
Encrypted: http://example.com/3ISGSfzIiaAU+h2TwF0pNoKDKRenjKfRhehMMN3+OJw=

Decrypted: http://example.com/opens.php?subid=66

This URL is a pixel which is fired when someone opens an email.

Everything works fine when I load the pixel decrypted. I don't get the logic of how to decrypt the link in the email so that it can load.

My question: Where should I use the decryption function in order to load the url?

Ruby encryption:

```ruby
require 'openssl'
require 'base64'

class String
  # Encrypts plain_text with AES-256-CBC under a fixed key and IV and
  # returns the ciphertext as standard base64 (the string seen in the URL).
  def self.encrypt(plain_text)
    iv  = 'akjgkdladjgkadsw'                  # 16 bytes = one AES block
    key = 'o1diqwkadkfjg018jgkdja9194025123'  # 32 bytes = 256-bit key

    cipher = OpenSSL::Cipher.new('aes-256-cbc')
    cipher.encrypt
    cipher.key = key
    cipher.iv  = iv
    encrypted_data = cipher.update(plain_text)
    encrypted_data << cipher.final            # adds PKCS#7 padding
    Base64.strict_encode64(encrypted_data)    # no line breaks, no strip needed
  end
end
```

Basic decryption.php:

```php
<?php
// `String` is a reserved class name in PHP 7 and mcrypt was removed in PHP 7.2,
// so the class is renamed and decryption uses openssl_decrypt(), which matches
// the Ruby side ('aes-256-cbc' with PKCS#7 padding) exactly.
class UrlDecryptor {
    public static function decrypt($string) {
        $encrypted_data = base64_decode($string, true);
        if ($encrypted_data === false) {
            return false;                       // not valid base64
        }
        $key = base64_decode("bzFkaXF3a2Fka2ZqZzAxOGpna2RqYTkxOTQwMjUxMjM=");
        $iv  = base64_decode("YWtqZ2tkbGFkamdrYWRzdw==");
        // OPENSSL_RAW_DATA: input is raw bytes (already base64-decoded).
        // Padding is verified and stripped here, so no rtrim() is needed.
        // Returns false if the padding check fails.
        return openssl_decrypt($encrypted_data, 'aes-256-cbc', $key, OPENSSL_RAW_DATA, $iv);
    }
}
?>
```

Grab the parameter and make the DB entries (opens.php):

```php
<?php
require_once("./db_connection.php");   // assumed to define $servername, $username, $password, $db
include("./decryption.php");

// Create connection
$conn = new mysqli($servername, $username, $password, $db);

// Check connection
if ($conn->connect_error) {
    exit('Error connecting to database');
}
$conn->set_charset("utf8");
// echo "Connected successfully";

// Recipient id from the query string; intval() guarantees an integer
$id = intval($_REQUEST['subid']);

// Count the open with a prepared statement
$stmt = $conn->prepare("UPDATE rcpt SET has_opens = has_opens + 1 WHERE id = ?");
$stmt->bind_param('i', $id);
$stmt->execute();
$stmt->close();

// Return the 1x1 tracking pixel
header('Content-Type: image/gif');
$img = imagecreatefromgif("px.gif");
imagegif($img);
imagedestroy($img);

$conn->close();
?>
```
Peter
  • I see little point in using *encryption* here. The value `66` and the encrypted version of it are equally opaque and meaningless to the outside observer, and they're equally usable too. What are you trying to protect against exactly? – deceze Jan 19 '18 at 14:55
  • Well, I have to forward this data to a 3rd party service and they could get a big picture more or less. That's what I want to avoid. When I go to http://example.com/3ISGSfzIiaAU+h2TwF0pNoKDKRenjKfRhehMMN3+OJw= I get a 404 Not Found, which is clear to me because there is no corresponding file. How can I make the URL work? I don't get it. – Peter Jan 19 '18 at 16:10
  • What does "could get a big picture more or less" mean exactly? The only possible vulnerability here is that the id is rather easy to guess, and it's enumerable. To solve that, simply generate a longer random id, for example a UUID. – deceze Jan 19 '18 at 16:12
  • Let's say a user makes a conversion at this 3rd party service, so they just have to compare the id and the user's email address. I don't want that. I don't need a longer ID. I just want to know how I can avoid the 404 Not Found. The encrypted URL will not work because I don't get how to pass the hash to the decryption script. – Peter Jan 19 '18 at 16:16
  • Then make up another *meaningless* id which you use for this purpose. Commonly known as a *token*. – deceze Jan 19 '18 at 16:18
  • Would you know how to do it if the URL was `http://example.com/opens.php?id=3ISGSfzIiaAU+h2TwF0pNoKDKRenjKfRhehMMN3+OJw=`…? – deceze Jan 19 '18 at 16:19
  • Ahh, yes, I would just grab the id with `_REQUEST`? – Peter Jan 19 '18 at 16:20
  • Yes. Just make your URL look like that then. You can do it the other way using [*"pretty URLs"*](https://stackoverflow.com/q/20563772/476), but that seems unnecessary. – deceze Jan 19 '18 at 16:21
  • I get it. Thanks! – Peter Jan 19 '18 at 16:24
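The exchange above boils down to two things: the ciphertext has to travel as a query parameter (`opens.php?id=...`) rather than as a path, and standard base64 is not safe in a query string because `+` decodes to a space and `/` and `=` are reserved. The following Ruby script is an added example, not code from the question or its comments: it reuses the question's key and IV, builds the URL the way deceze suggests, replays what the server side (the job of opens.php) has to do, shows the `+` problem directly, and ends with deceze's random-token alternative. The `TOKENS` hash is a constructed stand-in for a column on the `rcpt` table; `pixel_url`, `server_side_subid` and the other function names are this example's own.

```ruby
require 'openssl'
require 'base64'
require 'cgi'
require 'uri'
require 'securerandom'

# Same 32-byte key and 16-byte IV the question's encryptor uses.
KEY = 'o1diqwkadkfjg018jgkdja9194025123'
IV  = 'akjgkdladjgkadsw'

# Sender side: AES-256-CBC, returns raw ciphertext bytes.
def encrypt_param(plain_text)
  cipher = OpenSSL::Cipher.new('aes-256-cbc')
  cipher.encrypt
  cipher.key = KEY
  cipher.iv  = IV
  cipher.update(plain_text) + cipher.final
end

# Receiver side (what opens.php must do): same cipher in decrypt mode.
# cipher.final verifies and strips the PKCS#7 padding, so no rtrim() hack.
def decrypt_param(ciphertext)
  cipher = OpenSSL::Cipher.new('aes-256-cbc')
  cipher.decrypt
  cipher.key = KEY
  cipher.iv  = IV
  cipher.update(ciphertext) + cipher.final
end

# The ciphertext goes in a query parameter, not in the path, so the request
# still reaches opens.php. Standard base64 contains '+', '/' and '=', which
# are not safe in a query string ('+' is decoded to a space), so percent-encode.
def pixel_url(base, plain_text)
  token = CGI.escape(Base64.strict_encode64(encrypt_param(plain_text)))
  "#{base}/opens.php?id=#{token}"
end

# What a query parser (PHP's $_GET/$_REQUEST, CGI.parse) hands back for a
# value placed after ?id=
def value_seen_by_server(query_value)
  CGI.parse("id=#{query_value}")['id'].first
end

# Server side of the round trip: parse the URL like opens.php would,
# base64-decode, decrypt, and pull the numeric subid out of the plaintext.
def server_side_subid(url)
  params = CGI.parse(URI(url).query)
  raw    = Base64.strict_decode64(params['id'].first)
  plain  = decrypt_param(raw)          # e.g. "opens.php?subid=66"
  Integer(plain[/subid=(\d+)/, 1])
end

# deceze's alternative: no cipher at all, just an unguessable random token
# that maps to the recipient row. TOKENS is a constructed stand-in for a
# column on the rcpt table.
TOKENS = {}

def issue_token(subid)
  token = SecureRandom.urlsafe_base64(24)   # 32 chars, only [A-Za-z0-9_-]
  TOKENS[token] = subid
  token
end

def lookup_token(token)
  TOKENS.fetch(token)                       # KeyError for a token never issued
end

if __FILE__ == $PROGRAM_NAME
  url = pixel_url('http://example.com', 'opens.php?subid=66')
  puts url
  puts server_side_subid(url)
  t = issue_token(66)
  puts "#{t} -> #{lookup_token(t)}"
end
```

On the PHP side the same steps apply: read the parameter (`$_GET` already percent-decodes it, so `+` and `=` come back intact when the sender percent-encoded them), `base64_decode`, decrypt, then `intval` the `subid`. Two caveats a reviewer would raise on the cipher variant: with a fixed IV every recipient with the same `subid` gets the same ciphertext, and CBC without a MAC gives no integrity, so a modified parameter is not detected before the database update. The random-token variant avoids both, which is why it is the usual answer for tracking links.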

0 Answers