Providing encrypted data, and the means to decrypt it, insecure?

Question

I'm developing an add on to a system I have that will allow my clients websites to pull data from it to display on their sites.

Now, most of the time the information being stored in the system is not in any way sensitive (because its just published to their website) but some users have set up tables that they want to manage in the system out of convenience, but not publish on their website - though they might want to make a request on it (ie, to check a customer has a login to their website perhaps, or to grab an email address). So I need to encrypt the responses to reduce the chances of someone getting the data that shouldn't have it.

My plan is that the user will identify themselves with a user ID, a public key, and the name of a query they want to run (which they will have defined in the system itself beforehand) - and the request will take a form something like this:

require("backend-api.php");

$myUserID = "bobs-restaurant.com";
$myPublicKey = "sdg136MAGHYasfadgHGQ"; //send this with the request
$myPrivateKey = "adgljavd8i1356avdilj"; //never send this anywhere
$queryName = "LIST_OF_DISHES";

$backend = new backend-api();
$response = $backend->getData($myUserID,$myPublicKey,$queryName);

$list_of_dishes = $backend->decrypt($response,$myPrivateKey);

//user then goes on to use the data in their code or maybe just display it as-is.

It has to be simple, because the users are either not going to be seasoned PHP'ers or they're going to be time poor, and using the system to instead of having to write their own content management solution.

Assuming the above user ID and public key were a match, and the query existed and returned data - I was going to have my system encrypt the response to a private key which is known to the user ($myPrivateKey) and which is known to my system, but never exchanged between the two in a request so that it couldn't be intercepted, and I was going to use something like this reversible encryption class to do the encryption.

The problem is, I'm going to have to provide users with the decryption class so that they can get the data out of the response.

So if Mr Malicious somehow obtains a user ID and public key belonging to someone else, and he has downloaded a copy of the decryption class from the tutorial/user manual on my systems website, am I right in saying that he wouldn't need to know the private key, because he could just work out how to decrypt it from studying the code?

If the answer is yes, what is it that I haven't thought of that will prevent that from happening?

Answer 1

Mr Malicious wouldn't know how to decrypt anything from simply studying the code. The best he could do would be to brute force the "private key".

I put that in quotes because this actually isn't public key encryption or cryptography. This would only be public key cryptography if your server encrypted the data using the client's public key, then the client decrypted that using their private key. If that were the case, the server would have no need to know the private key at all. But it sounds like you're using the public key for something entirely different.

What you seem to be talking about here is symmetric key cryptography (using the same key to encrypt and decrypt the data).

If you use a strong encryption / decryption method, your method seems fine, but I would go with an existing algorithm such as Blowfish or AES.

Answer 2

A good encryption method never relies on people not knowing how it works for its security. In fact, if you're going to use encryption, you never want to try and make your own. If the method used to encrypt something is simple, like ROT13, then yes, knowing the method will allow an attacker to decrypt it pretty easily.

However, an encryption method like AES is widely known, published, and used all over the world. Everyone knows how it works, but without knowing the keys used to encrypt and decrypt, it's hard to break.

The biggest issue that you have is that both the encryption class that you linked, and AES are symmetric or pre-shared key encryption methods. This means that you must use the same key to encrypt and decrypt the data. This doesn't work for your purposes, because you and your users don't know the same key. If you have a way to know the same key, check out mcrypt for PHP

Otherwise, use asymmetric key cryptography. This works using the method you described, where something can be encrypted using a public key that anyone can know, but only decrypted by the person with the private key. The easiest version of this to use is GPG, and it's possible to use it in PHP, although probably more work to setup. See this article