How to encrypt data in PHP using public/private keys?

I have a small line of some data (less than 1 KB) that I would like user agents to pass to other sites when they are sent from my site. So that other sites can verify that I was the one who created the line, I have two options.

  • The server takes me back to confirm (e.g. paypal, openid, etc.).
  • I use public/private keys to prove that I sent a message (e.g. PGP, DKIM, etc.).

I do not want to install HMAC because it means that I have to use custom keys for each site, which would be a pain.

Of these two options, it seems that #2 will save on bandwidth, making it the best choice.

So, how can you configure public/private key cryptography using PHP, and are there any disadvantages?

+9
php cryptography php-openssl pgp libsodium
Jan 07 2018-11-11T00:
5 answers

I would create S/MIME public/private key pairs using OpenSSL and then use the OpenSSL command to encrypt and decrypt. I believe this is superior to using PGP because OpenSSL is included in most Linux operating systems, and PGP is not. OpenSSL is also standards-based and generally easier to work with once you have the commands down.

I recommend against a "pure" PHP solution (by pure PHP I mean doing cryptography in PHP, instead of using PHP to call an existing library or a separate executable file). You do not want to do massive cryptography in PHP. Too slow. And you want to use OpenSSL because it is well versed in high performance and security.

Here is the magic.

To make an X.509 key:

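    subj="/C=US/ST=California/L=Remote/O=Country Govt./OU=My Dept/CN=Mr. Agent/emailAddress=agent@investiations.com"
    # Unencrypted key (-nodes) plus self-signed certificate. rsa:1024 is this answer's value; current guidance is at least 2048 bits.
    openssl req -x509 -newkey rsa:1024 -keyout mycert.key -out mycert.pem -nodes -subj "$subj"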

This puts the private key in mycert.key and the public key in mycert.pem. The private key is not password protected.

Now, to sign the message with S/MIME:

    openssl smime -sign -signer mycert.pem -inkey mycert.key <input >output

To encrypt a message using S/MIME:

    openssl smime -encrypt -recip yourcert.pem <input >output

To decrypt a message using S/MIME:

    openssl smime -decrypt -inkey mycert.key -certfile mycert.pem <input >output

I also have some demos of using OpenSSL from C language bindings, but not from PHP.

+9
Jan 14 2018-11-11T00:

Creating a pair of private and public keys using PHP Openssl functions:

    // Configuration settings for the key
    $config = array(
        "digest_alg" => "sha512",
        "private_key_bits" => 4096,
        "private_key_type" => OPENSSL_KEYTYPE_RSA,
    );

    // Create the private and public key
    $res = openssl_pkey_new($config);

    // Extract the private key into $private_key
    openssl_pkey_export($res, $private_key);

    // Extract the public key into $public_key
    $public_key = openssl_pkey_get_details($res);
    $public_key = $public_key["key"];

Then you can encrypt and decrypt using private and public keys, for example:

    // Something to encrypt
    $text = 'This is the text to encrypt';
    echo "This is the original text: $text\n\n";

    // Encrypt using the public key. OAEP padding is passed explicitly because
    // the default for this function is PKCS#1 v1.5.
    openssl_public_encrypt($text, $encrypted, $public_key, OPENSSL_PKCS1_OAEP_PADDING);
    $encrypted_hex = bin2hex($encrypted);
    echo "This is the encrypted text: $encrypted_hex\n\n";

    // Decrypt the data using the private key, with the same padding
    openssl_private_decrypt($encrypted, $decrypted, $private_key, OPENSSL_PKCS1_OAEP_PADDING);
    echo "This is the decrypted text: $decrypted\n\n";

+6
Feb 09 '16 at 10:08

PGP is a good option - it is implemented correctly and completely (i.e. you have little room for security errors with PGP). I think this SO question will help you interact with GnuPG. The question is whether they will verify your signature on other sites. You must either comply with their requirements for the verification mechanism, or provide your own module, which these sites will use for verification.

It is also possible that you can use OAuth or OpenID to identify users on these other sites, but I am not an expert in these technologies.

+2
Jan 07 2018-11-11T00:

Rule 1: Do not execute it yourself, use the library.

Which library? Here are my recommended PHP public key cryptographic libraries:

  • Halite, depends on libsodium (but emphasizes simplicity and ease of use in addition to security).
  • libsodium, from PECL
  • EasyRSA, which implements public key encryption and public key signatures using RSA in the most secure modes (NOT PKCS1v1.5, ever!)
  • phpseclib which EasyRSA disables.

In general, you will need libsodium if your goal is security. Whether or not you use Halite is a matter of taste.

+2
Dec 09 '15 at 7:48
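The proof-of-origin signing the question asks about, done with libsodium as recommended in the answer above. This is an added example, not code from any of the answers; `sign_token()`, `verify_token()`, the dot-separated token layout and the `user`/`exp` claims are assumptions, and it needs PHP 7.3+ with the sodium extension.

```php
<?php
// Added example: Ed25519 detached signature via ext-sodium.
// sign_token(), verify_token() and the claim names are hypothetical.
const B64 = SODIUM_BASE64_VARIANT_URLSAFE_NO_PADDING;

// Sender: produce "<payload>.<signature>", both parts base64url-encoded.
function sign_token(array $claims, string $secretKey): string
{
    $payload = json_encode($claims, JSON_THROW_ON_ERROR);
    $sig = sodium_crypto_sign_detached($payload, $secretKey);
    return sodium_bin2base64($payload, B64) . '.' . sodium_bin2base64($sig, B64);
}

// Receiver: holds only the public key. Returns the claims, or null when the
// token is malformed, altered, signed by another key, or expired.
function verify_token(string $token, string $publicKey, int $now): ?array
{
    $parts = explode('.', $token);
    if (count($parts) !== 2) {
        return null;
    }
    try {
        $payload = sodium_base642bin($parts[0], B64);
        $sig = sodium_base642bin($parts[1], B64);
        // Verify before parsing: unauthenticated bytes never reach json_decode().
        if (!sodium_crypto_sign_verify_detached($sig, $payload, $publicKey)) {
            return null;
        }
        $claims = json_decode($payload, true, 8, JSON_THROW_ON_ERROR);
    } catch (Throwable $e) { // bad base64, wrong lengths, invalid JSON
        return null;
    }
    // A signature proves origin, not freshness, so stale tokens are refused.
    if (!is_array($claims) || !is_int($claims['exp'] ?? null) || $claims['exp'] < $now) {
        return null;
    }
    return $claims;
}

// Constructed sample data.
$keypair   = sodium_crypto_sign_keypair();
$secretKey = sodium_crypto_sign_secretkey($keypair); // stays on the sending site
$publicKey = sodium_crypto_sign_publickey($keypair); // given to every receiving site
$token = sign_token(['user' => 'alice', 'exp' => time() + 300], $secretKey);
var_dump(verify_token($token, $publicKey, time()));  // untouched token

// Payload replaced after signing, original signature kept.
$forged = sodium_bin2base64('{"user":"admin","exp":9999999999}', B64) . strstr($token, '.');
var_dump(verify_token($forged, $publicKey, time()));
```

Every receiving site can share the same public key, which avoids the per-site keys that HMAC would require. The expiry check limits replay of a captured token but does not prevent it within the validity window.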

I wrote an example of encryption and decryption using OpenSSL in PHP and Python.

http://glynrob.com/php/hashing-and-public-key-encryption/

Github source code available.

Remember that a secret key must be available to access the private key.

+1
Oct 19 '13 at 22:56


