Solved

Encrypting Email

Posted on 2000-02-29
6
227 Views
Last Modified: 2006-11-17
I am developing a PHP application which collects information from a web based form & emails it to a recipient. The data is very sensitive so I am using a mod_ssl & will be getting a Verisign certificate before the site goes live.

The information is secure (I trust) between the browser & the server, but how can I ensure it stays secure as it is transmitted by email? Ideally I'd like the recipient to have a private key, then I could get PHP to encode it using the corresponding public key. Looking at the manual there seems to be a million ways to encrypt data - which is best?
0
Comment
Question by:bergsy
  • 2
  • 2
  • 2
6 Comments
 
LVL 8

Accepted Solution

by:
us111 earned 100 total points
ID: 2568994
USE PGP (private & public key)
it's the best solution to encrypt your message or data

http://www.pgpi.org
There, you'll find source, and exe

Before sending your email, crypt it with PGP and  then send it.

below a piece of code
of course you need pgp installed on your server


<?

$PGP_TEMP="/www/pgpmail/temp";
$PGP_PROG="/bin/pgpe";

#### Encrypt a string with PGP      
#### Param:
#### $userid : User ID
#### $msg    : String which be encrypted
#### Return encrypted string
function pgp_encrypt($userid, $msg)
{      if (file_exists($PGP_PROG) == false)
      {      print "<h1>Cannot find $PGP_PROG</h1>";
            exit();      
      }
      
      if (is_dir($PGP_TEMP) == false)
      {      print "<h1>Cannot find $PGP_TEMP</h1>";
            exit();      
      }
      
      # Put message into file
      $f = fopen("$PGP_TEMP", "w");
      fputs($f, $msg);
      fclose($f);

      # Encrypt this file with pgp
      exec("$PGP_PROG -r $userid -af $PGP_TEMP -o $PGP_TEMP.asc > /dev/null");
                        
      # Get file into $msg
      $f = fopen("$PGP_TEMP.asc" ,"r");
      $msg = fread($f, filesize("$PGP_TEMP.asc"));
      fclose($f);
            
      # Delete temp files
      unlink("$PGP_TEMP.asc");
      unlink("$PGP_TEMP");

      # Return encrypted message
      return $msg;
}
?>
0
 
LVL 8

Expert Comment

by:us111
ID: 2569001
USE PGP (private & public key)
it's the best solution to encrypt your message or data

http://www.pgpi.org
There, you'll find source, and exe

Before sending your email, crypt it with PGP and  then send it.

below a piece of code
of course you need pgp installed on your server


<?

$PGP_TEMP="/www/pgpmail/temp";
$PGP_PROG="/bin/pgpe";

#### Encrypt a string with PGP      
#### Param:
#### $userid : User ID
#### $msg    : String which be encrypted
#### Return encrypted string
function pgp_encrypt($userid, $msg)
{      if (file_exists($PGP_PROG) == false)
      {      print "<h1>Cannot find $PGP_PROG</h1>";
            exit();      
      }
      
      if (is_dir($PGP_TEMP) == false)
      {      print "<h1>Cannot find $PGP_TEMP</h1>";
            exit();      
      }
      
      # Put message into file
      $f = fopen("$PGP_TEMP", "w");
      fputs($f, $msg);
      fclose($f);

      # Encrypt this file with pgp
      exec("$PGP_PROG -r $userid -af $PGP_TEMP -o $PGP_TEMP.asc > /dev/null");
                        
      # Get file into $msg
      $f = fopen("$PGP_TEMP.asc" ,"r");
      $msg = fread($f, filesize("$PGP_TEMP.asc"));
      fclose($f);
            
      # Delete temp files
      unlink("$PGP_TEMP.asc");
      unlink("$PGP_TEMP");

      # Return encrypted message
      return $msg;
}
?>
0
 

Author Comment

by:bergsy
ID: 2571622
Perfect!
0
Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

 
LVL 2

Expert Comment

by:gravity
ID: 2571637
I think you need a quick modification to the program so that if the $PGP_TEMP.asc file already exists, PHP loops until it is deleted... just think what would happen if two people accessed it at the same time :)
0
 

Author Comment

by:bergsy
ID: 2571711
Gravity : My program has session handling happening already - each $PGP_TEMP.asc is actually given a unique name for each session.

The main problem I have found is that PGP is looking for the keyrings on user 'Nobody', as that's who has permissions at run time. I think I will create a user for this host and use the suEXEC feature of apache to get around this - it also means that anyone else who is on the server at the time cannot grab a copy of the file before it is encrypted, which is very unlikely but just about possible.
0
 
LVL 2

Expert Comment

by:gravity
ID: 2574156
Aha, that certainly makes life easier :)
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Both Easy and Powerful How easy is PHP? http://lmgtfy.com?q=how+easy+is+php (http://lmgtfy.com?q=how+easy+is+php)  Very easy.  It has been described as "a programming language even my grandmother can use." How powerful is PHP?  http://en.wikiped…
This article discusses how to create an extensible mechanism for linked drop downs.
The viewer will learn how to dynamically set the form action using jQuery.
The viewer will learn how to count occurrences of each item in an array.

947 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

22 Experts available now in Live!

Get 1:1 Help Now