Hello
Have any one tried encrypting & decrypting the strings. Something like DES algorithm ?
Can any one suggest, which is the best algorithm we can use for encrypting & decrypting the strings ?
Thanks
1 Like
why would you like to encript the strings?
it makes sense to use a hash algorithm to store them to prevent allocing too much memory.
but if you want to hide the strings from “normal” people just do a simple xor or rot13. Do something super fast.
no matter what algorithm you choose, people will be able to look at your strings if they spend some time. So just choose the fastest algorithm.
1 Like
You can use xxtea. It is not a strong algorithm but it is fast.
Cocos2d-x already include that library
@ricardo, encryption is always needed for saving data. If it is easy to modify the data, either the ranking system are occupied by cheaters, or people will lose interest on the game easily.
Where I have encrypted stuff I don’t want users to hack I have rolled my own encryption.
For example - the key in my pList for the force to allow the player to jump is “HumptyDumpty” (I’ve changed it now in case someone reads this!)
I put in some unused entries too (“FoxNews”, “BobAndCarol”) just to make it harder.
With the values for these keys I use real simple stuff - but not necessarily the same for each row (using the key as, well, a decryption key, for example)
As Riq says - something fast over something really uncrackable.
There are loads of examples out there with source for doing serious encryption though, if that’s what you need (e.g. if your app stores personal data)
Thanks for all the replies.
We are trying to send some data to server (in the form of json string). We would like to encrypt it & send to server & server can decrypt it (Just the extra security measure). In the past people were trying to break the API and posting the dummy values to leaderboard (Especially from Android App). We would like to avoid this.
Thanks.
This is meaningless. The memory of a mobile device is not encrypted itself and the strings have to be decrypted anyway at some point in time, so the will be stored in memory. An attacker could always hook system/game libraries to patch your code or perform a ramdump.
You can find speed comparisons of various algorithms here:
http://www.cryptopp.com/benchmarks.html
Well, encryption is not really needed(except for transferring the data to the server), but signing. Always use a public key algorithm like RSA for that.
E.g. you sign your config files with your private key and the game can check the signature with the public key. As an attacker needs the private key for re-signing(which only you have), he cannot change parameters like explosion radius, damage and hit points and what not.
The only possibility is, that he patches the game and kills the signature check.
And here lies the problem with encryption on a client, an attacker has access to. You need to store the encryption key somewhere. As soon as you do that on the client, your security is mostly gone. Always use a hash of a password you never stored anywhere as the encryption key, but this is not convenient for a game, as the player always has to input that password.
Encryption patterns can be relative easily be spotted in code with modern debuggers and disassemblers. To make that harder for an attacker, you would need to dig into ASM, where you can employ self modifying code and change jump offsets and what not. But that is pretty overkill for some mobile game.
Don’t use if hashIsOkay do this else do that, when using encryption and there outcomes. Always use the outcome as an input for your other functions. E.g. use the check/hash outcome as a base parameter for your hitpoints. This way you can make invincible enemies and make the game unplayable, if someone messed with your config files or hashing/encryption.
Rolling your own encryption is always a bad idea. Doing cryptography right, is a hard thing to do. Neither it is industry proven, analyzed, attacked and reflected on by hundreds of thousands of people. Unlike the industry standards like AES or RSA.
It’s not about cracking the encryption algorithm, but about patching your game code and making ram dumps.
You don’t need to crack the algorithm, but just alter the logic or find your encryption key in memory.
As already mentioned by @winipcfg, you can use XXTEA for the encryption of your data, or just rely on https.
You can only make it reliable with implementing your own game server.
Get a session UID from your server, which is used as a key for hashing/encryption. This will prevent an attacker from intercepting your data in a MiM scenario and performing a replay attack
Use encryption(https) or encrypt the data itself for transferring it to your game server.
You need statistical analysis of the transferred data, to check if that data was from a real game play or a fake/cheated one.
E.g. Is it possible to reach X points in Y seconds? Is it possible to kill an enemy in X seconds with Y bullets and so on.
For this, you can implement a Bayesian network(same as used for spam filters) and feed your game sessions into it. The more you train it with your sessions, the better is the outcome.
E,g, X points reached in Y seconds -> Bayesian network -> probability the game is valid. You also have to tune it. E.g. probabilities over 75% are a valid game. After X play sessions, increase that amount to make it more reliable.
E.g. Titanfall is using such algorithms through the middleware called FairFight http://gameblocks.com/
In the end, it just depends on how reliable you want to make your game. Such technology may be feasible for AAA games, but maybe are to ambitious for mobile games and not worth the time and money.
With that kind of attitude, there would be no development in cryptography 
It depends why you are doing it. As the OP says now, this is for transferring data to the network and not for local data.
When it is local data for a game, I’m concerned about people grabbing iFunBox and modifying a pList file in a text editor in order to alter the game. with a key vale pair of “HighScore”, “999,999” that’s easy for the most casual player to hack. with a key value pair of “LargeJugs”, “FhyXXA” it is an order of magnitude more difficult for the casual player.
for the determined hacker who is willing to spend the time doing memory dumps to get keys, using a well known encryption library is actually making his life easier - as he only needs to find the method call and the key being passed; using one’s own encryption demands he disassemble the encoding code in order to determine what value to hack into the pList - which is harder to do than finding the key thrown at a publicly available API
which is why I simply aim to put off the casual hacker, rather than be an impregnable fortress!
On the contrary. With that attitude, there would be no bad development in cryptography. In case you are some mathematical/cryptographical genius, I will take it back 
Not really, as the crypto keys would also be stored in memory. No matter for which situation you are using crypto, the keys will be stored in memory.
LargeJugs? About what game are we talking here?
The keys to encrypt your value to FhyXXA are stored in memory, so an attacker can just encrypt the value he wants.
If you sign your pList file he can change the values to his liking, but without success, as the signature check would fail.
Always make sanity checks on the server. So you don’t need to encrypt such things.
Of course you are correct, as we are just addressing the “novice hacker”, but the OP was not clear about the hackers, he wants to challenge.
He still only has to trace the function calls of reading the pList and the memory location. No need to trace some crypto API.
Regardless of using a crypto API or your own crypto code, the decrypted content is stored in memory.
No need to disassemble the encoding code either, as he just patches out the crypto usage. After that, the pList values can even be clear text.
Of course we are talking about Skiddies here, not about attackers that want to break into your game by all means.
Thanks for all the replies.
We finally decided to implement Encryption algorithm for JSON data+ Score logic sync with server & client + https for server communication.
are there any examples on how to use XXTEA algorithm which is already included in cocos2dx ?
Just use those two crypto functions:
unsigned char *xxtea_encrypt(unsigned char *data, xxtea_long data_len, unsigned char *key, xxtea_long key_len, xxtea_long *ret_length);
unsigned char *xxtea_decrypt(unsigned char *data, xxtea_long data_len, unsigned char *key, xxtea_long key_len, xxtea_long *ret_length);Yes i tried those. I am not sure how to use those functions (i am not that good in c++)
This is what i did (May be silly !)
xxtea_long length = 5;
xxtea_long *retLength;
unsigned char * encryptedData = xxtea_encrypt(“Hello”,length, “key”,length,retLength);
However there is error like no matching function to call
Any syntax problem ?
Thanks
"Hello" and "key" are constant char pointers, but you need unsigned const * aka a char array.
A char array has an implicit char pointer.
Also you have to set the data length, key length, init retLenth and give the function it’s address,
xxtea_long retLength = 0;
unsigned char data[] = "hello";
xxtea_long dataLength = sizeof(data);
unsigned char key[] = "key";
xxtea_long keyLength = sizeof(key);
unsigned char *encryptedData = xxtea_encrypt(data, dataLength, key, keyLength, &retLength);
CCLOG("encrypted data: %s", encryptedData);
unsigned char *decryptedData = xxtea_decrypt(encryptedData, retLength, key, keyLength, &retLength);
CCLOG("decryped data: %s", decryptedData);
Gives:
encrypted data: ?GU????0)
decryped data: helloAES-128 is pretty sure and fairly high performance. You won’t want to use it to encrypt your saved game files, but for strings it is plenty. There are several C implementations. Botan is the one I use:
http://botan.randombit.net/download.html
Code to encrypt a string with Botan
As with any encryption question it is a balance of requirements and CPU cost.
I use this research as a baseline for my CPU cost calculations.
http://panthema.net/2008/0714-cryptography-speedtest-comparison/
Benchmarks and links you should consider as well:
http://www.cryptopp.com/benchmarks.html
http://cr.yp.to/streamciphers/why.html
Tl:dr: > I’ve commented only on software speeds on a large CPU, but Salsa20 is also better than AES on small CPUs, on FPGAs, and in dedicated circuits.
Botan looks nice but I afraid it takes quite a time to implement it. For instance, we need different build version of botan based on difference OS device.
http://botan.randombit.net/manual/building.html
After build script is completed, you will find a set of c++ files which takes quite a time to understand.
Why would he not want to use AES-128 for saved games files? Speed? Security?
Regarding security:
And for new applications I suggest that people don’t use AES-256. AES-128 provides more than enough security margin for the forseeable future. But if you’re already using AES-256, there’s no reason to change.
https://www.schneier.com/blog/archives/2009/07/another_new_aes.html
What do you mean by that? You are generating the botan library to use in your app/game.
But always ask yourself: Do I really need it?
Using a bloated lib with features you will never need, is just a waste of time and resources. Just use the things you really need. All algorithms come in fast platform independent C/C++ implementations, which take very few lines of code and resources. E.g. XXTEA and SALSA20 are implemented in about 20 and 200LoC, compared to the 500LoC of AES.
You don’t even need Salsa20(which is by the way similar to XXTAE) or even AES, just go with XXTAE. It’s simple, fast and secure for what you want to use it.
I don’t think you are creating a high security app here, which has to withstand all kinds of cyber terrorists.
Thanks for the all replies & Suggestions
If anyone is looking on how to convert string to unsigned char data[] here it is.
std::string testStr = "Test String !";
unsigned char data[testStr.length()];
strcpy( (char*) data, testStr.c_str() );
strcpy is a very bad thing, as it’s insecure. Always use the secure version strncpy!
Why are you converting a C string to a C string?
unsigned char *data = testStr.c_str(); is all you need.