2

Essentially what I'm attempting to do is within my cURL API I would like clients using the API to have specific sensitive data encrypted on their server, before it leaves their server, then decrypted on my server.

I saw that you can use the openssl_encrypt() function, though I can't really find anything that's explaining it clear enough.

An example of the process is below:

ON THE CLIENT'S SERVER SIDE:

$dataToSend = 'mysupersecretstring';
// encrypt data
// connect and send to my server

ON MY SERVER'S SIDE:

$receivedString = '39bfy4f28d30g74fb34g79';
// string above is received
// string is decrypted decrypted
// $receivedString is now plaintext and can now be used on this server

I hope I'm explaining this clearly enough. If you have any questions please don't hesitate as it's rather important I have a valid solution to this.

Artjom B.
  • 61,146
  • 24
  • 125
  • 222
Jordan
  • 41
  • 5
  • 2
    Can you use an SSL certificate? – user2182349 Aug 23 '15 at 22:34
  • 1
    As I believe user2182349 is leading you, proper cryptography is hard to get right; using something that already exists, is well-understood and mature like SSL/TLS is a good idea if you don’t want to have subtle-but-critical failures of security. – icktoofay Aug 23 '15 at 22:38
  • possible duplicate of [PHP, Simplest Two Way Encryption](http://stackoverflow.com/questions/9262109/php-simplest-two-way-encryption) – Artjom B. Aug 23 '15 at 22:39
  • Yes, you can use OpenSSL in PHP to encrypt and decrypt a string, but you should ask yourself how you want to manage the encryption/decryption keys. Do you want to utilize asymmetric crypto or only symmetric? How will you securely distribute the keys? – Artjom B. Aug 23 '15 at 22:41
  • Well, yes _I_ can use an SSL but I can't expect every single one of my clients to be using an SSL, unless my SSL encrypts their connection? – Jordan Aug 23 '15 at 22:48
  • I would happily use any other encryption functions if they are available that any of you guys know about. – Jordan Aug 23 '15 at 22:49
  • @ArtjomB. is there any way to encrypt and send data without keys? EDIT: I can see that by keys that's the "password" parameter. This would be predefined as the client would be calling a method from a class they would be provided with. This class will be encrypted, so the key will never be seen. – Jordan Aug 23 '15 at 23:00
  • `This class will be encrypted` - and where is the key for that stored? – VolkerK Aug 23 '15 at 23:26
  • You need a key otherwise that wouldn't be encryption. If give an obfuscated class to the client which includes the key, then you probably need to give every client a different custom class. You really should use the same class for everyone and give the client the class and the "API key". – Artjom B. Aug 24 '15 at 06:32
  • In any case your original question is answered in the one that I linked. You should see a button to confirm that this is a duplicate above your question. – Artjom B. Aug 24 '15 at 06:33

1 Answers1

1

Put simply: Don't.

Use HTTPS instead of relying on application layer cryptography for this specific use-case.

Unless you are a professional cryptographer with a specific use case for why you wish to avoid TLS (with public key pinning) and have a plan in place to manage encryption keys, you probably shouldn't write your own cryptography. Or if you do, don't deploy/publish it.

And if you do find yourself needing to encrypt information at the application layer (there are many valid use cases for encryption here), learn all the pitfalls that you will encounter and maybe consider using libsodium instead.

Community
  • 1
  • 1
Scott Arciszewski
  • 33,610
  • 16
  • 89
  • 206