Security Overview
To prevent the Developer API Key from being exposed during transmission over the network, it is important to implement a dedicated backend service for your game. Your game backend service will handle the security mechanisms, including receiving the encrypted API Key from the client and verifying the integrity of the payload to detect any tampering during the request process.
Overview
In this integration, asymmetric encryption is used to securely transmit sensitive data, such as the developer's API key, between the game client (Unity SDK) and the game server (Developer Game Services).
Asymmetric encryption involves two keys: a public key (which can be shared freely) and a private key (which is kept secret). The workflow also incorporates HMAC (Hash-based Message Authentication Code) to ensure the integrity and authenticity of the transmitted data.
Simple Scenario for 3rd Party Game Developers
Example Scenario for 3rd Party Developers: When developers integrate the Leaderboard Unity SDK with the game server, they will need to:
- Contact Myria Admin to obtain your Developer API Key, which is required to access the Myria leaderboard services.
- Obtain the public key from your dedicated backend services.
- Use the public key to encrypt the Developer API key.
- Securely send the game data and API key using HMAC to ensure the integrity of the request.
- The server will decrypt the API key and validate the request using the HMAC and private key before forwarding any data to the Myria Leaderboard Service.
Detailed Workflow:
Flow Diagram:
1. Encryption of the Developer API Key (Unity SDK)
To securely transmit the Developer API Key, you need to provide the Public RSA Key generated on your dedicated server. This key pair can either be generated using the Myria Game Service Template for encryption or by incorporating an encryption module into your existing game service.
The Leaderboard Unity SDK will encrypt the Developer API Key using the Public RSA Key, which is stored in the Unity Config Resources. You can generate this key from the server and add it to the Inspector in Unity.
The Public Key is safe to share and is used only for encryption; only the server, which holds the Private Key, can decrypt the encrypted data.
2. Sending Encrypted API Key to the Server (Unity SDK → Developer Game Services)
The encrypted API key is sent to the Developer Game Services (game server) in the request header encrypted-api-key.
In parallel, the Leaderboard Unity SDK keeps the public key for further communications.
Security Measure: Since only the server holds the private key, the encrypted API key is protected from unauthorized decryption even if it is intercepted during transmission.
3. Decryption of API Key (Developer Game Services)
Upon receiving the encrypted API key, the Developer Game Services decrypts it using the corresponding Private RSA key.
The decrypted API key is now available on the server side for internal processing and verification.
4. Message Authentication (HMAC Verification)
Along with the encrypted API key, the Leaderboard Unity SDK sends the game data, secured with HMAC.
HMAC ensures the integrity and authenticity of the data by hashing it with a secret key. This message authentication is applied to the PostScore method. For more details, refer to the Game Service Templates.
The Developer Game Services re-generates the HMAC for the received data and compares it to the HMAC sent by the Unity SDK.
If the HMAC matches, the data is verified as authentic and unaltered. If the HMAC does not match, it indicates that the data might have been tampered with, and the request is rejected with an error.
While encryption secures the data, HMAC ensures that the data hasn't been modified in transit and that it comes from a trusted source.
5. Request Forwarding to Myria Leaderboard Backend
If the API key is valid and the HMAC verification succeeds, the Developer Game Services sends a direct request to the Myria Leaderboard Backend (BE) to update or fetch leaderboard data and execute the respective operations, such as posting scores.
The server, after successful authentication, handles further communication with the leaderboard service, ensuring only validated requests reach the backend services.
6. Error Handling
If any part of the process fails (e.g., API key decryption or HMAC verification), the Developer Game Services rejects the request and responds with an error to the Unity SDK.
To prevent invalid or tampered requests from affecting the backend services, this step ensures robust validation and early rejection of problematic data.
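The server-side checks from steps 3, 4 and 6, together with the client-side steps they verify, as an added example in Node.js; it is not code from the Myria Game Service Template. The RSA-OAEP/SHA-256 padding, the separate shared HMAC secret, the `x-hmac` header name and all function names are assumptions; only the `encrypted-api-key` header comes from the text above.

```javascript
// Added example, not Myria's template code. Assumptions: RSA-OAEP with SHA-256,
// HMAC-SHA256 keyed with a separate shared secret, a hypothetical "x-hmac" header.
const crypto = require("node:crypto");

const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: "sha256" };
// Server generates the pair once; only publicKey is copied into the Unity config.
const { publicKey, privateKey } = crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
const HMAC_SECRET = "constructed-hmac-secret"; // constructed sample value

function hmacHex(body) {
  return crypto.createHmac("sha256", HMAC_SECRET).update(body).digest("hex");
}

// Client side (steps 1, 2, 4), written in JS here so the round trip runs in one file.
function buildRequest(apiKey, payload) {
  const body = JSON.stringify(payload);
  const enc = crypto.publicEncrypt({ key: publicKey, ...OAEP }, Buffer.from(apiKey, "utf8"));
  return {
    headers: { "encrypted-api-key": enc.toString("base64"), "x-hmac": hmacHex(body) },
    body,
  };
}

// Server side (steps 3, 4, 6): decrypt the key, verify the HMAC, reject early.
function verifyRequest(req) {
  let apiKey;
  try {
    const blob = Buffer.from(String(req.headers["encrypted-api-key"] || ""), "base64");
    apiKey = crypto.privateDecrypt({ key: privateKey, ...OAEP }, blob).toString("utf8");
  } catch {
    return { ok: false, error: "api key decryption failed" };
  }
  const expected = Buffer.from(hmacHex(req.body), "hex");
  const received = Buffer.from(String(req.headers["x-hmac"] || ""), "hex");
  // timingSafeEqual throws on unequal lengths, so compare lengths first.
  if (received.length !== expected.length || !crypto.timingSafeEqual(received, expected)) {
    return { ok: false, error: "hmac mismatch" };
  }
  // Parse only after the raw body has been authenticated.
  return { ok: true, apiKey, payload: JSON.parse(req.body) };
}
```

In a deployed service the private key and HMAC secret would be loaded from server-side secret storage rather than generated or hard-coded at startup.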
Asymmetric Encryption Summary
- Enhanced Security: This encryption method ensures that sensitive information (like the Developer API Key) can be securely transmitted over potentially untrusted channels, securing the data between the Unity game client and the game server.
- Data Integrity with HMAC: The use of HMAC protects the integrity of the transmitted data, ensuring that no one can alter the message without being detected.
- Clear Responsibility: With public and private keys, the responsibility of data encryption lies with the client (Unity SDK), while the server (Developer Game Services) holds the responsibility of decrypting and verifying the data.
By following this workflow, developers can ensure that their requests to the leaderboard services are secure, authenticated, and resistant to tampering.