Exchange data in a secure way

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

Post Reply
BDB100
Forum Newbie
Posts: 8
Joined: Tue Sep 07, 2010 2:15 am

Exchange data in a secure way

Post by BDB100 »

Hi,

I have the following question.
We would like to install a terminal in one of our offices where users can do some input of data.
This data should be sent from the terminal to our webserver and our webserver should send a response to the terminal.

How can this be done in a secure way (do we "post" the data to a page on our server ?) and how can we determine
that the "posted" data is sent from the terminal and not from another "sender".

Best regards,
User avatar
social_experiment
DevNet Master
Posts: 2793
Joined: Sun Feb 15, 2009 11:08 am
Location: .za

Re: Exchange data in a secure way

Post by social_experiment »

BDB100 wrote:How can this be done in a secure way (do we "post" the data to a page on our server ?) and how can we determine
that the "posted" data is sent from the terminal and not from another "sender".
Take a look at http://www.google.co.za/search?hl=af&source=hp&q=HTTPS
Hth
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.” - Mosher’s Law of Software Engineering
Peter Kelly
Forum Contributor
Posts: 143
Joined: Fri Jan 14, 2011 5:33 pm
Location: England
Contact:

Re: Exchange data in a secure way

Post by Peter Kelly »

Id recommend getting a SSL certificate these can be expensive but depending on the data can be a cheap way of transferring data. I would also try encode/encrypt any data using coding.
BDB100
Forum Newbie
Posts: 8
Joined: Tue Sep 07, 2010 2:15 am

Re: Exchange data in a secure way

Post by BDB100 »

Thanks for the replies.

If we have an SSL certificate do we have to add code to post data with the SSL certificate or to check that data is
posted using a valid certificate ?

Regards
Peter Kelly
Forum Contributor
Posts: 143
Joined: Fri Jan 14, 2011 5:33 pm
Location: England
Contact:

Re: Exchange data in a secure way

Post by Peter Kelly »

You can have a look into http://uk3.php.net/openssl but I believe as long as you submit forms using https it should be ok ish.
User avatar
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: Exchange data in a secure way

Post by Mordred »

It depends on what you need.
TLS/SSL/HTTPS only solves the problem of having someone impersonate the server. It DOES NOT prevent someone impersonating the client, you'd need additional checks for that.
BDB100
Forum Newbie
Posts: 8
Joined: Tue Sep 07, 2010 2:15 am

Re: Exchange data in a secure way

Post by BDB100 »

The client needs to very the server. SSL should take care of that.
But we also need to authenticate the client. Is there a function we could use to do that (through php code) ?

Our goal is to determine that the data that gets posted to our server comes from the terminal in our office (and not from someone else).
User avatar
Apollo
Forum Regular
Posts: 794
Joined: Wed Apr 30, 2008 2:34 am

Re: Exchange data in a secure way

Post by Apollo »

Create a 1024 bit private / public key pair with OpenSSL. Then on the client, encrypt the data with openssl_private_encrypt (using the private key).

On the server, decrypt the data with openssl_public_decrypt using the public key. If this succeeds, the message was guaranteed to be sent from the real client.

Alternatively, you could also send along a hash of the data + some hidden string that acts as a salt / password. For example, along with the actual data you also send hash('sha512',$data.'s0mE_SeCr3t_PaSsW0Rd_9136712384').
You verify this on the server end by calculating the same hash there. If the hash doesn't match, reject the data. Someone trying to impersonate the client won't be able to generate the correct hash without knowing the password.

The advantage of using openssl_* is the client could also encrypt it twice: first with the server's public key, then with the client's own private key. Then the server decrypts the data with the client's public key, and then with the server's own private key. This way you not only guarantee the sender was indeed the real client, but also the server being the only one who can decrypt the actual data (since an impersonating server won't have the required private key). So this is essentially a two-way protection.
User avatar
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: Exchange data in a secure way

Post by Mordred »

Asymmetric crypto might not be the best choice performance-wise, and also may not be applicable to their needs. From what I gather about their problem is that a *browser* on the client will want to access a secret url on their server. Simple authentication and https should do the trick.
User avatar
Apollo
Forum Regular
Posts: 794
Joined: Wed Apr 30, 2008 2:34 am

Re: Exchange data in a secure way

Post by Apollo »

Mordred wrote:From what I gather about their problem is that a *browser* on the client will want to access a secret url on their server. Simple authentication and https should do the trick.
Aaah right. Agreed, and for TS: simple authentication could be just a .htaccess file in your web root dir, like this: (using mod_auth)

Code: Select all

Order deny,allow
AuthUserFile "/somewhere/outside/your/web/root/.htpasswd"
AuthName "You are accessing a private area!"
AuthType Basic
Require valid-user
The .htpasswd file contains a "username:passwordhash" line for each allowed user. Google for 'htpasswd generator' to generate the appropriate hash.
BDB100
Forum Newbie
Posts: 8
Joined: Tue Sep 07, 2010 2:15 am

Re: Exchange data in a secure way

Post by BDB100 »

Hi,

Thanks for the replies. HTTPS and simple authentication should do the trick indeed !
Post Reply