This is a proposal how a simple encryption could look like.
Securely querying remote_server¶
We take advantage of the fact that the client which connect to remote_server is already equipped with some shared key that can be used to encrypt.
Client and remote_server can have the same key for encryption/decryption, but the key can be different for each remote_server.
The process could be something like that:
- client AND remote_server have $encryption_key = '4343425ksdfg098dfg09dfgd';
- client wants to call „getExtensions” which is registered at remote_server.
getExtensions function can have 2 params „loaded”, „available”, so normally it could look like:
- but we want it to be secured before sending so we take GET params and encrypt it. We add one more parameter to it so after decryption we can check if it was successful. The marker we will check after decryption could be the $encryption_key. So we will encrypt:
$encrypted_command = encrypt('username=name&userident=password&serviceID=extKey::getExtensions¶m=loaded&marker=4343425ksdfg098dfg09dfgd',$encryption_key);
- and call remote_server:
- remote_server gets $_GET['command'] and decrypt it:
$decrypted_command = decrypt($_GET['command'],$encryption_key);
- remote_server checks if $decrypted_command contains our marker '4343425ksdfg098dfg09dfgd' to be sure decoding process was successful.
The process will be the same with the returned content. Returned content also must get some marker so we can be sure that after decoding we have proper data to process.
Question is how transparent this all encryption should be.
How does the client get the encryption key? The key can't be transferred on login.