Photon is able to encrypt messages between client and server, which is a must-have for sending authentication input or other sensitive user data.
On the other hand, encryption causes quite some overhead, so it's used sparingly and not exposed that much in our APIs.
For example: In our default logic, events go to all players of a room, so the content can't be too secret to send openly. So events are not encrypted by default.
Our client SDKs use it only for authentication. As a developer, you can use it per message.
When you use Photon LoadBalancing or PUN, the API will automatically exchange encryption keys between client and server. This is done via Diffie-Hellman key exchange when the client connects.
The 160-bit key is then used for AES encryption on demand.
Once a client is authenticated, the server will issue a Token, an encrypted summary of the client's auth values to be used on other servers. The Token does not need to be read by the client.
If you use Webhooks or WebRPCs, the Photon Server will call those with HTTPS connections. If you use Unity's WebGL export, the client will connect via Secure WebSockets.
Encryption in PUN (Photon Unity Networking)
In PUN, you can call RPCs in a secure way by calling RpcSecure() on some PhotonView.
Encryption of Operations
In all APIs, we have a class called PhotonPeer. It is a lower-level class which offers a method OpCustom(). This is the basis for all operation calls a client makes, and it has a parameter for encryption.
In PUN, the PhotonNetwork.networkingPeer is a PhotonPeer. In LoadBalancing, it's the
OpCustom() with the encrypt-parameter set to true if needed.
Manually Establish Encryption
If you use the LoadBalancing API or PUN, you don't need to do this manually. You only have to establish encryption after connecting if you build your client from scratch.
In the best case, call
OnStatusChanged like this:
The library takes care of sending and handling the required keys. When this finishes, the client library will call OnStatusChanged with either of these codes:
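The following is an added example, not code from the original page: a from-scratch client that requests encryption as soon as it connects and only sends its secret through OpCustom() with the encrypt parameter set to true once the key exchange has succeeded. It assumes the Photon .NET client SDK's PhotonPeer.EstablishEncryption() and the StatusCode values EncryptionEstablished and EncryptionFailedToEstablish; the operation code, parameter key and class name are hypothetical.

```csharp
using System.Collections.Generic;
using ExitGames.Client.Photon;

// Added example (not Photon's own sample code).
public class SecureClient : IPhotonPeerListener
{
    private const byte OpSubmitSecret = 100; // hypothetical custom operation code
    private const byte ParamSecret = 1;      // hypothetical parameter key

    private readonly PhotonPeer peer;
    private readonly string secret;

    public SecureClient(string secret)
    {
        this.secret = secret;
        this.peer = new PhotonPeer(this, ConnectionProtocol.Udp);
    }

    // serverAddress and appName are supplied by the caller (placeholders here).
    public bool Connect(string serverAddress, string appName)
    {
        return this.peer.Connect(serverAddress, appName);
    }

    // Call this regularly (e.g. once per frame) so callbacks are dispatched.
    public void Update() { this.peer.Service(); }

    public void OnStatusChanged(StatusCode statusCode)
    {
        switch (statusCode)
        {
            case StatusCode.Connect:
                // Start the key exchange right after connecting.
                this.peer.EstablishEncryption();
                break;
            case StatusCode.EncryptionEstablished:
                // Keys are in place: send the secret with encrypt = true.
                var parameters = new Dictionary<byte, object> { { ParamSecret, this.secret } };
                this.peer.OpCustom(OpSubmitSecret, parameters, true, 0, true);
                break;
            case StatusCode.EncryptionFailedToEstablish:
                // Fail closed: never fall back to sending the secret unencrypted.
                this.peer.Disconnect();
                break;
        }
    }

    public void OnOperationResponse(OperationResponse operationResponse) { }
    public void OnEvent(EventData eventData) { }
    public void DebugReturn(DebugLevel level, string message) { }
}
```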