Encrypt form data without SSL in PHP - PHP Form Encryption package blog


Package: PHP Form Encryption

Encryption is not just for large corporations. Small businesses and nonprofit organizations also need to protect their information, not only for commercial or industrial reasons, but also because personal data must be protected to comply with the laws of many countries.

However, the ideal solution, SSL/TLS encryption, is not available in every scenario.

Read this tutorial to learn how to implement encrypted form data exchange without depending on the availability of SSL/TLS connections.




Contents

Introduction

How does it work?

PHP Implementation

Conclusion


Introduction

PHP Form Encryption is an application-level encryption solution, implemented in PHP on the server and JavaScript in the browser, for encrypting form data.

SSL/TLS encryption provides a secure mechanism to protect information transmitted over public networks, but it is not always available.

For example, a small business's private Wi-Fi network can expose sensitive information. There are many situations where the technical infrastructure or economic resources do not allow the installation of secure communication protocols.

Sometimes application-level encryption may be sufficient on its own, or it can complement session- and/or transport-level security.

How does it work?

1. The server receives a client request for a Web page that contains a form.

2. The server generates a session RSA key pair and sends the public key included in the HTML response.

3. The browser fills out the form and generates an AES-256 key. It returns that key to the server encrypted with the received public key, together with the AES-encrypted form data. The browser saves the AES key in browser local storage.

4. The server receives the RSA-encrypted AES key and decrypts it using the RSA private key. This AES key is then used to decrypt the received form data and to encrypt/decrypt future forms until it is changed or the session expires.

PHP Implementation

A session must be started before using the Cryptopost class. Then, let's intercept an encrypted form:
session_start();

require_once './Cryptopost.class.php';

// 1024-bit RSA key size and the OpenSSL configuration file used for key generation
$crypto = new Cryptopost(1024, './openssl.cnf');
if (isset($_POST['cryptoPost'])) {
    $formId = $crypto->decodeForm();
}

So now we know the id of the submitted form, and the $_POST superglobal contains the decrypted data. Before decoding, $_POST only contains something like:

var_dump($_POST) result:
array(2) {
  ["cryptoPost_key"]=>
  string(256) "5df90b95ec4fab45d50d34c917c6578f939ccbfadf9486f133850d47a3d6b2c82a277a3468ca11fc7b9163c385eacc2a3a4d091cf8797e55d681b0279058a9f3e334092fb03791931d22ca3847f4f9d4dec0d0a47936f012b6be9723981088d0b049cff46a8e81ec93e2b4f7c3a387d36e2033754d1420a8dc800a4eec6cd0e9"
  ["cryptoPost"]=>
  string(242) "U2FsdGVkX1/53Ut6KFi36Ou/e3lIJz/5pf8FuPb1Yh//WdefKb0iyCke2/g0QPD5
BeknGV4L8dveRDbQ4kXm5YNi3nyG+/F8JWKDipA9ygHPf5KdFr6pYcfzNQjwwfd8
rIC19cl9IOJcs171tm0OBVknaloQWDwpLM/KjISdwwPiRGCtcBhkYrcdsgv6JcwD
aVuU4VunXdWJji9WAKD+1bJrThq2VLjEHhELl26y4vI="
}

Note that the "cryptoPost_key" entry is received only once, the first time the server receives an encoded form. The following post requests include only the "cryptoPost" entry unless the encryption keys are reset.

To send the form encrypted to the server, simply include a call to the JavaScript cryptoPost object like this:

<form id="form1" method="POST" action="test.php" onsubmit="return cryptoPost.encrypt('form1')">

The browser may need an encrypted record to edit. The server can send it in this way:

$record = array(
    "name"    => $name,
    "address" => $address,
    "zipCode" => $zip
);
$encrypted = $crypto->encodeData($record, $formId);

... and then, at the bottom of the HTML code:

<script>cryptoPost.decrypt('<?php echo $encrypted;?>')</script>
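The following is an added example, not code from the Cryptopost package, showing what the server side of the four-step exchange above and of the "send an encrypted record back" case looks like when written directly against PHP's OpenSSL extension. It assumes (these are assumptions, not facts from the package) that cryptoPost_key is the AES passphrase encrypted with RSA PKCS#1 v1.5 and hex-encoded (128 bytes for a 1024-bit key, matching the 256-character value in the dump above), that cryptoPost is an OpenSSL "Salted__" AES-256-CBC envelope in base64 (the dump's value begins with the base64 of "Salted__", the format Gibberish-AES and "openssl enc" produce), and that the decrypted form body is a URL-encoded query string. The names sessionPublicKeyPem, unwrapAesKey, openSaltedEnvelope and sealSaltedEnvelope are hypothetical, and the record values are constructed. It needs PHP 7.1+ for the syntax used.

```php
<?php
// Added example, not the Cryptopost package's code. Assumptions: RSA PKCS#1 v1.5
// wrapped key in hex; "Salted__" AES-256-CBC envelopes; form body as a query string.
session_start();

const RSA_BITS = 1024;

// Step 2: one RSA key pair per session. Only the public half goes to the browser.
function sessionPublicKeyPem(): string
{
    if (empty($_SESSION['rsa_private_pem'])) {
        $res = openssl_pkey_new(['private_key_bits' => RSA_BITS,
                                 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
        openssl_pkey_export($res, $privatePem);
        $_SESSION['rsa_private_pem'] = $privatePem;
        $_SESSION['rsa_public_pem'] = openssl_pkey_get_details($res)['key'];
    }
    return $_SESSION['rsa_public_pem'];
}

// Step 4a: unwrap the AES passphrase with the session's private key.
function unwrapAesKey(string $hexBlob): string
{
    $blob = hex2bin($hexBlob);
    if ($blob === false || strlen($blob) !== RSA_BITS / 8) {
        throw new RuntimeException('cryptoPost_key has the wrong length');
    }
    $private = openssl_pkey_get_private($_SESSION['rsa_private_pem']);
    if (!openssl_private_decrypt($blob, $passphrase, $private, OPENSSL_PKCS1_PADDING)) {
        throw new RuntimeException('RSA unwrap failed');
    }
    return $passphrase;
}

// OpenSSL's legacy EVP_BytesToKey (MD5, one round), as used by "openssl enc" and
// Gibberish-AES: 32-byte key and 16-byte IV derived from passphrase + 8-byte salt.
function evpBytesToKey(string $passphrase, string $salt): array
{
    $material = '';
    $block = '';
    while (strlen($material) < 48) {
        $block = md5($block . $passphrase . $salt, true);
        $material .= $block;
    }
    return [substr($material, 0, 32), substr($material, 32, 16)];
}

// Step 4b: open a "Salted__" envelope (form data arriving from the browser).
function openSaltedEnvelope(string $base64, string $passphrase): string
{
    $raw = base64_decode($base64, true);
    if ($raw === false || strlen($raw) < 32 || substr($raw, 0, 8) !== 'Salted__') {
        throw new RuntimeException('not an OpenSSL salted envelope');
    }
    [$key, $iv] = evpBytesToKey($passphrase, substr($raw, 8, 8));
    $plain = openssl_decrypt(substr($raw, 16), 'aes-256-cbc', $key, OPENSSL_RAW_DATA, $iv);
    if ($plain === false) {
        throw new RuntimeException('AES decryption failed: wrong key or altered data');
    }
    return $plain;
}

// Reverse direction (the encodeData case): seal a record so the browser can decrypt it.
function sealSaltedEnvelope(string $plain, string $passphrase): string
{
    $salt = random_bytes(8);   // fresh salt, hence a fresh key/IV pair per record
    [$key, $iv] = evpBytesToKey($passphrase, $salt);
    $cipher = openssl_encrypt($plain, 'aes-256-cbc', $key, OPENSSL_RAW_DATA, $iv);
    return base64_encode('Salted__' . $salt . $cipher);
}

if (isset($_POST['cryptoPost'])) {
    // The wrapped key appears only in the first encrypted post; later posts reuse it.
    if (isset($_POST['cryptoPost_key'])) {
        $_SESSION['aes_passphrase'] = unwrapAesKey($_POST['cryptoPost_key']);
    }
    if (empty($_SESSION['aes_passphrase'])) {
        http_response_code(400);
        exit('no form key established for this session');
    }
    parse_str(openSaltedEnvelope($_POST['cryptoPost'], $_SESSION['aes_passphrase']), $fields);
    unset($_POST['cryptoPost'], $_POST['cryptoPost_key']);
    $_POST = $fields + $_POST;   // decrypted fields now look like an ordinary post

    // Send a record back under the same session key, as in the editing case above.
    $record = ['name' => 'Ada', 'address' => '1 Example St', 'zipCode' => '00000']; // constructed
    $encrypted = sealSaltedEnvelope(json_encode($record), $_SESSION['aes_passphrase']);
    echo '<script>cryptoPost.decrypt(' . json_encode($encrypted) . ')</script>';
} else {
    // Step 2: publish the session public key for the browser-side RSA wrap.
    echo '<script>var serverPublicKeyPem = ' . json_encode(sessionPublicKeyPem()) . ';</script>';
}
```

Two properties of this exchange are worth keeping in mind when deploying it. The public key in step 2 is delivered over the same unauthenticated channel as the form, so the scheme hides field values from passive observation of the network but does not by itself authenticate the server the way TLS does, which is why the article presents it as a complement to transport security rather than a substitute. And CBC with the EVP_BytesToKey derivation carries no authentication tag, so a padding failure in openSaltedEnvelope is the only signal of altered ciphertext; treat that exception as a hard error and log it rather than retrying.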

Conclusion

This package provides a simple and easy way to protect your data with cryptography even without SSL/TLS.

PHP Form Encryption requires the OpenSSL extension and PHP 5.4+.

It was made possible thanks to the work of Tom Wu, author of jsbn/RSA JavaScript library, and Mark Percival, author of Gibberish-AES JavaScript library.

If you liked this article, use the share buttons above to let other developers know about it. Post your comments here if you have questions about this solution to encrypt form data without requiring SSL/TLS. 



