mean all messages sent and received between client and server are secure and encrypted? I'm trying to build a multiplayer login system using the IRpcCommand interface and take the username and password from the player (client). Are the password and username sent to the server encrypted, or should I encrypt them before sending them to the server? Is IRpcCommand encrypted and authenticated by default?

    Last question: is it a good idea to make a login authentication system using IRpcCommand?

    Thanks in advance.
     
    Last edited: Jul 8, 2023
  2. simon-lemay-unity

    Unity Technologies

    Joined: Jul 19, 2021
    Posts: 359
    Yes this is fine. The only information that truly must be kept secret is the server's private key. Everything else is information that will be available on the client one way or another anyway.

    Once you've set up DTLS at the transport level, all information going through the transport will be encrypted and authenticated. That includes RPCs, so it is safe to send sensitive information with those.

    I'd argue that it is a bad idea to write your own authentication system, whether it's using RPCs or not. I'd recommend using a third-party identity provider (like Google or Facebook) instead, and/or to use a separate service to handle user authentication (big cloud providers usually have something for that in their offerings).

    These providers usually work by having the user authenticate themselves securely through a dedicated login platform that returns an access token. The client then sends this access token to the server (an RPC would be fine for this), which can then verify the validity of the access token (and possibly get information about the user) with the identity provider. This avoids having to send sensitive information like passwords in game traffic, and avoids the need for your server to securely store these credentials.
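
The token flow described in the reply above, as an added example that is not part of the original post and is not Unity or Netcode code: the password is presented only to the identity provider, and the game server receives only an access token that it checks with the provider before binding a user to the connection. The provider is an in-memory stand-in, and `FakeIdentityProvider`, `GameServer`, `on_login_rpc`, `GAME_AUDIENCE` and the sample user are all hypothetical names constructed for the illustration; the RPC over DTLS is modelled as a plain function call.

```python
import secrets
import time

GAME_AUDIENCE = "example-game-server"  # assumed id this game registered with the provider


class FakeIdentityProvider:
    """In-memory stand-in for a third-party identity provider (constructed)."""

    def __init__(self):
        # Constructed sample user; a real provider stores password hashes.
        self._users = {"alice": "correct horse battery staple"}
        self._tokens = {}

    def login(self, username, password, audience, ttl=300, now=None):
        """Dedicated login step: the only place the password is ever presented."""
        now = time.time() if now is None else now
        stored = self._users.get(username)
        if stored is None or not secrets.compare_digest(stored.encode(), password.encode()):
            return None
        token = secrets.token_urlsafe(32)  # opaque, unguessable access token
        self._tokens[token] = {"sub": username, "aud": audience, "exp": now + ttl}
        return token

    def introspect(self, token, now=None):
        """What the game server asks the provider: is this token valid, and for whom?"""
        now = time.time() if now is None else now
        record = self._tokens.get(token)
        if record is None or record["exp"] <= now:
            return {"active": False}
        return {"active": True, **record}


class GameServer:
    def __init__(self, idp):
        self.idp = idp
        self.sessions = {}  # connection id -> authenticated user

    def on_login_rpc(self, connection_id, token, now=None):
        """Handler for the login RPC; its payload is the access token, never a password."""
        info = self.idp.introspect(token, now=now)
        if not info.get("active"):
            return False  # unknown or expired token
        if info.get("aud") != GAME_AUDIENCE:
            return False  # token was issued for a different application
        self.sessions[connection_id] = info["sub"]
        return True
```

The audience check is what stops a token obtained for some other application from being replayed against this game server.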
     
  3. OrientedPain

    Joined: Mar 26, 2018
    Posts: 37
    Thank you so much Simon, I really benefited from the valuable information you provided, especially the last one.