User Tools

Site Tools


en-110-crypto


Encryption Process

Each time an information channel is created or a mobile device is registered, Followzup creates a pair of RSA asymmetric keys, composed of a public key and a private key. The private key is kept in the Followzup database and it is used to decrypt the content of the requests forwarded to the webservice.

Channel public keys are inserted into the API when the developer downloads the API. In the mobile devices, the public key is sent to the APP within a response string when it requests the registration of the device.

With this process, the developer has the assurance that only your application will be sending messages to your subscribers, unless there is some security violation in the API storage. Likewise, the device user is sure that no one will be sending requests on their behalf, unless there is a security violation in the public key storage of the device.

In case of a public key violation, the developer can requests a new RSA key pair and download the API again. In the case of devices, the users can register the devices again, receiving a new public keys.

As defined by the RSA encryption protocol, a string encrypted with the public key can only be decrypted with the corresponding private key, and vice-versa. Based on this concept, each requester (information channel and mobile devices) maintains its public key, and the Followzup database (followzup.com) maintains the private keys of the corresponding pairs. Due to the CPU resource demanded by the RSA algorithm, this protocol is indicated to encrypt limited size strings.

In addition to the RSA encryption protocol, the communication process with webservice also uses the AES encryption protocol. The AES protocol, in turn, is indicated to encrypt large size strings, due to the reduced CPU consumption demanded by its algorithm. In this process, AES encryption uses a 192-bit random key that is created for every request sent to the webservice. A string encrypted with an AES key must be decrypted with the same key.

The combination of the AES and RSA protocols forms the basis of Followzup's encrypted communication. The following is the sequence of the process of encrypting and decrypting webservice requests and response strings, starting from the requestor (application or device).


The requester sends its request:

  1. Creates a string containing the XML request to be forwarded to the webservice (command and parameters);

  2. creates a 192-bit random AES key;

  3. encrypts the string containing the XML request with the AES key, using the AES encryption protocol;

  4. encrypts the AES key with its public key, using the RSA encryption protocol.

  5. encodes the string containing the XML request and the AES key (both encrypted), to the BASE64 format.

  6. submits a POST to the webservice, including the parameters ID, KEY (encrypted AES key) and FRAME (encrypted XML request string).

Webservice processes the request:

  1. Extracts the ID, KEY and FRAME parameters received the POST, and decodes the KEY and FRAME parameters from BASE64 format;

  2. retrieves the requester's RSA private key in the database, identified by the ID parameter;

  3. decrypts the AES key from the KEY parameter with the corresponding private key, through the RSA encryption protocol, getting the decrypted AES key;

  4. decrypts the XML request string from the FRAME parameter, through the AES encryption protocol, getting the XML request string decrypted;

  5. processes the request and assembles the string containing the XML request response;

  6. encrypts the XML request response string with the same AES key received from the requester;

  7. encodes the XML request response (already encrypted), to the BASE64 format;

  8. computes the MD5 hash of the XML request response encrypted and encoded in BASE64;

  9. returns the XML POST response including the tags: retcode, retframe (XML request response encrypted and encoded in BASE64), and retmd5 (MD5 hash from retframe).

The requester receives the answer:

  1. Receives the XML POST response and checks the return code (tag retcode);

  2. computes the MD5 hash of the retframe tag and compares it to the retmd5 tag;

  3. decodes the XML request response string from BASE64 format (retframe tag);

  4. decrypts the XML request response string with the AES key, getting the result of its request;

  5. the XML response content varies depending on the requested command.



Webservice data handling

To help APIs and APPs development, the following is a part of the webservice handler to decrypt XML requests and encrypt XML requests responses. The webservice is written in PHP.

The decryption of the request is performed through the RSA private key stored in the Followzup database, which matches the RSA public key of the channel or device. Below is a pair of RSA keys for testing communication, encryption and decryption data:

//  Public RSA key (Base64)

$wpub64 = "LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEFNSUlCQ2dLQ0FRRUExWU5qcGltUWxqczF6Qm9aNUhMcQozekFsMnR4cXE1aEFjK0E2ZVcreFE3TDRZNHZSWFBIZWdRSDV0WWJtU0FJclZiS3hGOE83VlFndWtIQmNqM1lUCmlCdzkvQ0dYbE5sekV1UkVNeHhITWZFQmNNdTdIVE1TeUJSOC80cmZvbVZZTWdoc3ZSOHVnSi82T1IzOThkZXgKV3ZiaDUxckhpWHdyOUZlcXN4Q3J3SmZvSStzMS85eVhEbUdOL2xaL1NwSjBZYjMyKytoR2J4VmtiRGZNSUNOdApPcytiTlJ2RFdiV0RjemxJK1E3SG8yZ0RrNjR3cEZuYlpNYW1mZ2VNaG5jelE2NjJhZ1g4ZEVzWTF0cHJXbFVoCkF2ejZyazFZOUNTSUpnakx2VXkvbWFlRnZzSGVJWnB1NUVhTXNZeDA3U2w0cFAxWjJxMVV6VThueHRxVTBYSjIKUlFJREFRQUIKLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0tCg==";

//  Public RSA key (Binary - module)

$wpubmodule = "d58363a62990963b35cc1a19e472eadf3025dadc6aab984073e03a796fb143b2f8638bd15cf1de8101f9b586e648022b55b2b117c3bb55082e90705c8f7613881c3dfc219794d97312e444331c4731f10170cbbb1d3312c8147cff8adfa2655832086cbd1f2e809ffa391dfdf1d7b15af6e1e75ac7897c2bf457aab310abc097e823eb35ffdc970e618dfe567f4a927461bdf6fbe8466f15646c37cc20236d3acf9b351bc359b583733948f90ec7a3680393ae30a459db64c6a67e078c86773343aeb66a05fc744b18d6da6b5a552102fcfaae4d58f424882608cbbd4cbf99a785bec1de219a6ee4468cb18c74ed2978a4fd59daad54cd4f27c6da94d1727645";

//  Public RSA key (Binary - index)

$wpubindex = "010001";

//  Private RSA key (Base64)

$wpri64 = "LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JSUV2d0lCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQktrd2dnU2xBZ0VBQW9JQkFRRFZnMk9tS1pDV096WE0KR2hua2N1cmZNQ1hhM0dxcm1FQno0RHA1YjdGRHN2aGppOUZjOGQ2QkFmbTFodVpJQWl0VnNyRVh3N3RWQ0M2UQpjRnlQZGhPSUhEMzhJWmVVMlhNUzVFUXpIRWN4OFFGd3k3c2RNeExJRkh6L2l0K2laVmd5Q0d5OUh5NkFuL281CkhmM3gxN0ZhOXVIbldzZUpmQ3YwVjZxekVLdkFsK2dqNnpYLzNKY09ZWTMrVm45S2tuUmh2ZmI3NkVadkZXUnMKTjh3Z0kyMDZ6NXMxRzhOWnRZTnpPVWo1RHNlamFBT1RyakNrV2R0a3hxWitCNHlHZHpORHJyWnFCZngwU3hqVwoybXRhVlNFQy9QcXVUVmowSklnbUNNdTlUTCtacDRXK3dkNGhtbTdrUm95eGpIVHRLWGlrL1ZuYXJWVE5UeWZHCjJwVFJjblpGQWdNQkFBRUNnZ0VBWkRHTjk1R1Z1Z243Q3RaTXhEbHhJbDhUeElxZXUvdHNjM1FMdktTL1NJZVoKckEwV3FFa1FJdlhzV2xUOWgxa05RTi9qM3NVSkNiUVhOY3lrZ3VYajhJRmdUUXJ1ZVBrNTJPbXBYMXFyeGpIVQpmVHY5aUl4SkNmOGpVVCs0QmhzTXNoM2wrVEhDdnJWVDFLM1FWMGJpZ1U5Tlh5WG9jUW9HRGxsOVR4NUptc3hTCkxDdGpWUlVTd0Fnb1d0OU5GTVVxTWJwSk1ZYmZiV3A3WEVUV2w1K1ZaRngxZEx6ZXg2anV1enE2b1piTi9SblcKMU9qcjJZdnhXNzBGQ3FFeEkray9uaXF4YjMxM2dDTXBmcDc1VFM3cGhaYmI1cEFZUWF5d3lpVkk4NjJkS0xNcQowR2UwdVNTZktYR3UrZTlxNjJ6M3NhbC82YTRJTnZoNDJXSHdrU29RQVFLQmdRRDdyUW00YndFN1ZqNERqZ3VzClAxWHdHRE11M2tZd2IzSGVOSGpDR2lIZUl1clNoZmovK3MvQlJLclhDZ2lRbHBlVWVrUE9oQllpdURMd0pLTWwKUUthWXl6eUJRVXo3NEU4WUpyb1d0UWhYK0xwS1pqTGFpd1JKTWFQT1FleU45Z0hMeFVRWDRFSWYyN3lVeU1DUApLZW1RRmR5bklJMlVMU1IvcUtMdDhZeE1SUUtCZ1FEWkxuOTRSSTM2aU1pZkczQm1YUk84dDZaTEo5YUZHMGFOCjFoNksvbGl2K1Z5dm9wMFU4VkkzOHo1RXJsNEJOZDdFeUJNR0RxK0xaTURiR0VNb3BrV0M0b0p0SlVUYkd5M2kKUmdHcVRMSTcyOXZTeUJoZlpacjB5K09COWVzeklvM2ZvdTdLT2lSSHluTmJTUysvSFhlbmNVMEFybElseGFMWApoRXcvQTRFaUFRS0JnUURGV0RrQUN1TGZZVSs5UDl1OVUraVNISmU5ejRNZ0piTVc5dlFkMTVubzhsNUpkODM1CkF2VjNhZDNBUXRqV2I0OHFXUGprYmNSaHN5Z1dEOVJ4dUpFcHpHdUVPdTBmc0JLMU1HREl2MmxzZWRleDBSTmQKTkpiR3dncmRCK3B5b28xaitDbmR3dloydnJuUHZON3BJNGRHZVM0TlNzUlpoVkJTWGF4c2dmUnVOUUtCZ1FDegpOaEpMYk01M29PMWpsV0hQcGhpR1RranpsV0VJSHpTK0Q2VE9id2xCMUpQdC9sSittSStPeWJKbFBEa242SXIxCmVGOXlUU1gvOFZqT3NodWc3R3RKa0oydGNPWjdvdGJlODRPbVFubUV1V3lRWnpydFpVdFRtdmNXSTVZOGNOUC8KYVZTQUhUQVk2Vzc5TWN3cmVTWm1UakVMVWMxSmkrZE96Y1dZN2N4ZUFRS0JnUURzUnZDZTlIS2lKUzdBWlRjbApzbUZEaFBKcFN0Z2tJM1JRZHB0ay94NUQ1QlBLa3FIN0gveFhPc0owYk8wVExHY2FOUEJRRVpKQVA5LzBiZHFGCnY1NDlaVE5RZXhOVjR5RXpDdDF0TTVZY1FaUDZZOVlQKzVtU1pVWE1qVDdRaGJkOEowa1RIellhSUx5ZkZYU0UKaFl4b2FmdzI3U0RlNFJNek43OElJTEtvZlE9PQotLS0tLUVORCBQUklWQVRFIEtFWS0tLS0tCg==";	


The following is the PHP script implemented by webservice for decryption XML requests and encryption XML requests responses:

//  Gets POST parameters

    $wid     = $_POST["id"];
    $wkey1   = $_POST["key"];
    $wframe1 = $_POST["frame"];

//  Decodes from Base64

    $wkey2   = base64_decode($wkey1);
    $wframe2 = base64_decode($wframe1);

//  Retrieves and decode private key from database

    $wpri64  = (query database...);
    $wpri    = base64_decode($wpri64);

//  Decrypts AES key using private key

    openssl_private_decrypt($wkey2,$wkey3,$wpri);

//  Decrypts XML request using AES key

    $wdecrypt = mcrypt_decrypt 
                ( MCRYPT_RIJNDAEL_128, $wkey3, $wframe2, MCRYPT_MODE_CBC, str_repeat(chr(0),16) );

//  If XML is unreadable, return decryption error (code 6102 ou 7102).

    if ( $wdecrypt == "" ) { 

        $wretcode = "x102"; 
        $wretframe = "";
        $wretmd5 = "";

    }

//  else, processes the XML request and build XML request response.

    else {  
    
        $wretcode = "0";
        
        $wresponse = "<" . '?xml version="1.0" encoding="utf-8"?' . "><followzup>...response...</followzup>";
                     
//      Encrypts and encode the XML request response using the same AES key.

        $wretframe = base64_encode
                     ( mcrypt_encrypt
                     ( MCRYPT_RIJNDAEL_128, $wkey3, $wresponse, MCRYPT_MODE_CBC, str_repeat(chr(0),16) ) );

//      Calculates MD5 hash
                     
        $wretmd5 = md5("$wretframe");
        
    }

//  Returns the XML POST, including: 
//     - Return Code (tag retcode);
//     - XML request response (tag retframe), encrypted and encoded in Base64; 
//     - MD5 hash (tag retmd5).

    header("Content-Type: application/xml; charset=utf-8;");
    echo "<" . '?xml version="1.0" encoding="utf-8"?' . ">";
    echo "<followzup>";
    echo     "<retcode>$wretcode</retcode>";
    echo     "<retframe>$wretframe</retframe>";
    echo     "<retmd5>$wretmd5</retmd5>";
    echo "</followzup>";


en-110-crypto.txt ยท Last modified: 2017/05/30 07:14 by admin

Page Tools