Hi, everyone who knows crypto!

I'd like to code a networked videogame, and I want it to be at least somewhat secure. Don't know anything about encryption or authentication though, any recommendations for learning resources?

@Wolf480pl @neon I mean for me your use case sounds like you just want to wrap all traffic in TLS.

@Michcioperz @Wolf480pl Can you auth specific users over many sessions with TLS?

@neon @Wolf480pl From what I understand TLS is just a method of encrypting all traffic in one given session. Then you'd do authentication within the encrypted traffic somehow.

@Michcioperz @Wolf480pl Oh yeah fair point. Still spooked about missing critical stuff, people are always so angry about bad security :nopefelix:

@neon @Wolf480pl I believe people are angry about using crypto systems that aren't mathematically proven secure or own not-tested-enough implementations of good crypto systems on production

Assuming your game has a centralized server:
If TLS works for you that'd be the best (because it's widely used & tested). For server auth, server certificates are the obvious way. For user authentication, you can either use client certificates, or some password or challenge-response auth inside the TLS connection.

When could TLS not work for you:
- you don't really need encryption, only auth, and encryption is too slow
- you don't use TCP / stream-oriented connection


@Michcioperz @neon if you could provide more details I'd be able to give you more advice.

@Wolf480pl @Michcioperz Authentication is probably the most important thing, I'm thinking about making a kind-of peer-to-peer game. It's like an RPG but you can "merge" worlds with other players, and I'd like to be able to make that communication secure in the sense that chats are secure. E2E I guess? I'd imagine this is crypto-wise very very similar to a chat program.

@neon @Michcioperz ok, so if it's P2P, passwords are no-go. You need every user to have a public/private keypair (like in client certs, Signal, OMEMO, or bitcoin). For chat, it depends if it's synchronous (both ppl online at the same time) or async (I'll send you a message & go offline, you reply some time later). If sync, you could just use TLS. Otherwise, sth like Axolotl/OMEMO if you need forward secrecy, or hybrid encryption (like OpenPGP) if you don't.

Eh, long talk, got XMPP or IRC?
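
An added example, not part of the thread or any poster's code: the keypair-per-player, challenge-response login suggested above, sketched in Go with standard-library Ed25519 and meant to run inside an already-established TLS connection. The label `example-game/peer-auth/v1`, the `known` map of pinned keys and all function names are assumptions made for this illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Domain-separation label (constructed for this example) so a signature made
// here can never be reused as some other kind of signed message.
const authContext = "example-game/peer-auth/v1"

// NewChallenge returns a fresh 32-byte random nonce; the verifier sends one per connection.
func NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// Respond is run by the peer proving its identity: it signs label || challenge.
func Respond(priv ed25519.PrivateKey, challenge []byte) []byte {
	return ed25519.Sign(priv, append([]byte(authContext), challenge...))
}

// Verify checks the response against the public key pinned for that player name.
func Verify(known map[string]ed25519.PublicKey, name string, challenge, sig []byte) error {
	pub, ok := known[name]
	if !ok {
		return errors.New("unknown player")
	}
	if len(challenge) != 32 || !ed25519.Verify(pub, append([]byte(authContext), challenge...), sig) {
		return errors.New("bad signature")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	known := map[string]ed25519.PublicKey{"alice": pub} // constructed sample: key pinned on first contact
	ch, _ := NewChallenge()
	fmt.Println("fresh challenge:", Verify(known, "alice", ch, Respond(priv, ch)))
	other, _ := NewChallenge()
	fmt.Println("replayed response:", Verify(known, "alice", other, Respond(priv, ch)))
}
```

Because the same public key is checked on every connection, a player keeps one identity across sessions without any password. The signature here covers only the nonce; also signing a value derived from the TLS session (Go exposes `ConnectionState.ExportKeyingMaterial`) ties the proof to that specific connection.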

@Wolf480pl @Michcioperz I'll do synchronous, because of how I've thought about "merging" the player saves, and the players only need to see others' changes when they're actively connected.

I don't have XMPP or IRC actively in use nowadays, just Matrix ( If you'd like, I could come on XMPP some time though.

@neon @Michcioperz as for world merging, is it permanent, or do the worlds unmerge when the players disconnect?

@Wolf480pl @Michcioperz Probably yeah. Still very much in the idea phase though, it'd be interesting if they would stay merged. Certainly would have to have an undo button in that case. :thinkingfelix:

@neon @Michcioperz maybe sth like git with signed tags for the world storage?

@Wolf480pl @Michcioperz Yeah I thought about Git, but decided it would make saves way too huge. Some very-disk-space-conservative VCS would be pretty good though, since I don't really need the full history, just a diff to the starting point.

@neon's personal instance.