Secure Communications

Comments

• ar2rsawseen Maintainer

  May 2013

  I'd say the best way is to hash data already on the client side, or even better encrypt the data on the client side and then decrypt on the server using RSA or something similar

  http://appcodingeasy.com/Gideros-Mobile

  +1 -1Share on Facebook
• Cyberience Member

  May 2013

  unfortunately, what ever you hash, once you transmit it, it can be captured and used to access the server from another source. A Method I can think of is to use the IP within the hash, Send the hash, and at the server, use the connection IP to generate and compare the hash. Both would need the ID, but this is where it gets messy. and possible IP problems when the client is behind a NAT.

  REAL programmers type copy con filename.exe
  ---------------------------------------

  +1 -1Share on Facebook
• jdbc Member

  May 2013 edited May 2013

  What do you use for secure communications with your Server?
  HTTPS should be the way to send login credentials, and then receive a Session to work within.
  Without HTTPS, how do we do this? I can think of various ways, but all have a form of hole in them.
  
  Regards

  I think HTTPS (HTTP + SSL) is not a good option for communication on lua programming because you will need to use a SSL implementation to cipher data between mobile (client) and server. May you can use a Gideros Plugin SSL but it will be really difficult.
  
  Normaly HTTPS is used between a browser and a web server, but a browser uses Diffie-Hoftman protocol for key exchange and create a session previously to send data.
  
  The main problem is how to share a simetric key between client and server in order to sent encrypted data. If you can set this key as a previous one only known by both parties, then you can use a simmetric algorithm (may be as Gideros Plugin C++ or just simply lua implementation) to encrypt data in client and decrypt in server.
  
  I guess symetric algorithms (DES for example) are better and easy than asymetric ones because in the second case you will need two keys (private and public) for both (client and server).
  
  I do not know if there are some DES implementation on lua, but sure it will be really slow.

  JDBC Games on Google Play
  

  +1 -1Share on Facebook
• jdbc Member

  May 2013 edited May 2013

  With a hash you only can verify signature and data integrity but it can not be used to encrypt data.
  
  It depends what you understand by secure and exactly what you need for client and server communication: data integrity, authentication, privacy, ...
  
  I have found this fork of Luacrypto that you can use both digest and encrypt / decrypt though OpenSSL
  
  https://github.com/mkottman/luacrypto
  
  I expect it helps.

  JDBC Games on Google Play
  

  +1 -1Share on Facebook
• Cyberience Member

  May 2013

  Mostly Solved, It was pointed out to me, that https is not working. I missed it in the release notes.
  But this opens up a conundrum, Is there a way to construct the URL to work through a proxy?

  REAL programmers type copy con filename.exe
  ---------------------------------------

  +1 -1Share on Facebook
• jdbc Member

  May 2013 edited May 2013

  Mostly Solved, It was pointed out to me, that https is not working. I missed it in the release notes.
  But this opens up a conundrum, Is there a way to construct the URL to work through a proxy?

  You will need an HTTPS proxy and define mapping URL in the proxy. Have you a server certificate in the server side?
  

  JDBC Games on Google Play
  

  +1 -1Share on Facebook