Tag: RSA

Automated Rsync – without compromising security

Rsync is one of the most popular tools to synchronize data between two computers, and used mostly in taking backups using this sync feature. It’s easy to use and only uploads the changed files when a sync is necessary, so it’s effective in saving bandwidth and time too. To run rsync, you need root or a properly privileged user which can access that specific path in the remote machine. And to setup this privilege, you can either use a should-never-be-used root account or an user chrooted using a jail shell. But if, by any chance, current machine is compromised then remote machine is compromised too. Because anyone can connect to your remote machine using those credentials from the current machine. To avoid plain text credentials (or the credentials written in a shell script), people usually use ssh keys to establish a connection between two machines. Still, your remote machine is unsecured if anything goes wrong in the current machine from where you’re taking the backup.

So a fullproof solution is to use ssh keys and properly chroot the remote user so that it can only access the backup files and nothing else. However, setting up a jailed shell is a not-for-everyone type task and takes time and experience to accomplish properly. So here is a quick work around that you can implement in your remote machine to prevent the connecting user from doing anything malicious but only tasks those are needed to perform the rsync backup. Let’s see how we can do that

Before continuing, let’s name our two machines. The one which should be backed up, lets name that Workstation. And the one which is storing the backups is BackupServer. Also for now, let’s assume that you are backing up complete “/var/www” folder in the WorkStation.

Step 1: Create SSH key in the BackupServer
Log into the BackupServer and run the following command in ssh terminal. But remember, if you already have a key in ~/.ssh/id_rsa.pub then IGNORE IGNORE IGNORE this step.

[sourcecode language=”shell”]
ssh-keygen -t rsa
[/sourcecode]

It will prompt for a passphrase, REMEMBER to just hit the enter without typing anything.

Step 2: Display and Copy the SSH key from BackupServer
Run the following command to display the ssh public key in the terminal, and then copy it.
(more…)

RSA Encrypting and Decrypting data with Zend_Crypt_Rsa Library

Public/private key based encryption is very popular because of the strength it sets in encryption, specially above 1024 bits. Now there are external library to encrypt data using RSA encryption like RSA in phpclasses.org – the fun is we were also using this library in one of our ZF based project. But last week I’ve found that there is a hidden gem in the Library/Zend/Crypt folder (Zend_Crypt_Rsa) which can do the same thing using openssl library. The bad thing is that there is no official documentation on how to use this library 🙁 Thats why I’ve decided to write a blog post to show you how to use Zend_Crypt_Rsa and encrypt your data with your public/private key and decrypt to get it back in original form.

Step 1: Create your RSA public/private key using ssh-keygen
[sourcecode lang=”bash”]
cd /path/to/keyfolder/
ssh-keygen -t RSA
[/sourcecode]

When it will ask for the path of the key file, input “./id_rsa” . It will then prompt for passphrase which actually works like a password and you cant retrieve your data if you forget this. So input something like “MySecretWord” – This will output something like this
[sourcecode lang=”bash”]
ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/Users/hasinhayder/.ssh/id_rsa): ./id_rsa
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in ./id_rsa.
Your public key has been saved in ./id_rsa.pub.
The key fingerprint is:
c8:dc:cd:a8:90:98:67:42:65:45:20:f8:58:39:74:66 [email protected]
The key’s randomart image is:
+–[ RSA 2048]—-+
| oo.E+o |
|. +B |
| +.. |
|…o + o + |
| + = + S o |
| + . . |
| . |
| |
| |
+—————–+
[/sourcecode]

After a while you will see that there are two files in the same directory named “id_rsa” and “id_rsa.pub”. First one is your private key and the second one is the public key.

Step 2: Encrypt data using your public key
As we have our RSA public and private keys in our hand, its time to start playing with these. We will now encrypt our data with our public key. In that way you can only decrypt it with your private key. I hope it is clear now that why we should encrypt using public key only? If now, let me clarify it a bit more. Your public key is “public” to the world. Now if you encrypt your data with your private key, anyone will be able to decrypt it with your public key – so that’s plain meaningless 🙂

[sourcecode lang=”php”]
public function encAction(){
$this->_helper->viewRenderer->setNoRender();
$this->_helper->layout->disableLayout();
$zrsa =new Zend_Crypt_Rsa(array("passPhrase"=>"MySecretWord","pemPath"=>"/path/to/your/keyfolder/id_rsa")); //thats the path to the private key file
$string = "Yeah, this is my SECRET MESSAGE";
$enc = $zrsa->encrypt($string, $zrsa->getPublicKey(),Zend_Crypt_Rsa::BASE64);
echo "Secret Message: {$enc}";
}
[/sourcecode]

In the code above, we are generating output in BASE64 format, because that is readable to everyone 🙂 – after you execute this action in your browser, you can see something like the following (it will differ based on your key)

[sourcecode lang=”shell”]
jYMRM4jQedQgCdN7T9y6gNfLYZ49F+cSMz2tgLPsflQOE2XhVg98yvoQ/
PvUtBYGceEubYLuhYufgQE6VZpsOvvGcXt6WWE97HDGisQXXHhvnvQBzb
QQyF0WphCGH/0y2JviVb5zcQGhFIQ6oazztHonIxtdF4Fgaa0
M++jCymMSSI8vfOMUoL8s00fxVcqvJ7EVbYrFvUUMCH77HtBAYMziQotS
YddiMzb5AqEl8cN0N5Aao7dpOSzzumyuiRRoAA0NGtXnSlqQr5hAfdQ0V
vUKkqQHfd64Cfs+T8U9FmPTZUi7XE8jGgYFD0k4H9CJHl1EoVRNsqr3kt
4CNntQ==
[/sourcecode]

Thats your encrypted string in base64 format. Plain gibberish, eh? 🙂

Now its time to decrypt the ciphered text 🙂

Step 3: Decrypt the cipher
Well, now we have our encrypted string. Lets decrypt it

[sourcecode lang=”php”]
$dec = $zrsa->decrypt($enc, $zrsa->getPrivateKey(),Zend_Crypt_Rsa::BASE64);
echo $dec;
[/sourcecode]

Now it will output the original message “Yeah, this is my SECRET MESSAGE” 🙂

So here is everything together 🙂
[sourcecode lang=”php”]
public function encAction(){
$this->_helper->viewRenderer->setNoRender();
$this->_helper->layout->disableLayout();
$zrsa =new Zend_Crypt_Rsa(array("passPhrase"=>"MySecretWord","pemPath"=>"/path/to/your/keyfolder/id_rsa")); //thats the path to the private key file
$string = "Yeah, this is my SECRET MESSAGE";
$enc = $zrsa->encrypt($string, $zrsa->getPublicKey(),Zend_Crypt_Rsa::BASE64);
echo "Secret Message: {$enc}";
echo "<hr/>";
$dec = $zrsa->decrypt($enc, $zrsa->getPrivateKey(),Zend_Crypt_Rsa::BASE64);
echo $dec;
}
[/sourcecode]

Hope you’ve enjoyed this article. I just wish that the documentation team of Zend Framework would have added this in the manual of Zend Framework for the rest of us 🙂

Shameless Note 🙂 : By the way, if you are looking for a beautiful Admin Panel Theme for your PHP based projects/web-applications, you may want to check out Chameleon Circuit, which is developed by our Themio Team 🙂

Box.net widget in MiproApps – why did it require special care…

In MiproApps, our Visual Facebook Fanpage Desiger from Leevio, everything is built on top of a scalable plugin based architecture. Every plugin manages it’s data using a central plugin manager. Most of these data are isolated from each other, stored and served by the plugin manager without any special coding required from plugin developers. That makes everything simple. As storage and serving is fully managed by Plugin Manager, it helps us to cache, validate and sanitize user data properly from a single place.

But when we decided to add support for box.net, there comes a challenge. We have asked for username and password for box.net account from our users to pull out the data from their shared folders and files. “PASSWORD” – and that is the thing everyone thinks twice before providing to a third party. Everyone cares about their personal data security.

In MiproApps every data collected from user are submitted to storage service via Ajax request. And we simply cant send plain password collected by users in an Ajax request. What we did in this case is we had signed user’s sensitive information using a 128 bit public key (RSA) in client side. The private key is stored securely in our server and that encrypted information is decrypted only in server side. So client application has just the public key.

Box.net widget in Facebook Fanpages powered by MiproApps
Box.net widget in Facebook Fanpages powered by MiproApps

There were other challenges as well, while we went to implement this encryption in client side by Javascript and Decryption by PHP. Unfortunately PHPs Mcrypt doesnt support RSA, and Zend Framework doesnt provide any component for that. And there was a trick when you encrypt your data in JS. You must add a null byte at the end of your data, otherwise PHP cant decrypt it.

We have used RSA library (a combination of RSA, BigInt and Barett Library) from Ohdave and used the Crypt_RSA library from PEAR. And it also required us to install bigint PECL extension.

You can see some example code at here and you can use the RSA public/private key pair either by openssl shell command or the RSA key generator from ohdave.

The service layer is working smooth. Plugin developers doesnt need to bother about encryption and decryption. Everything was managed transparently under the hood. And so far we are only developing our plugins, data is secured and safe. Users can add their publicly shared box.net files directly in their facebook fanpage. For a sample output, you can check out my page. You will find the box.net component at the bottom right corner.