I hope I am not bringing up a question that is already answered, if it has, a point in the right direction would be appreciated, but in all my searching I can't seem to find my exact answer to my question.

I have fully functioning MMO with client/server communication. Players download the client obviously, and the server is located remotely (currently controlled only by me) an an Amazon AWS server.

So my basic is question is this. Players create their account for my game from within the client (email, username, password, etc), store this on the server (currently encrypted on the client using a simple XOR encryption, then sent to the server ). And now of course I am looking to now finally make this packet encryption more legitimate and professional.

While researching this, I find people asking similar questions, but I see them jumping right into terms like already having "SSL encryption", sending "salts" and "hashing" the data, but I need to know where to begin from step 1. I am not finding a step-by-step general procedure for beginning to encrypt packets, and figuring out which method I should be doing. It seems like this is more complicated than just writing some simple algorithms and hashing data.

I am attempting to make my game secure enough so that if I do start charging money for the game, or just make the game go "live", I can tell my players "Your login information is secure". I am not interested in dealing with any real money account information at this point. Just one step at a time.

I am basically looking for a guideline of where to start with this. The simplest answer is basically what I am looking for. My game is currently communicating with Winsock, and for now is going to be windows platform specific. Coded in C++.

Should I just look into using something like OpenSSL and go from there?

Those sound like the solutions I may be looking for, I will begin researching those immediately, thanks for the reply!

Thanks for all the information, that is all extremely useful. I am currently running all my information through TCP. I do not know what the difference between using TCP and TLS until I start looking into this more, however I am only planning on trying to sending only account information this way (email, login, password) so I am only going to send a few packets securely for now.

I am not going to attempt to do any type of monetary transactions of any kind (credit cards, virtual goods/cash etc ). If I get to that point I will rely on a third party, but I am not near that stage just yet. However I may want people to receive a "CD-key" to register their game (free or paid) off a website login at some point which they would enter as well, but will be the extent of how far I go with this until I rely on more professionally secure methods for money transactions.

As I mentioned before I would just like to assure people who play game that their information is "secure" when they send it and it is stored on the server. I realize it can never be 100% foolproof. But again, its better then what I am doing now.

I am not trying to guard against any particular type of attack, just trying to do a general secure encryption for this information.

I found this great post on Stack Overflow which seems to describe what I should be doing based off of your suggestions as well:

http://stackoverflow.com/questions/5415752/how-to-save-string-username-password-in-encrypted-form-in-database-and-decryp

It explains that you should salt and hash the password using the SHA-256 algorithm from OpenSSL.

But a few questions still linger.

How should I still send the password (and other info like login/email) to the server by itself so I can still salt/hash it? Should just still be sending it through WSASetSocketSecurity() be safe enough since I will be salt/hashing it on server and not storing the password in any way on the server? (Should I be masking the data somehow to deter packet sniffers? etc..)

Does WSASetSocketSecurity() have any performance issues? Should I just leave it on for the player the whole game? Or just use it when sending sensitive information packets?

I hope I am thinking about this the right way. Of all my years programming I just seem to have a bit of trouble wrapping my head around this.

Okay so this is what I am thinking so far...

I will open up my TCP socket and add WSASetSocketSecurity to it.

I will implement a self-made SRP Protocol to the character string.

I will use the SHA-256 hash algorithm from OpenSSL for the SRP hash

The SRP pseudocode from wikipedia makes it seem simple enough to implement by hand.

I really don't know the stability, uses, or performance issues of doing this. The documentation for those issues seem non-existant. I am assuming this will provide "enough" protection for account information, without completely converting my code from TCP to TLS.

Any thoughts?