Page 1 of 1

Exchange data in a secure way

Posted: Wed Jan 19, 2011 9:32 am
by BDB100
Hi,

I have the following question.
We would like to install a terminal in one of our offices where users can do some input of data.
This data should be sent from the terminal to our webserver and our webserver should send a response to the terminal.

How can this be done in a secure way (do we "post" the data to a page on our server ?) and how can we determine
that the "posted" data is sent from the terminal and not from another "sender".

Best regards,

Re: Exchange data in a secure way

Posted: Wed Jan 19, 2011 11:19 am
by social_experiment
BDB100 wrote:How can this be done in a secure way (do we "post" the data to a page on our server ?) and how can we determine
that the "posted" data is sent from the terminal and not from another "sender".
Take a look at http://www.google.co.za/search?hl=af&source=hp&q=HTTPS
Hth

Re: Exchange data in a secure way

Posted: Wed Jan 19, 2011 5:59 pm
by Peter Kelly
Id recommend getting a SSL certificate these can be expensive but depending on the data can be a cheap way of transferring data. I would also try encode/encrypt any data using coding.

Re: Exchange data in a secure way

Posted: Thu Jan 20, 2011 2:27 am
by BDB100
Thanks for the replies.

If we have an SSL certificate do we have to add code to post data with the SSL certificate or to check that data is
posted using a valid certificate ?

Regards

Re: Exchange data in a secure way

Posted: Thu Jan 20, 2011 2:57 am
by Peter Kelly
You can have a look into http://uk3.php.net/openssl but I believe as long as you submit forms using https it should be ok ish.

Re: Exchange data in a secure way

Posted: Thu Jan 20, 2011 3:13 am
by Mordred
It depends on what you need.
TLS/SSL/HTTPS only solves the problem of having someone impersonate the server. It DOES NOT prevent someone impersonating the client, you'd need additional checks for that.

Re: Exchange data in a secure way

Posted: Thu Jan 20, 2011 6:46 am
by BDB100
The client needs to very the server. SSL should take care of that.
But we also need to authenticate the client. Is there a function we could use to do that (through php code) ?

Our goal is to determine that the data that gets posted to our server comes from the terminal in our office (and not from someone else).

Re: Exchange data in a secure way

Posted: Thu Jan 20, 2011 7:11 am
by Apollo
Create a 1024 bit private / public key pair with OpenSSL. Then on the client, encrypt the data with openssl_private_encrypt (using the private key).

On the server, decrypt the data with openssl_public_decrypt using the public key. If this succeeds, the message was guaranteed to be sent from the real client.

Alternatively, you could also send along a hash of the data + some hidden string that acts as a salt / password. For example, along with the actual data you also send hash('sha512',$data.'s0mE_SeCr3t_PaSsW0Rd_9136712384').
You verify this on the server end by calculating the same hash there. If the hash doesn't match, reject the data. Someone trying to impersonate the client won't be able to generate the correct hash without knowing the password.

The advantage of using openssl_* is the client could also encrypt it twice: first with the server's public key, then with the client's own private key. Then the server decrypts the data with the client's public key, and then with the server's own private key. This way you not only guarantee the sender was indeed the real client, but also the server being the only one who can decrypt the actual data (since an impersonating server won't have the required private key). So this is essentially a two-way protection.

Re: Exchange data in a secure way

Posted: Thu Jan 20, 2011 7:26 am
by Mordred
Asymmetric crypto might not be the best choice performance-wise, and also may not be applicable to their needs. From what I gather about their problem is that a *browser* on the client will want to access a secret url on their server. Simple authentication and https should do the trick.

Re: Exchange data in a secure way

Posted: Thu Jan 20, 2011 7:58 am
by Apollo
Mordred wrote:From what I gather about their problem is that a *browser* on the client will want to access a secret url on their server. Simple authentication and https should do the trick.
Aaah right. Agreed, and for TS: simple authentication could be just a .htaccess file in your web root dir, like this: (using mod_auth)

Code: Select all

Order deny,allow
AuthUserFile "/somewhere/outside/your/web/root/.htpasswd"
AuthName "You are accessing a private area!"
AuthType Basic
Require valid-user
The .htpasswd file contains a "username:passwordhash" line for each allowed user. Google for 'htpasswd generator' to generate the appropriate hash.

Re: Exchange data in a secure way

Posted: Fri Jan 21, 2011 1:48 am
by BDB100
Hi,

Thanks for the replies. HTTPS and simple authentication should do the trick indeed !