I am trying to make a PHP script to interact a with a Java application. They will share some information, so I would like to encrypt the data that is passed between them to make it as secure as possible, on top of having an SSL certificate. However, because my website is only on a shared server at JustHost, as far as I am aware I can not use the 'mcrypt' PHP module, so I'm not sure how to do it so that both my Java application and the PHP script can encrypt data being sent and decrypt data being received!
11
-
3Why don't you just settle on a standard encryption system (say, RSA) and use their implementations in PHP and Java? Like, for example, pear.php.net/package/Crypt_RSA and javamex.com/tutorials/cryptography/rsa_encryption.shtml ?Rafael Almeida– Rafael Almeida2011-08-27 15:58:51 +00:00Commented Aug 27, 2011 at 15:58
-
@Rafael: if mcrypt is not an option, there is a good chance that Crypt_RSA won't be (it also have dependencies on external modules). BTW, RSA should not be used for data encryption, but rather to handshake and negociate a common secret key.JB Nizet– JB Nizet2011-08-27 16:07:36 +00:00Commented Aug 27, 2011 at 16:07
-
@Andy: Do you already use SSL to communicate between the applications. If so, why do you want to add an additional encryption layer? SSL is sufficient.JB Nizet– JB Nizet2011-08-27 16:09:21 +00:00Commented Aug 27, 2011 at 16:09
-
@Rafael: Thank you for reply. However, as JB Nizet pointed out - the problem is that I can't really install any external modules for PHP unfortunately...Andy– Andy2011-08-27 16:17:22 +00:00Commented Aug 27, 2011 at 16:17
-
2@Andy Where you get the certificate from has little bearing on the strength of the encryption itself. Also the very reason SSL exists is so you can't "hijack" the data being in transport - adding this additional layer is unnecessary and likely a pain to work with. For starters, how are you going to exchange keys between PHP and Java?NullUserException– NullUserException2011-08-27 16:28:45 +00:00Commented Aug 27, 2011 at 16:28
|
Show 6 more comments
1 Answer
Your SSL conversation between Java and PHP will protect it your data while it's in transit. Should you properly protect the private key with a strong password (10+ symbols) and make sure your algorithms strong no one will be able to break it by snooping on the conversation.
You won't get any extra protection by encrypting the data before sending it over the SSL conversation. And you actually might be weakening your security because in order for you to encrypt data you'll have to share some key should you choose symmetric encryption. And, by trading secret keys you're undoing much of the protection SSL gives you because the huge benefit of SSL is the fact we can encrypt data without agreeing on a secret key. If I were trying to get at your encrypted text I'd attack your client because it's easier to find your symmetric encryption key than it is to break SSL. And while you could use asymmetric encryption you'll be basically re-inventing SSL.
I would focus on making sure your SSL conversation is strong. Using only the strongest symmetric encryption: TripleDES, IDEA, AES if your server supports it. Take out the weaker algorithms so conversations can't use the weaker encryption. Generate 1024+ public/private key pairs. That might not always be easy on your shared server, but your Java application could only choose to use TripleDES, IDEA, and AES.
Make sure you validate the server's certificate on the client side so you ensure you aren't talking to a false service. That basically means taking the server's certificate and adding it to the keystore used on the client. If that's Java you can use keytool to import a certificate and use that keystore as your TrustManager/KeyManager in your SSL conversation.
If you want to encrypt the data after it's gone over the SSL conversation then you can encrypt/decrypt on the server only. But, you still have a key management problem. If you encrypt/decrypt how do you plan on securing the secret key on the server? That's always the ugly problem that doesn't have a simple answer.
3 Comments
chubbsondubs
Yes you are right AES would be best, but I don't think Apache supports it out of the box. Thanks for mentioning it. I added it to the answer just in case.
Andy
@chubbard:sorry for the delayed reply and thank you very much for your answer.I will definitely just settle for the security of my SSL certificate now; I am very glad that you warned be that I could actually compromise my SSL by adding another layer of encryption-especially seeing as though I'm not an expert at PHP at the best of times! You have also told me about importing the certificate into my Java application, which is something that I wasn't aware I should do and I will definitely look into-so I thank you for that as well!(I just thought it was a simple case of putting https not http)
Andy
Unfortunately, I'm not sure that I have the time, or knowledge to start ensuring that my "SSL conversation" is strong at the minute - but I am looking at investing into a dedicated server etc, etc. in the near future so hopefully that will allow me to take security to the next level...