There are two different things you might want: ensure that the data is not seen 
by eavesdroppers while in transit, or ascertain that the data comes from who it 
says it is.

The first, you manage with SSL as with any other secure transaction, as already 
suggested.

The second is what you might want to use a digital signature for; that's why 
someone might have suggested it to you.
As a sample of how this would work you read the file into memory, add a long 
string, the signature,  that is never transmitted but that both ends know, and 
pass it all through an algorithm like MD5 or such.   At the receiving end, you 
get the data and the MD5 but, as I said, the signature is never transmitted, 
but you know it as well.  You do the same process as in the sending end and you 
should reach the same MD5.  Since MD5 is not reversible, knowing the MD5 of 
this long string, the data plus the signature, cannot reveal the signature even 
if the data is transmitted in clear text, but no other except someone who has 
the signature can produce the right MD5. Notice that the data itself is 
transmitted in clear text, the goal is to ensure that who sends it is who is 
meant. A similar process has been in use in the banking industry for wire 
transfers when they were really sent via telex.

As mentioned, PGP is a far better solution since it covers both requirements and 
it uses two keys, one for encoding and one for decoding, so that each end knows 
just half of the information and won't require you to use SSL. The problem is 
that you have to do some processing at the client side and JavaScript alone 
won't allow you to access the file system.  You would have to deploy ActiveX 
controls or Konfabulator widgets (plus the widget runtime).  On the other 
hand, many eMail clients can send PGP protected messages.

Finally, you could get your users to ZIP the files with a password before 
sending them, which is not so secure but is good enough for many uses.  It all 
depends on what you want.

Satyam
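
The shared-secret check described in the reply above, as an added example that is not part of the original post. It swaps the plain MD5 over data plus secret for PHP's built-in keyed hash, hash_hmac() with SHA-256, and compares tags with hash_equals(); the secret, the function names and the sample file contents are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Assumption: both ends received this secret out of band; it is never sent.
// Constructed sample value; in practice load it from protected configuration.
const SHARED_SECRET = 'constructed-example-secret-do-not-reuse';

/** Sender side: compute the tag that travels alongside the file. */
function make_tag(string $fileContents, string $secret): string
{
    // hash_hmac() keys the hash with the secret; SHA-256 replaces MD5 here.
    return hash_hmac('sha256', $fileContents, $secret);
}

/** Receiver side: recompute the tag from the received data and compare. */
function verify_upload(string $fileContents, string $receivedTag, string $secret): bool
{
    $expected = make_tag($fileContents, $secret);
    // hash_equals() compares in constant time, so timing does not leak the tag.
    return hash_equals($expected, $receivedTag);
}

// Constructed sample: two quoted/comma-delimited result lines.
$csv = "\"LAB001\",\"2007-07-27\",\"coliform\",\"absent\"\n"
     . "\"LAB001\",\"2007-07-27\",\"coliform\",\"present\"\n";

// The lab sends $csv and $tag; the secret stays on each end.
$tag = make_tag($csv, SHARED_SECRET);

// Case 1: unmodified file, tag made by a sender who knows the secret.
var_dump(verify_upload($csv, $tag, SHARED_SECRET));

// Case 2: file altered in transit (one result changed), original tag kept.
$tampered = str_replace('present', 'absent', $csv);
var_dump(verify_upload($tampered, $tag, SHARED_SECRET));

// Case 3: tag made by a sender who does not know the secret.
$forged = make_tag($csv, 'wrong-secret');
var_dump(verify_upload($csv, $forged, SHARED_SECRET));
```

As in the reply, the file itself still travels in clear text; the tag only lets the receiver check that it came from someone holding the secret and was not changed on the way.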

  ----- Original Message ----- 
  From: John A DAVIS 
  To: php-general@lists.php.net 
  Sent: Friday, July 27, 2007 10:21 PM
  Subject: [PHP] need insights on encrypting and uploading ASCII file using PHP


  We have various labs that submit coliform sample results in an ASCII file, 
quoted/comma delimited.

  We are being asked to encrypt this file for internet transfer. We are also 
being asked to create a secure process by which to transfer this file across 
the internet.

  Currently:
  the lab pushes a button and generates the ASCII file (12 columns)
  the lab logs in to a PHP webpage and uses the file upload input to submit the 
file.
  If data is valid, file is saved on our server in a folder where we can pull 
it into the respective tables.


  Be nice to have some insights on how to encrypt this file at the source and 
how to transfer the file securely. We keep hearing the words, "digital 
signature".

  Thanks in advance,



  John A. Davis
  Programmer
  State of Oregon DHS OIS
  CNE, MCSE

  "Don't think of the problem, think of the solution"

