I need to read data from XLS files that are marked as protected workbooks (of which I have the password). I cannot find any PHP libraries that allows for this functionality, so am looking into writing the code to do so myself. I can't seem to find any information on how the protection is applied, going by this, it is not clear whether any encryption is applied in the case of a protected workbook (selecting protect workbook in the Excel menu). If any encryption is applied, how do you determine which method is applied? The following options are listed:
Weak Encryption (XOR)
Office 97/2000 Compatible
RC4, Microsoft Base Cryptographic Provider v1.0
RC4, Microsoft Base DSS and Diffie-Hellman Cryptographic Provider
RC4, Microsoft DH SChannel Cryptographic Provider
RC4, Microsoft Enhanced Cryptographic Provider v1.0
RC4, Microsoft Enhanced DSS and Diffie-Hellman Cryptographic Provider
RC4, Microsoft Enhanced RSA and AES Cryptographic Provider (Prototype)
RC4, Microsoft RSA SChannel Cryptographic Provider
RC4, Microsoft Strong Cryptographic Provider
When parsing the file with PHP, it does seem like some encryption is applied, as I get jibberish tokens after the FILEPASS (0x2f) token is read. (In this case I just ignored the FILEPASS token)
Are there any libraries that can read data of a protected workbook? (preferably PHP). Any sources which explain how the encryption is done?
Related
I haven't used an SSL certificate before and was curious to whether this is a Certificate issue or something I am doing incorrect.
I have purchased an SSL certificate which is running on my server. I am using Laravel 5. I am using the MCRYPT_RIJNDAEL_256 cipher.
In Google chrome is displays the following
Your connection to ... is encrypted with obsolete technology.
The connection is encrypted using AES_256_CBC, with SHA1 for message authentication and ECDHE_RSA as the key exchange mechanism.
Is there something I need to change, or do I not need to worry about this?
10 days ago this question was answered here: https://security.stackexchange.com/questions/83831/google-chrome-your-connection-to-website-is-encrypted-with-obsolete-cryptograph
For "modern cryptography" you should use authenticated encryption. Google Chrome supports AES_128_GCM and CHACHA20_POLY1305.
Google is killing SHA1 as a certificate signature algorithm, not a message authentication code. Currently, when Chrome sees obsolete cryptography, its behaviour doesn't change.
#lukasgeiter actually hold the answer in the comments:
Google blog states:
Chrome will start the process of sunsetting SHA-1 (as used in certificate signatures for HTTPS) with Chrome 39 in November. HTTPS sites whose certificate chains use SHA-1 and are valid past 1 January 2017 will no longer appear to be fully trustworthy in Chrome’s user interface.
In November 2014, code was checked into the chromium project that changes the messages shown in the Connection dialog.
Previously, the wording stated the bit level of the encryption of the connection, which could be misleading.
Now, Chrome will label the connection as modern if it is >= TLS 1.2 AND uses Forward Secrecy (e.g. ECDHE_RSA) AND an AEAD cipher (either AES-GCM or CHACHA20_POLY1305). Otherwise, it will be labeled as obsolete.
If you are able to configure the server yourself, and have determined you want to configure it to support a modern profile, Mozilla's SSL Configuration Generator is a good place to start.
See also Mozilla's Security/Server Side TLS wiki page for more information.
I have several independent PHP applications running on few servers. None of the servers have SSL, but I'm able to use PHP wraper for SSL. I would like to ensure all data sent between servers is safe and signed. Do I need to generate an certificate or is it enough to create public/private key everytime I send something? Is this aproach safe?
Do I need to generate an certificate or is it enough to create
public/private key everytime I send something?
Don't generate a public/private key every time. How would you be able to check who has control over the private key? The point of certificates is to be able to bind an identity to a public key: checking you trust the certificate and that you're willing to communicate with the identity it refers to is a necessary component to secure the communication.
From what I understand, the communication between the servers doesn't involve user interaction itself. If you control all the servers, you could give them certificates, either self-signed X.509 certificates (if you can install them all for all parties: only applicable for small numbers in practice) or your own CA (if you have OpenSSL, look into CA.pl, which has a man-page).
You could then sign an encrypt the content you exchange using S/MIME (there are functions available in PHP for this).
(You might also be able to achieve the same goal using PGP, using PGP keys/certificates instead.)
If both machines have mcrypt then you could probably encrypt the text you want to send over the wire in PHP at one end and decrypt it at the other, but of course the big issue you have here is going to be key distribution. You'd either have to pre-configure each machine with the correct key and hope nobody notices you're using the same key every time (which is bad), or you'll have to come up with some kind of way of distributing your key to the receiving machine when you send data without the key being snooped. (which is complicated).
You also mentioned signing, which is also a tricky issue.
Whilst it would in theory be possible to implement all this in PHP using an appropriate extension such as mcrypt, I honestly doubt it would be worth the effort of doing it right, which would be considerable, You'd also just be reinventing the wheel.
SSL implements all the stuff you need already and is the accepted industry standard, if at all possible I'd strongly recommend you install it.
In a little project of mine I use Blowfish encryption for some data transfer, using the mcrypt extension that's available on most servers:
$encrypted = mcrypt_encrypt(MCRYPT_BLOWFISH, 'here goes a key', $data, MCRYPT_MODE_ECB, null);
Decrypting goes the same way, just use mcrypt_decrypt. This is a shared key, not a public/private key system.
i have client-server application (objective-c and php).
how can i encrypt data on client and then decrypt on server?
the simpler the better
The simplest way to encrypt data traveling over the network is going to be to simply always use TLS to connect to your server running your PHP app. You could verify a particular certificate from within your app if you're afraid of sophisticated man in the middle attacks, though that will make your app fail to work without an update when your certificate changes.
If you truly need encryption/decryption at the application level, not just transport, then you should probably use RSA public-key encryption. Your client will have the public key, your server will have the private key. Apple has documentation on RSA encryption.
Okay, rule number 1: DO NOT write your own cryptographic routines.
Given that, there are some standard cryptographic libraries available. OpenSSL is recommended in this SO article.
Use SSL/TLS protocol, OpenSLL have the implementation of both, check this tutorial, its in c but may be a good start to you.
This is for an iPhone app which needs to send encrypted data to a web page running php. Symmetric or asymmetric encryption is fine. Example code would be greatly appreciated.
Using SSL would be your best bet.
Look up AquaticPrime on the web if you want sample code, includes PHP and Objective-C. This is a package based on SSL for license key generation.
PHP has the Mcrypt library available to be installed which has a number of algorithms. Find a similar library with support which is callable from Objective-C, and give them a try. To avoid having a key on with the program, asymmetric or public key would be more secure (otherwise, it's just giving the password away).
http://www.php.net/manual/en/function.mcrypt-decrypt.php
You can encrypt it on your iPhone app and then decrypt it in PHP. You can pick an algorithm which is supported by both platforms (possibly AES). For the key, you could do something like concatenating the user's password and a long string (salt), the string being hard coded into the iPhone app and the PHP app.
That way, an attacker couldn't decrypt the messages without knowing the user's password, and both the PHP and iPhone app would know this password.
I want to use asymmetric encryption of headers in RESTful requests to verify the identity of the system sending the request: i e System A encrypts it's name, timestamp, and the service name using it's public key in a request to System B. System B then uses the public key of System A to decrypt, proving the authenticity of the request.
1) Does php-mcrypt support this?
2) Has anyone benchmarked this type of operation?
No, mcrypt is just symmetric block ciphers.
However the PHP OpenSSL extension supports asymmetric operations. The ones you want are openssl_sign and openssl_verify.
(You have a slight terminology issue - in asymmetric systems, encryption is done with public keys and decryption with private keys; signing is done with private keys and verification with public keys. Do not confuse signing with encryption or decryption - although the underlying operations are often similar, it is not the same thing, and the confusion can lead to insecure implementations).
Of course, you could just do your REST over SSL, using client certificates for authentication.