
how to achieve secure communication between 2 websites

I am preparing a communication and data-exchange system between 2 websites, and would like to enhance it using suggestions posted by Stack Overflow community members.

Let me explain how I am doing it right now with the following example.

There are 2 websites

  • server-example.com (will be referred now as SE.com)
  • client-example.com (will be referred now as CE.com)

Before performing data exchange between the sites, the following steps are performed.

  • Using openssl_* functions, asynchronous key pairs are generated at SE.com
  • Private Key is kept at SE.com
  • Public Key is sent to CE.com via a normal HTTP request (detailed process below)
  • Public Key is encoded using the json_encode function
  • Encoded data is pushed to CE.com

Further,

  • Once CE.com receives the encoded data, it retrieves the Public Key using the json_decode function
  • CE.com generates a random string (called rkey) using a custom function
  • rkey is encrypted using the openssl_public_encrypt function
  • Encrypted data is pushed to SE.com

Further,

  • On receiving the encrypted data, SE.com decrypts it using openssl_private_decrypt
  • Now, SE.com has the same rkey (as CE.com)

Now, let's assume that SE.com needs to send the following string 'Hello World' to CE.com

Both sites have a custom library for AES encryption-decryption.

  • SE.com uses rkey with the AES encrypt function to generate encrypted text
  • The generated encrypted text is encoded using the json_encode function and pushed to CE.com

Now, CE.com gets the encrypted text

  • On receiving the encrypted text, it decodes it using json_decode and gets the 'Hello World' string

Questions

  • Is the communication web-safe? Web-safe in the sense that the data being transmitted between SE.com and CE.com can be transferred in a similar fashion to a GET request?
  • If someone tries to read the transmitted data on its way, can he decrypt it and see what it contains or not?

Also, provide suggestions to improve security and communication.

Help appreciated.
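The exchange the question describes, written out end to end as an added example; this is not code from the question, which uses PHP's openssl_* functions, but a Go program that performs the same steps with the Go standard library: SE.com generates the pair and hands out the PEM public key, CE.com wraps a random rkey with it, and each message then travels AES-encrypted. Two choices are mine, not the question's: RSA-OAEP padding for the rkey (PHP's openssl_public_encrypt defaults to PKCS#1 v1.5 unless OPENSSL_PKCS1_OAEP_PADDING is passed) and AES-256-GCM for the message, which authenticates the ciphertext so that a token altered in transit is rejected instead of decrypting to garbage; the question's unspecified "custom AES library" may not do that. The token is unpadded base64url, which is what makes it safe to carry in a GET query string. What the example deliberately does not do is authenticate the public key: CE.com trusts whatever arrives over plain HTTP, which is the gap the answers' client certificates close. The function and variable names are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/pem"
	"fmt"
)

// Everything that crosses the wire is unpadded base64url, so a token fits in a GET query string as-is.
var wire = base64.RawURLEncoding

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// Step 1 (SE.com): generate the key pair; only the PEM public key leaves the server.
func generateSEKeys() (*rsa.PrivateKey, string) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	check(err)
	der, _ := x509.MarshalPKIXPublicKey(&priv.PublicKey) // cannot fail for an *rsa.PublicKey
	return priv, string(pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der}))
}

// Step 2 (CE.com): parse the received public key, draw a random 256-bit rkey, wrap it with RSA-OAEP.
func ceWrapKey(pubPEM string) (rkey []byte, wrapped string) {
	block, _ := pem.Decode([]byte(pubPEM))
	if block == nil {
		panic("public key is not PEM")
	}
	pubAny, err := x509.ParsePKIXPublicKey(block.Bytes)
	check(err)
	pub, ok := pubAny.(*rsa.PublicKey)
	if !ok {
		panic("public key is not RSA")
	}
	rkey = make([]byte, 32)
	_, err = rand.Read(rkey)
	check(err)
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, rkey, nil)
	check(err)
	return rkey, wire.EncodeToString(ct)
}

// Step 3 (SE.com): unwrap rkey; from here both sides hold the same 32 bytes.
func seUnwrapKey(priv *rsa.PrivateKey, wrapped string) []byte {
	ct, err := wire.DecodeString(wrapped)
	check(err)
	rkey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, nil)
	check(err)
	return rkey
}

func newGCM(key []byte) cipher.AEAD {
	blk, err := aes.NewCipher(key)
	check(err)
	gcm, err := cipher.NewGCM(blk)
	check(err)
	return gcm
}

// Step 4 (SE.com): AES-256-GCM with a fresh nonce; the token is base64url(nonce || ciphertext || tag).
func seal(rkey []byte, plaintext string) string {
	gcm := newGCM(rkey)
	nonce := make([]byte, gcm.NonceSize())
	_, err := rand.Read(nonce)
	check(err)
	return wire.EncodeToString(gcm.Seal(nonce, nonce, []byte(plaintext), nil))
}

// Step 5 (CE.com): decode and open; any bit changed in transit fails the tag check.
func open(rkey []byte, token string) (string, error) {
	gcm := newGCM(rkey)
	raw, err := wire.DecodeString(token)
	if err != nil || len(raw) < gcm.NonceSize() {
		return "", fmt.Errorf("malformed token")
	}
	pt, err := gcm.Open(nil, raw[:gcm.NonceSize()], raw[gcm.NonceSize():], nil)
	return string(pt), err
}

// RunExchange drives the whole flow for one message, then replays the token with one bit flipped.
func RunExchange(message string) (received string, tamperRejected bool) {
	priv, pubPEM := generateSEKeys()    // SE.com
	ceKey, wrapped := ceWrapKey(pubPEM) // CE.com, after pubPEM arrived over plain HTTP
	seKey := seUnwrapKey(priv, wrapped) // SE.com, after the wrapped rkey arrived
	token := seal(seKey, message)       // SE.com -> CE.com
	received, err := open(ceKey, token) // CE.com
	check(err)
	raw, _ := wire.DecodeString(token)
	raw[len(raw)-1] ^= 0x01 // an on-path attacker flips the last bit of the GCM tag
	_, tamperErr := open(ceKey, wire.EncodeToString(raw))
	return received, tamperErr != nil
}

func main() {
	got, rejected := RunExchange("Hello World")
	fmt.Printf("CE.com read %q; tampered copy rejected: %v\n", got, rejected)
}
```

Running it prints the recovered 'Hello World' and reports the tampered copy as rejected. It answers the second question only for a passive or meddling observer who does not control the initial public-key delivery; an attacker who replaces the PEM in step 1 with his own key receives rkey in step 2 and reads everything, which is why the answers push authentication of the endpoints rather than more encryption.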

Implement client-side certificates. While using server-side certificates can prevent/deter interception of the message, it can't prevent someone spoofing SE from talking to CE in the first place.

You need to use two-way SSL authentication.
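What both answers recommend, as an added example that is not code from the page: a Go program (mutual TLS needs nothing outside the Go standard library) that mints a private CA, a server certificate for server-example.com and a client certificate for client-example.com, starts an HTTPS server that only accepts callers whose certificate chains to that CA, and then connects three ways: as the genuine CE.com, anonymously, and as an impostor presenting a self-signed certificate that also claims to be client-example.com. The CA name, the loopback test server and the impostor are constructed for the example; in production the private key for each certificate stays on its own host and the CA is whatever both sites agree to trust.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// identity: a certificate, its key, and the tls.Certificate form a tls.Config wants.
type identity struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
	tc   tls.Certificate
}

// issue mints a certificate for cn: with a nil issuer a self-signed CA root,
// otherwise a leaf limited to eku and signed by issuer.
func issue(cn string, serial int64, issuer *identity, eku x509.ExtKeyUsage) identity {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		IPAddresses:           []net.IP{net.IPv4(127, 0, 0, 1), net.IPv6loopback}, // httptest listens on loopback
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
	}
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	parent, signer := tmpl, key
	if issuer == nil {
		tmpl.IsCA, tmpl.KeyUsage = true, x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{eku}
		parent, signer = issuer.cert, issuer.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return identity{cert, key, tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}}
}

// get makes one HTTPS request trusting roots and presenting certs (none for an anonymous client).
func get(url string, roots *x509.CertPool, certs ...tls.Certificate) (string, error) {
	resp, err := (&http.Client{Transport: &http.Transport{TLSClientConfig: &tls.Config{RootCAs: roots, Certificates: certs}}}).Get(url)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

// RunMutualTLSDemo runs SE.com with client-certificate verification against a private CA and tries
// three callers: the genuine CE.com, an anonymous client, and a self-signed impostor named client-example.com.
func RunMutualTLSDemo() (genuineBody string, anonRefused, impostorRefused bool) {
	ca := issue("Example Private CA", 1, nil, x509.ExtKeyUsageAny)
	server := issue("server-example.com", 2, &ca, x509.ExtKeyUsageServerAuth)
	client := issue("client-example.com", 3, &ca, x509.ExtKeyUsageClientAuth)
	impostor := issue("client-example.com", 4, nil, x509.ExtKeyUsageAny) // not signed by the CA
	roots := x509.NewCertPool()
	roots.AddCert(ca.cert)
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// Only a caller whose certificate chained to ClientCAs reaches the handler.
		fmt.Fprintf(w, "hello %s", r.TLS.PeerCertificates[0].Subject.CommonName)
	}))
	srv.TLS = &tls.Config{
		Certificates: []tls.Certificate{server.tc},
		ClientAuth:   tls.RequireAndVerifyClientCert, // the mutual-TLS switch
		ClientCAs:    roots,
		MinVersion:   tls.VersionTLS12,
	}
	srv.StartTLS()
	defer srv.Close()
	genuineBody, err := get(srv.URL, roots, client.tc)
	check(err)
	_, anonErr := get(srv.URL, roots)
	_, impostorErr := get(srv.URL, roots, impostor.tc)
	return genuineBody, anonErr != nil, impostorErr != nil
}

func main() {
	body, anon, imp := RunMutualTLSDemo()
	fmt.Printf("genuine: %q; anonymous refused: %v; impostor refused: %v\n", body, anon, imp)
}
```

The one line that makes the server side mutual is ClientAuth: tls.RequireAndVerifyClientCert together with ClientCAs; the client side is just a Certificates entry in its tls.Config. With that in place the hand-rolled RSA key delivery from the question becomes unnecessary: both parties are authenticated and the channel is encrypted before any application data is sent, and an impostor who merely knows the name client-example.com is refused during the handshake.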
