I have a requirement to pass sensitive data from the source server (running Craft CMS) to a Laravel API. As a result, I would like to encrypt the string at the source server so that the string can be decrypted in the Laravel API for processing.
Laravel has great encryption out of the box so I would prefer to use that for simplicity. How can I ensure the string is encrypted in the same format on the source server?
If this isn't possible (due to the environment difference), what is the next best alternative?
When you encrypt something in Laravel, it returns a base64 encoded JSON string with all the necessary information: IV, encrypted string, HMAC.
To create a string in the format of the Laravel Encrypter, you can do the following.
Encrypt the string using 'AES-CBC'. While it is not the most recommended mode, it is the mode Laravel uses. You can use either 256 bit or 128 bit although you obviously should use 256 (Laravel also tries to serialize the passed value so you should do this too).
Create the HMAC with the function hash_hmac(). The parameters you need are the IV (base64 encoded) and the encrypted string. Concatenate them and use your encryption key to create the HMAC using sha256 as the hashing algorithm.
Create an array with the IV, the encrypted string and the HMAC. Laravel uses the compact() function for this so I would do the same.
JSON encode the resulting array and base64 encode the resulting JSON string.
The result should be an encoded string that Laravel can decrypt with the correct key.
For reference: The source code for the Encrypter class
Related
When I apply Crypt::encrypt(1) I'm getting this encrypted string:
eyJpdiI6IlBoQnliQkZkb0NPT1g5NG9FbkpqV2hLa3ZLUnlWSEFRMEZwM2YxTEdNVk09IiwidmFsdWUiOiJ0N0kyWmZvRWVETzE3WTJWVU5DS1ZpTVFYTGpXNHQxT2YyQWdsMFgxK0xvPSIsIm1hYyI6IjAzMjAzNzdhNzZmYmZiZDVkZGJkMjM5MWY5NjhkNzJjMWFhMzNiYmYyZDJkODNlMmFkODcyNzdhYTE3ZjFkODMifQ==
Is it possible to make string shorter (4-5 times shorter) in Laravel, using the same two-way encryption?
What you want to do, instead of encrypting uri portion is obfuscate it. For example, one of the great libraries for php is Hashids
I'm using RNCryptor for cryptography in an iOS project. The app decrypts JSON strings sent from a server. On the server, the strings are encrypted using unmodified versions of the PHP functions found in the RNCryptor repo.
Using the same password for encrypting all strings, the returned base64 data is sometimes invalid for different JSON strings I pass in to the RNCryptor PHP encrypt function. On the app, I see this error when trying to decrypt the data from the server:
"The operation couldn’t be completed. (net.robnapier.RNCryptManager error -4301.)"
To show you some examples, this base64 string gets successfully decrypted:
AwHwsZqlDpvAcmWX92UtkQSKcHOq18gLsLFtP4FujV3DtXVrtGL86CFY9KAs23HaAoYINTLH3ouUJPpyQEcfXni+rJUJghTFBB24kk52aU0GQ/8IIgfnXPUywUuNwD4n7DnweaS3DdmdhFBQIUpSaCEg4T5bMPhIvUAndVMvJwc/SjbhJoB+bUqRDcPYXPzMiEW1i4jea/ssE87PcX9/NZtfkoNyiY7KLRy/dhgsADde1Q==
This one, however, fails:
AwHH7y0mnQvtWNCKa73jnS2DG63ylqDBc5iema3G6+/EkwPxiIkrPQHyJLvd3MO3mMIPsJjDK1C3uBCoHDc+Gzm0NJhBa08zs1twzZQ1jBdyt/q2AnGX99nku7MqF1oJOJ8nN1lriwYcFyvjBoBkEAAG28umjwxb5Y1t29dXtJzCwsrEVERs+SNkRE5C/j++bMPTV28EmR7LviyaMFAzpT+F5yUlLp2zRQgaQfyG8RlJTcvc+IqsrOisrDn7umDg+ii/Z9GDLlMkhu7OL1lHfcmD
It seems only the base64 strings that have the "=" character get decrypted successfully. Again, I used the same password to encrypt & decrypt these two strings. Why is the PHP encrypt function behaving like this?
P.S. The JSON strings passed in are perfectly valid (generated using the PHP json_encode() function).
After much debugging, the issue turned out to be the base64 decoder I was using on iOS. I was initially using the NSData+Base64 category from this blog post. It's flawed.
I ended up using the implementation here. Everything decrypts just fine now. :)
I'm trying to encrypt a string the same way on a server in PHP as on an Objective-C on iOS. I've used PHP's crypt() function with the blowfish algorithm, but it takes two parameters: the string to encode and a salt. The Objective-C implementation I found: https://dl.dropboxusercontent.com/u/28430840/Blowfish-iOS-Source.zip
which was at http://www.codeding.com/articles/blowfish-encryption-algorithm-for-iphone takes three different parameters: either EBC/CBC encoding, an initvector and a key -- how does this translate to the PHP salt?
I found the initial c library but I have no idea how to include it in my project -- when I compile it fails and complains about the x86.S file.
Thanks!!!
I suppose you are looking at the wrong function. It's not crypt what you search, but mcrypt_encrypt.
This function takes an init vector, a key and an encoding parameter.
Is there a way in PHP to test if a string has been encrypted using mcrypt_encrypt?
You have not written what you're actually concerned about specifically, but:
Whether or not some data has been encrypted is not dependent on which encryption function has been used but which encryption algorithm. Say, if somebody has encrypted something in PERL or in PHP - you can't tell by having the encrypted string.
So as this applies, you can't tell for mcrypt_encrypt. That function does not leave any sign inside the encrypted data.
However, if you have the key and the original text (plain) as well as the algorithm, you can reverse what mcrypt_encrypt does with mcrypt_decrypt. You can then compare the plains and if they match you can say that the plain was encrypted with the specific key and algorithm.
As we're talking about encryption, this is normally not the case, you don't have the plain.
However, you can create a checksum of the plain and encrypt it as well. Then you can decrypt it later on and compare it with a checksum of the plain you encrypted as well to tell if the data was successfully decrypted. But as this shows, this is actually additional information next to the encrypted data.
If you add more information what you're looking for, it might be possible to give more helpful suggestions.
when encrypting add some static text to your string ; when cheking use mcrypt_encode again with static text this time without original string see if encrypted static text exist in encrypted string . it should work
Presumably you mean mcrypt_encrypt()? There is no mcrypt_encode() function.
No. A properly encrypted string should be indistinguishable from random garbage. The only way to test a crypted string to see if it's crypted is to decrypt it.
Is it possible to encrypt data in ASP and decrypt it in PHP? I will be writing an application in PHP that will take data from an SQL server database that has been encrypted by another application in ASP. We therefore need to use the same encryption/decryption method. Is this possible?
As mentioned in the comments, base64 is not encryption, but encoding. It can be a great way to encode binary objects for transport and storage.
The answer is, yes, if you use base64 encoding in ASP and store the value in the DB, you will be able to use base64_decode in PHP and get the original data back out.
Is it possible to encrypt data in ASP and decrypt it in PHP?
Of course.
We therefore need to use the same encrypt / decrypt method. Is this possible?
Yes
base64 encryption
base64 is an encoding scheme, it isn't encryption. PHP has base64 functions.