On Tue, May 17, 2011 at 2:52 PM, G S <stokest...@gmail.com> wrote:
> Hi all.
> I have an iPhone app that retrieves database info by issuing HTTP GETs to
> PHP pages on a server.  All I want to do is encrypt the parameters sent in
> the URL, to prevent people from spoofing our app and abusing our database
> (most likely with spam).  I've seen people ask this question in forums, and
> they usually get barraged with questions about why they want to do it,
> rather than answers.  Let me try to head a few off:
> 1. It's neither practical nor necessary to maintain sessions on the server.
> We're not using cookies, certificates, or HTTPS.  I don't even need the
> returned data to be encrypted (it's just DB queries coming back as XML).
> 2. I can't use GnuPG because of its license.
> 3. I want to use a public-key mechanism because the key will be sent in the
> clear from DB to app; I don't want to try to hide a private key in the app
> itself.
> As I understand it, the typical procedure is as follows:
> 1. Generate a random key and initialization vector to encrypt the block of
> text.
> 2. Encrypt that random key with the RSA public key.
> 3. Encrypt the data payload with the random key and IV, using Blowfish or
> other encryption.
> 4. Send the encrypted data payload, encrypted random key, and IV to the
> server for decryption.
> I think I'm nearly there: I'm generating a random key and IV; I have the
> public key coming back from the database and being loaded with
> PEM_read_bio_RSA_PUBKEY().  Now I guess I need to use the EVP_encrypt
> functions to encrypt the payload, but how do you calculate the size of the
> output buffer that's required for the encrypted data?
> I assume a normal next step is to add the encrypted key, IV, and encrypted
> payload as parameters in the HTTP GET and unravel all this using appropriate
> functions (and the private RSA key) in PHP on the server.  Correct?

I'm probably being obtuse here, but I don't see how encrypting your
request with a public key would help you with your original problem.

What stops a rogue app from doing the same encryption?
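
On the output-buffer question in the quoted message, an added example (not code from this thread or from OpenSSL): a model of how a padded 8-byte block cipher buffers input across Update and Final calls, showing why input length plus one block is always enough room. `fake_block` is a placeholder for the cipher and the `model_*` names are hypothetical; only the byte counts are meaningful.

```c
#include <stddef.h>
#include <string.h>

#define BLOCK 8  /* Blowfish block size in bytes */
/* Holds the partial block carried over between calls. */
typedef struct { unsigned char buf[BLOCK]; size_t used; } model_ctx;

/* Placeholder for one block of cipher work (NOT encryption; sizes only). */
static void fake_block(unsigned char *out, const unsigned char *in) {
    for (size_t i = 0; i < BLOCK; i++) out[i] = in[i] ^ 0xAA;
}

/* Safe output allocation for Update + Final over inl bytes of input. */
size_t max_out_len(size_t inl) { return inl + BLOCK; }
/* Exact ciphertext length: PKCS#7 padding always adds 1..BLOCK bytes. */
size_t padded_len(size_t inl) { return (inl / BLOCK + 1) * BLOCK; }

/* Like EVP_EncryptUpdate: writes whole blocks only, keeps the remainder. */
size_t model_update(model_ctx *c, unsigned char *out,
                    const unsigned char *in, size_t inl) {
    size_t written = 0;
    while (inl > 0) {
        size_t take = BLOCK - c->used;
        if (take > inl) take = inl;
        memcpy(c->buf + c->used, in, take);
        c->used += take; in += take; inl -= take;
        if (c->used == BLOCK) {
            fake_block(out + written, c->buf);
            written += BLOCK; c->used = 0;
        }
    }
    return written;
}

/* Like EVP_EncryptFinal_ex: pads the remainder, writes one last block. */
size_t model_final(model_ctx *c, unsigned char *out) {
    unsigned char pad = (unsigned char)(BLOCK - c->used);
    memset(c->buf + c->used, pad, pad);
    fake_block(out, c->buf);
    c->used = 0; return BLOCK;
}

/* Total bytes produced when msg is fed in two chunks split at `split`. */
size_t model_encrypt_len(const unsigned char *msg, size_t len, size_t split) {
    unsigned char out[256]; model_ctx c = { {0}, 0 };
    if (max_out_len(len) > sizeof out || split > len) return 0;
    size_t n = model_update(&c, out, msg, split);
    n += model_update(&c, out + n, msg + split, len - split);
    return n + model_final(&c, out + n);
}
```

The result is binary, so it still has to be encoded (for example Base64 or hex) before it can travel as a GET parameter, which enlarges it further.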

