Communication Security
|
|
Krista Chaffe
Registered User
Join date: 16 Jun 2007
Posts: 96
|
12-22-2007 09:47
How secure is only listening to a specific UUID.
It sounds like it should be very secure, given that the data isn't important just acting on it is as it a control system.
|
|
Osgeld Barmy
Registered User
Join date: 22 Mar 2005
Posts: 3,336
|
12-22-2007 15:30
should be fine as long as the data isnt whats needed to be protected
|
|
Krista Chaffe
Registered User
Join date: 16 Jun 2007
Posts: 96
|
12-23-2007 20:54
Exactly.
In that case I'd be looking at md5 encrypted with a string of random keys to rotate though unless there is a better way ?
|
|
Void Singer
Int vSelf = Sing(void);
Join date: 24 Sep 2005
Posts: 6,973
|
12-23-2007 21:08
if the object only listens to a specific uuid, it's secure from replay and spoofing, if however the info being transfered is sensitive (CC numbers, personal info, uuids of objects that DON'T filter, texture uuids, etc) then you might want to keep going and add encrytion... otherwise the filtered listen provides all the Authentication you need
_____________________
| | . "Cat-Like Typing Detected" | . This post may contain errors in logic, spelling, and | . grammar known to the SL populace to cause confusion | | - Please Use PHP tags when posting scripts/code, Thanks. | - Can't See PHP or URL Tags Correctly? Check Out This Link... | - 
|
|
Krista Chaffe
Registered User
Join date: 16 Jun 2007
Posts: 96
|
12-24-2007 08:47
Right now the UUID listen is sufficient.
Is md5 encryption the prefered method for more sensitive data ?
|
|
Talarus Luan
Ancient Archaean Dragon
Join date: 18 Mar 2006
Posts: 4,831
|
12-24-2007 10:13
MD5 is not for encryption, just for authentication.
It can "guarantee" that the info came from a genuine/valid source, but does nothing to obscure the data itself. For that, you will have to use a different algorithm, like XTEA.
However, in most cases, authentication is all you need, as the info rarely is important by itself to obscure.
|
|
Gordon Wendt
404 - User not found
Join date: 10 May 2006
Posts: 1,024
|
12-24-2007 13:02
If your only listening to one UUID though then securing the information shouldn't be at issue since only you, LL, the people who run the pipes your data is running through, your ISP, and your neighbor who's leeching off your open wifi connection (theoretically) could possibly get that information in the clear.
_____________________
Twitter: http://www.twitter.com/GWendt Plurk: http://www.plurk.com/GordonWendt GW Designs: XStreetSL
|
|
Kidd Krasner
Registered User
Join date: 1 Jan 2007
Posts: 1,938
|
12-24-2007 14:23
From: Void Singer if the object only listens to a specific uuid, it's secure from replay and spoofing, I'm not so sure about that. Assuming we're talking about listening to a specific object (as opposed to a specific av), the circustances and permissions on the object may matter. If the permissions aren't correct, then the owner of the object could drop in an additional script. Since the object's uuid would be the same, the listener could not determine which script within the object sent a message by only looking at the uuid. Obviously, this depends upon how it's been used. If it's just to control multiple objects with the same owner, then this isn't an issue. But if the listener is a central controller for some sort of game, then not only don't you want players to spoof messages from other players, you also don't want players to spoof messages from themselves.
|
|
Krista Chaffe
Registered User
Join date: 16 Jun 2007
Posts: 96
|
12-25-2007 12:27
Thats a very good point, I hadn't thought of that.
Now in my case it isn't an issue as the owner is configuring multiple remote units.
But I think the added thought is a very useful idea to put on the msg board.
|
|
Void Singer
Int vSelf = Sing(void);
Join date: 24 Sep 2005
Posts: 6,973
|
12-25-2007 12:58
From: Kidd Krasner I'm not so sure about that.
Assuming we're talking about listening to a specific object (as opposed to a specific av), the circustances and permissions on the object may matter. If the permissions aren't correct, then the owner of the object could drop in an additional script. Since the object's uuid would be the same, the listener could not determine which script within the object sent a message by only looking at the uuid.
Obviously, this depends upon how it's been used. If it's just to control multiple objects with the same owner, then this isn't an issue. But if the listener is a central controller for some sort of game, then not only don't you want players to spoof messages from other players, you also don't want players to spoof messages from themselves. good point, I left a bad assumption in there, that being the communication was between two objects under the OP's direct control (such as a server/vendor setup). although replay would be limited/complexrequiring both a script to engage the replay in the object, and a script in another object to listen for the data to send, which it would pass back to the spoofing script. still a very real consideration, and one that's often overlooked in link message communications (i've used something similar to test link messages sent and recieved by other peoles scripts) @Gordan: assuming says and listens, any information passed is able to be interceted, rather trivially, but if it's not sensitive it's not a big deal if you can authenticate the sender (as via uuid). sensitive info (things that can be repurposed texture uuids, CC #'s) obviously shouldn't be sent this way
_____________________
| | . "Cat-Like Typing Detected" | . This post may contain errors in logic, spelling, and | . grammar known to the SL populace to cause confusion | | - Please Use PHP tags when posting scripts/code, Thanks. | - Can't See PHP or URL Tags Correctly? Check Out This Link... | - 
|
|
Alicia Sautereau
if (!social) hide;
Join date: 20 Feb 2007
Posts: 3,125
|
12-25-2007 15:46
just my 2 cents IF anyone would want to know what your prims are saying, they can create a script that listens on all channels (wouldn`t be nice in performance tho) so i`d recommend to encrypt some if not all data if it`s sensative prepare for the worst and hope for the best 
|