保护 UDP 连接 [英] Securing a UDP connection

问题描述

对于个人 MMO 游戏项目，我正在 Java 中实现一个基于 UDP 的自制可靠协议.鉴于我目前的设置，我相信窥探者劫持会话相对简单，因此为了防止这种情况发生，我借此机会学习了一些密码学.非常有趣.

For a personal MMO game project I am implementing a homebrew reliable UDP-based protocol in java. Given my current setup I beleive it would be relatively simple for a snooper to hijack a session, so in order to prevent this I am taking the opportunity to learn a little cryptology. Its very interesting.

我可以使用 Diffie-Hellman 密钥交换在客户端和服务器之间成功创建共享密钥(一个非常聪明的概念)，但是现在我需要用这个来保证数据包的真实性.到目前为止，我的初步测试表明，我尝试过的两种不同的密码稍微增加了数据量，但我希望尽可能小而快.

I can successfully create a shared secret key between the client and server using a Diffie-Hellman key exchange (a very clever concept), but now I need to use this to guarantee the authenticity of the packets. My preliminary testing so far has shown that the couple of different ciphers Ive tried bloat the amount of data a bit, but I would like to keep things as small and fast as possible.

鉴于我只是想对数据包进行身份验证，而不是完全隐藏整个有效负载，我的想法是可以将密钥生成的 8 字节会话 ID 放入数据包标头中，对整个数据包进行加密，然后将其散列回 8 个字节.我取出未加密的数据包，将 8 字节的哈希值放入会话 ID 的位置，然后将其发送出去.

Given that I am only trying to authenticate the packet and not nessecarily conceal the entire payload, I have the idea that I could put an 8 byte session ID generated from the secret key into the packet header, encrypt the whole packet, and hash it back down to 8 bytes. I take the unencrypted packet and put the 8 byte hash into the place of the session ID and then send it off.

这样安全吗?加密整个数据包只是为了发送未加密的数据感觉有点不雅 - 有没有更好/更快的方法来实现我的目标?请注意，我想自己做这件事，因为它有很好的经验，所以我对 3rd 方库或其他协议选项不太感兴趣.

Would this be secure? It feels a little inelegant to encrypt the whole packet only to send it unencrypted - is there a better/faster way to achieve my goal? Please note I would like to do this myself since its good experience so Im not so interested in 3rd party libraries or other protocol options.

推荐答案

如果两个对等方都可以访问共享机密(他们应该这样做，因为您在谈论 Diffie-Helman)，您可以简单地存储数据报在其报头中.接收方检查是否匹配.

If both peers have access to a shared secret (which they should, since you're talking about Diffie-Helman), you could simply store a hash of the datagram in its header. The receiver checks to see if it matches.

作为附加的安全措施，您还可以添加挑战"字段添加到您的数据报中，并在散列过程中的某处使用它以防止重放.

As an added security measure, you could also add a "challenge" field to your datagram and use it somewhere in the hashing process to prevent replays.

所以这个哈希应该涵盖:

So this hash should cover:

• 共享秘密
• 挑战
• 数据报的内容

挑战"是一个严格递增的数字.您将它添加到您的数据报中只是为了在每次发送新消息时更改散列.如果有人截获了一条消息，它就不能重新发送它:接收者确保它不接受它.

The "challenge" is a strictly incrementing number. You add it to your datagram simply to change the hash every time you send a new message. If someone intercepts a message, it cannot resend it: the receiver makes sure it doesn't accept it.

这篇关于保护 UDP 连接的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！