Hi all. I have an iPhone app that retrieves database info by issuing HTTP GETs to PHP pages on a server. All I want to do is encrypt the parameters sent in the URL, to prevent people from spoofing our app and abusing our database (most likely with spam). I've seen people ask this question in forums, and they usually get barraged with questions about why they want to do it, rather than answers. Let me try to head a few off:
1. It's neither practical nor necessary to maintain sessions on the server. We're not using cookies, certificates, or HTTPS. I don't even need the returned data to be encrypted (it's just DB queries coming back as XML). 2. I can't use GnuPG because of its license. 3. I want to use a public-key mechanism because the key will be sent in the clear from DB to app; I don't want to try to hide a private key in the app itself. As I understand it, the typical procedure is as follows: 1. Generate a random key and initialization vector to encrypt the block of text. 2. Encrypt that random key with the RSA public key. 3. Encrypt the data payload with the random key and IV, using Blowfish or other encryption. 4. Send the encrypted data payload, encrypted random key, and IV to the server for decryption. I think I'm nearly there: I'm generating a random key and IV; I have the public key coming back from the database and being loaded with PEM_read_bio_RSA_PUBKEY(). Now I guess I need to use the EVP_encrypt functions to encrypt the payload, but how do you calculate the size of the output buffer that's required for the encrypted data? I assume a normal next step is to add the encrypted key, IV, and encrypted payload as parameters in the HTTP GET and unravel all this using appropriate functions (and the private RSA key) in PHP on the server. Correct? Thanks! Gavin
