Send data encrypted from one webserver (iis/asp) to another (apache/php)?

Dear All

I have the following scenario:

I have a web server (IIS/ASP) that operates on SSL in one location (called A)
I have a second web server (Apache/PHP) that does not operate on SSL in another location (called B)

My customers enter data on server A; due to some business restrictions I need to complete processing of that data on server B.

I need to accomplish the following: I need to send the data encrypted through a POST form from server A to server B, server B must decipher the data and process it, and that is it.

I need to know how to accomplish sending the data from A -> B encrypted and process it once it reaches B. It does not need to use the certificate of server A, any possible solution is acceptable.

Any guidance?
 

http:// thevpn.guru Asked:
 
ravs120499 Commented:
You will need to:
- generate a key pair on the apache server
- use a CA software to generate a certificate for the apache server. You can either create a separate CA certificate for signing the certificate, or create a self-signed certificate using the original keys generated for the apache server.
- configure apache to use this certificate for SSL
- configure IIS to trust this certificate (either the self-signed certificate, or the CA certificate you created in step 2).

- Ravs
0
 
Nopius Commented:
I don't know what cryptographic functions are available in ASP.
A very simple method is XOR-ing (binary XOR operation) date with some common secret. The remote site should XOR it with the same secret to get the original value.
With a secret having binary (0-254 codes) characters inside and with a length not less than the original value (in bytes), it's impossible to guess a secret with a single data capture.

XOR exists in almost any language, but you should pay attention to date format. It's better to encode strings than integers due to possible difference in endianness.
0
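
An added example, not part of the original post: the "single data capture" condition above holds only while the secret is used for one message. The sketch below, with constructed form bodies and hypothetical function names, shows what a second message under the same secret exposes, which is why each secret would have to be used once and never repeated.

```python
import secrets

def xor_bytes(data: bytes, secret: bytes) -> bytes:
    """XOR data with secret. Rejects a secret shorter than the data,
    the length condition given in the post above."""
    if len(secret) < len(data):
        raise ValueError("secret shorter than data")
    return bytes(d ^ s for d, s in zip(data, secret))

def combine(c1: bytes, c2: bytes) -> bytes:
    """XOR two captured ciphertexts byte by byte."""
    return bytes(a ^ b for a, b in zip(c1, c2))

# Constructed sample form bodies of equal length (not real data).
P1 = b"customer=alice&amount=0100"
P2 = b"customer=bobby&amount=2500"

def demo(secret: bytes) -> dict:
    c1 = xor_bytes(P1, secret)
    c2 = xor_bytes(P2, secret)   # same secret used a second time
    mixed = combine(c1, c2)
    return {
        "round_trip": xor_bytes(c1, secret) == P1,
        # The secret cancels: what remains depends only on the plaintexts.
        "secret_cancelled": mixed == combine(P1, P2),
        # Zero bytes mark every position where the two posts are identical.
        "identical_positions": [i for i, b in enumerate(mixed) if b == 0],
    }

if __name__ == "__main__":
    print(demo(secrets.token_bytes(len(P1))))
```

The result is the same for any secret, so the exposure comes from reuse itself, not from a weak choice of secret.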
 
ravs120499 Commented:
Why can't server B support SSL? That is by far the best and easiest solution. Any encryption solution will need some software to be installed on B - so why not SSL?

Alternatively, install a second web server in location B that handles the SSL communication, and pass the data to B across the local intranet in unencrypted form.

It all depends on what the data is, and what level of security is appropriate/contractually obliged.

- Ravs
0
 
http:// thevpn.guru Author Commented:
I was thinking more about some RSA method...encrypt the data using asp..and decrypt it using php....
0
 
ravs120499 Commented:
You could - but you would have to install the RSA package on B. Why would that be acceptable while SSL is not?
0
 
Nopius Commented:
If you would like to use strong cryptography, it is much easier (and faster) to use symmetric encryption (with a shared secret, like AES, 3DES or DES) than slow RSA asymmetric RC encryption. But all these methods require third-party libraries in ASP.

At the same time XOR is available without any extra libraries: http://www.andyw.com/director/xor.asp

Note that any of these methods is vulnerable to a 'replay' attack. That's why SSL is better.
0
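
An added example, not part of the original post: one way server B could detect the replay described above when the payload is protected only at the application layer. Server A attaches a timestamp, a random nonce and an HMAC-SHA256 tag, and server B accepts each authentic, fresh message once. The function and field names, the 300-second window and the shared key are assumptions, and the sketch covers authenticity and replay only, not confidentiality.

```python
import hashlib
import hmac
import secrets

MAX_AGE = 300  # seconds a message stays acceptable (assumed window)

def sign(key: bytes, body: bytes, now: int) -> dict:
    """Server A: attach a timestamp, a random nonce and an HMAC over all three."""
    nonce = secrets.token_hex(16)
    msg = f"{now}.{nonce}.".encode() + body
    tag = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return {"ts": now, "nonce": nonce, "body": body, "tag": tag}

class Receiver:
    """Server B: accept each authentic, fresh message exactly once."""

    def __init__(self, key: bytes):
        self.key = key
        self.seen = {}  # nonce -> timestamp, pruned once outside the window

    def accept(self, m: dict, now: int) -> str:
        msg = f"{m['ts']}.{m['nonce']}.".encode() + m["body"]
        expected = hmac.new(self.key, msg, hashlib.sha256).hexdigest()
        # Constant-time comparison; any change to ts, nonce or body fails here.
        if not hmac.compare_digest(expected, m["tag"]):
            return "bad-mac"
        if abs(now - m["ts"]) > MAX_AGE:
            return "stale"
        # Forget nonces that could no longer pass the freshness check anyway.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= MAX_AGE}
        if m["nonce"] in self.seen:
            return "replay"
        self.seen[m["nonce"]] = m["ts"]
        return "ok"

if __name__ == "__main__":
    key = secrets.token_bytes(32)            # constructed shared key
    post = sign(key, b"order=42", 1000)      # constructed sample body
    b_side = Receiver(key)
    print(b_side.accept(post, 1010), b_side.accept(post, 1020))
```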
 
ravs120499 Commented:
However, assuming there is some reason why RSA is OK but SSL isn't, here is what I think:

There are third party packages that give you VBScript bindings to RSA. Here is one I found on a Google search (I cannot vouch for this in any way)
http://www.example-code.com/vbscript/rsa_encryptStrings.asp

But AFAIK, all PHP - RSA bindings make use of the openssl package, so (presumably) fall foul of your no-ssl rule!

- Ravs
0
 
http:// thevpn.guru Author Commented:
Just to clarify things..I think I have misled you guys..ravs in particular..when I said no SSL I mean they do not want to purchase an SSL certificate for the apache webserver.
I should have stated that in the question.
0
 
ravs120499 Commented:
Hmmm, I understand now. Ok, you can create your own SSL certificate using an open-source CA package. OpenSSL comes with some certificate management utilities, for example. This looks like your best option now.

It's best not to get started with rolling your own encryption in the application - it's a can of worms!

- Ravs
0
 
ravs120499 Commented:
A bit more detail you might find useful: a certificate is required for any kind of public key encryption based communications, whether you use SSL out of the box in a web server, or use RSA libraries to roll your own. The alternative is to use "secret key" encryption. The issue with secret key encryption for communication is that the key has to be known to both the communicating parties, but has to be secret from everyone else. So people end up hard-coding the keys on both sides which is not a great thing to do.

Public key encryption relies on key pairs. Data that is encrypted by one of the keys in the pair can be decrypted only by using the other key in the pair. Used in a communication protocol, this solves the key exchange problem described above (but creates other problems).

- Ravs
0
 
http:// thevpn.guru Author Commented:
I am thinking about generating a public/private key pair on the apache server and then use the public key on the IIS to encrypt the data and send it to the Apache server where it can be deciphered.
 
0
 
Dave Howe, Software and Hardware Engineer Commented:
I would suggest you approach the question from another angle - instead of encrypting the data for transit, send it directly from server to server... BUT encrypt the link between the two servers. There are several tools that can establish and hold an encrypted link between two hosts, and most are built in; I would suggest given you are speaking of ASP you are using two Windows hosts, so use the built-in support for VPN to open the connection; you then don't have to worry about encrypting the data as any data sent between the two hosts will be inherently and automatically encrypted.
0
Question has a verified solution.
