3

Ideally I would want to encrypt the variables so there is no way to figure them out, however given that the client will send the variable via javascript and that anything can be decrypted if they see the code, I am looking for alternatives.

I was thinking of using something that would return hex similar to md5 or sha1, but encryption, and then somehow incorporate the server time or date into the variable so that the encryption would only be valid for 1-2 minutes.

The JavaScript would have an obfuscated/minimized function that would base the encryption on the time according to JavaScript and then POST it to PHP. As long as the server's date/time was within X minutes, it would decrypt correctly.

I'd like to send it what seems to be random data, and get back what seems to be random data. I don't want it to be the same data.

Is this the best method? I am only trying to stop people who try to use HTTP sniffers. I know once they get to the javascript source nothing could prevent it given enough time/understanding of what's going on.

If you are going to post actual code, remember that the function/ability should exist in both JavaScript and PHP5 (< 5.3). I would like native, simple/small functions, not implementing a huge third-party class for JS and PHP.

Edit: SSL/HTTPS is out of the question.

6
  • 1
    What are you trying to achieve with this kind of encryption? What are you trying to protect? Commented Jun 24, 2011 at 17:30
  • I am sending user IDs, version numbers. I am trying to prevent a user from disregarding a required update or editing their user ID to someone else's. Commented Jun 24, 2011 at 17:31
  • 6
    Use SSL. End of discussion. It'll encrypt everything out of the box and your code only has to use 'https' urls instead of 'http'. Anything else is pointless. Commented Jun 24, 2011 at 17:32
  • I would recommend SSL with some kind of checksum attached to the variables. That would do the trick. Commented Jun 24, 2011 at 17:35
  • Nothing but HTTPS is going to be secure anyway, so you might as well give up. If the information is valuable enough to protect, it's valuable enough to invest in overcoming any weak security scheme. (It might be helpful if you'd explain why HTTPS is "out of the question", since it's a robust, reliable well-established standard available for free to anyone and everyone.) Commented Jun 24, 2011 at 17:56

4 Answers

8

If you want to stop people from sniffing your web traffic, use https instead of http.

If there's one thing you should learn, it's that encryption is hard. Really hard. If you try to do it yourself, you're not going to get it right, and will likely make some subtle mistake that could bite you later. It's best to leave encryption to the people who know what they're doing.


2 Comments

Also everything that comes from userland, can likely be faked.
Fiddler can decrypt https traffic on fly
4

I assume HTTPS is out of the question.

Have you thought about ROT? Stupid simple implementation at least:

var SOME_NUMBER = 13;      // shared shift; the PHP side must subtract the same value
var input = "hello";       // ASCII value to obfuscate (e.g. the user ID)
var output = "";
for (var i = 0; i < input.length; i++)
{
    var ch = ( input.charCodeAt(i) + SOME_NUMBER ) % 256;   // 256 so a byte of 255 survives
    output += String.fromCharCode( ch );                     // fromCharacterCode does not exist
}

Then, in PHP

define('SOME_NUMBER', 13);        // must match the JavaScript side
$chars = $_POST['chars'];
$output = "";
for($i = 0; $i < strlen($chars); $i++ )
{
    $char = ord($chars[$i]) - SOME_NUMBER;   // $chars[$i] is a byte offset, fine in PHP5
    if($char < 0 )$char += 256;              // undo the % 256 wrap from the JS side
    $output .= chr($char);
}

7 Comments

Yes I thought about ROT, was my first choice. However the 1 to 1 "encryption" is too easily guessable. I am looking for something where the data changes almost every time.
Have SOME_NUMBER be a datestamp rounded to current day. Or every hour. Your JS and PHP are likely to disagree on the current day for a few seconds around midnight but it's unlikely to be a big issue. Or you can send the key in clear text at the beginning of the message; you could hash the current datetime and send that, as long as the key is fixed length you won't have any issues.
I ended up using Dire's method. Here is my Javascript so far: jsbin.com/asanuq/2/edit The code changes every 30 seconds.
OH and PS: fromCharacterCode in JS should be fromCharCode and also the PHP function doesn't decode?
the PHP's $chars[$i] should be substr($chars, $i, 1)
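An added example (my code, not the answer's snippet or the asker's jsbin): the ROT round trip from this answer with SOME_NUMBER taken from a 30-second time bucket as the follow-up comment suggests, plus the server-side window check the question asks for. Function names and the key-mixing formula are assumptions; the output is hex so the POSTed field never carries bytes >= 128 that form encoding would turn into multi-byte UTF-8.

```javascript
// Added example: time-bucketed ROT as described in the answer and comments.
// Both sides must compute the same key; the server also tries neighbouring
// buckets so JS and PHP clocks may disagree by about a minute.
var BUCKET_MS = 30 * 1000;
var SKEW_BUCKETS = 2;   // accept +/- 2 buckets, i.e. roughly +/- 1 minute

function bucketOf(ms) {
  return Math.floor(ms / BUCKET_MS);
}

// Key for a bucket, folded to one byte (assumed mixing; anything
// deterministic that both sides compute identically would do).
function keyForBucket(bucket) {
  return (bucket * 131 + 7) % 256;
}

// Client side: shift every byte of an ASCII string by the bucket key.
function rotEncode(input, bucket) {
  var key = keyForBucket(bucket), out = "";
  for (var i = 0; i < input.length; i++) {
    var c = (input.charCodeAt(i) + key) % 256;   // % 256, not 255, so 0xff survives
    out += (c < 16 ? "0" : "") + c.toString(16);
  }
  return out;
}

// Server side (what the PHP loop does): undo the shift for one bucket.
function rotDecode(hex, bucket) {
  var key = keyForBucket(bucket), out = "";
  for (var i = 0; i + 1 < hex.length; i += 2) {
    out += String.fromCharCode((parseInt(hex.substr(i, 2), 16) - key + 256) % 256);
  }
  return out;
}

// Server side: try the current bucket and its neighbours and keep the first
// candidate with the expected "id=<digits>;v=<version>" shape; a uniform
// byte shift only yields this shape when the key byte matches.
function serverDecode(hex, serverMs) {
  var now = bucketOf(serverMs);
  for (var d = -SKEW_BUCKETS; d <= SKEW_BUCKETS; d++) {
    var plain = rotDecode(hex, now + d);
    if (/^id=\d+;v=[\d.]+$/.test(plain)) return plain;
  }
  return null;   // outside the window, or not produced by this scheme
}
```

Note that this hides the values only from someone who has not read the script: anyone who has can compute the same bucket key, which is the limitation the question itself acknowledges.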
3

If you want some strong, PKI encryption on Javascript, you should check jcryption.

Comments

1

I suggest that AES encryption is a good option. You can find the JavaScript library here https://code.google.com/archive/p/crypto-js/ and PHP one https://packagist.org/packages/blocktrail/cryptojs-aes-php

Now on PHP side:

<?php
include "vendor/autoload.php";
use Blocktrail\CryptoJSAES\CryptoJSAES;

$passphrase = "secret";
$text = "example value";

$encrypted = CryptoJSAES::encrypt($text, $passphrase);
echo "Encrypted: ", $encrypted, PHP_EOL;

It outputs:

Encrypted: U2FsdGVkX1/JVv/nS7aExFZiatvG8Lha7MflNsfuLHo=

We take the encrypted code and decrypt it in JavaScript:

<!DOCTYPE html>
<html>
  <head>
    <script src="https://cdnjs.cloudflare.com/ajax/libs/crypto-js/3.1.2/rollups/aes.js"></script>
  </head>
  <body>
    <script>
      const passphrase = "secret",
            encrypted = "U2FsdGVkX1/JVv/nS7aExFZiatvG8Lha7MflNsfuLHo=",
            decrypted = CryptoJS.AES.decrypt( encrypted, passphrase );  // comma, not semicolon, so decrypted is declared too
      console.log( decrypted.toString( CryptoJS.enc.Utf8 ) );
    </script>
  </body>
</html>

After firing up this HTML in a browser you get in the JavaScript console:

example value

So you can encrypt, for example, sensitive data in PHP, obtain it in the client application with JavaScript and decrypt it. You can do it in the opposite direction. Just do not forget to obfuscate the JavaScript and make the secret look like some JavaScript.

Yet you understand that it's not really secure - with considerable effort one can figure out the encryption method, find the secret and uncover the data.

Comments
