I just began to develop a android-app which needs to communicate with a server/database. On server side I use PHP to collect data or execute queries. I read a lot about security (XSS, SQL injection, etc.). Because I also would like to encrypt data sent between client & server I began to deal with openssl-functions in PHP.
The openssl_seal- and openssl_open-functions seem to be good for this purpose. I wrote these two functions:
function encryptRnd($data) {
$pubKey = file_get_contents("public.key");
$publicKeys = array(openssl_pkey_get_public($pubKey));
$res = openssl_seal($data, $encryptedData, $encryptedKeys, $publicKeys);
retu开发者_StackOverflow社区rn array("data" => base64_encode($encryptedData), "rndKey" => base64_encode($encryptedKeys[0]));}
function decryptRnd($credentials) {
$privateKey = openssl_get_privatekey(file_get_contents("private.key"));
$result = openssl_open(base64_decode($credentials["data"]), $decryptedData, base64_decode($credentials["rndKey"]), $privateKey);
if (!$result) echo "ERROR during decryption.\n";
return $decryptedData;}
"a" is the data (to encrypt/encrypted) while "b" is the random-key produced by openssl_seal and used for the decryption.
The two keyfiles habe been produced on Windows by using
- "openssl.exe genrsa -out private.key 1024" for the privateKey file
- "openssl.exe rsa -in private.key -out public.pem -outform PEM -pubout" for the publicKey file
Within PHP this all works as expected.
But how to implement the same technique in Android (and I'm a beginner!)?
I searched the web for examples to use in conjunction with openssl_seal on PHP side but didn't find anything working.
- I would like to be able to encrypt data on Android side and decrypt it on PHP.
- And when the server is sending encrypted data, this shall be decrypted on Android side (with a second public/privateKey pair I assume)
I also implemented the example mentioned here but that didn't work (openssl_private_decrypt was always FALSE on PHP side). So that didn't help me whereas it would be only Android=>PHP encryption without the other way round.
In sum: I'm looking for a way to encrypt and decrypt data sended between Android and PHP on each side where only the receiver can decrypt the data. Can somebody give me an example or even a clue?
The usual way to do this would not be (direct) asymmetric encryption, but using an encrypted (and authenticated) channel to send the data, for example using SSL/TLS.
On the server side, you simply have to configure your web server to also offer HTTPS access.
On the client side, I suppose the easiest would be to use an HTTPS URL to send the data:
URL url = new URL("https://example.com/myscript.php");
URLConnection conn = url.openConnection();
conn.setDoOutput(true);
OutputStream out = conn.getOutputStream();
// write data to stream
out.close();
InputStream in = conn.getInputStream();
// read answer from input stream
in.close();
I'm not sure on how to configure the accepted server certificates for Android, though.
This will (under the hoods) use the server's RSA key (in its certificate) to authenticate the connection and negotiate a session key for symmetric encryption.
If you really want to do the encryption manually, this is possible, too.
The javax.crypto package contains the necessary classes needed here (together with some from java.security and subpackages), primarily the Cipher class.
This page named RSA encryption in Java shows an example of doing this.
Instead of loading the public key from a file in serialized format, you could use Java's KeyStore mechanism (and include the keystore in your jar or whatever format is used on Android).
![Interactive visualization of a graph in python [closed]](https://www.devze.com/res/2023/04-10/09/92d32fe8c0d22fb96bd6f6e8b7d1f457.gif)
加载中,请稍侯......
精彩评论