7

I've been having trouble trying to communicate between PHP and my iOS application using AES encryption.

So far, I've considered two methods of implementation. The first was to use OpenSSL.
On the iOS side, I implemented in a way to mimic the code shown here: http://saju.net.in/code/misc/openssl_aes.c.txt.

On the PHP side, I took the generated key and IV (from the iPhone) and used it as input to the PHP openssl encrypt.

The results differed in terms of the output...

I have also considered: http://iphonedevelopment.blogspot.com/2009/02/strong-encryption-for-cocoa-cocoa-touch.html

but this SO post: AESCrypt decryption between iOS and PHP deterred me.

The project is not tied down to AES, it just seemed like a strong encryption algorithm that wouldn't be too hard to implement.

My basic question is: what is the easiest way to implement a good encryption algorithm that can easily be used to communicate between iOS and PHP?

Community
  • 1
  • 1
Silvae
  • 594
  • 1
  • 8
  • 20
  • 7
    The easiest way would be to transfer your data over HTTPS, as surely the iPhone and your webserver have built-in support for that. – derobert Dec 08 '11 at 21:55
  • Are you able to explain the underlying purpose of the project without giving away too much? It may help trying to solve the issue you are facing or we may be able to share alternative routes since you are not tied to AES as you mention. – JM4 Dec 08 '11 at 22:07
  • I am passing sensitive client data between an iOS device and a PHP backend. I want the data to be secure from packet sniffing, falsified login attempts, etc. – Silvae Dec 08 '11 at 22:14
  • 2
    That still sounds like a perfect job for SSL or TLS. Of course, if somebody gets hold of your application, nothing stops them from doing a login attempt. You could give your user a certificate too and perform client authentication as well, but the keys will be on the device, and may leak out. I think I heard there is something of a keystore on iOS devices though. – Maarten Bodewes Dec 09 '11 at 13:03
  • I like the idea of using https, however, I've had issues in the past trying to get data from using https with the iPhone. The server seems to have issues handshaking with the phone. An authenticity challenge is presented which I cannot pass on the phone side. Anyone else ever have an issue with this? – Silvae Dec 09 '11 at 15:24
  • @Silvae I've had similiar issues but it was just the cert I was using wasn't installed properly. iOS seems to be more picky than PC browsers with certs. I'd give https a try. It shouldn't be hard to run a test to see if you'll have problems with your cert.. – 0x6A75616E Dec 13 '11 at 02:04

3 Answers3

3

I just got through this same sort of project. I used the library you referenced in "also considered..."

Here is some example code to decrypt with php:

$iv2 = '';
for($i=0;$i<16;$i++){
    $iv2 .= "\0";   
}
$plain_text_CBC = mcrypt_decrypt(MCRYPT_RIJNDAEL_128, $key, $encrypted_text, MCRYPT_MODE_CBC, $iv2);
var_dump($plain_text_CBC);

Make sure your keys are both 256-bit (32 characters, I have not yet had any encoding issues, but if you do, remember that you are encrypting bytes, not characters). Note that 128 in MCRYPT_RIJNDAEL_128 is the block size and not the key size, while in the method AES256DecryptWithKey, 256 is a reference to the key size, while the block size is 128. AES256DecryptWithKey runs in CBC mode, but has a null initialization vector (iv).

CBC means that each block depends on the last block, and so it uses a pre-set, usually random, "block -1" called the IV

ECB means that each block is encrypted in the same way, hence it reveals when two blocks in the same message are the same. The library mentioned does not use it, so I mentioned it just for contrast.

The use of a zero iv (0000000000000000 in bytes) is considered insecure. To fix this you would have to create an NSData *iv variable for the IV and modify the CCcrypt argument of NSData+AESCrypt.m to add [iv bytes] for the iv parameter (I have not yet tested this code), and you would need to store this iv and pass it to the php along with you message. But first I would test and have everything working with a zero iv.

user1122069
  • 1,767
  • 1
  • 24
  • 52
  • The whole point of using an IV is that it's unique for each piece of data: it's not a secret, you can append it to your ciphertext. Using the same IV for all encryptions is effectively as secure as not using an IV. Please consider reviewing my claim and editing this misinformation from the answer. – Mark Fox Feb 28 '14 at 01:46
  • Using an IV initialized to zero is **insecure** as known attacks and exploits exist for that, eg.: cookies stealing and privilege escalation (BEAST). – Michele Giuseppe Fadda Nov 13 '15 at 10:14
  • Thanks for your great comments! – user1122069 Nov 14 '15 at 17:12
  • Thanks a lot!! Been searching for this since a week – Dark Innocence Dec 22 '16 at 07:58
1

As said in the comments, it would probably easiest for you to use HTTPS.

I once set up an iPhone app that had to communicate with a PHP backend over HTTPS, and spent many hours trying to find out why the iPhone wouldn't accept the encrypted connection.

As it turned out, it didn't work because I was using a self-signed certificate on the server side. Buying an SSL certificate from a Certificate Authority solved all issues.

SSL certificates that validate a single domain name without company or extended validation are really cheap, so I suggest you give that a try!

Wilbo Baggins
  • 2,701
  • 3
  • 26
  • 39
0

For a direct example, my open source project "Techno Tap" contains PHP and iOS source that uses AES encryption successfully, feel free to take a look here

The encryption on iOS is done in ScoreboardManager.m (using NSData+AES) and decryption is done on the PHP side in Scoreboard.php

Patrick T Nelson
  • 1,234
  • 12
  • 21