Programming and Technology
RSS icon Home icon

  • Portable File Encryption with PHP and Java

    Posted on June 9th, 2010 brandon No comments

    I had a client project come up recently that required HIPAA compliance which meant encryption was going to be involved. The goal was to collect patient information and then store it in encrypted pdf files so they could be downloaded, decrypted, and entered into another system. It did not sound like the most efficient system however that was the spec I was given. I had never worked with symmetric encryption before although it has always been a topic of interest so I jumped at the opportunity to expand my knowledge of cryptography.

    The first few days of my attempt to implement this process was spent doing research into some cryptography fundamentals and sifting through documentation on AES and php’s mcrypt module as well as evaluating third party crypto utilities. My initial understanding gave me the wrong impression that a file encrypted with one utility could be easily decrypted with another utility using the same algorithm. This assumption lead to endless frustration as I attempted to decrypt files that I had encrypted with php/mcrypt with no success. Eventually I realized that file encryption worked much the same way media files worked (actual media data encoded with a codec and stored in a container format). Now that I understood that, I was able to come up with a workable end to end solution.

    My first attempt was to implement the file format used by AESCrypt described here.  I liked this utility because it was cross platform and integrated into the file manager for Windows (This translated to minimal learning curve for the client). My inexperience with pack() and creating binary file formats lead me to fail in this endeavor although I would like to come back to this as I think the php world could benefit from a AESCrypt module. The solution that eventually succeeded was to forego the container format all together and just write a custom decrypter that expected raw encrypted data.

    I was pleased to learn that java had a readily available crypto module that was compatible with mcrypt’s AES implementation so it seemed the natural solution to write a Swing application that powered the custom decrypter. The application I ended up writing supported decrypting single files, or entire folders full of encrypted files of any type. Here’s the meat of my solution.

    The server side part of the solution was a class that encrypted a pdf that had been generated by a parent class:

    1.  
    2. <?php
    3.  
    4. class Form_Submission_EncryptedPdf_Adapter extends Form_Submission_Pdf_Adapter {
    5.  
    6.     protected function pkcs5_unpad($text){
    7.         $pad = ord($text{strlen($text)-1});
    8.         if ($pad > strlen($text)) return false;
    9.         if (strspn($text, chr($pad), strlen($text)$pad) != $pad) return false;
    10.         return substr($text, 0, -1 * $pad);
    11.     }
    12.  
    13.     protected function pkcs5_pad($text, $blocksize) {
    14.         $pad = $blocksize(strlen($text) % $blocksize);
    15.         return $text . str_repeat(chr($pad), $pad);
    16.     }
    17.  
    18.     public function output(array $pOptions=null){
    19.         /* parent class creates pdf file */
    20.         parent::output($pOptions);
    21.  
    22.             $source_filepath = FP::get(‘docroot’) . FP::get(‘baseUrl’) . ‘/pdfs/’ . $this->_filename;
    23.             $encrypted_filepath =  $source_filepath . ‘.enc’;
    24.  
    25.             $pdf_data = file_get_contents($source_filepath);
    26.  
    27.             $key = trim(file_get_contents(realpath(FP::get(‘docroot’) . ‘/../secret.txt’)));
    28.  
    29.             $iv = ’1234567812345678′;
    30.  
    31.             $size = mcrypt_get_block_size(MCRYPT_RIJNDAEL_128, MCRYPT_MODE_CBC);
    32.             $pdf_data = $this->pkcs5_pad($pdf_data, $size);
    33.             $td = mcrypt_module_open(MCRYPT_RIJNDAEL_128, , MCRYPT_MODE_CBC, );
    34.             mcrypt_generic_init($td, $key, $iv);
    35.             $encrypted_data = mcrypt_generic($td, $pdf_data);
    36.             mcrypt_generic_deinit($td);
    37.             mcrypt_module_close($td);
    38.  
    39.             file_put_contents($encrypted_filepath, $encrypted_data);
    40.  
    41.             unlink($source_filepath);
    42.      }
    43. }
    44.  
    45. ?>
    46.  

    There’s nothing particularly special happening here. I read in the binary data of the generated pdf file. Specify a 128 bit initialization vector and read in a 128 bit key from a file that leaves above the document root of the server (The IV could be read in from a dynamic source as well allowing it to be changed by the client but I chose to hard code it for simplicity). The binary data is than encrypted with the Rijndael 128 algorithm and then stored in another file with the ‘enc’ extension. When i’m done i make sure to delete the original pdf. Now the client can periodically log into the server and download the encrypted pdfs for processing.

    On the client end, the java/swing application wraps around the decrypter class which looks like this:

    1.  
    2. import java.io.*;
    3. import java.security.InvalidAlgorithmParameterException;
    4. import java.security.InvalidKeyException;
    5. import java.security.NoSuchAlgorithmException;
    6.  
    7. import javax.crypto.Cipher;
    8. import javax.crypto.CipherInputStream;
    9. import javax.crypto.NoSuchPaddingException;
    10. import javax.crypto.spec.IvParameterSpec;
    11. import javax.crypto.spec.SecretKeySpec;
    12.  
    13. public class AESDecrypter {
    14.  
    15.     protected String key = null;
    16.     protected String iv = null;
    17.     protected Cipher cipher = null;
    18.  
    19.     public AESDecrypter(String pKey, String pIV) throws Exception {
    20.         this.key = pKey;
    21.         this.iv = pIV;
    22.  
    23.         try {
    24.             this.cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
    25.         } catch (java.security.NoSuchAlgorithmException x){
    26.             throw new Exception("AES Decryption algorithm is not supported on this system");
    27.         } catch (javax.crypto.NoSuchPaddingException x2){
    28.             throw new Exception("AES Decryption algorithm is misconfigured");
    29.         }
    30.     }
    31.  
    32.     public Boolean decryptFile(File pFile) throws Exception{
    33.  
    34.         try {
    35.             SecretKeySpec keySpec = new SecretKeySpec(this.key.getBytes(), "AES");
    36.             IvParameterSpec ivSpec = new IvParameterSpec(this.iv.getBytes());
    37.             this.cipher.init(Cipher.DECRYPT_MODE, keySpec, ivSpec);
    38.         } catch (java.security.InvalidKeyException x3){
    39.             throw new Exception("Invalid key");
    40.         } catch (java.security.InvalidAlgorithmParameterException x4){
    41.             throw new Exception("AES Decryption algorithm is misconfigured");
    42.         }
    43.  
    44.         try {
    45.             FileInputStream fis = new FileInputStream(pFile);
    46.             CipherInputStream cis = new CipherInputStream(fis, this.cipher);
    47.  
    48.             String sourceFileName = pFile.getName();
    49.             String decryptedFileName = null;
    50.  
    51.             if (sourceFileName.endsWith(".enc")){
    52.                 decryptedFileName = sourceFileName.substring(0, sourceFileName.lastIndexOf(‘.’)) ;
    53.             } else {
    54.                 return false;
    55.             }
    56.  
    57.             String decryptedFilePath = pFile.getParent() + File.separatorChar + decryptedFileName;
    58.             File decryptedFile = new File(decryptedFilePath);
    59.  
    60.             FileOutputStream fos = new FileOutputStream(decryptedFile);
    61.  
    62.  
    63.             byte[] b = new byte[32768];
    64.             int i;
    65.  
    66.             while ((i = cis.read(b)) != -1) {
    67.                 fos.write(b, 0, i);
    68.             }
    69.  
    70.             fos.flush();
    71.             fos.close();
    72.             cis.close();
    73.             fis.close();
    74.         } catch (java.io.IOException x){
    75.             return false;
    76.         }
    77.         return true;
    78.     }
    79. }
    80.  

    The class is instantiated with the key and iv which are read in dynamically and then is passed a File object through the decryptFile() method which does the actual work of decrypting the file. The implementation reads in the encrypted binary data and decrypts it with a CipherInputStream which is configured with the same algorithm, key, and initialization vector as our php class was. The method will only decrypt the file if it has a file extension of .enc which prevents files that are not encrypted or have already been decrypted from being processed again (essentially turning them to garbage).

    It’s not a very complex solution however I struggled to find good information on this type of problem. It seems every symmetric encryption solution is a custom solution in itself so hopefully this will save other developers the huge frustration I experienced when learning this.

    • Share/Bookmark
    Cryptography, Java, PHP , , , , , , ,

    Related Topics

    Leave a reply

Latest Tweets

  • Trying #rekonq for the week. So far performance is great. bookmark mgt. make me want to cry. Anticipating chrome extension support 2 days ago
  • How many wireless service providers can you name? How many broadband providers service your home? Did you use more than 1 hand? For both? 2 days ago
  • So what are you doing to protect your right to free choice online? http://dropgoogle.com 2 days ago
  • How does an identity in Zend_Auth session go null for one request and then magically reappear!? #wtf #fml 3 days ago
  • RT @brandonsavage: YOU COMCAST PIECES OF SHIT THINK HANGING UP ON CUSTOMERS IS GOING TO KEEP US? FUCK YOU @COMCASTBONNIE AND @COMCASTCARES 4 days ago
  • More updates...

Posting tweet...

Powered by Twitter Tools

 

June 2010
S M T W T F S
« May   Aug »
 12345
6789101112
13141516171819
20212223242526
27282930  

Topics of Interest

Programming Blogs - BlogCatalog Blog Directory
Designed by My Mobiles
Get Adobe Flash playerPlugin by wpburn.com wordpress themes