Essentially what I'm attempting to do is within my cURL API I would like clients using the API to have specific sensitive data encrypted on their server, before it leaves their server, then decrypted on my server.

I saw that you can use the openssl_encrypt() function, though I can't really find anything that's explaining it clear enough.

An example of the process is below:

ON THE CLIENT'S SERVER SIDE:

$dataToSend = 'mysupersecretstring';
// encrypt data
// connect and send to my server

ON MY SERVER'S SIDE:

$receivedString = '39bfy4f28d30g74fb34g79';
// string above is received
// string is decrypted
// $receivedString is now plaintext and can now be used on this server

I hope I'm explaining this clearly enough. If you have any questions please don't hesitate as it's rather important I have a valid solution to this.

  • Can you use an SSL certificate? Commented Aug 23, 2015 at 22:34
  • As I believe user2182349 is leading you, proper cryptography is hard to get right; using something that already exists, is well-understood and mature like SSL/TLS is a good idea if you don't want to have subtle-but-critical failures of security. Commented Aug 23, 2015 at 22:38
  • possible duplicate of PHP, Simplest Two Way Encryption Commented Aug 23, 2015 at 22:39
  • Yes, you can use OpenSSL in PHP to encrypt and decrypt a string, but you should ask yourself how you want to manage the encryption/decryption keys. Do you want to utilize asymmetric crypto or only symmetric? How will you securely distribute the keys? Commented Aug 23, 2015 at 22:41
  • Well, yes I can use an SSL but I can't expect every single one of my clients to be using an SSL, unless my SSL encrypts their connection? Commented Aug 23, 2015 at 22:48

1 Answer

Put simply: Don't.

Use HTTPS instead of relying on application layer cryptography for this specific use-case.

Unless you are a professional cryptographer with a specific use case for why you wish to avoid TLS (with public key pinning) and have a plan in place to manage encryption keys, you probably shouldn't write your own cryptography. Or if you do, don't deploy/publish it.

And if you do find yourself needing to encrypt information at the application layer (there are many valid use cases for encryption here), learn all the pitfalls that you will encounter and maybe consider using libsodium instead.
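The two points the answer makes, as an added PHP example that is not part of the original answer: first, the cURL client settings that make HTTPS actually protect the payload (peer and hostname verification on, https-only, optional public key pinning, which is what "TLS with public key pinning" means in practice), shown next to the weak settings they replace; second, the shape a correct application-layer fallback takes with libsodium (sealed boxes, built into PHP 7.2+), where the server keeps its secret key and clients encrypt to its public key. The function names, the `api.example.com` hostname and the pin value are my own placeholders, and the round-trip at the bottom runs on constructed data.

```php
<?php
declare(strict_types=1);

/*
 * Part 1: the recommended path. Let TLS carry the secret; the client's only
 * cryptographic job is to refuse a connection whose certificate does not check out.
 *
 * Weak configuration seen in many PHP snippets (turns HTTPS into
 * "encrypted to whoever answers the socket"):
 *   curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
 *   curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
 * The corrected configuration is below.
 */
function postOverTls(string $url, array $fields, ?string $spkiSha256Base64 = null): string
{
    $ch = curl_init($url);
    if ($ch === false) {
        throw new RuntimeException('curl_init failed');
    }
    curl_setopt_array($ch, [
        CURLOPT_POST            => true,
        CURLOPT_POSTFIELDS      => http_build_query($fields),
        CURLOPT_RETURNTRANSFER  => true,
        CURLOPT_PROTOCOLS       => CURLPROTO_HTTPS,         // never talk plain http://
        CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTPS,         // ...not even via a redirect
        CURLOPT_SSL_VERIFYPEER  => true,                    // validate chain against the CA bundle
        CURLOPT_SSL_VERIFYHOST  => 2,                       // hostname must match the certificate
        CURLOPT_SSLVERSION      => CURL_SSLVERSION_TLSv1_2, // minimum protocol version
        CURLOPT_TIMEOUT         => 15,
    ]);
    if ($spkiSha256Base64 !== null) {
        // Public key pinning: base64(SHA-256(SubjectPublicKeyInfo)) of the server key,
        // obtained out of band from the API operator, e.g.
        //   openssl s_client -connect HOST:443 </dev/null 2>/dev/null \
        //   | openssl x509 -pubkey -noout | openssl pkey -pubin -outform der \
        //   | openssl dgst -sha256 -binary | base64
        curl_setopt($ch, CURLOPT_PINNEDPUBLICKEY, 'sha256//' . $spkiSha256Base64);
    }
    $body = curl_exec($ch);
    if ($body === false) {
        $err = curl_error($ch);
        curl_close($ch);
        throw new RuntimeException('request failed (TLS or transport): ' . $err);
    }
    curl_close($ch);
    return $body;
}

/*
 * Part 2: only if you genuinely need encryption on top of TLS. libsodium sealed
 * boxes: the server generates a keypair once, keeps the secret key to itself and
 * publishes the public key (in the SDK or API docs). Each client encrypts to that
 * public key with a fresh ephemeral sender key, so ciphertexts are authenticated
 * and a tampered or mis-keyed blob fails to open instead of yielding garbage.
 */
function serverGenerateKeypair(): string
{
    return sodium_crypto_box_keypair();
}

// Client side: what the poster's "encrypt data" comment would become.
function clientSeal(string $plaintext, string $serverPublicKey): string
{
    $ct = sodium_crypto_box_seal($plaintext, $serverPublicKey);
    return sodium_bin2base64($ct, SODIUM_BASE64_VARIANT_ORIGINAL);
}

// Server side: what the poster's "string is decrypted" comment would become.
function serverOpen(string $encoded, string $serverKeypair): string
{
    $ct = sodium_base642bin($encoded, SODIUM_BASE64_VARIANT_ORIGINAL);
    $pt = sodium_crypto_box_seal_open($ct, $serverKeypair);
    if ($pt === false) {
        // Treat as a hard error; never fall through with an empty or partial value.
        throw new RuntimeException('decryption failed: tampered ciphertext or wrong key');
    }
    return $pt;
}

// Round trip on constructed data (not from the original post).
$kp   = serverGenerateKeypair();
$pk   = sodium_crypto_box_publickey($kp);           // this is what clients get
$wire = clientSeal('mysupersecretstring', $pk);     // the client would POST this over TLS:
// postOverTls('https://api.example.com/v1/ingest', ['payload' => $wire], $pinPlaceholder);
$got  = serverOpen($wire, $kp);
echo ($got === 'mysupersecretstring') ? "roundtrip ok\n" : "roundtrip FAILED\n";

// Flip one byte of the ciphertext: decryption must fail, not return garbage.
$bad = sodium_base642bin($wire, SODIUM_BASE64_VARIANT_ORIGINAL);
$bad[0] = chr(ord($bad[0]) ^ 0x01);
try {
    serverOpen(sodium_bin2base64($bad, SODIUM_BASE64_VARIANT_ORIGINAL), $kp);
    echo "unexpected: tampered ciphertext opened\n";
} catch (RuntimeException $e) {
    echo "tamper detected: " . $e->getMessage() . "\n";
}
```

Note what each half does and does not solve. Part 1 answers the poster's worry in the last comment: the clients do not need certificates of their own; only the API server presents one, and the client's cURL verifies it. Part 2 still rides over that TLS connection; it adds protection against the server-side TLS terminator or logs seeing the plaintext, at the cost of a key-distribution and rotation problem (the server public key, and the pin in Part 1, both need a plan for being replaced) that TLS alone would have handled for you.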
