Exchange data in a secure way
Hi,
I have the following question.
We would like to install a terminal in one of our offices where users can do some input of data.
This data should be sent from the terminal to our webserver and our webserver should send a response to the terminal.
How can this be done in a secure way (do we "post" the data to a page on our server?) and how can we determine that the "posted" data is sent from the terminal and not from another "sender".
Best regards,
- social_experiment
- DevNet Master
- Posts: 2793
- Joined: Sun Feb 15, 2009 11:08 am
- Location: .za
Re: Exchange data in a secure way
BDB100 wrote: How can this be done in a secure way (do we "post" the data to a page on our server ?) and how can we determine that the "posted" data is sent from the terminal and not from another "sender".
Take a look at http://www.google.co.za/search?hl=af&source=hp&q=HTTPS
Hth
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.” - Mosher’s Law of Software Engineering
- Peter Kelly
- Forum Contributor
- Posts: 143
- Joined: Fri Jan 14, 2011 5:33 pm
- Location: England
Re: Exchange data in a secure way
I'd recommend getting an SSL certificate; these can be expensive but, depending on the data, can be a cheap way of transferring data. I would also try to encode/encrypt any data using coding.
Re: Exchange data in a secure way
Thanks for the replies.
If we have an SSL certificate do we have to add code to post data with the SSL certificate or to check that data is posted using a valid certificate?
Regards
- Peter Kelly
- Forum Contributor
- Posts: 143
- Joined: Fri Jan 14, 2011 5:33 pm
- Location: England
Re: Exchange data in a secure way
You can have a look into http://uk3.php.net/openssl but I believe as long as you submit forms using https it should be ok ish.
Re: Exchange data in a secure way
It depends on what you need.
TLS/SSL/HTTPS only solves the problem of having someone impersonate the server. It DOES NOT prevent someone impersonating the client, you'd need additional checks for that.
Re: Exchange data in a secure way
The client needs to verify the server. SSL should take care of that.
But we also need to authenticate the client. Is there a function we could use to do that (through php code) ?
Our goal is to determine that the data that gets posted to our server comes from the terminal in our office (and not from someone else).
Re: Exchange data in a secure way
Create a 1024 bit private / public key pair with OpenSSL. Then on the client, encrypt the data with openssl_private_encrypt (using the private key).
On the server, decrypt the data with openssl_public_decrypt using the public key. If this succeeds, the message was guaranteed to be sent from the real client.
Alternatively, you could also send along a hash of the data + some hidden string that acts as a salt / password. For example, along with the actual data you also send hash('sha512',$data.'s0mE_SeCr3t_PaSsW0Rd_9136712384').
You verify this on the server end by calculating the same hash there. If the hash doesn't match, reject the data. Someone trying to impersonate the client won't be able to generate the correct hash without knowing the password.
The advantage of using openssl_* is the client could also encrypt it twice: first with the server's public key, then with the client's own private key. Then the server decrypts the data with the client's public key, and then with the server's own private key. This way you not only guarantee the sender was indeed the real client, but also the server being the only one who can decrypt the actual data (since an impersonating server won't have the required private key). So this is essentially a two-way protection.
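The two checks described in the post above, as an added example that is not part of the original thread: it uses PHP's hash_hmac with hash_equals for the shared-secret check and openssl_sign / openssl_verify for the key-pair check, in place of the calls named in the post. The function names, the timestamp field, the 300-second window, the sample payload and the 2048-bit key size are assumptions of this example.

```php
<?php
// Added example; the key, payload and function names are constructed for illustration.
// Terminal: tag timestamp + data with HMAC-SHA512 under the shared secret.
function terminal_build_request(string $data, string $secret, int $now): array
{
    return ['ts' => $now, 'data' => $data,
            'mac' => hash_hmac('sha512', $now . "\n" . $data, $secret)];
}

// Server: recompute the tag, compare in constant time, reject stale requests.
function server_verify_request(array $req, string $secret, int $now, int $maxAge = 300): bool
{
    if (!isset($req['ts'], $req['data'], $req['mac'])
        || !is_string($req['data']) || !is_string($req['mac'])) {
        return false;                                  // malformed request
    }
    $ts = filter_var($req['ts'], FILTER_VALIDATE_INT);
    if ($ts === false || abs($now - $ts) > $maxAge) {
        return false;                                  // limits replay of a captured request
    }
    $expected = hash_hmac('sha512', $ts . "\n" . $req['data'], $secret);
    return hash_equals($expected, $req['mac']);
}

// Key-pair variant: the terminal signs, the server verifies with the public key.
function terminal_sign(string $data, $privateKey): string
{
    if (!openssl_sign($data, $signature, $privateKey, OPENSSL_ALGO_SHA256)) {
        throw new RuntimeException('signing failed');
    }
    return $signature;
}

function server_verify_signature(string $data, string $signature, $publicKey): bool
{
    return openssl_verify($data, $signature, $publicKey, OPENSSL_ALGO_SHA256) === 1;
}

// Constructed demo: a genuine request, then the same request with altered data.
$secret = random_bytes(32);
$req = terminal_build_request('room=12;count=3', $secret, time());
var_dump(server_verify_request($req, $secret, time()));
$req['data'] = 'room=12;count=300';
var_dump(server_verify_request($req, $secret, time()));
// Key size is this example's choice; the private key stays on the terminal only.
$pair = openssl_pkey_new(['private_key_type' => OPENSSL_KEYTYPE_RSA, 'private_key_bits' => 2048]);
$sig  = terminal_sign('room=12;count=3', $pair);
$pub  = openssl_pkey_get_details($pair)['key'];
var_dump(server_verify_signature('room=12;count=3', $sig, $pub));
var_dump(server_verify_signature('room=12;count=300', $sig, $pub));
```

Neither check hides the data or authenticates the server to the terminal, so the request still travels over HTTPS.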
Re: Exchange data in a secure way
Asymmetric crypto might not be the best choice performance-wise, and also may not be applicable to their needs. From what I gather about their problem is that a *browser* on the client will want to access a secret url on their server. Simple authentication and https should do the trick.
Re: Exchange data in a secure way
Mordred wrote: From what I gather about their problem is that a *browser* on the client will want to access a secret url on their server. Simple authentication and https should do the trick.
Aaah right. Agreed, and for TS: simple authentication could be just a .htaccess file in your web root dir, like this: (using mod_auth)
Code:
Order deny,allow
AuthUserFile "/somewhere/outside/your/web/root/.htpasswd"
AuthName "You are accessing a private area!"
AuthType Basic
Require valid-user
Re: Exchange data in a secure way
Hi,
Thanks for the replies. HTTPS and simple authentication should do the trick indeed !