I have a web site and I'm trying to make my forms secure. I've done some research and, even though I'm not a programmer, I'm authenticating users via a homemade challenge-response mechanism and I'm encrypting form values using AES encryption from the mcrypt library. All good so far. Except that my AES password needs to be sent from client to server... securely. I thought that RSA would do the trick. So I've downloaded phpseclib, and I've successfully encrypted/decrypted on the server side. Now, I needed client-side code to encrypt with RSA. I've used this library here: http://www.ohdave.com/rsa/. Now... here's my problem.
- I generate a pair of keys in PHP using phpseclib.
- I extract the private exponent, the public exponent and the modulus (public).
- I send the public exponent and modulus (public) to the JavaScript.
include('Scripts/phpseclib/Crypt/RSA.php');
require_once('Scripts/phpseclib/Math/BigInteger.php');
session_start();

// Generate the key pair; extract() defines $privatekey and $publickey
$rsa = new Crypt_RSA();
extract($rsa->createKey(512));

// Read the exponents and the modulus from the private key as hex strings
$priv = $rsa->_parseKey($privatekey, CRYPT_RSA_PRIVATE_FORMAT_PKCS1);
$privExp = $priv['privateExponent']->toHex();
$pubExp = $priv['publicExponent']->toHex();
$pubMod = $priv['modulus']->toHex();

$rsa->setEncryptionMode(CRYPT_RSA_ENCRYPTION_PKCS1);

// Keep both keys in the session for the decryption request
$_SESSION['privatekey'] = $privatekey;
$_SESSION['publickey'] = $publickey;
The JavaScript generates a random number which will become the password that I will further use for AES encryption. The JavaScript will use the public exponent and the modulus (public) sent from PHP on the server in order to encrypt the randomly generated string in JavaScript (that will become the AES key), and will send it back to the PHP server for decryption.
<script>
password = random();
// RSAKeyPair(encryption exponent, decryption exponent, modulus)
key = new RSAKeyPair(
    "<?php echo $pubExp; ?>",
    "",
    "<?php echo $pubMod; ?>"
);
x = encryptedString(key, password);
y = decryptedString(key, x);
document.write(" text cryptat = " + x);
document.write(" text decryptat = " + y);
// Send the encrypted value to the PHP script
window.location = "rsa.php?text=" + x;
</script>
The PHP server will receive the encrypted string and, using the private exponent generated at the start, will be able to decrypt the AES key (randomly generated by the client-side JavaScript), thus generating a key agreement between client and server without outside intervention.
PROBLEM: The JavaScript encrypts the random string... but not with PKCS#1 v1.5. phpseclib accepts only PKCS#1 v1.5 padding, so the PHP script is unable to decrypt correctly.
Please help me find or modify the JavaScript so that it outputs to the PHP script the encrypted string in the PKCS#1 v1.5 format that it expects.
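
Added example, not part of the original post and not code from phpseclib or the ohdave.com library: the PKCS#1 v1.5 encryption padding the question asks for, built by hand and followed by the raw RSA operation. It assumes a runtime with BigInt and Web Crypto in place of the page's RSAKeyPair/encryptedString; the function names and the tiny demo key are constructed for illustration.

```javascript
// Added example: EME-PKCS1-v1_5 padding plus raw RSA, using BigInt.
const rng = globalThis.crypto || require("crypto").webcrypto; // Node fallback

// EM = 0x00 || 0x02 || PS (nonzero random bytes, >= 8) || 0x00 || M
function pkcs1v15Pad(msg, k) {
  if (msg.length > k - 11) throw new RangeError("message too long for modulus");
  const em = new Uint8Array(k);      // em[0] stays 0x00
  em[1] = 0x02;                      // block type 2: public-key encryption
  const sep = k - msg.length - 1;    // index of the 0x00 separator
  rng.getRandomValues(em.subarray(2, sep));
  for (let i = 2; i < sep; i++) {    // PS must not contain a zero byte
    while (em[i] === 0) em[i] = rng.getRandomValues(new Uint8Array(1))[0];
  }
  em.set(msg, sep + 1);
  return em;
}

// Square-and-multiply modular exponentiation on BigInt values.
function modPow(base, exp, mod) {
  let result = 1n;
  base %= mod;
  for (; exp > 0n; exp >>= 1n) {
    if (exp & 1n) result = (result * base) % mod;
    base = (base * base) % mod;
  }
  return result;
}

const toHex = (bytes) =>
  Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");

// eHex and nHex are hex strings, like the toHex() values the page echoes.
function rsaEncryptPkcs1v15(msg, eHex, nHex) {
  const n = BigInt("0x" + nHex);
  const e = BigInt("0x" + eHex);
  const k = Math.ceil(n.toString(2).length / 8);   // modulus length in bytes
  const m = BigInt("0x" + toHex(pkcs1v15Pad(msg, k)));
  return modPow(m, e, n).toString(16).padStart(2 * k, "0");
}

// Constructed demo key, far too small for real use: n = (2^107-1)(2^127-1).
const demoN = ((2n ** 107n - 1n) * (2n ** 127n - 1n)).toString(16);
const aesKey = rng.getRandomValues(new Uint8Array(16)); // constructed AES key
console.log(rsaEncryptPkcs1v15(aesKey, "10001", demoN));
```

The output is fixed-width hex of exactly the modulus length, so the server can hex-decode it to a full-size ciphertext block before PKCS#1 v1.5 decryption.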