Securing webservices of PHP

Question

I'm developing a small project in android which is using php webservices' call.

I want my webservices to be protected, however by using GET/POST request methods I don't think its much protected. After googling I got RSA implementation in "phpseclib", Its having good documentation as well. But I'm confused so much, so thought post this here.

Basically what I need is:

1. from Android I'l call a url with "encrypted parameters merged in one string". (I'l first encode parameters in json and then I'l encrypt).
2. those parameters I'l extract in php, and process accordingly.

json string: {user_id:xyz@gmail.com, passwd: Password!}

encrypted to: XsjkhkjwehrkanmNXmnskjawrhjlljahdhuw

eg. http://my.domain.com/webservices/call.php?params=Xsjkhkjwehrkanm,NXmnskjawrhjlljahdhuw In php, I'l extract userID and Password, from that $_GET['params"']

This is possible in base64_encode(), base64_decode(), but base64 encoder will just obfuscate the string, it won't encrypt actually.

I need public/private key mechanism.

However I've tried this: (https://launchkey.com/docs/api/encryption/php/phpseclib)

<?
function rsa_encrypt($key, $message) {
    $rsa = new Crypt_RSA(); 
    $rsa->loadKey($key); 
    $encrypted = base64_encode($rsa->encrypt($message)); 
    return $encrypted;
}
?>

Its not returning any $encrypted string.

Any help would be really appreciated.

Thanks..! :)

Answer 1

If you're new to encryption, you should go the simple route and just go with HTTPS, as suggested in comments.

Also, as suggested in comments, don't send the passwords via GET from a web page because that shows in the address bar and passers by can read that off the screen.

HTTPS (SSL/TLS) provides end to end encryption of the entire connection between the web server and the client. This allows you to send all your data in clear text and not worry about it because it's being encrypted at a lower level.

Since it's not a web browser calling your web server, you don't even need to pay for an SSL certificate. You can create a self-signed certificate. Just ensure you verify the signature on every connection to prevent man in the middle attacks. This is a bit trickier though, so again, if you're new to this, just pay for the SSL certificate and let Android take care of the certificate verification for you.

In response to your direct question:

Encoding is not encryption, as you may have discovered. Base64 is encoding and provides no security.

You cannot simply generate an RSA public/private key pair, encrypt data with the private key, and send it to your server. You have to first share your public key with the server. Well, anyone who sniffs the public key off the wire can decrypt it.

You could potentially have the client generate a random symmetric key and encrypt it with the server's public key. The server would then decrypt it with the private key, and have a shared secret key to use to encrypt data and send it to you.

The problem with that is an attacker could simply replay all your data to a server to see the same output. These random things need to be generated by the server to ensure they're actually random, so you're stuck with the server generating the key, but if the server simply encrypts with the private key, anyone with the public key could decrypt it.

So, you'd need some method of securely deriving a shared secret key, some complicated mathematical way of sharing some data that both the server and the client could use to calculate the same shared key.

You could do this yourself, but you'll be calling complicated procedures and functions, when you could just use SSL, which does the same thing for you.

Answer 2

I think you can use POST web service to make it more secure and if possible then please don't encrypt parameter just encrypt value of parameter and then also if you face issue then try to retrive value using

$_REQUEST['parameter_name']