How to have a verification mechanism on source and destination?

StackOverflow https://stackoverflow.com/questions/20749248

Question

I have some data that need to be sent to some other destination. The said data are in the string format. What I need is a mechanism to make sure that the data which is received at the destination ARE actually from my approved source.

My understanding is that I need to have a digital signature with a private key that only the source and the destination are aware of it. So how can I achieve that in PHP?

Was it helpful?

Solution

Yes, you can use public key cryptography for that task. Basically, your source needs a private and a public key certificate and generates a signature of the data with his/her private certificate, usually by encrypting the hash value of the data he/she wants to send with his/her private key. (The hash ensures the integrity of the senders data.) The receiver needs to know about the public key certificate and verifies the signature by decrypting the encrypted hash with the public key of the assumed sender and regenerating the hash of the data himself. If the decrypted value of the encrypted hash he received and the (re-)generated hash match, the client can assure that the data was sent by a sender who is in possession of the corresponding private key (which, of course, doesn't necessarily mean that he is the person you think he is, just that he has access to the legitimate private certificate). So technically:

  1. Sender generates hash of his data and encrypts it with his private key (the encrypted hash is the signature)
  2. The data is transmitted together with the signature to the receiver
  3. The receiver a) generates a hash of the received data himself b) decrypts the encrypted hash (the signature) with the public key of the sender c) assures that his generated hash value and the decrypted hash match.

As you may notice, the private key is the essential part of verifying the identity of the sender and therefore should kept secret. However, to make sure that the private key really belongs to the sender you expect you still need some source of trust: You may chose X.509 certificates (https://en.wikipedia.org/wiki/X.509) issued by a certification authority of your choice or find your own way of ensuring that you are communicating with the right person (like PGPs web of trust).

Concerning PHP there is a whole set of functions related to public key cryptography. Have a look at the openssl functions which are commonly used for these tasks here:

http://www.php.net/manual/en/book.openssl.php

Edit: If you wanted to have the sender as well as the reciever identified, as your question title implies, you would just reverse the roles in this scheme: Your receiver becomes a sender when sending his answer to the original sender who becomes a receiver then.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top