i have client-server application (objective-c and php).
how can i encrypt data on client and then decrypt on server?
the simpler the better
The simplest way to encrypt data traveling over the network is going to be to simply always use TLS to connect to your server running your PHP app. You could verify a particular certificate from within your app if you're afraid of sophisticated man in the middle attacks, though that will make your app fail to work without an update when your certificate changes.
If you truly need encryption/decryption at the application level, not just transport, then you should probably use RSA public-key encryption. Your client will have the public key, your server will have the private key. Apple has documentation on RSA encryption.
Okay, rule number 1: DO NOT write your own cryptographic routines.
Given that, there are some standard cryptographic libraries available. OpenSSL is recommended in this SO article.
Use SSL/TLS protocol, OpenSLL have the implementation of both, check this tutorial, its in c but may be a good start to you.
Related
For private use only, I'm creating and hosting on my web server a PHP application that retrieves all my passwords for various accounts from a MySQL database and serves them to the client that is an iPhone application which should also be able to insert new passwords in the database.
Instead of sending this data over the internet as plain text I would like to encrypt them before sending them but I'm very new to encryption so I'm feeling a little bit disoriented among all the possible encryption algorithms out there.
While the mcrypt function on PHP seems to be very flexible and compatible with many encryption algorithms I couldn't find anything like that on iOS.
What I wanted was some algorithm easy to implement both on PHP and Objective-C that, given some plain text and an encryption key (stored both on the server and on the client), would encrypt AND decrypt the plain text.
For further detail the server/client communication I had in mind was something like this:
Client sends a request containing some client-specific-app-ID and the service
whose password the server should return
The server checks if that client ID is allowed to get that information
If the client is allowed then the server querys the database and
retrieves the password
The server encrypts the password and sends it to the client
The client decrypts the password and shows it to the user
This thing is for personal use only so I don't need unbreakable security because probably nobody will care breaking it.
I'm doing this just for research and to get started with encryption. I know this is not secure at all.
Do you guys know any two-way encryption algorithm that is easy to use both on php and objective-c that I can use to encrypt passwords on the server and decrypt them in iOS?
Don't bother with your own encryption. You just need to use an SSL link, e.g.
https://yourserver.example.com/getpasswords.php
^---
SSL gives you the encryption for free, and as a bonus allows the iOS client to be reasonably sure that it's connecting to YOUR server, and not some malicious fake server.
I have several independent PHP applications running on few servers. None of the servers have SSL, but I'm able to use PHP wraper for SSL. I would like to ensure all data sent between servers is safe and signed. Do I need to generate an certificate or is it enough to create public/private key everytime I send something? Is this aproach safe?
Do I need to generate an certificate or is it enough to create
public/private key everytime I send something?
Don't generate a public/private key every time. How would you be able to check who has control over the private key? The point of certificates is to be able to bind an identity to a public key: checking you trust the certificate and that you're willing to communicate with the identity it refers to is a necessary component to secure the communication.
From what I understand, the communication between the servers doesn't involve user interaction itself. If you control all the servers, you could give them certificates, either self-signed X.509 certificates (if you can install them all for all parties: only applicable for small numbers in practice) or your own CA (if you have OpenSSL, look into CA.pl, which has a man-page).
You could then sign an encrypt the content you exchange using S/MIME (there are functions available in PHP for this).
(You might also be able to achieve the same goal using PGP, using PGP keys/certificates instead.)
If both machines have mcrypt then you could probably encrypt the text you want to send over the wire in PHP at one end and decrypt it at the other, but of course the big issue you have here is going to be key distribution. You'd either have to pre-configure each machine with the correct key and hope nobody notices you're using the same key every time (which is bad), or you'll have to come up with some kind of way of distributing your key to the receiving machine when you send data without the key being snooped. (which is complicated).
You also mentioned signing, which is also a tricky issue.
Whilst it would in theory be possible to implement all this in PHP using an appropriate extension such as mcrypt, I honestly doubt it would be worth the effort of doing it right, which would be considerable, You'd also just be reinventing the wheel.
SSL implements all the stuff you need already and is the accepted industry standard, if at all possible I'd strongly recommend you install it.
In a little project of mine I use Blowfish encryption for some data transfer, using the mcrypt extension that's available on most servers:
$encrypted = mcrypt_encrypt(MCRYPT_BLOWFISH, 'here goes a key', $data, MCRYPT_MODE_ECB, null);
Decrypting goes the same way, just use mcrypt_decrypt. This is a shared key, not a public/private key system.
This is for an iPhone app which needs to send encrypted data to a web page running php. Symmetric or asymmetric encryption is fine. Example code would be greatly appreciated.
Using SSL would be your best bet.
Look up AquaticPrime on the web if you want sample code, includes PHP and Objective-C. This is a package based on SSL for license key generation.
PHP has the Mcrypt library available to be installed which has a number of algorithms. Find a similar library with support which is callable from Objective-C, and give them a try. To avoid having a key on with the program, asymmetric or public key would be more secure (otherwise, it's just giving the password away).
http://www.php.net/manual/en/function.mcrypt-decrypt.php
You can encrypt it on your iPhone app and then decrypt it in PHP. You can pick an algorithm which is supported by both platforms (possibly AES). For the key, you could do something like concatenating the user's password and a long string (salt), the string being hard coded into the iPhone app and the PHP app.
That way, an attacker couldn't decrypt the messages without knowing the user's password, and both the PHP and iPhone app would know this password.
How can I implement encryption between server side in (php/python) and C++ (Win32/Native Windows)?
I have to transfer data between server side (using php or python) and client side (C++ using Win32 APIs). I am not sure that what functions/APIs or Libs I can use on the both sides so that both sides should be able to communicate. I am not looking for some complicated public/private key or using https but a simple encryption method. Any help in this regards would be of great help.
Thanks in advance!
Use OpenSSL on client side and OpenSSL on server side. In other way you writing "I am not looking for some complicated" but if you don't want use some complicated then you don't have encryption. Easiest way is use cleartext transmission without encryption, if you searching something like this use for example ROT13 (str_rot13) but this is not give you any encryption.
I want to use asymmetric encryption of headers in RESTful requests to verify the identity of the system sending the request: i e System A encrypts it's name, timestamp, and the service name using it's public key in a request to System B. System B then uses the public key of System A to decrypt, proving the authenticity of the request.
1) Does php-mcrypt support this?
2) Has anyone benchmarked this type of operation?
No, mcrypt is just symmetric block ciphers.
However the PHP OpenSSL extension supports asymmetric operations. The ones you want are openssl_sign and openssl_verify.
(You have a slight terminology issue - in asymmetric systems, encryption is done with public keys and decryption with private keys; signing is done with private keys and verification with public keys. Do not confuse signing with encryption or decryption - although the underlying operations are often similar, it is not the same thing, and the confusion can lead to insecure implementations).
Of course, you could just do your REST over SSL, using client certificates for authentication.