This document is about: FUSION 2

Connection Encryption

Overview

Photon Fusion extends the capabilities of Photon Realtime's existing encryption system and includes support for end-to-end connection encryption between Fusion Clients and a Fusion Server. This enhancement is in addition to the already-supported connection encryption between peers and the Photon Cloud.

The Fusion Encryption System handles all the underlying details for the connection handshake in a secure manner, from key creation to key exchange, as well as the actual encryption/decryption of the packets sent over the network. While this incurs minimal processing cost, it ensures that only the intended peers can parse updates within a game session.

The image below illustrates that each Fusion peer can maintain several connection types:

  1. Cloud Connection: This is the connection between the local peer and the Photon Cloud. It is mandatory; it is primarily used for matchmaking and can serve as a relay if necessary. All GameModes (except Single player) maintain at least this type of connection.
  2. Direct Connection: This connection is established between a Fusion Server and a Fusion Client for direct communication.
[Figure: Fusion Peers Connections]

Basic Setup

The Encryption setup is straightforward and requires only two steps:

1. Photon Cloud Connection Encryption

Select Datagram Encryption GCM as the Encryption Mode in the PhotonAppSettings asset. This choice ensures that the connection between the local peer and the Photon Cloud is encrypted at the Datagram level. This setting specifically covers encryption for the Shared mode.

For further information on Encryption Modes, refer to the Encryption Modes documentation.

[Figure: Enable Encryption at the PhotonAppSettings]

2. Photon Fusion Direct Connection Encryption

Enable the Fusion Encryption System in the NetworkProjectConfig asset. This signals that the connection between a Fusion Server and a Fusion Client must be established in an encrypted manner.

This only affects ClientServer Modes (Client, Host, Server, AutoHostOrClient); in Shared mode there is only one type of connection, between the local peer and the Photon Cloud.

[Figure: Enable Encryption at the NetworkProjectConfig]

Encryption System Description

The packet encryption system is built from the following well-known algorithms, with the specified settings:

  • Advanced Encryption Standard (AES) (doc page):
    • Key Size: 256 bits;
    • Mode: CipherMode.CBC (doc page).
  • Message Authentication Code (HMAC):
    • Using the HMACSHA256 function (doc page).

The Data Encryption Process can be described with the following steps:

  1. Encrypt Data:
    1. The entire buffer is encrypted using the above algorithms.
    2. An HMAC computed over the packet content is generated and appended to the data buffer.
  2. Decrypt Data:
    1. The HMAC is validated first; if it does not match, the packet is discarded without being decrypted.
    2. The received data buffer is decrypted.
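The following C# program is an added illustration of the encrypt-then-MAC scheme described above (AES-256 in CBC mode plus HMACSHA256, with the tag verified before any decryption). It is not Fusion's own code: the page does not specify the exact packet layout, how the IV travels with the packet, or how the session keys are derived, so the layout `IV || ciphertext || HMAC tag`, the use of two independent 32-byte keys (one for AES, one for the HMAC), and the constructed sample payload are assumptions made for this example.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example (not Fusion's implementation): AES-256-CBC + HMAC-SHA256, encrypt-then-MAC.
// Assumed packet layout: [IV (16 bytes)] [ciphertext] [HMAC-SHA256 tag (32 bytes)].
public static class PacketCrypto
{
    const int IvSize = 16;   // AES block size in bytes
    const int TagSize = 32;  // HMAC-SHA256 output size in bytes

    public static byte[] Encrypt(byte[] plaintext, byte[] encKey, byte[] macKey)
    {
        if (encKey.Length != 32) throw new ArgumentException("AES-256 needs a 32-byte key", nameof(encKey));

        // Fresh random IV per packet; reusing an IV under CBC leaks plaintext equality.
        byte[] iv = new byte[IvSize];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(iv);

        byte[] ciphertext;
        using (var aes = Aes.Create())
        {
            aes.KeySize = 256;
            aes.Mode = CipherMode.CBC;
            aes.Padding = PaddingMode.PKCS7;
            using (var enc = aes.CreateEncryptor(encKey, iv))
                ciphertext = enc.TransformFinalBlock(plaintext, 0, plaintext.Length);
        }

        // Assemble IV || ciphertext, then append the HMAC computed over both.
        byte[] packet = new byte[IvSize + ciphertext.Length + TagSize];
        Buffer.BlockCopy(iv, 0, packet, 0, IvSize);
        Buffer.BlockCopy(ciphertext, 0, packet, IvSize, ciphertext.Length);
        using (var hmac = new HMACSHA256(macKey))
        {
            byte[] tag = hmac.ComputeHash(packet, 0, IvSize + ciphertext.Length);
            Buffer.BlockCopy(tag, 0, packet, IvSize + ciphertext.Length, TagSize);
        }
        return packet;
    }

    // Returns null when the tag does not verify, so the caller discards the packet
    // without ever running the block cipher over unauthenticated bytes.
    public static byte[] Decrypt(byte[] packet, byte[] encKey, byte[] macKey)
    {
        if (packet.Length < IvSize + TagSize) return null;
        int bodyLen = packet.Length - TagSize;

        using (var hmac = new HMACSHA256(macKey))
        {
            byte[] expected = hmac.ComputeHash(packet, 0, bodyLen);
            if (!FixedTimeEquals(expected, packet, bodyLen)) return null;
        }

        byte[] iv = new byte[IvSize];
        Buffer.BlockCopy(packet, 0, iv, 0, IvSize);
        using (var aes = Aes.Create())
        {
            aes.KeySize = 256;
            aes.Mode = CipherMode.CBC;
            aes.Padding = PaddingMode.PKCS7;
            using (var dec = aes.CreateDecryptor(encKey, iv))
                return dec.TransformFinalBlock(packet, IvSize, bodyLen - IvSize);
        }
    }

    // Constant-time comparison so tag checking does not leak timing information.
    static bool FixedTimeEquals(byte[] a, byte[] b, int bOffset)
    {
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[bOffset + i];
        return diff == 0;
    }

    public static void Main()
    {
        // Constructed session keys; a real system derives these from the key exchange.
        byte[] encKey = new byte[32], macKey = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) { rng.GetBytes(encKey); rng.GetBytes(macKey); }

        byte[] packet = Encrypt(Encoding.UTF8.GetBytes("tick 42: player pos (1,2,3)"), encKey, macKey);
        byte[] ok = Decrypt(packet, encKey, macKey);
        Console.WriteLine(ok != null ? Encoding.UTF8.GetString(ok) : "discarded");

        // Flip one ciphertext bit: the HMAC check fails and the packet is discarded before decryption.
        packet[IvSize] ^= 0x01;
        Console.WriteLine(Decrypt(packet, encKey, macKey) == null ? "tampered packet discarded" : "BUG");
    }
}
```

Two design points the snippet makes explicit: the MAC covers the IV as well as the ciphertext, so an attacker cannot alter the first plaintext block by tampering with the IV, and the tag is checked in constant time before `CreateDecryptor` is ever called, which is what keeps padding and timing behaviour of the decryption step from becoming an oracle.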