Solved

Send data encrypted from one webserver (iis/asp) to another (apache/php)?

Posted on 2007-08-08
Last Modified: 2012-06-21
Dear All

I have the following scenario:

I have a web server (IIS/ASP) that operates on SSL in one Location (Called A)
I have a second web server (Apache/PHP) that does not operate on SSL in another location (Called B)

My customers enter date on server A, due to some business restrictions I need to complete processing of that data on server B.

I need to accomplish the following: I need to send the data encrypted through a POST form from server A to server B, server B must decipher the data and process it, and that is it.

I need to know how to accomplish sending the date from A -> B encrypted and process it once it reaches B. It does not need to use the certificate of server A, any possible solution is acceptable.

Any guidance?
 

Question by:http:// thevpn.guru
12 Comments
 
LVL 27

Expert Comment

by:Nopius
ID: 19653900
I don't know what cryptographic functions are available in ASP.
A very simple method is XOR-ing (binary XOR operation) the date with some common secret. The remote site should XOR it with the same secret to get the original value.
With a secret having binary (0-254 codes) characters inside and with a length not less than the original value (in bytes), it's impossible to guess the secret with a single data capture.

XOR exists in almost any language, but you should pay attention to the date format. It's better to encode strings than integers due to possible differences in endianness.
0
 
LVL 7

Expert Comment

by:ravs120499
ID: 19653932
Why can't server B support SSL? That is by far the best and easiest solution. Any encryption solution will need some software to be installed on B - so why not SSL?

Alternatively, install a second web server in location B that handles the SSL communication, and pass the data to B across the local intranet in unencrypted form.

It all depends on what the data is, and what level of security is appropriate/contractually obliged.

- Ravs
0
 
LVL 19

Author Comment

by:http:// thevpn.guru
ID: 19653957
I was thinking more about some RSA method... encrypt the data using ASP and decrypt it using PHP...
0
 
LVL 7

Expert Comment

by:ravs120499
ID: 19654007
You could - but you would have to install the RSA package on B. Why would that be acceptable while SSL is not?
0
 
LVL 27

Expert Comment

by:Nopius
ID: 19654069
If you'd like to use strong cryptography, it is much easier (and faster) to use symmetric encryption (with a shared secret, like AES, 3DES or DES) than slow RSA asymmetric RC encryption. But all these methods require third-party libraries in ASP.

At the same time XOR is available without any extra libraries: http://www.andyw.com/director/xor.asp

Note that any of these methods is vulnerable to a 'replay' attack. That's why SSL is better.
0
 
LVL 7

Expert Comment

by:ravs120499
ID: 19654089
However, assuming there is some reason why RSA is OK but SSL isn't, here is what I think:

There are third party packages that give you VBScript bindings to RSA. Here is one I found on a Google search (I cannot vouch for this in any way)
http://www.example-code.com/vbscript/rsa_encryptStrings.asp

But AFAIK, all PHP-RSA bindings make use of the openssl package, so (presumably) fall foul of your no-ssl rule!

- Ravs
0
 
LVL 19

Author Comment

by:http:// thevpn.guru
ID: 19654107
Just to clarify things: I think I have misled you guys, ravs in particular. When I said no SSL I meant they do not want to purchase an SSL certificate for the Apache webserver.
I should have stated that in the question.
0
 
LVL 7

Expert Comment

by:ravs120499
ID: 19654163
Hmmm, I understand now. OK, you can create your own SSL certificate using an open-source CA package. OpenSSL comes with some certificate management utilities, for example. This looks like your best option now.

It's best not to get started with rolling your own encryption in the application - it's a can of worms!

- Ravs
0
 
LVL 7

Expert Comment

by:ravs120499
ID: 19654270
A bit more detail you might find useful: a certificate is required for any kind of public key encryption based communications, whether you use SSL out of the box in a web server, or use RSA libraries to roll your own. The alternative is to use "secret key" encryption. The issue with secret key encryption for communication is that the key has to be known to both the communicating parties, but has to be secret from everyone else. So people end up hard-coding the keys on both sides, which is not a great thing to do.

Public key encryption relies on key pairs. Data that is encrypted by one of the keys in the pair can be decrypted only by using the other key in the pair. Used in a communication protocol, this solves the key exchange problem described above (but creates other problems).

- Ravs
0
 
LVL 19

Author Comment

by:http:// thevpn.guru
ID: 19654425
I am thinking about generating a public/private key pair on the Apache server and then using the public key on the IIS server to encrypt the data and send it to the Apache server, where it can be deciphered.
 
0
 
LVL 7

Accepted Solution

by:
ravs120499 earned 1500 total points
ID: 19654604
You will need to:
- generate a key pair on the apache server
- use a CA software to generate a certificate for the apache server. You can either create a separate CA certificate for signing the certificate, or create a self-signed certificate using the original keys generated for the apache server.
- configure apache to use this certificate for SSL
- configure IIS to trust this certificate (either the self-signed certificate, or the CA certificate you created in step 2).

- Ravs
0
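The accepted answer's steps, carried through with the OpenSSL command-line tools mentioned earlier in the thread. This is an added example, not code posted by any participant; the host name `b.example.internal`, the file names and the validity periods are constructed placeholders.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): private CA plus a certificate for server B.
# b.example.internal, the file names and the lifetimes are constructed placeholders.

make_pki() {   # $1 = output directory, $2 = DNS name server A uses to reach B
  local d=$1 host=$2
  cat > "$d/pki.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_server]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
EOF
  # CA key pair and self-signed CA certificate (the "separate CA" option).
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config "$d/pki.cnf" -extensions v3_ca -subj "/CN=Example Private CA" \
    -keyout "$d/ca.key" -out "$d/ca.crt" || return 1
  # Step 1: key pair for the Apache server, plus a signing request.
  openssl req -new -newkey rsa:2048 -nodes -config "$d/pki.cnf" \
    -subj "/CN=$host" -keyout "$d/b.key" -out "$d/b.csr" || return 1
  # Step 2: the CA signs the request; the SAN carries the name clients check.
  openssl x509 -req -in "$d/b.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
    -CAcreateserial -sha256 -days 825 \
    -extfile "$d/pki.cnf" -extensions v3_server -out "$d/b.crt" || return 1
  chmod 600 "$d/ca.key" "$d/b.key"
}

# Step 4 seen from the client: the chain must end at the CA the client trusts,
# and the certificate must name the host being contacted.
verify_server_cert() {   # $1 = trusted CA file, $2 = server cert, $3 = host name
  openssl verify -CAfile "$1" -purpose sslserver -verify_hostname "$3" "$2" \
    2>/dev/null | grep -q ': OK$'
}

work=$(mktemp -d)
make_pki "$work" b.example.internal 2>/dev/null
verify_server_cert "$work/ca.crt" "$work/b.crt" b.example.internal \
  && echo "b.crt chains to ca.crt and matches b.example.internal"
```

For step 3, Apache's mod_ssl points `SSLCertificateFile` and `SSLCertificateKeyFile` at `b.crt` and `b.key`; only `ca.crt` (never `ca.key`) is imported into the trusted root store on the IIS machine.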
 
LVL 33

Expert Comment

by:Dave Howe
ID: 19671461
I would suggest you approach the question from another angle - instead of encrypting the data for transit, send it directly from server to server... BUT encrypt the link between the two servers. There are several tools that can establish and hold an encrypted link between two hosts, and most are built in; I would suggest, given you are speaking of ASP, you are using two Windows hosts, so use the built-in support for VPN to open the connection; you then don't have to worry about encrypting the data, as any data sent between the two hosts will be inherently and automatically encrypted.
0
