Secure servlet calls to (free) Google App Engine Groovlets

122 views Asked by At

I'm in the process of creating a game overlay distributed application with C# that needs to send data to a GAE server and gets a data update as response.

I used Gaelyk for a simple GET Groovlet but I wonder about how to secure the data delivery to my service. At the moment (local server) I just do GET calls with parametes. For successful processing I simply check that all parameters have been submitted with the call.

But as soon as I'm out in the wild this is no option. Problem is that Hackers although it's a niche application will have a strong interest in getting the response data as this can have a big impact on the game itself, e.g. gives a huge advantage for the hackers.

As GAE doesn't have a SSL option afaik, I thought of doing somehting like this:

  • First start of the client application generates a public/private key
  • The client would have the public key of my GAE server included
  • For each call I would encrypt the data to send with the clients private key/servers public key and send it via PUT (because of URL length)
  • There would be only one parameter, the key beeing the public key of the client and the value beeing the encrypted data
  • The server now decrypts with clients public key and his server private key and can upate the data
  • For the response I would encrypt with clients public key/the servers private key
  • The client is now able to decrypt the response data

Is this a legit way to secure my service? Are there better alternatives? And how to start on C# and Gaelyk/Groovy with asymetric encryption?

PS: I needed to go with C# because of some requirements with memory reading and I needed to use GAE because it's free for personal usage and I don't expect big traffic. I used Gaelyk because of the simplifed Servlet/Datastore handling.

Edit: I just saw Security on Google App Engine(Java) - Servlet SSL? about using SSL for free is possible. So my questions should rather be

Is this enough for secure communication? Can I use this from within my c# application without hassly for the user?

1

There are 1 answers

0
musketyr On BEST ANSWER

Yes, it should be sufficient. You can enforce it using the <security-constraint>

as described in the deployment descriptor configuration.