Quick Links: Download Gideros Studio | Gideros Documentation | Gideros Development Center | Gideros community chat | DONATE
Secure Communications — Gideros Forum

Secure Communications

CyberienceCyberience Member
edited May 2013 in General questions
What do you use for secure communications with your Server?
HTTPS should be the way to send login credentials, and then receive a Session to work within.
Without HTTPS, how do we do this? I can think of various ways, but all have a form of hole in them.

Regards
REAL programmers type copy con filename.exe
---------------------------------------

Comments

  • ar2rsawseenar2rsawseen Maintainer
    I'd say the best way is to hash data already on the client side, or even better encrypt the data on the client side and then decrypt on the server using RSA or something similar
  • unfortunately, what ever you hash, once you transmit it, it can be captured and used to access the server from another source. A Method I can think of is to use the IP within the hash, Send the hash, and at the server, use the connection IP to generate and compare the hash. Both would need the ID, but this is where it gets messy. and possible IP problems when the client is behind a NAT.
    REAL programmers type copy con filename.exe
    ---------------------------------------
  • jdbcjdbc Member
    edited May 2013
    What do you use for secure communications with your Server?
    HTTPS should be the way to send login credentials, and then receive a Session to work within.
    Without HTTPS, how do we do this? I can think of various ways, but all have a form of hole in them.

    Regards
    I think HTTPS (HTTP + SSL) is not a good option for communication on lua programming because you will need to use a SSL implementation to cipher data between mobile (client) and server. May you can use a Gideros Plugin SSL but it will be really difficult.

    Normaly HTTPS is used between a browser and a web server, but a browser uses Diffie-Hoftman protocol for key exchange and create a session previously to send data.

    The main problem is how to share a simetric key between client and server in order to sent encrypted data. If you can set this key as a previous one only known by both parties, then you can use a simmetric algorithm (may be as Gideros Plugin C++ or just simply lua implementation) to encrypt data in client and decrypt in server.

    I guess symetric algorithms (DES for example) are better and easy than asymetric ones because in the second case you will need two keys (private and public) for both (client and server).

    I do not know if there are some DES implementation on lua, but sure it will be really slow.
  • jdbcjdbc Member
    edited May 2013
    With a hash you only can verify signature and data integrity but it can not be used to encrypt data.

    It depends what you understand by secure and exactly what you need for client and server communication: data integrity, authentication, privacy, ...

    I have found this fork of Luacrypto that you can use both digest and encrypt / decrypt though OpenSSL

    https://github.com/mkottman/luacrypto

    I expect it helps.
  • Mostly Solved, It was pointed out to me, that https is not working. I missed it in the release notes.
    But this opens up a conundrum, Is there a way to construct the URL to work through a proxy?
    REAL programmers type copy con filename.exe
    ---------------------------------------
  • jdbcjdbc Member
    edited May 2013
    Mostly Solved, It was pointed out to me, that https is not working. I missed it in the release notes.
    But this opens up a conundrum, Is there a way to construct the URL to work through a proxy?
    You will need an HTTPS proxy and define mapping URL in the proxy. Have you a server certificate in the server side?
Sign In or Register to comment.