G_API

asked on

Communicate Securely in PHP

Dear experts,

I am wondering how I can send and get data from my PHP scripts securely. I have two PHP files, one on my personal server and the other on a different server (the customer's server). I want to send and receive data from the file on my server to the file on the customer's server, which does a job that could, for example, print "test" on a web page.

How can I make sure that I am the only one who can make requests to the PHP file on the customer's server, and how can I send and receive the data securely (encrypted) so that I am the only one who can decrypt it, so that even if the customer opens the PHP file on his server he won't be able to decrypt any data?

Are there any suggestions for doing this securely? I will be grateful for your answers.

Thanks in advance.
Regards.
SOLUTION
gr8gonzo

This solution is only available to members.
SOLUTION
This solution is only available to members.
G_API

ASKER

Hi, thanks for your suggestion about HTTPS. As you said, it's the best and easiest way to do it, as I have read complex solutions before.

About the second part, it's good to check for a password or something, but in this way the customer is able to open and read the functions in the PHP file on his server, and then he could send requests to the file instead of me. Do you have other solutions?
Regards.
I'm not sure what you meant by the last paragraph. What do you mean about the customer being able to open and read functions in the PHP file?

@CSecurity - 100% assured? :)
ASKER CERTIFIED SOLUTION
This solution is only available to members.
SOLUTION
This solution is only available to members.
SOLUTION
This solution is only available to members.
G_API

ASKER

Great, thank you all for your useful comments. Mr Ray_Paseur, thanks for the code, but as you know the word "cat", for example, is readable to the customer, as it will be in his PHP file, and then he can figure out what the password is. I don't have any control over the customer's server; I will only send the PHP file to him.
Regards
SOLUTION
This solution is only available to members.
SOLUTION
This solution is only available to members.
@gr8gonzo, I'll give you an RSA key pair, no no... I'll just give you a 250-digit number; try to factor it and find its two prime factors, huh? Forget it man! It's simply impossible.

@G_API, you can also simply encrypt it with a fixed key and an encryption algorithm like AES, then change the key on both sides every so often, huh?
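The asker's objection above is that anything placed in the customer's PHP file (a password, or a fixed AES key as just suggested) can be read by the customer. The following is an added example, not code from this thread or from any of the posters, showing how a key pair avoids that: the customer's file holds only the owner's public key, which lets it verify that a request really came from the owner (and reject replays) and lets it encrypt its reply so that only the owner's private key can read it. Both sides are simulated in one script so it runs stand-alone; the function names, the `print` job string, the 5-minute freshness window and the in-memory nonce store are all assumptions made for the example, and the key pair is generated on the fly here, whereas in practice the owner would generate it once and paste only the public PEM into the file shipped to the customer.

```php
<?php
// Added example (not code from the thread): signed requests + encrypted replies
// using an RSA key pair. Only the PUBLIC key is ever placed in the customer's file.
declare(strict_types=1);

// --- One-time setup on the owner's server (assumed: 2048-bit RSA) -------------
$ownerKey = openssl_pkey_new([
    'private_key_bits' => 2048,
    'private_key_type' => OPENSSL_KEYTYPE_RSA,
]);
openssl_pkey_export($ownerKey, $ownerPrivatePem);             // stays on the owner's server only
$ownerPublicPem = openssl_pkey_get_details($ownerKey)['key']; // this PEM goes into the customer's PHP file

// --- Owner server: build a request the customer's file can verify --------------
function buildSignedRequest(string $privatePem, string $job): array
{
    $payload = json_encode([
        'job'   => $job,
        'ts'    => time(),                    // freshness: lets the receiver reject old captures
        'nonce' => bin2hex(random_bytes(16)), // uniqueness: lets the receiver reject replays
    ], JSON_THROW_ON_ERROR);
    if (openssl_sign($payload, $sig, $privatePem, OPENSSL_ALGO_SHA256) !== true) {
        throw new RuntimeException('signing failed');
    }
    return ['payload' => $payload, 'sig' => base64_encode($sig)];
}

// --- Customer server: verify the request, do the job, encrypt the reply --------
function handleRequest(array $req, string $ownerPublicPem, array &$seenNonces): string
{
    // 1. Signature check. Reading this file reveals only the public key, which
    //    cannot produce a valid signature, so the customer cannot forge requests.
    $sig = base64_decode($req['sig'], true);
    if ($sig === false
        || openssl_verify($req['payload'], $sig, $ownerPublicPem, OPENSSL_ALGO_SHA256) !== 1) {
        throw new RuntimeException('bad signature');
    }
    $data = json_decode($req['payload'], true, 512, JSON_THROW_ON_ERROR);

    // 2. Freshness and replay checks: a captured valid request cannot be resent later.
    if (abs(time() - (int) $data['ts']) > 300) {       // assumed 5-minute window
        throw new RuntimeException('stale request');
    }
    if (isset($seenNonces[$data['nonce']])) {
        throw new RuntimeException('replayed request');
    }
    $seenNonces[$data['nonce']] = true;                  // persist this (DB/file) in a real deployment

    // 3. Do the job and encrypt the reply to the owner's public key (OAEP padding).
    $reply = $data['job'] === 'print' ? 'test' : 'unknown job';
    if (openssl_public_encrypt($reply, $cipher, $ownerPublicPem, OPENSSL_PKCS1_OAEP_PADDING) !== true) {
        throw new RuntimeException('encryption failed');
    }
    return base64_encode($cipher);
}

// --- Owner server: only the private key can open the reply ---------------------
function readReply(string $cipherB64, string $privatePem): string
{
    $cipher = base64_decode($cipherB64, true);
    if ($cipher === false
        || openssl_private_decrypt($cipher, $plain, $privatePem, OPENSSL_PKCS1_OAEP_PADDING) !== true) {
        throw new RuntimeException('decryption failed');
    }
    return $plain;
}

// --- Run the exchange -----------------------------------------------------------
$seen = [];
$req = buildSignedRequest($ownerPrivatePem, 'print');
$replyB64 = handleRequest($req, $ownerPublicPem, $seen);
echo 'owner decrypted reply: ', readReply($replyB64, $ownerPrivatePem), PHP_EOL;

// A tampered payload fails the signature check.
$forged = $req;
$forged['payload'] = str_replace('"print"', '"delete"', $req['payload']);
try {
    handleRequest($forged, $ownerPublicPem, $seen);
} catch (RuntimeException $e) {
    echo 'forged request rejected: ', $e->getMessage(), PHP_EOL;
}

// Resending the original, valid request is also rejected (nonce already seen).
try {
    handleRequest($req, $ownerPublicPem, $seen);
} catch (RuntimeException $e) {
    echo 'replayed request rejected: ', $e->getMessage(), PHP_EOL;
}
```

Two caveats worth keeping in mind. First, RSA with OAEP can only encrypt a short message (a little over 200 bytes with a 2048-bit key); for anything larger, encrypt the data with a random symmetric key and RSA-encrypt only that key. Second, and more important for this question: the key pair stops the customer from forging requests and from reading replies once they leave his server, but it cannot hide from him anything his own file computes, since he can read and modify that file at will. Whatever the script decrypts or produces on the customer's machine is visible to the customer; the transport itself should still be HTTPS.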

ASKER

Thank you all :)
@CSecurity - I'm not saying it's trivial to crack, but it's not 100% uncrackable. They used to say 128-bit encryption could never be cracked, either. Again, it wasn't trivial, but where there's a will, there's a way. It's just a matter of who has the will. :)
I have the will; I've ruined my life for a year, but you can't crack an RSA key pair when, for example, you have an E with 300-400 digits and an N modulus with 200-300 digits. You should forget it. It's really, really, really impossible to do. Mathematically impossible, logically.
Just because you haven't been able to do it doesn't mean that it's impossible. I'm not debating how difficult it might be, either. Nor am I trying to be a snob about security.

The big picture of this question was to figure out a way to do something securely. Given that security was the important thing here, saying that there is a way to encrypt something in a way that is completely, 100% uncrackable may give the asker a false sense of "eternal security." It's important that people revisit their security solutions from time to time to make sure that they are staying secure, and not just relying on an idea that something will never be cracked.

Given that a roughly 400-bit RSA key was cracked with a LOT of horsepower back in 1994, it's just a matter of time until a 1024-bit key pair is cracked, and as computers continue to exponentially increase in power, it will become less and less difficult to do and will require a smaller quantity of computers.

The computer I have today can crack a simple ZIP password in a single day using a brute-force approach. The computer I had 8 years ago would have taken months, if not years, to do the same. I'm just trying to illustrate that anything that seems mathematically impossible today might be feasible in a year or two.

And again, I'm only saying all this because this question was about security. I probably wouldn't have commented if it had been a comment on an unrelated topic, but people tend to grab onto concepts like "100%" and get illogical ideas stuck in their head about something being bulletproof, and then they become lax in other areas of security. It's important for people who are asking about security to know the difference between unlikely and impossible.
I should also point out that I'm fully aware that it's very unlikely that G_API's customer would go through the trouble of assembling a large network of computers running 24 hours a day to crack the RSA key pair or anything like that. Like I said, I'm not really a security snob who throws practicality out the window.

I'm just wary of G_API taking an idea with him to future projects where security may be even more paramount, and perhaps when cracking such a key pair is not so unlikely (perhaps by then, there will be a better, different way of doing things), or becoming so reliant on something being uncrackable that he neglects to take other measures to protect the key itself. Good security is a combination of good technology and good habits.
Again I say, mathematically, cracking 400-digit RSA is impossible. Go and see what the GMP forum is talking about. Literally, that's impossible. For the asker, who's not going to deal with the greatest hackers or greatest code breakers of the world, that would be 100%.

I can tell the rest of the world also: 100%. I have 17 RSA keys, all of the same length, nearly 400 digits. If anyone in the world can crack one, I'm ready to pay good money for it.

I tried that on a lot of forums, I tried it myself, with a lot of computers... Anyway! Forget it, I already left that stuff... Just again I emphasize: nobody can crack a 400-digit RSA key. Let's leave 400 digits. Why 400 digits? We can have a 1024-digit N and E for our RSA. I say that's impossible to crack even using Blue Gene or more powerful computers. For more discussion, go to the GMP forum and the math experts will prove it to you. Here is not suitable.

If this is a 1536-bit RSA key it will be between 2^1535 (= 1.205*10^462) and 2^1536 (= 2.410*10^462). Since we assume it's an RSA key, it will be 2 factors of 232 digits each, so the lowest of the 2 factors will be between 1.000*10^231 and 1.553*10^231 (which is the square root of 2^1536, or 2^768).

The number of primes between x = 1.000*10^231 and y = 1.553*10^231 is roughly:
y / ln y - x / ln x = 2.916*10^228 - 1.880*10^228 = 1.036*10^228

So 1.036*10^228 primes to trial-divide. Let's say we wanted to be done before the sun explodes in about 5 billion years; we would have to test:
1.036*10^228 / (5*10^9 yr * 31536000 sec/yr) = 6.57*10^210 numbers every second, or 3.5*10^167 numbers every Planck time (5.39*10^-44 sec), which is the smallest time interval that has any meaning.
-shrug- Over and over again, people (often times, "math experts") have said X is impossible, only to have it proven possible later with new theories and better technology. History has always been the best indicator of the future - don't ignore it. I'll leave that as my final comment on this - this is going off on a pretty wide tangent.
It is impossible for man to fly.  This is a well known fact, and the historical record proves it.  Quoting from the record, http://www.1902encyclopedia.com/A/AER/aeronautics-04.html

Having constructed a set of wings, composed of various plumage, he undertook from the walls of Stirling Castle to fly through the air to France. This feat he actually attempted, but he soon came to the ground, and broke his thigh-bone by the violence of the fall - an accident he explained by asserting that the feathers of some fowls were employed in his wings, and that these had an affinity for the dunghill, whereas, if composed solely of eagles' feathers, they would have been attracted to the air.

And there is this, too.
http://www.the-impossible-project.com/
There are two things that need to be distinguished here - those things which are impossible and those things which are computationally impracticable.

The two are not the same.

The cracking of a 400-digit RSA key is possible with enough time and effort, but it is at present computationally impracticable if the time required to do it would be (say) 1000 years. It is nonetheless doable.

On the other hand, the number 4 can be calculated from an infinite number of combinations - 2x2, 4x1, 8x0.5, etc. - and with no further information I cannot say which pair of numbers was used, so determining those original numbers is impossible rather than impracticable.

For the interested reader I suggest some reading on computational complexity and NP-completeness

http://en.wikipedia.org/wiki/NP-complete