Is it possible to encrypt data in ASP and decrypt it in PHP? I will be writing an application in PHP that will take data from an SQL server database that has been encrypted by another application in ASP. We therefore need to use the same encryption/decryption method. Is this possible?
As mentioned in the comments, base64 is not encryption, but encoding. It can be a great way to encode binary objects for transport and storage.
The answer is, yes, if you use base64 encoding in ASP and store the value in the DB, you will be able to use base64_decode in PHP and get the original data back out.
Is it possible to encrypt data in ASP and decrypt it in PHP?
Of course.
We therefore need to use the same encrypt / decrypt method. Is this possible?
Yes
base64 encryption
base64 is an encoding scheme, it isn't encryption. PHP has base64 functions.
Related
I have a requirement to pass sensitive data from the source server (running Craft CMS) to a Laravel API. As a result, I would like to encrypt the string at the source server so that the string can be decrypted in the Laravel API for processing.
Laravel has great encryption out of the box so I would prefer to use that for simplicity. How can I ensure the string is encrypted in the same format on the source server?
If this isn't possible (due to the environment difference), what is the next best alternative?
When you encrypt something in Laravel, it returns a base64 encoded JSON string with all the necessary information: IV, encrypted string, HMAC.
To create a string in the format of the Laravel Encrypter, you can do the following.
Encrypt the string using 'AES-CBC'. While it is not the most recommended mode, it is the mode Laravel uses. You can use either 256 bit or 128 bit although you obviously should use 256 (Laravel also tries to serialize the passed value so you should do this too).
Create the HMAC with the function hash_hmac(). The parameters you need are the IV (base64 encoded) and the encrypted string. Concatenate them and use your encryption key to create the HMAC using sha256 as the hashing algorithm.
Create an array with the IV, the encrypted string and the HMAC. Laravel uses the compact() function for this so I would do the same.
JSON encode the resulting array and base64 encode the resulting JSON string.
The result should be an encoded string that Laravel can decrypt with the correct key.
For reference: The source code for the Encrypter class
I'm using RNCryptor for cryptography in an iOS project. The app decrypts JSON strings sent from a server. On the server, the strings are encrypted using unmodified versions of the PHP functions found in the RNCryptor repo.
Using the same password for encrypting all strings, the returned base64 data is sometimes invalid for different JSON strings I pass in to the RNCryptor PHP encrypt function. On the app, I see this error when trying to decrypt the data from the server:
"The operation couldn’t be completed. (net.robnapier.RNCryptManager error -4301.)"
To show you some examples, this base64 string gets successfully decrypted:
AwHwsZqlDpvAcmWX92UtkQSKcHOq18gLsLFtP4FujV3DtXVrtGL86CFY9KAs23HaAoYINTLH3ouUJPpyQEcfXni+rJUJghTFBB24kk52aU0GQ/8IIgfnXPUywUuNwD4n7DnweaS3DdmdhFBQIUpSaCEg4T5bMPhIvUAndVMvJwc/SjbhJoB+bUqRDcPYXPzMiEW1i4jea/ssE87PcX9/NZtfkoNyiY7KLRy/dhgsADde1Q==
This one, however, fails:
AwHH7y0mnQvtWNCKa73jnS2DG63ylqDBc5iema3G6+/EkwPxiIkrPQHyJLvd3MO3mMIPsJjDK1C3uBCoHDc+Gzm0NJhBa08zs1twzZQ1jBdyt/q2AnGX99nku7MqF1oJOJ8nN1lriwYcFyvjBoBkEAAG28umjwxb5Y1t29dXtJzCwsrEVERs+SNkRE5C/j++bMPTV28EmR7LviyaMFAzpT+F5yUlLp2zRQgaQfyG8RlJTcvc+IqsrOisrDn7umDg+ii/Z9GDLlMkhu7OL1lHfcmD
It seems only the base64 strings that have the "=" character get decrypted successfully. Again, I used the same password to encrypt & decrypt these two strings. Why is the PHP encrypt function behaving like this?
P.S. The JSON strings passed in are perfectly valid (generated using the PHP json_encode() function).
After much debugging, the issue turned out to be the base64 decoder I was using on iOS. I was initially using the NSData+Base64 category from this blog post. It's flawed.
I ended up using the implementation here. Everything decrypts just fine now. :)
I have an Android application which use AES encryption to encrypt a password.
I have a key in my app and I generate a random IV for each encryption, and I will use this IV to decrypt the password in a php file.
In the android application, the IV is a byte[] and I don't know how to send it via http request.
I think I have to encode it because the byte[] generated is not convertible in a String to send it easily but I don't know how.
I was thinking to send it with a ByteArrayEntity but I can't give a name to this POST parameter so I can't receive it from my PHP file.
If you have any idea, can you help me please ?
Thanks in advance
Use base64 encoding. Both android and java provide mechanisms to encode and decode bae64 strings into usable formats for their respective encryption mechanisms.
Is there a way in PHP to test if a string has been encrypted using mcrypt_encrypt?
You have not written what you're actually concerned about specifically, but:
Whether or not some data has been encrypted is not dependent on which encryption function has been used but which encryption algorithm. Say, if somebody has encrypted something in PERL or in PHP - you can't tell by having the encrypted string.
So as this applies, you can't tell for mcrypt_encrypt. That function does not leave any sign inside the encrypted data.
However, if you have the key and the original text (plain) as well as the algorithm, you can reverse what mcrypt_encrypt does with mcrypt_decrypt. You can then compare the plains and if they match you can say that the plain was encrypted with the specific key and algorithm.
As we're talking about encryption, this is normally not the case, you don't have the plain.
However, you can create a checksum of the plain and encrypt it as well. Then you can decrypt it later on and compare it with a checksum of the plain you encrypted as well to tell if the data was successfully decrypted. But as this shows, this is actually additional information next to the encrypted data.
If you add more information what you're looking for, it might be possible to give more helpful suggestions.
when encrypting add some static text to your string ; when cheking use mcrypt_encode again with static text this time without original string see if encrypted static text exist in encrypted string . it should work
Presumably you mean mcrypt_encrypt()? There is no mcrypt_encode() function.
No. A properly encrypted string should be indistinguishable from random garbage. The only way to test a crypted string to see if it's crypted is to decrypt it.
Im currently using base64_encode for some $_GET params that i don't want regular user to mess with.
I was wondering that base64 is not looking too strong or is it ?
I also don't want to make some sort of mega encoding it's not so much of important information, but i would not like that user with average knowledge would mess with params in get.
Should i keep using base64 ? Currently it produces MQ== if value is 1 so it's quite easy to take it out from URL and decode and then insert your own.
Base-64 encoding doesn’t protect the data in any way. It’s a simply base conversion like using hexadecimal instead of decimal for integers.
If you just want to verify data integrity, you can use a salted hash (with a secret salt) that you store along with the data. See for example the hashed message authentication code (HMAC).
base64_encode() is not a security measure! It was designed to make sending of binary blobs possible through mediums that typically transfer ASCII only.
Use a session, or properly encrypt your variables.
I would recommend just using a session, and storing it out of the default /tmp for good measure with...
ini_set('session.save_path', '/sessions');
If you want some real encryption/decryption take a look at the Mcrypt features of PHP. http://www.php.net/manual/en/mcrypt.examples.php
But then you may want to use POST instead of GET because of the URL specifications which are limited in character usage and URL length.
Depends on what you want do do with it.
If you just want to obfuscate it (especially when you're generating those URLs in Javascript or so), you could apply ROT13 to the URL and swap a few additional characters to make decoding it a little bit more difficult.
However, if the security of your application depends on it, you could apply a static-key symmetric encrytion on the data server-side and decode it when you receive a request or so. I think that there are frameworks or so for that.