0

I want to encrypt my users' IDs with PHP, send them to JavaScript, and decrypt them in JavaScript.
Is there any common method for encrypting and decrypting between different languages?

I am using Node.js. Node.js has server-side JavaScript. Actually it's server-side decrypting, but it's JavaScript.

Spudley
Pars
  • what do you mean define ? – Pars Oct 31 '13 at 15:39
  • 2
    If you're decrypting client-side wouldn't the decryption sequence be available to anyone who wants it? – Popnoodles Oct 31 '13 at 15:39
  • Why decrypt client-side? – Jurgo Oct 31 '13 at 15:39
  • 1
    @tymeJV I am using node js. nodejs has server side javascript. actually it's server side decrypting. but it's javascript. – Pars Oct 31 '13 at 15:39
  • 3
    You should have said you're using node.js. Google node js encryption module – Popnoodles Oct 31 '13 at 15:40
  • I want it ( encryption method ) to be available in PHP, in fact I encrypt it in php. decrypt it in javascript. – Pars Oct 31 '13 at 15:42
  • Which kind of communication do these two servers have? – Darkhogg Oct 31 '13 at 15:42
  • I think it's tcp. if you mean protocol – Pars Oct 31 '13 at 15:43
  • 1
    If it's all server-side, why worry about encryption between two processes you control? – meager Oct 31 '13 at 15:43
  • I mean everything. Do they communicate over the internet or a local network? Do they use a custom TCP protocol or HTTP/FTP/etc? – Darkhogg Oct 31 '13 at 15:44
  • no, whenever a user starts to chat with another, I should pass both IDs to server side javascript. so both ids pass from client side to server side. – Pars Oct 31 '13 at 15:45
  • 1
    I don't know if you noticed, but you're disclosing information in these comments that should be in the original question. Update your question to include all the details, please. – Darkhogg Oct 31 '13 at 15:46
  • it's just a simple question. no need details. is there any method or not. the reason for encrypting decrypting is not needed. I think. – Pars Oct 31 '13 at 15:49
  • Can you please check this link, http://stackoverflow.com/questions/6617263/encryption-decryption-between-php-and-javascript?rq=1 – Krish R Oct 31 '13 at 16:07
  • no it's not just a simple question ;) there's a lot more to it than just encrypt and decrypt. It really depends on the use case, which protocols are used, what kind of data is being encrypted, etc etc. – giorgio Oct 31 '13 at 16:07

2 Answers

4

I've done cross-language encryption before using PHP and Coldfusion. There were some tricks because of slight differences in their implementation, but it should be even easier in Javascript since Javascript has no native encryption functions. You will have to provide your own, so you can provide exactly what you need.

To encrypt in PHP you will need the mcrypt libraries installed. I chose Blowfish as my algorithm, and used the ECB mode since it is easier to work with--you don't need to worry about initialization vectors, but it is theoretically less secure. However, given that you are only encrypting a short user ID, this should be sufficient.

Here is an example of using mcrypt to encrypt a string:

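```php
// Requires the mcrypt extension (deprecated in PHP 7.1, removed in PHP 7.2)
$user_id = '3946'; // example value
$data = $user_id;
$data = base64_encode($data);
// Add PKCS5 padding to data string for compatibility
// This may not be necessary, depending on your Javascript implementation
$pad = 8 - (strlen($data) % 8); // Blowfish block size is 8 bytes
$data = $data . str_repeat(chr($pad), $pad);
$algorithm = MCRYPT_BLOWFISH;
$mode = MCRYPT_MODE_ECB; // ECB takes no initialization vector
$key = "SECRET"; // placeholder key
$ciphertext = mcrypt_encrypt($algorithm, $key, $data, $mode, null);
// Ciphertext is binary; base64-encode it for transport
$base64 = base64_encode($ciphertext);
```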

Note that $ciphertext will be in binary, so you will need to encode it in base 64 to make it easier to transfer between languages.

Once you transfer the encrypted string to your Node JS app and convert it back into binary from base64, you should then be able to decrypt it with a blowfish implementation for Javascript. Here is one example that is easy to use: http://dren.ch/js_blowfish/

You can safely ignore the warning on that page, since it refers to client-side decryption of large strings (which is silly). If you're doing it on the server you can safely keep your secret key secret.

Note that in the above example the string was base64-encoded BEFORE it was encrypted, so you will have to base64-decode it again after decrypting.

Also be wary of the minimum and maximum key sizes for Blowfish ECB to save some headache. You can check this using the PHP mcrypt_enc_get_supported_key_sizes function.

nullability
  • 1
    -1, Don't roll your own, why not just recommend HTTPS? This makes code harder, more complicated while there are standards readily available that solve the problem. – Philipp Gayret Nov 01 '13 at 10:40
  • @Philipp I don't know the details of the OP's requirements, but I believe the intent here is not to encrypt traffic between two servers but to encrypt a piece of data which may have to be stored in a third-party system. In this case HTTPS would be of no help, so you are instead left with using reversible encryption to obfuscate this data. The above solution uses a well-known and secure encryption algorithm to accomplish this, so it's not at all accurate to describe it as "roll your own." – nullability Nov 02 '13 at 04:25
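
An added Node.js example, not code from either answer: it shows what ECB mode gives up for a short user ID (equal IDs produce equal tokens, and a modified token goes undetected) beside an authenticated alternative, AES-256-GCM, which is swapped in here for the answer's Blowfish. The key, the token layout base64(iv || tag || ciphertext) and all function names are assumptions made for the example.

```javascript
const crypto = require('crypto');

// Constructed 32-byte demo key. In practice the PHP and Node sides load the
// same random key from configuration, never a literal in source.
const KEY = Buffer.alloc(32, 0x42);

// ECB, the mode the answer chose: no IV, so equal IDs give equal tokens and
// nothing detects a modified token. AES stands in for Blowfish here.
function ecbEncrypt(id) {
  const c = crypto.createCipheriv('aes-256-ecb', KEY, null);
  return Buffer.concat([c.update(String(id), 'utf8'), c.final()]).toString('base64');
}

// Assumed token layout: base64(iv[12] || tag[16] || ciphertext). A PHP sender
// can produce the same bytes with openssl_encrypt() and 'aes-256-gcm'.
function sealId(id) {
  const iv = crypto.randomBytes(12); // fresh nonce for every token
  const c = crypto.createCipheriv('aes-256-gcm', KEY, iv);
  const ct = Buffer.concat([c.update(String(id), 'utf8'), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), ct]).toString('base64');
}

// Returns the ID as a string, or null if the token is malformed or altered.
function openId(token) {
  const raw = Buffer.from(String(token), 'base64');
  if (raw.length < 28) return null; // too short to hold iv + tag
  const d = crypto.createDecipheriv('aes-256-gcm', KEY, raw.subarray(0, 12));
  d.setAuthTag(raw.subarray(12, 28));
  try {
    return Buffer.concat([d.update(raw.subarray(28)), d.final()]).toString('utf8');
  } catch (err) {
    return null; // authentication failed: reject the token
  }
}

// Flip one bit of the last byte to simulate a token changed in transit.
function tamper(token) {
  const raw = Buffer.from(token, 'base64');
  raw[raw.length - 1] ^= 1;
  return raw.toString('base64');
}

console.log('ECB tokens equal for same ID:', ecbEncrypt(3946) === ecbEncrypt(3946));
console.log('GCM tokens equal for same ID:', sealId(3946) === sealId(3946));
console.log('GCM round trip:', openId(sealId(3946)));
console.log('GCM tampered token:', openId(tamper(sealId(3946))));
```
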
2

internet. tcp. http

Yes, the common method is SSL. If you want security between a server and client over HTTP, SSL is the solution you're looking for.

Yes, you can roll your own solution. No, it won't be any good. Properly implementing encryption is hard, very hard, to the point where if you have to ask a question about it on Stack Overflow, you have no chance of doing it right. Use SSL, or use nothing, because whatever other option you come up with will be no better than plain text.

meager