PX Developer

Reputation: 8145

Android and PHP server: encrypt and decrypt data

I have an Android application that communicates with my own server. Since we don't have https, I want to implement my own data encryption. The server is implemented in PHP.

I wanted to use AES, but my main problem is sharing the server key with the local application, since it could be intercepted and then anyone could decrypt my messages.

Should I use RSA instead? Or is there a secure way of sharing the key?

Thanks!

Upvotes: 4

Views: 1821

Answers (2)

Ricardo

Reputation: 31

You should use both the RSA and AES encryption algorithms.

  • RSA encrypts/decrypts short strings (it is heavy for CPU).
  • AES encrypts/decrypts large strings (it is faster than RSA).

So:

  1. the client creates a random AES key for each request (24 bytes is fine);
  2. the client encrypts the string request (any length) with the AES key;
  3. the client encrypts the AES key using the RSA PUBLIC key;
  4. the client sends both encrypted items (the AES key and the string) to the server (POST is nice);
  5. the server decrypts the AES key with the RSA PRIVATE key;
  6. the server decrypts the string with the AES key;
  7. the server processes the string request;
  8. the server encrypts the response string with the same AES key;
  9. the server returns the response to the client;
  10. the client decrypts the response with the AES key.

Have a look at the following Open Source project on GitHub: github.com/rcbarioni/followzup

The server is implemented with PHP and there are APIs for PHP and Java. The communication between client and server uses AES and RSA.

The PHP and Java encryption libraries are fully compatible. Java for Android is compatible too.

Upvotes: 3
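A Java version of the ten steps above, added here as an illustration and not taken from the followzup project or from either answer; both the client and the server side run in one process, and a freshly generated RSA key pair stands in for the server's long-term key. It uses RSA-OAEP to wrap the per-request AES key and AES-GCM for the body, so a message altered in transit is rejected instead of being silently decrypted.

```java
import static java.nio.charset.StandardCharsets.UTF_8;
import java.security.*;
import java.util.*;
import javax.crypto.*;
import javax.crypto.spec.*;
public class HybridEnvelope {
    // RSA-OAEP wraps the per-request AES key; AES-GCM protects the body and rejects altered ciphertext.
    static final String RSA = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding", AES = "AES/GCM/NoPadding";
    static String b64(byte[] b) { return Base64.getEncoder().encodeToString(b); }
    static byte[] unb64(String s) { return Base64.getDecoder().decode(s); }
    // Fresh random 12-byte nonce per message, sent in front of the ciphertext (a nonce must never repeat under one key).
    static byte[] aesEncrypt(SecretKey key, byte[] plaintext) throws GeneralSecurityException {
        byte[] iv = new byte[12]; new SecureRandom().nextBytes(iv);
        Cipher c = Cipher.getInstance(AES);
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, iv));
        byte[] ct = c.doFinal(plaintext), out = Arrays.copyOf(iv, 12 + ct.length);
        System.arraycopy(ct, 0, out, 12, ct.length);
        return out;
    }
    static byte[] aesDecrypt(SecretKey key, byte[] ivAndCt) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance(AES);
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, ivAndCt, 0, 12));
        return c.doFinal(ivAndCt, 12, ivAndCt.length - 12); // AEADBadTagException if the body was altered in transit
    }
    // Step 3 (client): the AES key travels under the server's RSA public key.
    static String wrapKey(PublicKey serverPub, SecretKey aesKey) throws GeneralSecurityException {
        Cipher rsa = Cipher.getInstance(RSA);
        rsa.init(Cipher.ENCRYPT_MODE, serverPub);
        return b64(rsa.doFinal(aesKey.getEncoded()));
    }
    // Step 5 (server): only the holder of the private key can recover it.
    static SecretKey unwrapKey(PrivateKey serverPriv, String wrapped) throws GeneralSecurityException {
        Cipher rsa = Cipher.getInstance(RSA);
        rsa.init(Cipher.DECRYPT_MODE, serverPriv);
        return new SecretKeySpec(rsa.doFinal(unb64(wrapped)), "AES");
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA"); kpg.initialize(2048);
        KeyPair server = kpg.generateKeyPair();                 // stands in for the server's long-term key pair
        KeyGenerator kg = KeyGenerator.getInstance("AES"); kg.init(256);
        SecretKey k = kg.generateKey();                          // steps 1-2: a new key for this request only
        String wrapped = wrapKey(server.getPublic(), k);
        String body = b64(aesEncrypt(k, "balance?user=42".getBytes(UTF_8)));     // step 4: POST both fields
        SecretKey sk = unwrapKey(server.getPrivate(), wrapped);                    // steps 5-6 on the server
        String req = new String(aesDecrypt(sk, unb64(body)), UTF_8);
        String reply = b64(aesEncrypt(sk, ("ok " + req).getBytes(UTF_8)));        // step 8: same key, new nonce
        System.out.println(new String(aesDecrypt(k, unb64(reply)), UTF_8));        // step 10 on the client
    }
}
```

PHP's openssl_private_decrypt() with OPENSSL_PKCS1_OAEP_PADDING uses SHA-1 OAEP, so a PHP server needs the client to use "RSA/ECB/OAEPWithSHA-1AndMGF1Padding" instead of the SHA-256 transformation above. The scheme only protects against a man in the middle if the app obtains the server's public key authentically (for instance pinned in the app) rather than fetching it over the same unprotected channel, which this example does not cover.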

Francois Bourgeois

Reputation: 3690

Well, I would do one of the following, with decreasing priority:

  • Tell your boss that HTTPS is the way to go.
  • Use an SSL library like OpenSSL.
  • Use AES for the message and RSA for the exchange of the session's AES key

The last one is the least preferable since there are a lot of things you could do wrong, and thus accidentally break security. Just one example: if you happen to use both encryption and compression, you're vulnerable to the CRIME attack...

Upvotes: 0
