Combu  3.2.2
Unity API Documentation
Server-Client Security

Let's take a look at how security is implemented in Combu.

RSA + AES keys handshaking

What happens when the Unity client starts:

  1. CombuManager calls a web service to initialize the connection to the server (remember that we say "connection", but HTTP is an asynchronous protocol, so there is no real-time synchronized connection as there could be with TCP)
  2. the server generates private and public RSA keys on the fly for the incoming connection and returns the public key to the client
  3. the client then generates AES keys and sends them back to the server, encrypted with the RSA public key it received
  4. now both the server and the client have the same AES keys, which can be used to encrypt/decrypt the content of every web service call, and the client is ready to work

We added this double layer of security instead of using RSA alone because RSA encryption/decryption requires more resources (and therefore more time) than AES. It also effectively adds more security, and it is a standard way of handling such situations.
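The four steps above, followed by one encrypted payload, as an added Node.js example (not Combu's own code). The page does not state Combu's parameters, so RSA-2048 with OAEP, AES-256-GCM, the message layout and all function names here are assumptions.

```javascript
// Added example: the handshake steps, with both sides in one process.
// Assumptions (not taken from Combu): RSA-2048 with OAEP-SHA256, AES-256-GCM,
// the base64(nonce || tag || ciphertext) layout, and every name below.
const crypto = require('crypto');
const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Step 2 (server): per-connection RSA key pair; only the public key is returned.
function serverNewConnection() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  return { privateKey, publicPem: publicKey.export({ type: 'spki', format: 'pem' }) };
}

// Step 3 (client): random AES key, wrapped with the server's RSA public key.
function clientWrapKey(publicPem) {
  const aesKey = crypto.randomBytes(32);
  const wrapped = crypto.publicEncrypt({ key: publicPem, ...OAEP }, aesKey);
  return { aesKey, wrapped: wrapped.toString('base64') };
}

// Step 4 (server): unwrap with the private key; both sides now hold the same key.
function serverUnwrapKey(privateKey, wrappedB64) {
  return crypto.privateDecrypt({ key: privateKey, ...OAEP }, Buffer.from(wrappedB64, 'base64'));
}

// Payload encryption with a fresh 12-byte nonce for every message.
function seal(aesKey, plaintext) {
  const nonce = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', aesKey, nonce);
  const ct = Buffer.concat([c.update(plaintext, 'utf8'), c.final()]);
  return Buffer.concat([nonce, c.getAuthTag(), ct]).toString('base64');
}

// Payload decryption; final() throws if the nonce, tag or ciphertext was modified.
function unseal(aesKey, b64) {
  const buf = Buffer.from(b64, 'base64');
  const d = crypto.createDecipheriv('aes-256-gcm', aesKey, buf.subarray(0, 12));
  d.setAuthTag(buf.subarray(12, 28));
  return Buffer.concat([d.update(buf.subarray(28)), d.final()]).toString('utf8');
}

// Full flow: handshake, then one client request decrypted by the server.
function runHandshake(message) {
  const server = serverNewConnection();
  const client = clientWrapKey(server.publicPem);
  const serverKey = serverUnwrapKey(server.privateKey, client.wrapped);
  const data = seal(client.aesKey, message); // value the client would send as "data"
  return { keysMatch: serverKey.equals(client.aesKey), serverKey, data, received: unseal(serverKey, data) };
}
```

As described in the steps above, nothing in the handshake authenticates the public key the client receives in step 2, so serving the handshake over HTTPS is what protects it from an active man-in-the-middle.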

Data encryption

Every call to the web services after initialization is sent to the server encrypted with the AES keys. Here is an example of a request:

http://yourserver/your_combu_path/server.php?token=Q0ItNThhNmQzNjVlMzlkYTguMTIzNTgxNDc%3d&data=2h9Ta4X9Rfdt2HhfqyMdMutsNAWjE%2fsglMh1JBUhS3vnSDO3KqJ7zxZo1icXQ%2fNxHvbbC1lc%2fHsvWsWjxJ4Csg%3d%3d

The server response is also encrypted with the same keys if RESPONSE_ENCRYPTED is defined and set to TRUE in config.php:

{"t":"2017-04-18 20:32:09","d":"vWH4DEOwj+GI34QOgHzuYWR\/e8rqqlG7hOZxW5nQYzPG6Cv4aQ6BNY4L4T5LruFZALLWgk6lvkMC5gIy2K9dCBlLq1R0QI6mQEFvxNmip28zjOT4eytTAU="}