Obfuscating POST variables between Javascript & PHP

Question

Ideally I would want to encrypt the variables so there is no way to figure them out, however given that the client will send the variable via javascript and that anything can be decrypted if they see the code, I am looking for alternatives.

I was thinking of making using something that would return HEX similar to md5 or sha1 but encryption and then some how incorporate the server time or date into the variable so that the encryption would only be valid for 1-2 minutes.

The javascript would have an obfuscated/minimized function that would base the encryption on time according to javascript and then POST it to php. As long as the servers date/time was withing X minutes then it would decrypt correctly.

I'd like to send it what seems to be random data, and get back what seems to be random data. I dont want it to be the same data.

Is this the best method? I am only trying to stop people who try to use HTTP sniffers. I know once they get to the javascript source nothing could prevent it given enough time/understanding of what's going on.

If you are going to post actual code, remember that the function/ability should exist on both javascript and PHP5 (< 5.3). I would like native simple/small functions not implement a huge third party class for JS and PHP.

Edit: SSL/HTTPS is out of the question.

Answer 1

If you want to stop people from sniffing your web traffic, use https instead of http.

If there's one thing you should learn, it's that encryption is hard. Really hard. If you try to do it yourself, you're not going to get it right, and will likely make some subtle mistake that could bite you later. It's best to leave encryption to the people who know what they're doing.

Answer 2

I assume HTTPS is out of the question.

Have you thought about ROT? Stupid simple implementation at least:

var output = "";
for(var i = 0; i < input.length; i++)
{
    char = ( input.charCodeAt(i) + SOME_NUMBER ) %255;
    output += String.fromCharacterCode( char )
}

Then, in PHP

$chars = $_POST['chars'];
$output = "";
for($i = 0; $i < strlen($chars); $i++ )
{
    $char = ord($chars[$i]) - SOME_NUMBER;
    if($char < 0 )$char += 255;
    $output .= chr($char);
}

Answer 3

If you want some strong, PKI encryption on Javascript, you should check jcryption.

Answer 4

I suggest that AES encryption is a good option. You can find the JavaScript library here https://code.google.com/archive/p/crypto-js/ and PHP one https://packagist.org/packages/blocktrail/cryptojs-aes-php

Now on PHP side:

<?php
include "vendor/autoload.php";
use Blocktrail\CryptoJSAES\CryptoJSAES;

$passphrase = "secret";
$text = "example value";

$encrypted = CryptoJSAES::encrypt($text, $passphrase);
echo "Encrypted: ", $encrypted, PHP_EOL;

It outputs:

Encrypted: U2FsdGVkX1/JVv/nS7aExFZiatvG8Lha7MflNsfuLHo=

We take the encrypted code and decrypt it in JavaScript:

<!DOCTYPE html>
<html>
  <head>
    <script src="https://cdnjs.cloudflare.com/ajax/libs/crypto-js/3.1.2/rollups/aes.js"></script>
  </head>
  <body>
    <script>
      const passphrase = "secret",
            encrypted = "U2FsdGVkX1/JVv/nS7aExFZiatvG8Lha7MflNsfuLHo=";
            decrypted = CryptoJS.AES.decrypt( encrypted, passphrase );
      console.log( decrypted.toString( CryptoJS.enc.Utf8 ) );
    </script>
  </body>
</html>

After firing up this HTML in a browser you get the JavaScript console:

example value

So, you can encrypt for example sensitive data in PHP and obtain in the client application with JavaScript and decrypt. You can do it in the opposite direction. Just do not forget to obfuscate JavaScript and make the secret looking like some JavaScript.

Yet you understand that it's not really secure - with considerable effort one can figure out the encryption method, find the secret and uncover the data.