Android and PHP server: encrypt and decrypt data

Posted by 和自甴很熟 on 2019-12-10 16:34:52

Question


I have an Android application that communicates with my own server. Since we don't have https, I want to implement my own data encryption. The server is implemented in PHP.

I wanted to use AES, but my main problem is sharing the server key with the local application, since it could be intercepted and then anyone could decrypt my messages.

Should I use RSA instead? Or is there a secure way of sharing the key?

Thanks!


Answer 1:


You should use RSA and AES encrypting protocols.

  • RSA encrypts/decrypts short strings (it is heavy for CPU).
  • AES encrypts/decrypts large strings (it is faster than RSA).

So:

  1. the client creates a random AES key for each request (24 bytes is fine);
  2. the client encrypts the string request (any length) with the AES key;
  3. the client encrypts the AES key using RSA PUBLIC key;
  4. the client sends both encrypted (AES and string) to the server (POST is nice);
  5. the server decrypts the AES key with RSA PRIVATE key;
  6. the server decrypts the string with the AES key;
  7. the server processes the string request;
  8. the server encrypts the response string with the same AES key;
  9. the server response returns to the client;
  10. the client decrypts the response with the AES key.

Have a look at the following Open Source project at GitHub: github.com/rcbarioni/followzup

The server is implemented with PHP and there are APIs for PHP and Java. The communication between client and server uses AES and RSA.

PHP and Java encryption libraries are fully compatible. Java for Android is compatible too.




Answer 2:


Well, I would do one of the following, with decreasing priority:

  • Tell your boss that HTTPS is the way to go.
  • Use an SSL library like openSSL
  • Use AES for the message and RSA for the exchange of the session's AES key

The last one is the least preferable since there are a lot of things you could do wrong, and thus accidentally break security. Just one example: If you happen to use both encryption and compression, you're vulnerable to the CRIME attack...



Source: https://stackoverflow.com/questions/14621646/android-and-php-server-encrypt-and-decrypt-data
