Search Unity

Security and Encryption

Discussion in 'Multiplayer' started by LisPrin, Jun 21, 2021.

  1. LisPrin

    LisPrin

    Joined:
    Dec 12, 2018
    Posts:
    2
    Hi everyone,

    I'm a bit confused about the encryption and security of MLAPI.

    On this page (https://docs-multiplayer.unity3d.co...connection-approval/#connection-data-security) it says that under Timeout that "the ConnectionData [is] (encrypted and authenticated by the MLAPI)".

    However, further down, under Connection data security it says "The connection data is not encrypted or authenticated."

    When searching "encrypted" on the https://docs-multiplayer.unity3d.com page it finds multiple results under the Connection data Security heading, the preview shows "will be encrypted AND authenticated. (AES-256 encryption and HMAC...". But when clicking on the link and opening that page I only see the information above saying there is no encryption.

    In the release notes of version v0.1.0 the delted features also include the encryption (https://docs-multiplayer.unity3d.com/releases/multiplayer/mlapi-0-1-0/#removed-features):

    "Encryption has been removed from MLAPI. The Encryption option in NetworkConfig on the NetworkingManager is not available in this release. This change will not block game creation or running. A current replacement for this functionality is not available, and may be developed in future releases. See the following changes:
    • Removed SecuritySendFlags from all APIs.
    • Removed encryption, cryptography, and certificate configurations from APIs including NetworkManager and NetworkConfig.
    • Removed "hail handshake", including NetworkManager implementation and NetworkConstants entries.
    • Modified RpcQueue and RpcBatcher internals to remove encryption and authentication from reading and writing."

    There also is an old post from 2016 in the forum (https://forum.unity.com/threads/creating-secure-cryptographic-handshakes-with-diffie-hellman.694531/) inluding the remark: "MLAPI uses MLAPI.Cryptography for handshakes. Rijndael 256 (AES) for encryption and HMAC SHA256 for authentication."

    So these contradicting informations keep me wondering: Is there encryption in v0.1.0 of MLAPI and if yes: What kind of encryption is used and where is a safe source stating this?
     
    LisPrin, Jun 21, 2021
    #1

  2. luke-unity

    luke-unity

    Joined:
    Sep 30, 2020
    Posts:
    306
    There is no encryption in v0.1.0 of MLAPI anymore. It looks like the API docs are not fully up to date.
     
    luke-unity, Jun 21, 2021
    #2

  3. LisPrin

    LisPrin

    Joined:
    Dec 12, 2018
    Posts:
    2
    Okay that's unfortunate, but thank you for the quick answer!
     
    LisPrin, Jun 21, 2021
    #3

  4. luke-unity

    luke-unity

    Joined:
    Sep 30, 2020
    Posts:
    306
    We are working on providing encryption on our Unity Transport package which will work with MLAPI.
     
    luke-unity, Jun 21, 2021
    #4
    Joe-Censored likes this.