Introduction

There are different kinds of hacking in the mobile game industry. Players might modify client data before it is sent to the server, or spy on the data coming back from the server. The most common way to prevent this kind of hack is to encrypt and sign your messages before sending them out.

The main difference between “signing a message” and “encrypting a message” is that signing makes sure the message comes from the right source and has not been modified, whereas encrypting makes sure the message can ONLY be read by authorised parties.

In this post, we will focus on the signing part.

Public Key and Private Key

I assume you have a basic understanding of encryption. In case you are not familiar with encryption keys, we go through them quickly here:

Usage

Content encrypted with the public key can only be decrypted with its private key.

Content encrypted with the private key can only be decrypted with its public key.

Public Key

For public use: you can upload it to the web, or send it along with your message.

Mainly used for encryption and for verifying a signature.

Private Key

Should be kept secret; better to protect it with a password.

Mainly used for decryption and for signing a message.

About Signing a Message

Why we need to sign a message

To prevent data modification by a third party in the middle of the transfer

To make sure the message comes from the right source

How it works

1. Signing the Message

ServerA calculates a hash of messageM (the message you want to send)

ServerA encrypts the hash using its private key (this is signing the message)

2. Send out the message and the hash

ServerA sends messageM and the encryptedHash to ClientB (messageM does not need to be encrypted; just the original message)

3. Open the Signed Message

ClientB decrypts the encryptedHash using the public key from ServerA

ClientB calculates the hash of messageM and compares it with the decrypted hash. If the two hashes are the same, messageM is valid and was not modified by a third party in the middle of the transfer.
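The three steps above, as an added example that is not part of the original post: it uses Go's standard-library RSA (PKCS#1 v1.5 signatures over a SHA-256 digest) for the "encrypt the hash with the private key" step, generates a throwaway key pair for the demo, and shows that a modified messageM no longer verifies. Function names, the JSON payload and the key size are assumptions.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// SignMessage is ServerA's side of step 1: hash messageM with SHA-256 and
// sign the digest with the private key (RSA PKCS#1 v1.5 signature).
func SignMessage(priv *rsa.PrivateKey, messageM []byte) ([]byte, error) {
	digest := sha256.Sum256(messageM)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// VerifyMessage is ClientB's side of step 3: recompute the hash of the
// received messageM and check it against the signature using ServerA's
// public key. Any change to the message or the signature makes this false.
func VerifyMessage(pub *rsa.PublicKey, messageM, signature []byte) bool {
	digest := sha256.Sum256(messageM)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], signature) == nil
}

func main() {
	// Constructed sample key pair for the demo. A real server loads its
	// private key from protected storage and ships only the public key
	// to the client (for example bundled inside the game build).
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	messageM := []byte(`{"player":"p1","score":1200}`) // constructed payload

	signature, err := SignMessage(priv, messageM)
	if err != nil {
		panic(err)
	}
	// Step 2: messageM and signature travel together, messageM in the clear.
	fmt.Println("original message valid:", VerifyMessage(&priv.PublicKey, messageM, signature))

	// A modified message (e.g. an inflated score) no longer matches the signature.
	tampered := []byte(`{"player":"p1","score":999999}`)
	fmt.Println("tampered message valid:", VerifyMessage(&priv.PublicKey, tampered, signature))
}
```

The public key must reach the client over a path the attacker cannot swap out (bundled with the app, not downloaded from the same untrusted channel), otherwise the check proves nothing.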

Show me the code

Core Code

Config File

Encryption Service

Conclusion

In this post, we only talked about how to make sure the message comes from the right source, but the message can still be read in the middle of the transfer. If we want to make sure the message can only be read by authorised parties, we will need to encrypt the message too.