Sony I hardly knew you…

So today, after 6 days of downtime I get word from Sony that apparently mine and 75 million other accounts have been compromised, including pretty much all of my personal information. Worst of all, this information included my password and possibly my credit card information.


This is an unforgivable sin on many levels, but more than anything I have to say this… if you are storing sensitive information in your game, encrypt the hell out of it!  Really, it’s not that hard.  Actually, here is how you do it…  this is code I have used in another project, but sadly I forget exactly where I got it from for proper crediting.  So, if you are the author, let me know and I will give proper accreditation.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

namespace ConfigurationLibrary
{
    public sealed class CryptoString
    {
        private CryptoString() { }

        // Placeholders: an AES key must be 16, 24 or 32 bytes and the IV exactly 16 bytes,
        // otherwise CreateEncryptor/CreateDecryptor throw a CryptographicException.
        private static byte[] savedKey = Encoding.UTF8.GetBytes("YOUR-32-BYTE-KEY-VALUE-GOES-HERE");
        private static byte[] savedIV = Encoding.UTF8.GetBytes("YOUR-16-BYTE-IV-");

        public static byte[] Key
        {
            get { return savedKey; }
            set { savedKey = value; }
        }

        public static byte[] IV
        {
            get { return savedIV; }
            set { savedIV = value; }
        }

        // Generate a random key only when none has been configured.
        private static void RdGenerateSecretKey(RijndaelManaged rdProvider)
        {
            if (savedKey == null)
            {
                rdProvider.KeySize = 256;
                rdProvider.GenerateKey();
                savedKey = rdProvider.Key;
            }
        }

        // Generate a random IV only when none has been configured.
        private static void RdGenerateSecretInitVector(RijndaelManaged rdProvider)
        {
            if (savedIV == null)
            {
                rdProvider.GenerateIV();
                savedIV = rdProvider.IV;
            }
        }

        public static string Encrypt(string originalStr)
        {
            // Encode data string to be stored in memory.
            byte[] originalStrAsBytes = Encoding.UTF8.GetBytes(originalStr);
            byte[] originalBytes = { };

            // Create MemoryStream to contain output.
            using (MemoryStream memStream = new MemoryStream(originalStrAsBytes.Length))
            {
                using (RijndaelManaged rijndael = new RijndaelManaged())
                {
                    // Generate and save secret key and init vector.
                    RdGenerateSecretKey(rijndael);
                    RdGenerateSecretInitVector(rijndael);
                    if (savedKey == null || savedIV == null)
                    {
                        throw new NullReferenceException("savedKey and savedIV must be non-null.");
                    }

                    // Create encryptor and stream objects.
                    using (ICryptoTransform rdTransform =
                        rijndael.CreateEncryptor((byte[])savedKey.Clone(), (byte[])savedIV.Clone()))
                    {
                        using (CryptoStream cryptoStream =
                            new CryptoStream(memStream, rdTransform, CryptoStreamMode.Write))
                        {
                            // Write encrypted data to the MemoryStream.
                            cryptoStream.Write(originalStrAsBytes, 0, originalStrAsBytes.Length);
                            cryptoStream.FlushFinalBlock();
                            originalBytes = memStream.ToArray();
                        }
                    }
                }
            }

            // Convert encrypted bytes to a Base64 string.
            string encryptedStr = Convert.ToBase64String(originalBytes);
            return encryptedStr;
        }

        public static string Decrypt(string encryptedStr)
        {
            // Unconvert encrypted string.
            byte[] encryptedStrAsBytes = Convert.FromBase64String(encryptedStr);
            byte[] initialText;

            using (RijndaelManaged rijndael = new RijndaelManaged())
            {
                using (MemoryStream memStream = new MemoryStream(encryptedStrAsBytes))
                {
                    if (savedKey == null || savedIV == null)
                    {
                        throw new NullReferenceException("savedKey and savedIV must be non-null.");
                    }

                    // Create decryptor and stream objects.
                    using (ICryptoTransform rdTransform =
                        rijndael.CreateDecryptor((byte[])savedKey.Clone(), (byte[])savedIV.Clone()))
                    {
                        using (CryptoStream cryptoStream =
                            new CryptoStream(memStream, rdTransform, CryptoStreamMode.Read))
                        using (MemoryStream plainStream = new MemoryStream())
                        {
                            // Copy the whole decrypted stream so the result has the exact
                            // plaintext length. A single Read into a ciphertext-sized buffer
                            // leaves trailing zero bytes, because the padded ciphertext is
                            // longer than the plaintext.
                            cryptoStream.CopyTo(plainStream);
                            initialText = plainStream.ToArray();
                        }
                    }
                }
            }

            // Convert byte[] to string.
            string decryptedStr = Encoding.UTF8.GetString(initialText);
            return decryptedStr;
        }
    }
}
```

Now it's as simple as calling ConfigurationLibrary.CryptoString.Encrypt(somestring) and ConfigurationLibrary.CryptoString.Decrypt(somestring).
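The helper above reuses one fixed IV for every value it encrypts. With CBC that means two records with the same leading plaintext produce the same leading ciphertext, so a copied database still reveals which users share a value. The following is an added example, not code from the original post: the same AES-CBC scheme with a fresh random IV generated per call and stored in front of the ciphertext, so every encryption of the same input looks different. The class name `PerMessageIvCrypto`, the `NewKey` helper and the sample input are assumptions made for the example.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

// Added example (not from the original post). Layout of a stored value:
// Base64( [16-byte random IV][AES-CBC ciphertext with PKCS7 padding] ).
public static class PerMessageIvCrypto
{
    private const int IvBytes = 16;

    // Hypothetical helper: in a real deployment the key is loaded from a secret store
    // or key management service, never compiled into the binary.
    public static byte[] NewKey()
    {
        byte[] key = new byte[32];              // AES-256
        using (var rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(key);
        }
        return key;
    }

    public static string Encrypt(byte[] key, string plaintext)
    {
        using (var aes = Aes.Create())
        {
            aes.Key = key;
            aes.Mode = CipherMode.CBC;
            aes.Padding = PaddingMode.PKCS7;
            aes.GenerateIV();                   // fresh random IV on every call

            using (var output = new MemoryStream())
            {
                output.Write(aes.IV, 0, aes.IV.Length);   // IV travels with the ciphertext
                using (var encryptor = aes.CreateEncryptor())
                using (var cs = new CryptoStream(output, encryptor, CryptoStreamMode.Write))
                {
                    byte[] data = Encoding.UTF8.GetBytes(plaintext);
                    cs.Write(data, 0, data.Length);
                    cs.FlushFinalBlock();
                }
                // MemoryStream.ToArray still works after the CryptoStream closed it.
                return Convert.ToBase64String(output.ToArray());
            }
        }
    }

    public static string Decrypt(byte[] key, string stored)
    {
        byte[] blob = Convert.FromBase64String(stored);
        // Reject anything that cannot be IV + whole AES blocks before touching the cipher.
        if (blob.Length < IvBytes || (blob.Length - IvBytes) % 16 != 0)
            throw new CryptographicException("Stored value is not IV + whole AES blocks.");

        byte[] iv = new byte[IvBytes];
        Buffer.BlockCopy(blob, 0, iv, 0, IvBytes);

        using (var aes = Aes.Create())
        {
            aes.Key = key;
            aes.IV = iv;
            aes.Mode = CipherMode.CBC;
            aes.Padding = PaddingMode.PKCS7;

            using (var input = new MemoryStream(blob, IvBytes, blob.Length - IvBytes))
            using (var decryptor = aes.CreateDecryptor())
            using (var cs = new CryptoStream(input, decryptor, CryptoStreamMode.Read))
            using (var plain = new MemoryStream())
            {
                cs.CopyTo(plain);               // exact plaintext length, no trailing NULs
                return Encoding.UTF8.GetString(plain.ToArray());
            }
        }
    }

    public static void Main()
    {
        byte[] key = NewKey();
        string sample = "constructed-sample-value";        // constructed input, not real data
        string a = Encrypt(key, sample);
        string b = Encrypt(key, sample);
        Console.WriteLine(a == b ? "same ciphertext" : "different ciphertexts for identical input");
        Console.WriteLine(Decrypt(key, a) == sample);      // True
    }
}
```

`Decrypt` throws if the padding does not check out after decryption, but CBC on its own cannot tell a tampered record from a genuine one; on frameworks that provide `AesGcm` (.NET Core 3.0 and later), an authenticated mode gives the same per-message nonce behaviour and additionally rejects modified ciphertext.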


It is this easy to encrypt your info; compromising your users' security is never justified!  Just be sure to protect your encryption keys as much as possible.


For the record, I don’t know if Sony encrypted this information or not, but they haven’t communicated that they did, which leads me to believe that they didn’t.  If they did, Sony has done a horrible job at PR.  If they didn’t, Sony made a mistake a first year CS student never should have!  Either way, Sony just screwed up really badly.

Programming Totally Off Topic Rant Security

