I know I cant prevent people from reverse-engineering my protocol but I'd like to take a security-through-obscurity approach to make it as hard as possible.
I have a server/client system that communicates through the network with http
style packets.
Example:
Header
Attribute: Value
Attribute2: Other Value
Payload
I would like to make it as hard as possible for anything other than my client to access the network. Pushing problems with them decompiling my assemblies aside - what would be some good things I could do to this network spec that would make it VERY DIFFICULT to understand and make another implementation without the source?
I was thinking some kind of strange hashing approach or some kind of encryption algorithm that would be difficult.
EDIT I'm not trying to protect my assemblies or source-code. I'm trying to prevent someone from, for example, watching my protocol with WireShark or similar and then making their own implementation based on that information.
All right, three cases:
Users can't access server code and can't access client code: Easiest way is to use a pregenerated shared secret stored in the binary, and aes encrypt/decrypt.
Users can access client or server code but not both: Use a public/private key method. You can encrypt using the public key but the private one is needed to decrypt.
Users can access both client and server code: You're screwed.
If you want to improve security, this static key should only be used during session initiation, to generate a new shared secret, which is then used for communication.
Edit: actually, a more easy and safe solution is to use ssl and certificates (it's a mantra that you shouldn't implement your own encryption) Each certificate comes with a secret private key. As long as users don't have access to that you're safe if you verify that the peer has the exact correct certificate.
For having reversed a few network protocols (from MMOs), I can tell you that you will never protect your protocol for very long, I'm sorry.
The best you can do is:
But these are just ways to slow down attackers. It's certainly not going to stop them.
There are three solutions:
1 and 2 already work.
I am also in the process of writing a network protocol in C#. I have made use of encryption to secure the protocol. Here is the outlay of how I did it, you might find this useful.
Regarding "I was thinking some kind of strange hashing approach", hashing is usually only used for data verification. ie to ensure it was not modified en-route to you.
Hope this helps.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.