How to store keys (RSA)?

The last post was about handling the RSA cryptosystem in PHP. This post covers a small aspect of that post.

Once the keys (public and private) are generated, there should be a method of storing both of them for later use. Since the keys have a specific format, you are not able to store them in a raw format; they will not work the next time you try to use them.

There are a few formats and methods we can use. In the last post, the generated keys were in PEM (Privacy Enhanced Mail) format. Don’t get confused by that name. Here I am suggesting one technique to store the keys; there are many other ways to accomplish this. Among them, base64 encoding/decoding is quite handy and easy.

A PEM-formatted private key is shown below.

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,CEC7DF536C0F4B98

-----END RSA PRIVATE KEY-----

Base64 encoded key (note that it appears as a single line, no line breaks).


You can simply use a TEXT-typed field in a MySQL table to store the base64-encoded key pair, and when it is needed just base64-decode it and use it. You can even apply further encryption to the base64-encoded string to make the key much more secure. You can also hash the base64-encoded string and create signatures of the keys as another security measure.

Simply use the base64_encode( ) and base64_decode( ) functions in PHP.

$encoded_key = base64_encode(myRSA::$privateKey);

$private_key = base64_decode($encoded_key);

NOTE: base64 encoding doesn’t provide any additional security; it purely assists in storing/passing the keys in a more convenient way. Therefore you need an additional security layer (e.g. database data encryption) on top of the stored keys to make them much more secure.
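
One way to apply the additional security layer and the tamper check suggested above, as an added example (not code from the original post or from PHPSecLib): the PEM string is encrypted with AES-256-GCM through PHP's openssl extension (PHP 7.1+) and only then base64 encoded for the TEXT column. The function names, the `user:42` row identifier and the sample PEM are hypothetical or constructed, and the key-encryption key is assumed to be kept outside the database.

```php
<?php
// Added example: wrap a PEM key before storing it in a TEXT column.
// All names here are hypothetical; nothing below is part of PHPSecLib.

const NONCE_LEN = 12; // 96-bit nonce, the usual size for GCM
const TAG_LEN   = 16; // 128-bit authentication tag

// Encrypts $pem under the key-encryption key $kek and returns one base64 line.
// $keyId (e.g. the row's identifier) is bound as associated data, so a stored
// value that is copied into another row no longer authenticates.
function wrapKeyForStorage(string $pem, string $kek, string $keyId): string
{
    if (strlen($kek) !== 32) {
        throw new InvalidArgumentException('KEK must be exactly 32 bytes');
    }
    $nonce = random_bytes(NONCE_LEN); // fresh nonce for every encryption
    $tag = '';
    $ct = openssl_encrypt($pem, 'aes-256-gcm', $kek, OPENSSL_RAW_DATA,
                          $nonce, $tag, $keyId, TAG_LEN);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    return base64_encode($nonce . $tag . $ct);
}

// Reverses wrapKeyForStorage(); throws if the value was altered, truncated,
// moved to a different $keyId, or encrypted under a different KEK.
function unwrapKeyFromStorage(string $stored, string $kek, string $keyId): string
{
    $raw = base64_decode($stored, true); // strict mode rejects stray characters
    if ($raw === false || strlen($raw) <= NONCE_LEN + TAG_LEN) {
        throw new RuntimeException('stored key is malformed');
    }
    $nonce = substr($raw, 0, NONCE_LEN);
    $tag   = substr($raw, NONCE_LEN, TAG_LEN);
    $ct    = substr($raw, NONCE_LEN + TAG_LEN);
    $pem = openssl_decrypt($ct, 'aes-256-gcm', $kek, OPENSSL_RAW_DATA,
                           $nonce, $tag, $keyId);
    if ($pem === false) {
        throw new RuntimeException('stored key failed authentication');
    }
    return $pem;
}

// Constructed sample input: a placeholder, not a real key.
$pem = "-----BEGIN RSA PRIVATE KEY-----\n(constructed placeholder body)\n"
     . "-----END RSA PRIVATE KEY-----\n";
$kek = random_bytes(32); // assumption: in practice loaded from a secret store

$stored = wrapKeyForStorage($pem, $kek, 'user:42');
var_dump(unwrapKeyFromStorage($stored, $kek, 'user:42') === $pem);

// A single flipped bit in the stored value is detected.
$raw = base64_decode($stored, true);
$last = strlen($raw) - 1;
$raw[$last] = chr(ord($raw[$last]) ^ 1);
try {
    unwrapKeyFromStorage(base64_encode($raw), $kek, 'user:42');
} catch (RuntimeException $e) {
    echo 'tampered value: ', $e->getMessage(), "\n";
}

// So is an intact value read back under another row's identifier.
try {
    unwrapKeyFromStorage($stored, $kek, 'user:43');
} catch (RuntimeException $e) {
    echo 'wrong row: ', $e->getMessage(), "\n";
}
```

The GCM tag takes the place of a separately stored hash of the base64 string: a hash kept in the same table can be recomputed by whoever can modify the row, while the tag cannot be forged without the key-encryption key.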

RSA cryptography in PHP (How To?)

Since security is one of the foremost considerations in the current web site/application development process, I am sure you have spent a lot of time writing code to handle encryption in your applications.

In this article I present one of my favorite ways to solve this issue: handling RSA encryption/decryption in your PHP development.

This is quite straightforward as I am using the PHPSecLib package. I used the OpenSSL library for PHP for a few years and recently started working with this package. It is a pretty cool implementation, so I started loving it.

First of all you need to get the package. It is available to download[1] and comes with the MIT license[2], which is GPL compatible[3].

If your intention is to use PHPSecLib only for RSA encryption and decryption, I suggest including only two directories, Crypt and Math, in your production environment.

First step towards the RSA encryption is to create the public and private keys. Note that I have secured the keys with a passphrase.

$rsa = new Crypt_RSA();
$rsa->setPassword('pa$$wrd5');
$keys=$rsa->createKey(1024);

echo $keys['privatekey'];
echo $keys['publickey'];

The code is self-explanatory. The createKey() method takes the key size in bits and outputs an array containing the private and public keys. setPassword() is optional; you can omit it if you don’t want to create the keys with a passphrase. If you want to use a 2048-bit key, pass 2048 as the argument to createKey() instead of 1024. A 1024-bit RSA key is no longer considered strong enough for new deployments, so 2048 bits or more is the better choice.

Once the keys are ready you can start encrypting. I am using the public key. A passphrase is not required when encrypting.

$rsa->loadKey($keys['publickey']);
$plaintext = 'Text to be transmitted securely !!!';
$ciphertext = $rsa->encrypt($plaintext);
echo $ciphertext;

Decryption goes as follows (using the private key). Note that the passphrase is mandatory:

// Set the passphrase before loading the key: loadKey() needs it to read the protected private key
$rsa->setPassword('pa$$wrd5');
$rsa->loadKey($keys['privatekey']);
$re_plaintText =  $rsa->decrypt($ciphertext);
echo $re_plaintText;

I have written a static class to demonstrate how encryption can be carried out. Please check the following:

***DO NOT use this code in your production env as the code lacks lot of fine tuning and security measures***

This is just to illustrate how PHPSecLib can be used in code.


<?PHP

include('Crypt/RSA.php');

class myRSA
{
	public static $privateKey = '';
	public static $publicKey = '';
	public static $keyPhrase = '';
	
	public static function createKeyPair()
	{
		$rsa = new Crypt_RSA();
		// Random passphrase from the CSPRNG (PHP 7+); time() and rand() are predictable
		$password = base64_encode(random_bytes(32));
		$rsa->setPassword($password );
		$keys=$rsa->createKey(2048);		
		myRSA::$privateKey=$keys['privatekey'];
		myRSA::$publicKey=$keys['publickey'];
		myRSA::$keyPhrase=$password;
	}

	public static function encryptText($text)
	{
		$rsa = new Crypt_RSA();
		$rsa->loadKey(myRSA::$publicKey);
		$encryptedText = $rsa->encrypt($text);
		return $encryptedText;
	}

	public static function decryptText($encryText)
	{
		$rsa = new Crypt_RSA();
		$rsa->setPassword(myRSA::$keyPhrase);
		$rsa->loadKey(myRSA::$privateKey);
		$plaintext = $rsa->decrypt($encryText);
		return $plaintext;
	}
}
?>

<?php

//create keys (createKeyPair() takes no argument and always generates a 2048-bit pair)
myRSA::createKeyPair();

//Text to encrypt
$text = "A secret lies here, send the text via a secure mode";
echo 'Text : '.$text;

$secureText = myRSA::encryptText($text);
echo 'Encrypted : '.$secureText;

$decrypted_text =  myRSA::decryptText($secureText);
echo 'Decrypted Text : '.$decrypted_text;
?>

PHPSecLib API Documentation is available here.[4] A handy reference to check when you get stuck or need more info on methods.

[1] http://phpseclib.sourceforge.net/index.html

[2] https://en.wikipedia.org/wiki/MIT_License

[3] https://www.gnu.org/licenses/license-list.html#X11License

[4] https://api.phpseclib.org/master/

Think before calling an unknown number, you will be hacked?

Interesting security advice is being circulated these days. It says:

Apparently “many are getting a missed call from the number +17675027697. Looks like a virus where calling back this number might hack your phone or something. Be Careful !”

Can this be true?

When you get a missed call, you might call the number to check who the hell it is, or at least make a missed call in return. Can this act lead to your mobile being hacked? Indeed NO, it is not possible. So you can rule out the risk of being hacked. In that context the message is a bloody hoax. But yes, there is a BUT: there are some risks. These are in fact social engineering attacks; to be more specific, a type of vishing[1].

Well, first, the attackers can deceive you with a recording, pretending that you have reached a lottery or a draw and have won a grand prize (most probably some dollars). You will then be directed through some menu options to select this and that, and finally you may be asked for your credit card details (or some personal information such as a social security number {NIC in SL}) and so on. It is even possible to request details such as your email address by voice, so that the bot can record it and convert it to text. There can be endless possibilities, but the main motive is to collect your personal and/or financial information.

When you respond by calling back, the attacker gets to know that your phone number is real. That means he earns a real phone number. A real phone number is more expensive than a real email address. He can sell it for a good price on the deep web. Advertisers or even hackers are interested in such info, as they can flood you with advertisements or use social engineering to extract more info from you. What if you provide personal info such as your age, the city you live in, etc.? That is a partially complete profile of you.

Other than that, an attacker can do nothing. He cannot hack you via a call, as there is no way to access your mobile phone’s OS or any installed application via a phone call (unless you use an app or an OS which enables this, and surely neither Android nor iOS does). But if your mobile is infected with a virus that enables such functions, needless to say, you are in the grave. In that case, though, I don’t think the attacker will use such a dumb technique to gain control. He can simply connect to the phone via the internet, access your mobile and check what you are doing via the phone’s camera. It sounds like a sci-fi movie scene, but this is 100% practical and possible.

No party can charge you an extra amount (other than the standard tariffs) for the call you make, unless there is a prior agreement. Even the carrier itself cannot subscribe you to a service and charge you because you called a number. If such things are in place, you need to be informed once the call has been answered and your consent/verification must be sought to move forward.

Finally, the message seems quite exaggerated. But you had better refrain from calling unknown numbers, whether local or foreign. Even if you call back, do not give any private information unless the person on the other side is verified. Maybe you are not going to provide any information, but simply calling back the number and hanging up (another missed call, by you in that case) hints that your mobile number is real. You may be the target of a bot that gives missed calls to randomly generated phone numbers and then checks whether each number is real.

Better to worry about the above facts rather than about getting your phone hacked.

[1] https://en.wikipedia.org/wiki/Voice_phishing

Time Zone Conversions (after Google lies)

Google is at my disposal, easy to use and pretty accurate. Hence I use Google frequently to check the time in other countries and also to convert time. However, once Daylight Saving Time (DST) has started, the time conversion seems to be incorrect.

For example, the time difference between CET and IST is 3.5 hrs when DST is in effect. But Google still thinks the difference is 4.5 hrs.

I prefer www.timeanddate.com which is one of the best tools to work with time zones. Time zone conversion is pretty handy, I would say it is pretty CooL.

Having said that, I also came across WolframAlpha.com which is handy and smart as well.

WolframAlpha is amazing, it comes with some useful tools.

I played with a few and am still exploring the other tools. A Firefox add-on and a Chrome extension are also available. Just give it a try. You won’t regret it, I’m pretty sure.

PS: I found the following article when I googled: Google Lies. It is pretty funny and interesting, have a look guys!

Google abandoning “Google Code”

It is Google’s fashion to shut down services which are not popular enough. The latest victim was the Google Code project [1], which was started in 2006. Google was very frank in the press release, I suppose. I would like to quote the following.

When we started the Google Code project hosting service in 2006, the world of project hosting was limited. We were worried about reliability and stagnation, so we took action by giving the open source community another option to choose from. Since then, we’ve seen a wide variety of better project hosting services such as GitHub and Bitbucket bloom. Many projects moved away from Google Code to those other systems.

It is true that GitHub has gained increasing popularity among developers for code hosting, and many developers are comfortable with it too. And as Google claimed, it is true that in 2006 the choices were limited; even GitHub only started in 2008 [2]. However, the larger picture is quite astonishing. In 2006 Google was a giant company and Google Code was one of the projects they had started. They could have done something better than GitHub, I believe.

However, it is good to see the dynamics of Google: other than a few, most of their interests never seem fixed. It sounds quite like the open source way too.

I worked closely with Google Code repositories a few years back and it is quite sad to hear that it is getting shut down. But I think they took the right decision. They need to move forward with new interests and causes.

Goodbye, Google Code, and thank you for supporting the hosting of open source projects through a decade of service.

Reference

[1] http://google-opensource.blogspot.com/2015/03/farewell-to-google-code.html

[2] https://en.wikipedia.org/wiki/GitHub

Do we really need free WiFi?

As per the media release by ICTA, Sri Lankans will soon be enjoying a free WiFi facility in selected locations. It was decided to initially allow 100 mb per person per month at a speed of 512 kbps.

It will take around 16 minutes to download 1 mb of data using a 512 kbps (kilobits per second) link, assuming the connection guarantees the maximum speed all the time. In contrast, Dialog claims its 4G speed is around 20 mbps (2.5 megabytes per second). A 512 kbps connection would be similar to the dial-up connections we had a few years back.

While there are questions regarding the data and speed limitations, such an initiative meets a timely and important basic need for a developing country, I believe. Equipping public places with (free) Wi-Fi is really necessary, and at the same time proper management of those networks is very important too. Techniques such as bandwidth limits by content (limiting bandwidth for social media sites and for music and video streaming) would be required to maintain a fair usage policy. Such content could be made available for a nominal rate.

Wi-Fi zones are not a new concept in Sri Lanka, since some prominent ISPs maintain several thousand Wi-Fi hotspots covering the island. However, those are not free.

We are in an information era; everything is about information. Therefore free access to information would be a good step forward. We should look to improve such services as much as possible while preserving the quality of the networks. That is not only the duty of government officials but also the responsibility of citizens.

Wifi Security : In a nutshell

Wifi security is a vast subject and of course a tiny subset of cyber security, which is in turn a subset of IT security as a whole.

Well, no system in this world is safe. Therefore it is better to employ some security on your wifi router before someone steals your expensive data bundle. The best part is that smart intruders consume maybe 10% of your quota, so you don’t even have a chance to notice it.

“Is that the end of the story? Who cares about data, I have enough so it is better someone uses it”…..

I know you are a person with a big heart. BUT do you know what the intruder is doing? Maybe he is accessing the deep web, running a web site that sells drugs, running a brute-force bot, manning a DoS attack bot, or simply maintaining a fake FB account; who knows? By law, you are responsible for all this traffic, because you are the owner of the router. Scared enough? Good!!

So before it is too late, use some security features to block unwanted access. Bear in mind that something is better than nothing; it is a mantra in security. Fortunately we are not living in Singapore, so anyone can try accessing any wifi network (not using the traffic, but there is no law restraining attempts to access the wifi network).

I have composed a list of a few security measures that can be employed on your family wifi router. Most of them are easy to apply. Just check the list below….

Choose the SSID wisely and don’t make it public

SSID stands for Service Set Identifier. The SSID is the name of the network you see. Do not use an SSID which is easy to guess. For example, don’t use your home number, your name or your pet’s name (I mean those of the router’s owner); they are easy to guess. Use some arbitrary SSID which is not easy to crack using social engineering techniques. Then don’t make it public. As an additional measure, broadcasting the SSID can also be stopped. In that case you need to enter the SSID manually, as it is not visible when wifi is turned on in your device. This makes the network invisible to those who don’t know your SSID. Ideal for your home network.

Save energy, switch the router off when you leave home

Do not keep your wifi router running 24×7. Switch it off when you don’t use it, even before you sleep. This is a good practice.

Wifi router is not an ornament

Keep the router in a safe place which the public can’t reach. Ideally not the living room.

“Why? I removed the sticker on the router which had the password and details. So can’t I keep it in the living room, so that my neighbors know I have a wifi router?”

This is good. I would do the same if I owned a wifi router in the 1980s or 1990s. But no more, because if they can see your router, it reveals the model of the router. That is useful info and it narrows down the effort of the intrusion.

Never keep using the router’s default password

Change the password of the router as soon as you start using it. Never use the default password even though it seems very strong. It is very easy to crack if the intruder knows the model of the router you are running.

Use a strong password and change it frequently

Are you a fan of “abc123” password or “1234567890” or ……………………………….??

Well, it is time for a change: use a strong password, I mean a password with higher entropy. And change it frequently, let’s say at least once a month. The higher the frequency, the safer it is.

Use MAC Filtering

This is a standard security feature to prevent intruders (at least theoretically). If you need more info just google.

Use strong encryption 

A fan of WEP (Wired Equivalent Privacy)? God bless you. The encryption can be broken in less than 5 minutes. Not sure? OK, try using a free tool like aircrack. Use WPA/WPA-2 (Wi-Fi Protected Access) instead. At least it is better than WEP.

Use a firewall

Using a firewall is a good idea; go for a software firewall if you can’t afford a hardware firewall. Some routers are equipped with firewalls. Check it!

Use extra layers/ tools/ hardware

This is the best security measure, but very expensive. It may not be suitable for a home, but it is a must-have for the wifi network in your office.

Update firmware of the router

Keep the router’s firmware as up to date as possible; this is very important and not that difficult either.

Be vigilant and keep monitoring

Even when the above measures are in place, they are useless without proper monitoring. So make it a habit to check the device history log in your router, at least. It tells you which devices have been connected to the router in the past few days. If there is a suspicious device, check it.

Well, this is the list I came up with. If you have anything which has not been listed here, please use the comments.