Feature Request - Cryptography API

Background

As a Roblox developer, it is currently too hard and time consuming to protect data that is in transit between client and server. As it stands, there is no standard way to protect against an exploiter using a remote spy to gather information to cheat/exploit in a game. Although solutions exist in LUA/LUAU, because of the number of computations required (especially RSA), they are very slow.

If this is addressed by Roblox, it would improve my development experience because it would save time by allowing us to use a premade API instead of finding/coding these functions ourselves. Not only would this eliminate mistakes in implementation by inexperienced developers, performance would be greatly improved because the encryption runs in machine code instead of a LUA virtual machine. Furthermore, it would improve client security because the crypto will disable one aspect that exploiters/cheaters use to break security on games: Remote Spy. By encrypting the data and then sending it, all the exploiter will be able to see is what appears to be random data being passed back and forth. Since strong crypto is being used, it will be impossible for an exploiter to decrypt the data directly.

As part of a cryptography API, routines such as the following would be nice:

• RSA or ECC Public Key Crypto: Generate Key Pair, Encrypt, Decrypt
• AES-128 Encrypt/Decrypt

Use Case

A client connects to the server and requests the server’s public key. The client then generates a symmetric key, encrypts it with the server’s public key, and sends it to the server. When the server gets the encrypted information, it decrypts it using it’s private key. This completes the cryptography handshake between client and server. From now on, any information that requires encryption is encrypted using that symmetric key.

Bob develops a private way of detecting cheaters, but it requires the cooperation of the client. In order to prevent exploiters from bypassing his method, Bob chooses to use a LUA virtual machine (such as vLua) to execute the code. The code is compiled on the server when the game starts and the resulting bytecode is sent to the client when the client connects. In order to prevent an exploiter from getting access to the bytecode and decompiling it to discover the method, Bob encrypts the data before calling FireClient. When the client gets the associated OnClientEvent event, the bytecode is decrypted and loaded into the vLua VM for execution, confident that his method is protected. Data that is generated by the protected code is serialized and encrypted before being sent to the server. On the server, the data is decrypted and is analyzed. If the analysis shows the player is cheating, they are removed from the game and a permanent ban is placed.

Due to the encryption, the program/data is impossible to directly decrypt without the session key. This removes the remote spy tool from the exploiter’s toolbox which allows an exploiter to see what data is passed between client and server.

I can see the idea of native cryptographic algorithms, but I don’t understand the use case. If the client is sending encrypted data to the server with a cryptographic key stored in memory, what prevents a malicious attacker from reading the key in memory and replacing the call to the server? Or what prevents them from changing the source of the information before it is decrypted? The client (in theory) has full control over what goes on with respect to the client and can change things that are past the decryption or before the encryption even happens.

From my perspective, the HttpService is a stronger use case. Need to make sure you trust an external service you control? Set up a certificate and verify it in-game.

Exploiters can see the value of variables on the client, including the key, the result of decryption, etc. Exploiters are not sniffing remote traffic on the wire. The use case you’ve provided does not work. What do you actually need this for? What are you trying to accomplish?

Cryptography for roblox has no use because the exploiters can just read the decrypted values in the scripts or even worse, use the decrypt function of the script

I think you are having little info of security on roblox, its not like the websites.

As for my use case: Interacting with Google APIs in Roblox is currently harder than I would like it to be. Since there is no cryptography API, I have to deploy my own services to either handle JWT creation (which is necessary to obtain an access token that lets me access Google APIs) or interact with the endpoints I’m using, which costs extra money and time.

A cryptography API would allow me to spend less time on creating and managing middleman services, and it would also save me some money.

Lest we forget about the various firebase libraries that still rely on database secrets - which are deprecated

@TheNexusAvenger @commitblue

The idea was to have the sensitive code run inside a LUA virtual machine that runs on top of Roblox’s LUA VM. All crypto functions are called from there. Granted, they can probably read anything and everything on the client, but the point is to make it so hard for them that it will either take some time to crack it, or they give up…the latter being the point

The purpose of a Crypto API is to allow crypto function inside Roblox’s LUA VM. What I’m using it for is to protect data that’s in-flight between client and server from eavesdropping by an exploiter that is using Remote Spy. That’s the sole purpose of this. I have a system already established, but it’s slow. This is in addition to other measures that are in place.

I could see crypto versions of FireServer and FireClient to do this. Hashing algorithms could also be implemented and I do know there are some use cases where you need things like SHA-256 to interface with certain web services.

I still don’t understand the use case. The goal is to hide the contents of data between the client and server, which:

1. If you mean between the client and server communication (i.e. man-in-the-middle), that would be up to Roblox to secure. Roblox being open to man-in-the-middle attacks would be very dangerous.
2. If you mean on the client with an attacker on the client, then there isn’t that much of a point since an attacker can read the memory of the data after it is unencrypted. There is a lot more they could do on top of that if they wanted to.

Wolftallemo’s use case of JWT creation makes much more sense as a use case and matches up my expectation that this would be more useful for HttpService calls.

Your point 1 is Roblox’s responsibility, that I agree with. However, with #2, not if the API is called from within a vLua VM. The VM itself, in general, is a hard nut to crack. So having the sensitive code run in a VM is the best option.

Roblox’s Luau VM was cracked way before it went open source and was more like 5.1, how much harder could a Lua 5.1 compiler/interpreter programmed in Luau be? I am in much more support of Wolftallemo’s use case, because it makes much more sense personally, and is much more explainable.

Ok, I concede your point, but I’m still going to do it to add one more layer to the client’s security.

Regardless of the use case, do you agree that having a native, engine provided, crypto API which contains a RSA/ECC public key cipher, AES symmetric key cipher, and a number a hashing functions (including the ubiquitous SHA-256) would be useful?

I’d like to see Sha-256 supported as well, it is nor for encryption purposes but for verification and detecting changes between each state of some data easily

I do like this idea. I would like to see this in action as it could help me protect my code against cracking and exploiters.

I just found out that this was implemented. I don’t know when, but it’s in the documentation.

EncodingService
HashAlgorithm

I have tested this and it is in the live engine. Was there an announcement or something that I missed?

Like half a year ago.
And if you need actual cryptography you can use this in the meantime

Interesting link, but I already wrote a bunch of crypto stuff some time ago. RSA, AES, RC4, and a custom one. I was going to try EC, but the script execution timer kept expiring while generating keys.