11

I have a webserver running mysql and php which sends data to a json string.

I have a second webserver which reads the data and then displays it.

Everything works fine at the moment.

I need to add some sensitive data into the string, so I was wondering what is the best way to encrypt/decrypt the json using php?

Can someone help!?

Steve
  • 153
  • 1
  • 2
  • 6

6 Answers6

15

I always liked MCRYPT

//Key
$key = 'SuperSecretKey';

//To Encrypt:
$encrypted = mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $key, 'I want to encrypt this', MCRYPT_MODE_ECB);

//To Decrypt:
$decrypted = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $key, $encrypted, MCRYPT_MODE_ECB);

If that's something you're looking for. It'll treat the JSON as a string and then after you decrypt it you'll have to do your json_decode() or whatever it is you're doing.

romo
  • 1,990
  • 11
  • 10
9

I bet the best way is use SSL (HTTPS) and I recommend you to read the OWASP Guide and especially the How-To section.

Octavian Helm
  • 39,405
  • 19
  • 98
  • 102
alexsuslin
  • 4,130
  • 1
  • 20
  • 30
  • 1
    Agreed. HTTPS is the way. You can't wait until the last minute and decide you want to send something "secretly". You must have a shared secret. If you don't have a shared secret, then use HTTPS because it handles it for you. Why reinvent? – Marcus Adams Feb 20 '12 at 17:47
5

It really depending on how sensitive the data are. However from my experience a simple php encryption usually do the trick. I would usually encrypt the sensitive fields in the json data fields before encoding it to a json string.

Here's the code for the encryption part.

$key = 'password to (en/de)crypt'; $string = ' string to be encrypted '; // note the spaces

To Encrypt:

$encrypted = base64_encode(mcrypt_encrypt(MCRYPT_RIJNDAEL_256, md5($key), $string, MCRYPT_MODE_CBC, md5(md5($key))));

To Decrypt:

$decrypted = rtrim(mcrypt_decrypt(MCRYPT_RIJNDAEL_256, md5($key), base64_decode($encrypted), MCRYPT_MODE_CBC, md5(md5($key))), "\0");

However, you should always hash (MD5, SHA1) passwords, preferably with some salt.

iewnait
  • 238
  • 3
  • 7
  • The salt cannot be longuer than 24 characters with MCRYPT_RIJNDAEL_256. The others are cutted and a warning is thrown. Prefer substr(md5($salt), 0, 24) if you want to use MD5. – Gabriel Nov 15 '13 at 13:36
  • It is best not to use PHP mcrypt, it is abandonware, has not been updated in years and does not support standard PKCS#7 (née PKCS#5) padding, only non-standard null padding that can't even be used with binary data. mcrypt has many outstanding [bugs](https://sourceforge.net/p/mcrypt/bugs/) dating back to 2003. The mcrypt-extension is deprecated will be removed in PHP 7.2. Instead consider using [defuse](https://github.com/defuse/php-encryption) or [RNCryptor](https://github.com/RNCryptor), they provide a complete solution and are being maintained and is correct. – zaph Nov 25 '17 at 00:56
1

Store a private key on the server and use DES encryption; it's a 2-way algorithm.

EDIT:

Per comments, it seems I've misinterpreted the question. My assumption was OP would like to send encrypted data out on the Internet like in an email or something then get the data back at a later time and be able to decrypt it. I'll be sure to clarify through comments in the future before submitting an answer.

quickshiftin
  • 66,362
  • 10
  • 68
  • 89
  • Well I have managed to encrypt the json but can't understand how to decrypt it or find code to decrypt... – Steve Feb 20 '12 at 17:31
  • do you propose to re-invent SSL protocol? – alexsuslin Feb 20 '12 at 17:31
  • it looks like you can't find that question: http://stackoverflow.com/questions/610048/rsa-encryption-decryption-compatible-with-javascript-and-php – alexsuslin Feb 20 '12 at 17:32
  • 1
    DES? Why would you recommend DES of all algorithms? – Kitsune Feb 20 '12 at 17:33
  • @alexsuslin well you're right, if it's just a point-to-point transmission then SSL is perfect. My assumption (could be wrong) was OP wanted to have this data out on the open Internet, get it back at some point and be able to decrypt it; SSL will not work for that. – quickshiftin Feb 20 '12 at 21:06
  • @Kitsune it's a 2-way algorithm I've used in the past, perhaps there are other, better 2-way algorithms, I'm just offering an idea that works which I've implemented in the past. – quickshiftin Feb 20 '12 at 21:07
  • 1
    @quickshiftin DES is considered very insecure, and was replaced many years ago by the US government with AES, the Advanced Encryption Standard (specifically, a variant of the Rijndael algorithm). Even before AES, 3DES was devised to improve DES's lackluster security. Several years ago, a specialized machine was created that could break DES in less than a single day. AES can also be accelerated on Intel's SandyBridge processes (via AES-NI), enabling them to encrypt/decrypt with nearly zero overhead! – Kitsune Feb 20 '12 at 22:06
  • @Kitsune Well now you know why I'm on Stackoverflow, haha. Good to know man; I wonder why they even support DES in PHP and so forth if it's known to be so insecure.., well I guess most folks out there are still going w/ non-salted MD5 hashes for passwords so then again... – quickshiftin Feb 21 '12 at 02:08
0

Use Open SSL:

http://www.php.net/manual/en/book.openssl.php

You can generate a public/private key pair without the need for https if it's unavailable.

MarkR
  • 187
  • 1
  • 9
  • By "public/private key pair" I assume you mean asymmetric RSA encryption. RSA is not designed to encrypt data, it is slow ad the data length it can encrypt must e less than the key size. – zaph Nov 25 '17 at 00:58
-1

Of course, SSL (HTTPS) is needed to safely transfer data across the web.

But that said, there are still reasons to encrypt json data, before you sent them.

I had a problem with encrypting json data. It was caused by "\t" in json data. You need to remove them, before encryption. Otherwise there will be a problem when you want to decrypt it back to a propper json format.

$plain_txt = str_replace("\r",'', $plain_txt);

$plain_txt = str_replace("\n",'', $plain_txt);

$plain_txt = str_replace("\t",'', $plain_txt);

See a working example: https://gist.github.com/petermuller71/33616d55174d9725fc00a663d30194ba

Peter Muller
  • 11