Glue Content Security Plugin

Tagged:

This plugin allows you to prevent users from tampering with selected content files. If any files have been modified by end users your project will be made aware of it.

Source code is hosted and updated on Github

To Use:

  1. Install the Plugin via Glue
  2. Open your project in Glue
  3. Select a file you would like secured
  4. In the property grid, set "Secure File" to True
  5. In Visual Studio, add a call to new ClientHashVerifier().VerifyContent(); somewhere in your code
  6. If a GlueSecuritySignatureMismatchException is thrown, your content files have been modified (the exception contains the details of the files that are incorrect)

How It Works:

When a files is added as a secure file it kicks off a process that generates an RSA encryption public and private key and stores that locally in a contentKey.xml file in your project's root directory. This is NOT intended to be distributed to customers as it contains the private key.

This process also generates a contentHashes.xml file in your project's content directory. This is a file that is meant to be distributed with your released product and contains a list of the secured files, and their MD5 hashes.

Finally, this process also adds 3 code files to your project to support the content verification process, all which reside in the GlueContentSecurity folder. The ClientHashVerifier class contains the public key which is used to decrypt the XML signature, which verifies that the signed xml document was not tampered with.

When ClientHashVerifier.VerifyContent() is called, it reads the contentHashes.xml document, uses the public key to verify that the signed XML document has not been tampered with (see MSDN for more info), then reads all the files and computes MD5 signatures for each. If any files are missing or any file's MD5 does not match, then a GlueSecuritySignatureMismatchException is thrown with details on what did not match up. If no exception was thrown, all the files were good.

If your private key ever gets compromised, all you have to do is load glue and click the Generate button. It will create a new public/private key field, update all xml files, and update the public key in your project's ClientHashVerifier class automatically.

Note: This does not prevent users from *viewing* your content files. Theoretically that's impossible, but this system is only meant to prevent unauthorized users from changing content that you may want to always match, especially useful in multiplayer games.

Product File: 
Syndicate content