Two Way Encryption

devxtech

I am looking to learn how to do two way encryption with PHP. What I am looking for is an encryption algorithm which can be encoded and then decoded but at the same time provides strong security against unauthorized viewers (Will be encrypting perscription information). This encryption method must be able to be encrypted by a PHP script and decrypted by a program written in C & C++. So I was thinking Blowfish encryption. (If you have any other suggestions let me know.)

Anyway could someone point me in the right direction of a tutorial or something on how to do something of this nature? I would use mcrypt but the production server doesn't have this feature compiled into the PHP.

laserlight

Blowfish is probably okay, though one might consider Twofish, which is pretty much its successor.

EDIT:
Okay, so mcrypt is not installed. Have you tried getting it installed?

devxtech

laserlight;10881863 wrote:
Blowfish is probably okay, though one might consider Twofish, which is pretty much its successor.

EDIT:
Okay, so mcrypt is not installed. Have you tried getting it installed?

I tried to get authorization to install mcrypt, however; my supervisor instructed me not to use the production server as a playground. So right now I'm hunting for a spare box to load up with test data. In the mean time I didn't know if something like PEAR would be of any use in trying to get around mcrypt.

EDIT:
Just to make sure I'm totally correct that mcrypt isn't installed; how can I test to see if it is installed or not?

cahva

Just to make sure I'm totally correct that mcrypt isn't installed; how can I test to see if it is installed or not?

Make a page with contents like this

<?php
phpinfo();
?>

In that you'll see every module installed and other usefull info.

devxtech

cahva;10881871 wrote:
Make a page with contents like this
<?php
phpinfo();
?>
In that you'll see every module installed and other usefull info.

Looked through that information it outputted and found nothing saying anything about mcrypt. So what are my options if I can't compile mcrypt into PHP?

bpat1434

If you can't compile mcrypt into php I think there might be some things you could purchase from RSASecurity; however, that will cost you a pretty penny. The other option would be to literally read up on exactly how certain algorithms work (like Diffie-Hellman-Merckle Key Exchange).

It's not the safest; however, it's better than hashing 🙁 The only other thing I can think of is signing messages with PGP or GPG (see: Zend DevZone Article). Not sure if that is anything you want to look in to, or if you have that kind of time.

To be honest, if they don't have mcrypt installed, and they're not willing to install it, there's something wrong. You don't really lose anything by installing it, and you can gain a lot.

As for a dev server, nothing beats getting an older computer (like Dell, Gateway, HP) from Craigslist or Freecycle and throwing CentOS or Ubuntu on there and using that as your dev server. It's what I do. I test locally, upload, final test remotely and then make it "live".

Weedpacket

devxtech wrote:
I tried to get authorization to install mcrypt, however; my supervisor instructed me not to use the production server as a playground.

Okay, so what do you use as a playground? Surely you don't do all your work on the production server?!

Is this for something your supervisor expects you to do or is it something for your own edification?

bpat1434 wrote:
To be honest, if they don't have mcrypt installed, and they're not willing to install it, there's something wrong. You don't really lose anything by installing it, and you can gain a lot.

Exactly. And if they WANT encryption and aren't willing to ALLOW encryption, then there is something even more wrong.

Krik

devxtech;10881866 wrote:
I tried to get authorization to install mcrypt, however; my supervisor instructed me not to use the production server as a playground. So right now I'm hunting for a spare box to load up with test data.

Have you tried WAMP

I installed it on my laptop so I can do work as I travel without having the need to find internet. Just make sure your versions match what your procutions server has As well you may need to change a few of the default setings. But I found it way easier to install than I could have ever imagined (easier to install than windows).

Anyway hope that helps

NogDog

There are a number of encryption packages in the PEAR repository: http://pear.php.net/search.php?q=crypt&in=packages

devxtech

Weedpacket;10881942 wrote:
Okay, so what do you use as a playground? Surely you don't do all your work on the production server?!

Is this for something your supervisor expects you to do or is it something for your own edification?

Exactly. And if they WANT encryption and aren't willing to ALLOW encryption, then there is something even more wrong.

It's more for my own education than it is a requirement by HIPPA and my company. Since the information being encrypted is prescription numbers and the patient name, I am not required to encrypt it by HIPPA standards since their is no personal patient information being transmitted.

As far as a dev box I use my local vista machine in my office and my SuSE 11.0 box for development.

NogDog wrote:
There are a number of encryption packages in the PEAR repository: http://pear.php.net/search.php?q=crypt&in=packages

I will definitely take a look at these as I know it's fairly easy to implement PEAR. Thanks.

bretticus

Switch to Debian or Ubuntu Server

$ sudo apt-get install php5-mcrypt

😃

Stinger51

WAMP gets 5 stars in my book. I've been using it since last April (2008) when my web hosting co. finally migrated to PHP 5. WAMP allows me to test everything locally before I FTP my new files to their server. Great stuff!

thepeccavi

If you use Mac, there is also MAMP, but it isn't so good as WAMP. I think on a Mac, it might just be better to install Apache, pHP and MySQL separately, but I am a Mac newbie, so I haven't got round to trying this yet.