Solved

Encrypting Email

Posted on 2000-02-29
6
225 Views
Last Modified: 2006-11-17
I am developing a PHP application which collects information from a web based form & emails it to a recipient. The data is very sensitive so I am using a mod_ssl & will be getting a Verisign certificate before the site goes live.

The information is secure (I trust) between the browser & the server, but how can I ensure it stays secure as it is transmitted by email? Ideally I'd like the recipient to have a private key, then I could get PHP to encode it using the corresponding public key. Looking at the manual there seems to be a million ways to encrypt data - which is best?
0
Comment
Question by:bergsy
  • 2
  • 2
  • 2
6 Comments
 
LVL 8

Accepted Solution

by:
us111 earned 100 total points
ID: 2568994
USE PGP (private & public key)
it's the best solution to encrypt your message or data

http://www.pgpi.org
There, you'll find source, and exe

Before sending your email, crypt it with PGP and  then send it.

below a piece of code
of course you need pgp installed on your server


<?

$PGP_TEMP="/www/pgpmail/temp";
$PGP_PROG="/bin/pgpe";

#### Encrypt a string with PGP      
#### Param:
#### $userid : User ID
#### $msg    : String which be encrypted
#### Return encrypted string
function pgp_encrypt($userid, $msg)
{      if (file_exists($PGP_PROG) == false)
      {      print "<h1>Cannot find $PGP_PROG</h1>";
            exit();      
      }
      
      if (is_dir($PGP_TEMP) == false)
      {      print "<h1>Cannot find $PGP_TEMP</h1>";
            exit();      
      }
      
      # Put message into file
      $f = fopen("$PGP_TEMP", "w");
      fputs($f, $msg);
      fclose($f);

      # Encrypt this file with pgp
      exec("$PGP_PROG -r $userid -af $PGP_TEMP -o $PGP_TEMP.asc > /dev/null");
                        
      # Get file into $msg
      $f = fopen("$PGP_TEMP.asc" ,"r");
      $msg = fread($f, filesize("$PGP_TEMP.asc"));
      fclose($f);
            
      # Delete temp files
      unlink("$PGP_TEMP.asc");
      unlink("$PGP_TEMP");

      # Return encrypted message
      return $msg;
}
?>
0
 
LVL 8

Expert Comment

by:us111
ID: 2569001
USE PGP (private & public key)
it's the best solution to encrypt your message or data

http://www.pgpi.org
There, you'll find source, and exe

Before sending your email, crypt it with PGP and  then send it.

below a piece of code
of course you need pgp installed on your server


<?

$PGP_TEMP="/www/pgpmail/temp";
$PGP_PROG="/bin/pgpe";

#### Encrypt a string with PGP      
#### Param:
#### $userid : User ID
#### $msg    : String which be encrypted
#### Return encrypted string
function pgp_encrypt($userid, $msg)
{      if (file_exists($PGP_PROG) == false)
      {      print "<h1>Cannot find $PGP_PROG</h1>";
            exit();      
      }
      
      if (is_dir($PGP_TEMP) == false)
      {      print "<h1>Cannot find $PGP_TEMP</h1>";
            exit();      
      }
      
      # Put message into file
      $f = fopen("$PGP_TEMP", "w");
      fputs($f, $msg);
      fclose($f);

      # Encrypt this file with pgp
      exec("$PGP_PROG -r $userid -af $PGP_TEMP -o $PGP_TEMP.asc > /dev/null");
                        
      # Get file into $msg
      $f = fopen("$PGP_TEMP.asc" ,"r");
      $msg = fread($f, filesize("$PGP_TEMP.asc"));
      fclose($f);
            
      # Delete temp files
      unlink("$PGP_TEMP.asc");
      unlink("$PGP_TEMP");

      # Return encrypted message
      return $msg;
}
?>
0
 

Author Comment

by:bergsy
ID: 2571622
Perfect!
0
What Should I Do With This Threat Intelligence?

Are you wondering if you actually need threat intelligence? The answer is yes. We explain the basics for creating useful threat intelligence.

 
LVL 2

Expert Comment

by:gravity
ID: 2571637
I think you need a quick modification to the program so that if the $PGP_TEMP.asc file already exists, PHP loops until it is deleted... just think what would happen if two people accessed it at the same time :)
0
 

Author Comment

by:bergsy
ID: 2571711
Gravity : My program has session handling happening already - each $PGP_TEMP.asc is actually given a unique name for each session.

The main problem I have found is that PGP is looking for the keyrings on user 'Nobody', as that's who has permissions at run time. I think I will create a user for this host and use the suEXEC feature of apache to get around this - it also means that anyone else who is on the server at the time cannot grab a copy of the file before it is encrypted, which is very unlikely but just about possible.
0
 
LVL 2

Expert Comment

by:gravity
ID: 2574156
Aha, that certainly makes life easier :)
0

Featured Post

6 Surprising Benefits of Threat Intelligence

All sorts of threat intelligence is available on the web. Intelligence you can learn from, and use to anticipate and prepare for future attacks.

Join & Write a Comment

Foreword (July, 2015) Since I first wrote this article, years ago, a great many more people have begun using the internet.  They are coming online from every part of the globe, learning, reading, shopping and spending money at an ever-increasing ra…
I imagine that there are some, like me, who require a way of getting currency exchange rates for implementation in web project from time to time, so I thought I would share a solution that I have developed for this purpose. It turns out that Yaho…
Explain concepts important to validation of email addresses with regular expressions. Applies to most languages/tools that uses regular expressions. Consider email address RFCs: Look at HTML5 form input element (with type=email) regex pattern: T…
The viewer will learn how to create a basic form using some HTML5 and PHP for later processing. Set up your basic HTML file. Open your form tag and set the method and action attributes.: (CODE) Set up your first few inputs one for the name and …

747 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

8 Experts available now in Live!

Get 1:1 Help Now