How to encrypt & decrypt strings with AES

Hello everyone,

It has been a long time since last time I posted something in this community. Things have changed a lot…

This is the remake of this post I’ve made in July 2017 for the classic platform.

After this tutorial, we’re are going to be able to implement a real security layer in applications using some PHP and Web interactions.

IDEA

The idea under the hood is the following:

  • we are going to send a message to a server containing the string we’re going to encrypt or decrypt and the password that we’re using to accomplish that.

  • in this message we’re going to send a 16 bytes seed.

  • The server is going to respond to our message with the encrypted or decrypted string. In case of failure, the status is going to be: “400 Bad Request”

SERVER-SIDE

For the server-side we have to do some PHP code, in that case is very easy:

For encryption:

<?php

if(!empty($_POST['iv']))
{
	if(strlen($_POST['iv'])==16){
	
	    $string=$_POST['string'];
    	$password =$_POST['pass'];
    	$method = "AES-256-CBC"; //**
    	$iv = $_POST['iv'];

    	$encrypted_string=openssl_encrypt($string, $method, $password, 0, $iv);
    	response(200,"Valid Request",$encrypted_string);
	
	}
    else{
    	response(400,"Invalid Request. The seed is not 16 bytes long",NULL);
    }

}
else
{
    response(400,"Invalid Request. The seed is empty. It should be 16 bytes long.",NULL);
}

function response($status,$status_message,$data)
{
	header("HTTP/1.1 ".$status);

	//echo $status_message

    echo $data;
}

?>

We have to save that code inside a .php file. Like NAES.php

For decryption:

<?php

if(!empty($_POST['iv']))
{
	if(strlen($_POST['iv'])==16){
	
    	$string=$_POST['string'];
    	$password =$_POST['pass'];
    	$method = "AES-256-CBC";
    	$iv = $_POST['iv'];

    	$decrypted_string=openssl_decrypt($string, $method, $password, 0, $iv);
    	response(200,"Valid Request",$decrypted_string);	
    }
    else{
    	response(400,"Invalid Request. The seed is not 16 bytes long",NULL);
    }
}
else
{
	response(400,"Invalid Request. The seed is empty. It should be 16 bytes long.",NULL);
}


function response($status,$status_message,$data)
{
	header("HTTP/1.1 ".$status);

	//echo $status_message

	echo $data;
}

?>

We have to save that code inside a .php file. Like NAESD.php.

**Also, if we want, we can change method of encryption. The list is available on that page: http://micmap.org/php-by-example/manual/es/function.openssl-get-cipher-methods.html

The next step is to upload those files to some hosting service. In my case, I’m going to use a space that my University gives me for free.

https://ahsawa.upv.edu.es/files/AES/NAES.php
https://ahsawa.upv.edu.es/files/AES/NAESD.php

INTERACTION WITH PHP CODE

In case you have opened those links in your browser you would have seen the next image:

HTTP ERROR 400

Captura de pantalla 2020-06-26 a las 12.13.49

That’s because by opening the link in the browser we’re not providing the message containing the string, the password or the seed. That’s the next step. We’re going to provide the message inside our Thunkable X app.

Thunkable block configuration

For encryption

When the user clicks the button encrypt “Web Api” is going to set the URL to the URL of the uploaded PHP.

The important part is the body; we are providing here the data. IV stands for initialization vector, (the seed), the string is the text we want to encrypt or decrypt. And the pass is the password we’re going to use.

Next to that, we’re going to call the post method of the web_api1 component. If the status is 200 we can be good. And we can set the text to the response, the response is the encrypted/decrypted string.

For decryption

That’s the same process than the encryption case.

COMMENTS

That’s some demo video:

PHP files that’ve used: https://drive.google.com/drive/folders/17IVIhymjXoIugdFNXa2ekJN2nVXX2Fj_?usp=sharing

The project page, where you can have a look inside, or mix it or whatever: https://x.thunkable.com/projectPage/5ef499c645b29371a36a0234

You should host the PHP files in your services (to have It under your control), but I don’t care if you use my page, I’m not going to do bad things :crazy_face:

Lastly, be aware that the app is a simple implementation with no practical use. You can use the fundamental idea and PHP and the whole thing to implement an encryption/decryption function inside a complex and sensitive app, per example, a “secret diary”.

And that’s all. :smiley:

1 Like

This is great @Ahmad_Saleh - Thank you so much for the update!