This document is about: FUSION 2
SWITCH TO
FUSION 1 FUSION 2

Connection Encryption

Overview

Photon Fusion extends the capabilities of Photon Realtime's existing encryption system and includes support for end-to-end connection encryption between Fusion Clients and a Fusion Server. This enhancement is in addition to the already-supported connection encryption between peers and the Photon Cloud.

The Fusion Encryption System handles all the underlying details for the connection handshake in a secure manner, from key creation to key exchange, as well as the actual encryption/decryption of the packets sent over the network. While this incurs minimal processing cost, it ensures that only the intended peers can parse updates within a game session.

The image below illustrates that each Fusion peer can maintain several connection types:

  1. Cloud Connection: This is the connection between the local peer and the Photon Cloud. It is mandatory, primarily used for matchmaking and can serve as a relay if necessary. All GameModes (except Single player) maintain at least this type of connection.
  2. Direct Connection: This connection is established between a Fusion Server and a Fusion Client for direct communication.
Fusion Peers Connections
Fusion Peers Connections

Basic Setup

The Encryption setup is straightforward:

1. Download and Import the Datagram Encryption Native Plugin

Please contact the Photon Support Team to acquire the DatagramEncryption plugin for your platform.
This plugin is not included in the default Fusion package due to its size and rare use, but it is mandatory for the Encryption System to function properly.

Once we provide the plugin, please read the included README file for instructions on how to import it into your project.

2. Photon Cloud Connection Encryption

In order to enable encryption for the connection between the local peer and the Photon Cloud, follow these steps:

  1. Open the PhotonAppSettings asset.
  2. Set Port to 443.
  3. Set the Protocol to UDP.
  4. Set the AuthMode to Auth Once Wss.
  5. Select the Datagram Encryption GCM for the Encryption Mode.

These settings ensure the connection between the local peer and the Photon Cloud is encrypted at the Datagram level.
This covers encryption for the Shared mode.

For further information on Encryption Modes, refer to the Encryption Modes documentation.

Network Project Config - Encryption Enabled
Enable Encryption at the PhotonAppSettings

3. Photon Fusion Direct Connection Encryption

Enable the Fusion Encryption System at the NetworkProjectConfig asset.
This signal that the connection between a Fusion Server and a Fusion Client must be established in an encrypted manner.

This only affects ClientServer Modes (Client, Host, Server, AutoHostOrClient), as in Shared mode, there is only 1 type of connection - between the local peer and the Photon Cloud.

Network Project Config - Encryption Enabled
Enable Encryption at the NetworkProjectConfig

Encryption System Description

The packet encryption system achieves its behavior through the application of the following well-known algorithms with the specified settings:

  • Advanced Encryption Standard (AES) (doc page):
    • Key Size: 256 bits;
    • Mode: CipherMode.CBC (doc page).
  • Message Authentication Code (HMAC):
    • Using the HMACSHA256 function (doc page).

The Data Encryption Process can be described with the following steps:

  1. Encrypt Data:
    1. The entire buffer is encrypted using the above algorithms.
    2. A Hash based on the packet content is generated and appended to the data buffer.
  2. Decrypt Data:
    1. The Hash code is validated; otherwise, the packet is discarded.
    2. The received data buffer is decrypted.
Back to top

Cookies,
anyone?

We use cookies and related technologies to enhance your experience, show you personalised content and analyze performance and traffic on our website. By clicking on the „Accept All“ button you consent to the use of non-functional cookies and the subsequent processing of personal data to optimize our website and services as described in more detail in our Privacy and Cookie Policy.

By clicking on the „Customize or Deny all“ button you can decide otherwise. Clicking on the „Customize“ button will take you to a page where you can configure the usage of non-functional cookies (and related technologies) or deny all of them. You can access these settings at any time and also subsequently deselect cookies at any time in the footer area of our website.

ACCEPT ALL

Cookie Overview

We use the following categories of cookies and related technologies to enhance your experience, show you personalized content, and analyze performance and traffic on our website. We respect your right to privacy and accordingly you can chose to not allow some types of cookies (and related technologies). Click on the different category sliders and change our default settings to manage your cookie settings.

For more information on the specific cookies/related technologies we use and on how we use these, please see section 15 E. of our Privacy and Cookie Policy.

ABSOLUTELY NECESSARY

Authentication cookies we use are required to run our services … Cookies are required: Privacy and Cookie Policy

FUNCTIONAL AND MARKETING COOKIES

These cookies collect anonymous data and allow us to optimize our website and user experience. These cookies are listed here: Privacy and Cookie Policy

ANALYTICS / TAG MANAGER

Help us to understand how visitors interact with our services, enables us to analyze and improve our services (also through third party analytics).