Hello everyone,
It has been a long time since I last posted something in this community. Things have changed a lot…
This is a remake of the post I made in July 2017 for the classic platform.
After this tutorial, we are going to be able to add a real security layer to our apps using some PHP and web interactions.
IDEA
The idea under the hood is the following:
- We send a message to a server containing the string we want to encrypt or decrypt and the password we use to do that.
- In this message we also send a 16-byte seed (the initialization vector).
- The server responds to our message with the encrypted or decrypted string. In case of failure, the status is going to be “400 Bad Request”.
SERVER-SIDE
For the server side we need some PHP code; in this case it is very easy:
For encryption:
<?php
// NAES.php: encrypt the POSTed string with AES-256-CBC.
// Expected POST fields: iv (16-byte seed), string (plaintext), pass (password).
if (!empty($_POST['iv'])) {
    // AES-CBC works on 16-byte blocks, so the IV must be exactly 16 bytes long
    if (strlen($_POST['iv']) == 16) {
        $string   = $_POST['string'] ?? '';
        $password = $_POST['pass'] ?? '';
        $method   = "AES-256-CBC"; //**
        $iv       = $_POST['iv'];
        // openssl_encrypt uses the bytes of $password directly as the key (no key
        // derivation); with options = 0 the ciphertext is returned base64 encoded
        $encrypted_string = openssl_encrypt($string, $method, $password, 0, $iv);
        response(200, "Valid Request", $encrypted_string);
    } else {
        response(400, "Invalid Request. The seed is not 16 bytes long", NULL);
    }
} else {
    response(400, "Invalid Request. The seed is empty. It should be 16 bytes long.", NULL);
}

// Send the HTTP status line followed by the payload (nothing on error)
function response($status, $status_message, $data)
{
    header("HTTP/1.1 " . $status);
    //echo $status_message;
    echo $data;
}
?>
Save that code in a .php file, for example NAES.php.
For decryption:
<?php
// NAESD.php: decrypt the POSTed string with AES-256-CBC.
// Expected POST fields: iv (16-byte seed), string (base64 ciphertext), pass (password).
if (!empty($_POST['iv'])) {
    // AES-CBC works on 16-byte blocks, so the IV must be exactly 16 bytes long
    if (strlen($_POST['iv']) == 16) {
        $string   = $_POST['string'] ?? '';
        $password = $_POST['pass'] ?? '';
        $method   = "AES-256-CBC";
        $iv       = $_POST['iv'];
        // openssl_decrypt returns false when the password is wrong or the
        // ciphertext is malformed (bad padding), so report that as a 400
        $decrypted_string = openssl_decrypt($string, $method, $password, 0, $iv);
        if ($decrypted_string === false) {
            response(400, "Invalid Request. The string could not be decrypted.", NULL);
        } else {
            response(200, "Valid Request", $decrypted_string);
        }
    } else {
        response(400, "Invalid Request. The seed is not 16 bytes long", NULL);
    }
} else {
    response(400, "Invalid Request. The seed is empty. It should be 16 bytes long.", NULL);
}

// Send the HTTP status line followed by the payload (nothing on error)
function response($status, $status_message, $data)
{
    header("HTTP/1.1 " . $status);
    //echo $status_message;
    echo $data;
}
?>
Save that code in a .php file, for example NAESD.php.
** Also, if we want, we can change the encryption method. The list of methods is available on this page: http://micmap.org/php-by-example/manual/es/function.openssl-get-cipher-methods.html
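As an added example (not part of the original post or its PHP files), here is a hardened variant of the same server side. The original handlers pass the password bytes straight to openssl_encrypt as the AES-256 key, take the IV from the client, and return a ciphertext that nobody authenticates, so a modified message is decrypted to garbage rather than rejected. This version derives the key with PBKDF2 from a per-message random salt, generates the IV itself, and appends an HMAC-SHA256 tag (encrypt-then-MAC). The field names (mode, string, pass), the iteration count and the message layout are assumptions of this example, so the Thunkable body would need to change accordingly. Keep in mind that, in both versions, the string and the password travel to the server, so whoever runs the PHP host can read both; that is why hosting the files yourself matters.

```php
<?php
declare(strict_types=1);

// Hypothetical hardened replacement for NAES.php / NAESD.php (added example).
// Message layout, base64 encoded: salt(16) . iv(16) . ciphertext . hmac(32)
const METHOD = 'AES-256-CBC';
const PBKDF2_ITERATIONS = 200000; // assumption; tune for the host

// Derive 64 bytes from the password: 32 for AES-256, 32 for the HMAC key
function derive_keys(string $password, string $salt): array
{
    $material = hash_pbkdf2('sha256', $password, $salt, PBKDF2_ITERATIONS, 64, true);
    return [substr($material, 0, 32), substr($material, 32, 32)];
}

function naes_encrypt(string $plaintext, string $password): string
{
    $salt = random_bytes(16);
    $iv = random_bytes(openssl_cipher_iv_length(METHOD)); // 16 bytes for AES-CBC
    [$encKey, $macKey] = derive_keys($password, $salt);
    $ct = openssl_encrypt($plaintext, METHOD, $encKey, OPENSSL_RAW_DATA, $iv);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    $body = $salt . $iv . $ct;
    $tag = hash_hmac('sha256', $body, $macKey, true);
    return base64_encode($body . $tag);
}

function naes_decrypt(string $encoded, string $password): string
{
    $blob = base64_decode($encoded, true);
    // salt + iv + at least one cipher block + tag
    if ($blob === false || strlen($blob) < 16 + 16 + 16 + 32) {
        throw new InvalidArgumentException('malformed message');
    }
    $salt = substr($blob, 0, 16);
    $iv = substr($blob, 16, 16);
    $tag = substr($blob, -32);
    $body = substr($blob, 0, -32);
    [$encKey, $macKey] = derive_keys($password, $salt);
    // Verify the tag in constant time before touching the ciphertext
    if (!hash_equals(hash_hmac('sha256', $body, $macKey, true), $tag)) {
        throw new InvalidArgumentException('authentication failed');
    }
    $ct = substr($body, 32);
    $pt = openssl_decrypt($ct, METHOD, $encKey, OPENSSL_RAW_DATA, $iv);
    if ($pt === false) {
        throw new InvalidArgumentException('decryption failed');
    }
    return $pt;
}

function respond(int $status, string $data): void
{
    http_response_code($status);
    header('Content-Type: text/plain; charset=utf-8');
    echo $data;
}

if (PHP_SAPI !== 'cli') {
    // Web request: POST fields mode (encrypt|decrypt), string, pass (assumed names)
    $mode = $_POST['mode'] ?? '';
    $string = $_POST['string'] ?? '';
    $pass = $_POST['pass'] ?? '';
    if ($pass === '' || !in_array($mode, ['encrypt', 'decrypt'], true)) {
        respond(400, 'Invalid Request. Expected mode=encrypt|decrypt, string and pass.');
        exit;
    }
    try {
        respond(200, $mode === 'encrypt' ? naes_encrypt($string, $pass) : naes_decrypt($string, $pass));
    } catch (InvalidArgumentException $e) {
        respond(400, 'Invalid Request. ' . $e->getMessage());
    }
} else {
    // Local self-check: php naes_hardened.php
    $msg = naes_encrypt('secret diary entry', 'correct horse battery staple');
    if (naes_decrypt($msg, 'correct horse battery staple') !== 'secret diary entry') {
        throw new RuntimeException('round trip failed');
    }
    // Flipping one ciphertext byte must be rejected by the tag check, not decrypted
    $raw = base64_decode($msg);
    $raw[40] = chr(ord($raw[40]) ^ 1);
    try {
        naes_decrypt(base64_encode($raw), 'correct horse battery staple');
        throw new RuntimeException('tampering was not detected');
    } catch (InvalidArgumentException $e) {
        echo "round trip ok, tampering detected\n";
    }
}
```

Running the file from the command line exercises the round trip and the tamper check without a web server; under a web server the same file serves both the encrypt and decrypt roles, so a single URL replaces the NAES.php/NAESD.php pair.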
The next step is to upload those files to some hosting service. In my case, I’m going to use a space that my University gives me for free.
https://ahsawa.upv.edu.es/files/AES/NAES.php
https://ahsawa.upv.edu.es/files/AES/NAESD.php
INTERACTION WITH PHP CODE
If you open those links in your browser you will see this:
HTTP ERROR 400
That is because opening the link in the browser sends no message: no string, no password and no seed. Providing that message is the next step, and we are going to do it from our Thunkable X app.
Thunkable block configuration
For encryption
When the user clicks the Encrypt button, we set the URL of the Web API component to the URL of the uploaded PHP file.
The important part is the body; this is where we provide the data. IV stands for initialization vector (the seed), string is the text we want to encrypt or decrypt, and pass is the password we are going to use.
After that, we call the Post method of the Web_Api1 component. If the status is 200 the request succeeded, and we set the label text to the response, which is the encrypted/decrypted string.
For decryption
That’s the same process as in the encryption case.
COMMENTS
Here is a demo video:
PHP files I’ve used: https://drive.google.com/drive/folders/17IVIhymjXoIugdFNXa2ekJN2nVXX2Fj_?usp=sharing
The project page, where you can have a look inside, remix it, or whatever: https://x.thunkable.com/projectPage/5ef499c645b29371a36a0234
You should host the PHP files on your own service (to have it under your control), but I don’t mind if you use my page; I’m not going to do bad things.
Lastly, be aware that the app is a simple implementation with no practical use. You can use the fundamental idea, the PHP and the rest to implement an encryption/decryption function inside a more complex and sensitive app, for example a “secret diary”.
And that’s all.