PHP Classes

PHP Form Encryption: Encrypt and decrypt forms with AES and RSA

Version: cryptopost 1.1
License: MIT/X Consortium ...
PHP version: 5.4
Categories: HTTP, PHP 5, Cryptography
Description 

This package can encrypt and decrypt forms with AES, using JavaScript on the browser side and PHP on the server side.

It can create the private and public RSA keys used to exchange the AES key between client and server.

The class can take a submitted form whose values were encrypted in the browser with JavaScript, and can send encrypted results back to the browser.

Innovation Award: PHP Programming Innovation award winner, September 2016.
Prize: One downloadable copy of PhpED Professional
When you need to submit security-sensitive data to a Web site, you should always use encrypted connections. However, over time older SSL versions have been discovered to be vulnerable, to the point that SSL is no longer a synonym for security.

Nowadays you should use at least TLS, and we don't know until when the current TLS versions will be safe to use to protect the transmission of private data.

This class provides an additional layer of security by using JavaScript to encrypt data before transmitting form values using an RSA public key, and then having the server decrypt the data with a private key.

This way, eventual man-in-the-middle attacks will not be able to decrypt the data because they don't know the private key that the server uses to decrypt it.

Manuel Lemos
Author: Francisco del Aguila (Spain)
Example

<?php
/**
 * Test script for the Cryptopost PHP class
 */
session_start();
if (isset($_GET['destroySession'])) {
    session_destroy();
    session_start();
}

require_once './Cryptopost.class.php';
$crypto = new Cryptopost(1024, './openssl.cnf'); // Session MUST be started first.

if (isset($_GET['resetKeys'])) $crypto->reset();

// Check for encrypted FORM data
if (isset($_POST['cryptoPost'])) {
    $cryptedPost = $_POST;           // Keep the encrypted data for the debug output below
    $formId = $crypto->decodeForm(); // Decrypt $_POST contents in place

    // Do stuff here (database record, etc.).
    // Don't forget to filter and validate the $_POST values.
    //
    // DON'T USE received $_POST values in the HTML code! That would transmit
    // the data back to the browser as clear text. Use the JavaScript
    // 'cryptoPost.decrypt()' method to fill your form, so the data is
    // decrypted locally in the client's browser.
    if (isset($_POST['data1'])) {
        $data['data1'] = filter_var($_POST['data1'], FILTER_VALIDATE_INT);
        /* ... etc ... */
    }

    // Encrypt the processed data if you need to fill the form again:
    $encrypted = $crypto->encodeData($_POST, $formId);
}
?>
<!DOCTYPE html>
<html lang="en">
    <head>
        <meta charset="UTF-8">
        <title>Cryptopost</title>
        <!-- The session's RSA public key is published here for cryptopost.js -->
        <meta name="sessionkey" content="<?php echo $_SESSION['RSA_Public_key'];?>">
        <script src="./javascript/rsa_jsbn.js"></script>
        <script src="./javascript/gibberish-aes.js"></script>
        <script src="./javascript/cryptopost.js"></script>
    </head>
    <body>

        <h1>Testing Cryptopost class</h1>
        <form id="form1" method="POST" action="test.php" onsubmit="return cryptoPost.encrypt('form1')">
            Data 1: <input type="text" name="data1" value="" /><br />
            Data 2: <input type="text" name="data2" value="" /><br />
            Data 3: <input type="text" name="data3" value="" /><br />
            Data 4: <textarea cols="40" rows="5" name="data4"></textarea>
            <br />
            <input type="submit" name="submit" value="Submit" /> &nbsp;
            <input type="reset" name="reset" value="Reset" /> &nbsp;
            <a href="test.php?resetKeys=1" onclick="cryptoPost.reset();">Reset keys</a> &nbsp;
            <a href="test.php?destroySession=1">Destroy session</a>
        </form>
        <!-- Fill the form input fields from the encrypted record -->
        <?php if (isset($encrypted)) { ?>
        <script>cryptoPost.decrypt('<?php echo $encrypted;?>');</script>
        <?php } ?>
        <br />
        <br />
        <?php
            // Debug output only. Printing the session AES key in the page hands
            // it to anyone who can read the response and defeats the encryption
            // entirely: remove this block outside of a test setup.
            echo '<h2>Session keys:</h2>';
            if (isset($_SESSION['RSA_Public_key'])) {
                echo 'RSA public key (hex) = ' . $_SESSION['RSA_Public_key'];
                echo '<br /><br />';
            }
            if (isset($_SESSION['aesKey'])) {
                echo 'AES key (hex) = ' . bin2hex($_SESSION['aesKey']);
                echo '<br />';
            }
            if (isset($cryptedPost)) {
                echo '<h2>Received POST data:</h2><pre>';
                var_dump($cryptedPost);
                echo '</pre><br />';
                echo '<h2>Decrypted POST data:</h2><pre>';
                var_dump($_POST);
                echo '</pre><br />';
            }
        ?>
    </body>
</html>


Details

SSL encryption provides a secure mechanism to protect information over public networks, but it is not always available: a small business's private Wi-Fi network can expose sensitive information, for example. There are many situations where the technical infrastructure or economic resources do not allow the installation of secure communication protocols. Sometimes application-level encryption may be sufficient, or it can complement session- and/or transport-level security. PHP Form Encryption offers an application-level encryption solution for PHP and JavaScript application development.

How does it work:

1. The server receives a client request for a web page that contains a form.
2. The server generates a session RSA key pair and sends the public key in the HTML response.
3. The client fills out the form and generates an AES-256 key. It returns that key to the server encrypted with the received public key, together with the AES-encrypted form data. The client saves the AES key in browser local storage.
4. The server receives the RSA-encrypted AES key and decrypts it with the RSA private key. This AES key is then used to decrypt the received form data, and to encrypt/decrypt subsequent forms until it is changed or the session expires.

PHP implementation: the session must be started before the Cryptopost class is used. Then, to intercept an encrypted form:

    session_start();
    require_once './Cryptopost.class.php';
    $crypto = new Cryptopost(1024, './openssl.cnf');
    if (isset($_POST['cryptoPost'])) {
        $formId = $crypto->decodeForm();
    }

After decodeForm() we know the id of the submitted form, and the $_POST superglobal contains the decrypted data. Before that, $_POST only contains something like this (var_dump($_POST) output):

    array(2) {
      ["cryptoPost_key"]=>
      string(256) "5df90b95ec4fab45d50d34c917c6578f939ccbfadf9486f133850d47a3d6b2c82a277a3468ca11fc7b9163c385eacc2a3a4d091cf8797e55d681b0279058a9f3e334092fb03791931d22ca3847f4f9d4dec0d0a47936f012b6be9723981088d0b049cff46a8e81ec93e2b4f7c3a387d36e2033754d1420a8dc800a4eec6cd0e9"
      ["cryptoPost"]=>
      string(242) "U2FsdGVkX1/53Ut6KFi36Ou/e3lIJz/5pf8FuPb1Yh//WdefKb0iyCke2/g0QPD5
    BeknGV4L8dveRDbQ4kXm5YNi3nyG+/F8JWKDipA9ygHPf5KdFr6pYcfzNQjwwfd8
    rIC19cl9IOJcs171tm0OBVknaloQWDwpLM/KjISdwwPiRGCtcBhkYrcdsgv6JcwD
    aVuU4VunXdWJji9WAKD+1bJrThq2VLjEHhELl26y4vI="
    }

Note that "cryptoPost_key" is received only once, the first time the server receives an encrypted form. Following posts include only the "cryptoPost" value unless the keys are reset.

To send the form encrypted to the server, simply include a call to the JavaScript cryptoPost class:

    <form id="form1" method="POST" action="test.php" onsubmit="return cryptoPost.encrypt('form1')">

The client may need an encrypted record to edit. The server can send it this way:

    $record = array(
        "name"    => $name,
        "address" => $address,
        "zipCode" => $zip
    );
    $encrypted = $crypto->encodeData($record, $formId);

... and then, at the bottom of the HTML code:

    <script>cryptoPost.decrypt('<?php echo $encrypted;?>')</script>

This is a simple way to protect form contents from passive eavesdropping when no SSL/TLS is available. Two caveats for anyone deploying it: without TLS the HTML page, the JavaScript files and the public key in the <meta> tag are themselves sent in clear text, so an attacker who can modify the response rather than only read it can substitute their own public key or script, and this scheme does not defend against that; and the 1024-bit RSA key used in the examples is below current recommendations, so prefer 2048 bits or more.

PHP Form Encryption requires the openssl extension and PHP 5.4+.

Thanks to:
- Tom Wu, author of the jsbn/RSA JavaScript library.
- Mark Percival, author of the Gibberish-AES JavaScript library.

Demo: PHP Form encryption test (external page)
Files

  javascript/            (3 files, see below)
  LICENSE.txt            License
  openssl.cnf            openssl config file
  test.php               Example test script
  changelog.txt          Package history
  Cryptopost.class.php   Main PHP class
  Readme.txt             Documentation

Files / javascript

  cryptopost.js          JavaScript class
  gibberish-aes.js       JavaScript AES
  rsa_jsbn.js            JavaScript RSA

User Comments
Very useful package.
6 years ago (zinsou A.A.E.Moïse), rating 77%

That's a good class ;-)
7 years ago (José Filipe Lopes Santos), rating 80%

The first non-trivial package I've seen on this site.
7 years ago (Theodore M Rolle Jr), rating 80%