This document is about: FUSION 2
SWITCH TO

Connection Encryption

Overview

Photon Fusion extends the capabilities of Photon Realtime's existing encryption system and includes support for end-to-end connection encryption between Fusion Clients and a Fusion Server. This enhancement is in addition to the already-supported connection encryption between peers and the Photon Cloud.

The Fusion Encryption System handles all the underlying details for the connection handshake in a secure manner, from key creation to key exchange, as well as the actual encryption/decryption of the packets sent over the network. While this incurs minimal processing cost, it ensures that only the intended peers can parse updates within a game session.

The image below illustrates that each Fusion peer can maintain several connection types:

  1. Cloud Connection: This is the connection between the local peer and the Photon Cloud. It is mandatory, primarily used for matchmaking and can serve as a relay if necessary. All GameModes (except Single player) maintain at least this type of connection.
  2. Direct Connection: This connection is established between a Fusion Server and a Fusion Client for direct communication.
Fusion Peers Connections
Fusion Peers Connections

Basic Setup

The Encryption setup is straightforward:

1. Download and Import the Datagram Encryption Native Plugin

Please contact the Photon Support Team to acquire the DatagramEncryption plugin for your platform.
This plugin is not included in the default Fusion package due to its size and rare use, but it is mandatory for the Encryption System to function properly.

Once we provide the plugin, please read the included README file for instructions on how to import it into your project.

2. Photon Cloud Connection Encryption

In order to enable encryption for the connection between the local peer and the Photon Cloud, follow these steps:

  1. Open the PhotonAppSettings asset.
  2. Set Port to 443.
  3. Set the Protocol to UDP.
  4. Set the AuthMode to Auth Once Wss.
  5. Select the Datagram Encryption GCM for the Encryption Mode.

These settings ensure the connection between the local peer and the Photon Cloud is encrypted at the Datagram level.
This covers encryption for the Shared mode.

For further information on Encryption Modes, refer to the Encryption Modes documentation.

Network Project Config - Encryption Enabled
Enable Encryption at the PhotonAppSettings

3. Photon Fusion Direct Connection Encryption

Enable the Fusion Encryption System at the NetworkProjectConfig asset.
This signal that the connection between a Fusion Server and a Fusion Client must be established in an encrypted manner.

This only affects ClientServer Modes (Client, Host, Server, AutoHostOrClient), as in Shared mode, there is only 1 type of connection - between the local peer and the Photon Cloud.

Network Project Config - Encryption Enabled
Enable Encryption at the NetworkProjectConfig

Encryption System Description

The packet encryption system achieves its behavior through the application of the following well-known algorithms with the specified settings:

  • Advanced Encryption Standard (AES) (doc page):
    • Key Size: 256 bits;
    • Mode: CipherMode.CBC (doc page).
  • Message Authentication Code (HMAC):
    • Using the HMACSHA256 function (doc page).

The Data Encryption Process can be described with the following steps:

  1. Encrypt Data:
    1. The entire buffer is encrypted using the above algorithms.
    2. A Hash based on the packet content is generated and appended to the data buffer.
  2. Decrypt Data:
    1. The Hash code is validated; otherwise, the packet is discarded.
    2. The received data buffer is decrypted.
Back to top