Monday, December 30, 2019

PHP Use of Openssl Encryption

There are a number of encryption methods available in PHP. While they are used in various applications, the main objective here is to talk about a two way encryption/decryption using Openssl.

Openssl is a general cryptography library. PHP has a number of functions that handles openssl. To use openssl you have to create or buy a SSL certificate. Buying from a cert authority means that your certificate are certified authentic. Creating your own private cert has its own use. For the purpose of encryption and decryption, there is no advantage in not using a authentic cert sine your purpose is only between two parties. You can generate ssl private cert using command line Openssl library. I will skip this part as it does not involve using PHP.

A certificate has two keys (a set of strings that can be used for encryption/decryption). One is Private key the other is Public key. By its name, you can see that the former is only used by one party. The Public key can be distributed to many others. Its uses is discussed below.

The user that has a private key uses it to encrypt a string. Any one with the corresponding Public key can decrypt it. Any one with Public key can use it to encrypt a string but only the one with the corresponding Private key can decrypt it. The former is for sending common data to many people that has the Public key. Its actual use is for a specific purpose detailed later. The latter is for many people to send data to a central person. This means people can sent personal data to a site but only the site can read it.

Lets talk about using Public Key to encrypt and decrypt data. First we do public key encryption.

$aok = openssl_public_encrypt($data. $encrypted, $pubvlicpemkey);

$aok is just for checking whether the encryption is successful. $data is the raw data to be encrypted. $encrypted is simply the variable to store the encrypted data. $publicpemkey is the Public Key in PEM form.

To prevent data transmission error, we need to convert the encrypted data into a special text format using "base64_enconde($encrypted)".

On the receiving end, we need to use bse64_decrypt($encrypted) to return back the encrypted string before using

$aok = openssl_private_decrypt($encrypted, $data, $privatepemkey);

As usual $data is the decrypted data.This method is basically used by sites to let customer send personal data or banking transaction. Since only the site is able to decrypt, the transaction is secure.

Next we use private key to encrypt. Its use is to ensure that the sender is authentic (if it uses recognized cert authority certs or has a understanding between sender and receiver.) Its main use is just to sign the data that was send in plain or encrypted text. It usually involve two certs each exchange their public cert with the other.

The method use is

openssl_private_encrypt($data, $encrypted, $privatepemkey);

The other party then uses the following to decrypt the data.

openssl_pubhlic_decrypt($encrypted, $data, $publicpemkey);

Since only the sender that has the private key can encrypt the data to be decrypted by the receiver with the public key, the receiver basically can be sure that the data is from the sender with the private key.

Another use of the Openssl is to send a signature. A signature generally follows a text and is used to prove that the text is authentic from a specific person. It is similar to sending a private key encrypted message but with a layer of security added called hashing (a method of mapping a data to a specific size).

$hashed = hash($method, $data, false);

There are many methods of hashing. Usually we uses 'sha256'. The last parameter specify using raw output to ensure that nothing is changed.

The next method encrypts the data using a different functtion

openssl_sign($hashed, $signature, $privatepemkey);

Obviously, by sending the above does not quite let the receiver know how to identify the signature. The signature is basically used to accompany a plain text or an encrypted text. If it is encrypted then the receiver has to decrypt it first using methods previously discussed above.

On the receiving end, the following decrypts the signature. Before doing anything, the receiver has to hash the text (plain or encrypted) that comes with the signature. If the text is encrypted then the receiver has to decrypt it first. The following function then is used to verify that the hash matches the signature.

$hashed = hash($method, $data, false);
openssl_verify($hashed, $signature, $publicpemkey, OPENSSL_ALGO_SHA256);

The last parameter specify 'sha256' hash method.

Note that if the text is encrypted, it usually use a public key from the receiver otherwise the encrypted text is already proving that the sender is authentic.





No comments:

Post a Comment