network encryption

Started by October 28, 2005 10:53 PM
9 comments, last by _winterdyne_ 19 years, 3 months ago
Anyone point me in the best location for this? I've done TCP/UDP sockets on single/multithreaded environments, FTP programs, chat programs, yada yada yada. My main concern is security, packet sniffing etc. and what are decent methods of combatting it. If anyone can post just information or some links with reading material, as well as recommend books if you feel they will be useful for several years =P. Thanks in advance, Geoff
IPSec was/is popular, but is enabled on the OS level I believe. There was a fundamental security crack scare a few months ago, but I didn't follow up on it. It wasn't good for publicity, that's for sure.

You could perform your own presentation layer encryption using a public-key system like AES or whatnot. Even DES is enough to keep most prying eyes away, although this falls under the dreaded "security through obscurity" category.
Well okay, I'm just going to throw this out but I could be wrong.

Data you are going to send
Encrypt the data
send it
receive it
decrypt it
use data

... My issue is as far as encryption keys, I'm assuming dynamic is the key, maybe my solution to my problem is just seeking out some good protocol standards? .... I'm just worried about someone making like a client hack or simulating data sent to the server to do something that shouldn't be possible. I guess another idea is to put enough checks in from your other code, like if they were at y and moving to x and b was the largest they could travel, it would be y+b as the max distance, but for instance they tried to move y+c and c is 4b. Obviously that's not possible and would be a good sign that they are doing something quite wrong. Is that the right track? .... =/
You should definitely consider putting in constraint evaluations, such as distance checking, not only to block malicious data but to block unintentional bugs in the client/server.

That seems to be independent of encryption in my opinion.

Your steps to encrypt/transfer/decrypt look logical.

Look into SSL and other similar technologies for a good way to perform dynamic encryption handshaking (you are on the right track).

SSL Tutorial
Yeah, that's basically what I'm looking at. I mean I want to be able to develop network code to 1 put checks in, after a certain limit flag that user for breaking x number of checks, or start logging packets after x number of checks failed. Then it comes down to handshaking, which SSL does have a solution to. My main concern is not getting sync like a flow between the packets but making the data as secure as possible, so I'm trying to find as much info/input on the subject that I can to "absorb" =P. SSL is interesting though, 2 separate keys, one client/one server.
It sounds like you could try using RSA for the client public key / server private key step, then AES for the rest. There's no guarantee how long they will be adequate for, but it will be for a while, and they can be incredibly strong.

I haven't worked with AES, but I do have an RSA implementation in C++ at Cwiki.org

This would be a fun project to do. Good luck. :)
Also look into Diffie Hellman key exchange and TEA. Both have available source online and are fairly simple algorithms to implement if you have a large integer math class.
Winterdyne Solutions Ltd is recruiting - this thread for details!
Here's a good online resource written by the moderator of this forum; http://www.mindcontrol.org/~hplus/authentication.html
Quote:
Also look into Diffie Hellman key exchange and TEA.


I'd agree.

Also, thanks to fenghus for linking my article.

The most important thing to realize is that encryption will only give you security against an un-involved third party in the middle (and, in the case of Diffie-Hellman, maybe not even that unless you use public certificates as well). If a determined attacker has access to the client code, he can disassemble that to get the data before it's been encrypted, and use that to reverse-engineer the protocol and cryptography. There is no defense against that attack, other than designing the game such that it doesn't matter if the client is compromised, and/or have a very proactive stance to detecting and removing hackers.
enum Bool { True, False, FileNotFound };
You're definitely better off using OpenSSL for this. It'll be much more secure than anything you could ever design yourself. I also recommend taking a look at the SILC source code -> http://www.silcnet.org/ .

Also if you're determined to implement your own protocol I recommend The handbook of Applied Cryptography by Bruce Schneier.

http://www.amazon.com/gp/product/0471117099/002-2340780-6690441?v=glance&n=283155&v=glance
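
The distance check and the "flag after x failed checks" idea discussed earlier in this thread, written out as an added C++ example that is not part of any poster's message. The class name, thresholds and sample moves are constructed assumptions; one call to `check` is assumed to correspond to one server update.

```cpp
#include <cmath>
#include <cstdio>

struct Vec2 { double x, y; };

enum class Verdict { Accept, Reject, RejectAndLog, Flagged };

// Server-side check: the server keeps the authoritative position and only
// adopts a client-reported position if it is reachable in one update.
class MoveValidator {
public:
    // maxStep is "b" from the thread; logAfter/flagAfter are the "x" counts.
    MoveValidator(double maxStep, int logAfter, int flagAfter)
        : maxStep_(maxStep), logAfter_(logAfter), flagAfter_(flagAfter) {}

    Verdict check(Vec2 claimed) {
        double dx = claimed.x - pos_.x, dy = claimed.y - pos_.y;
        double dist = std::sqrt(dx * dx + dy * dy);
        // Fail closed: NaN or infinite coordinates never pass the check.
        if (std::isfinite(dist) && dist <= maxStep_) {
            pos_ = claimed;
            return Verdict::Accept;
        }
        ++violations_;  // rejected moves leave pos_ unchanged
        if (violations_ >= flagAfter_) return Verdict::Flagged;
        if (violations_ >= logAfter_) return Verdict::RejectAndLog;
        return Verdict::Reject;
    }
    Vec2 position() const { return pos_; }
    int violations() const { return violations_; }

private:
    double maxStep_;
    int logAfter_, flagAfter_;
    Vec2 pos_{0.0, 0.0};
    int violations_ = 0;
};

int main() {
    MoveValidator v(5.0, 2, 3);  // constructed limits: b = 5, log at 2, flag at 3
    // Constructed client reports: one legal step, then jumps of 4b and more.
    Vec2 reports[] = {{3.0, 4.0}, {23.0, 4.0}, {3.0, 30.0}, {NAN, 0.0}};
    for (Vec2 r : reports) {
        int verdict = static_cast<int>(v.check(r));
        std::printf("(%g, %g) -> verdict %d, violations %d\n",
                    r.x, r.y, verdict, v.violations());
    }
    return 0;
}
```

The check runs on whatever the server decodes after decryption, so it applies equally to a modified client that speaks the encrypted protocol correctly.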

This topic is closed to new replies.