AES/DES Encryption

A place for users and developers of the Xataface to discuss and receive support.

AES/DES Encryption

Postby mikep » Tue Aug 25, 2009 8:34 am

Hi,

Sorry to create a forum post on this topic. I know I have seen either documentation or another forum post describing how to implement AES or DES encryption, however, for the life of me, I can no longer find it.

If someone could tell me how to go about implementing AES encryption for a particular field or point me towards the correct forum post or documentation I would appreciate it very much.

Note: I am NOT interested in md5 or sha1 encryption for passwords and login.

Thanks,
Mike
mikep
 
Posts: 44
Joined: Fri Apr 24, 2009 2:21 pm

Postby shannah » Tue Aug 25, 2009 1:39 pm

Depending on your needs you could just override the serialization for the password field using the delegate class method:

Code: Select all
function password__serialize(&$record){
    return my_encrypt_func($record->val('password'));
}


This example assumes that your password is stored in a field named 'password' and that you have elsewhere defined a function to encrypt passwords.

Xataface doesn't load passwords - just saves them so there shouldn't be a need to decrypt it at any point.

-Steve
shannah
 
Posts: 4457
Joined: Wed Dec 31, 1969 5:00 pm

Postby mikep » Tue Aug 25, 2009 3:19 pm

Hi,
I need to be able to store social security numbers encrypted in the database and then decrypted when they are read by xataface. Is this possible?

Mike
mikep
 
Posts: 44
Joined: Fri Apr 24, 2009 2:21 pm

Postby shannah » Tue Aug 25, 2009 3:26 pm

OK. Yes. This is possible. There are quite a number of approaches you could take the first one that comes to mind is to override the serialization for encrypting, and override the display of a field for the displaying.

e.g.
Code: Select all
function ssn__serialize(&$record){
    $ssn = $record->val('ssn');
    if ( !isEncryptedSSN($ssn) ) $ssn = my_encrypt_func($ssn);
    return $ssn;
}

function ssn__display(&$record){
    return my_decrypt_func($record->val('ssn'));
}


Notice in the serialize method I only encrypt it if it hasn't already been encrypted. You would need to define a function to check to see if a value is encrypted or not.
shannah
 
Posts: 4457
Joined: Wed Dec 31, 1969 5:00 pm

Postby mikep » Wed Aug 26, 2009 9:57 pm

You would need to define a function to check to see if a value is encrypted or not.


Can't I just assume the data is not encrypted and leave out the if statement? I know for a fact no one will encrypt the SSN before hand and then attempt to enter it into the database.

Secondly. is
my_encrypt_func
to be replaced with the corresponding mysql function e.g. AES_Encrypt ?

Thirdly, where am I supposed to specify the password to be used for encryption and decryption? Is there a way for mysql to select a password and store it behind the scenes so that the password doesn't have to be stored as plain text in a php file somewhere?

Lastly, are these functions to be located in the delegate class for the table or the application delegate class?



Thanks,
Mike
mikep
 
Posts: 44
Joined: Fri Apr 24, 2009 2:21 pm

Postby shannah » Wed Aug 26, 2009 10:24 pm

I have added support for AES encryption in the latest Serializer.php file:
http://weblite.ca/svn/dataface/core/tru ... alizer.php

Replace your file with this one.

Then you can specify the encryption in the fields.ini file for your ssn field:
Code: Select all
[ssn]
   encryption=aes_encrypt
   aes_key=xxxxxx


For decryption you'll still need to implement the display method.

An example of your decrypt function might be:

Code: Select all
function aes_decrypt($value, $key){
    $res = mysql_query("select aes_decrypt('".addslashes($value)."','".addslashes($key)."')", df_db());
    if ( !$res ) throw new Exception(mysql_error(df_db()));
    list($out) = mysql_fetch_row($res);
    return $out;
}


For the next release of Xataface I may add support for decryption by using fields.ini directives, but for now you'll need to override the display for the field.
shannah
 
Posts: 4457
Joined: Wed Dec 31, 1969 5:00 pm

Postby mikep » Thu Aug 27, 2009 8:11 am

Ok. Thanks a lot. This feature enables me to use Xataface for a new client. Since May, I have implemented Xataface in three different businesses!

I will try this solution later tonight.

Thanks for all your support,
Mike
mikep
 
Posts: 44
Joined: Fri Apr 24, 2009 2:21 pm

Postby mikep » Thu Aug 27, 2009 9:43 am

I'm having a little trouble with the decryption,

I copied the decryption function you gave me as well as the display function.

My apache log says

PHP Fatal error: Call to undefined function aes_decrypt() in /srv/www/htdocs/Psychology/tables/Client/Client.php on line 15, referer: http://sc-database/Psychology/index.php ... e__lang=en


Here is my Clients.php

Code: Select all
class tables_Client
{

        function aes_decrypt($value, $key)
        {
        $res = mysql_query("select aes_decrypt('".addslashes($value)."','".addslashes($key)."')", df_db());
        if ( !$res ) throw new Exception(mysql_error(df_db()));
        list($out) = mysql_fetch_row($res);
        return $out;
        }

        function Social_Security_Number__display(&$record)
        {
        return aes_decrypt($record->val('Social_Security_Number'));
        }

}


I'm not very familiar with PHP but I'm guessing that aes_decrypt is being called with only one parameter while the function declares that it expects 2, $Value and $Key. Since the statement in the display function does not pass the key, I added the key as a parameter, however apache threw the same error.

Any ideas?

Mike
mikep
 
Posts: 44
Joined: Fri Apr 24, 2009 2:21 pm

Postby shannah » Thu Aug 27, 2009 11:05 am

A couple of things to note:
1. You placed your aes_decrypt function inside your tables_Client class. Therefore it would need to be called like:
$this->aes_decrypt()
or
tables_Client::aes_decrypt()

not just
aes_decrypt()

2. The aes_decrypt function takes 2 parameters: one for the thing you are decrypting, and the other for your decryption key.
shannah
 
Posts: 4457
Joined: Wed Dec 31, 1969 5:00 pm

Postby mikep » Fri Aug 28, 2009 8:13 am

You placed your aes_decrypt function inside your tables_Client class.

Should I place it inside my application delegate class to make it globally accessible? how should it be called in that case?

The aes_decrypt function takes 2 parameters...the other for your decryption key.


Because I defined
[ssn]
encryption=aes_encrypt
aes_key=xxxxxx

in my fields.ini file, is there a variable set up which contains the key?
mikep
 
Posts: 44
Joined: Fri Apr 24, 2009 2:21 pm

Postby shannah » Fri Aug 28, 2009 8:48 am

Should I place it inside my application delegate class to make it globally accessible? how should it be called in that case?


For things like this, my preference would be to create an include file named e.g. functions.inc.php and include it in the first line of your application's index.php file.
e.g.

Code: Select all
require_once 'functions.inc.php';


Then you could just call the function like aes_decrypt(...)


ecause I defined
Quote:
[ssn]
encryption=aes_encrypt
aes_key=xxxxxx

in my fields.ini file, is there a variable set up which contains the key?


Well, the way you defined the function, it takes 2 parameters. You must provide 2 parameters, or change the function to only require one - and then fetch the key from the fields.ini file. The better approach is to make the aes_decrypt function require 2 parameters, and then in the ssn__display() method load the key and provide it as the 2nd parameter.

e.g.
Code: Select all
function ssn__display(&$record){
    $field =& $record->_table->getField('ssn');
    $key = $field['aes_key'];
    return aes_decrypt($record->val('ssn'), $key);
}


It occurs to me that you will also have to override the pullValue method for the SSN field so that it decrypts it when loading into the form widgets.
Code: Select all
function ssn__pullValue($record){
    return $this->ssn__display($record);
}


-Steve
shannah
 
Posts: 4457
Joined: Wed Dec 31, 1969 5:00 pm

Postby mikep » Sat Aug 29, 2009 7:58 am

Theres no more errors in my log, however the decryption is still not working. it just leaves the form blank in the edit tab. Also, the field is non-existent in my list tab. The field is of type Blob. The odd thing is that if I try to change the field type to text or anything else in my database, xataface won't load the stylesheets.

Here's my php file

Code: Select all
class tables_Client
{

        function aes_decrypt($value, $key)
        {
        $res = mysql_query("select aes_decrypt('".addslashes($value)."','".addslashes($key)."')", df_db());
        if ( !$res ) throw new Exception(mysql_error(df_db()));
        list($out) = mysql_fetch_row($res);
        return $out;
        }

        function Social_Security_Number__display(&$record)
        {
        $field =& $record->_table->getField('Social_Security_Number');
        $key = $field['aes_key'];
        return $this->aes_decrypt($record->val('Social_Security_Number'), $key);
        }

        function Social_Security_Number__pullValue($record)
        {
        return $this->Social_Security_Number__display($record);
        }

}



Thanks,
Mike
mikep
 
Posts: 44
Joined: Fri Apr 24, 2009 2:21 pm

Postby shannah » Sat Aug 29, 2009 9:07 am

The problem is that the field is type blob. Xataface doesn't load blob fields into memory as this would grind performance to a halt if there was large file stored in the blob field. Change it to a text or varchar field.
shannah
 
Posts: 4457
Joined: Wed Dec 31, 1969 5:00 pm

Postby mikep » Sun Aug 30, 2009 10:21 pm

Awesome. Its working. Thank you so much for your time.

I think it is worth including decryption in the fields.ini file for the next release, but thats just my opinion.


Mike
mikep
 
Posts: 44
Joined: Fri Apr 24, 2009 2:21 pm


Return to Xataface Users

Who is online

Users browsing this forum: No registered users and 27 guests

cron
Powered by Dataface
© 2005-2007 Steve Hannah All rights reserved