Is This 'Safe'?
I'm developing a set of services and controllers to allow two installations to communicate with each other. I want the comms to be 'safe' and 'secure'. Bearing in mind I'm sending passwords, API tokens and bank details - but GPS data could be getting sent.
The heavy lifting is done in two services, ServerToServer.php and PkiManager.php. The first deals with the communications, the second with the actual encryption using PHP's openssl pki functions.
The public keys will have already been exchanged manually.
Here's an example of the data to be sent before encryption:
Array
(
    [protical] => 0.0.1
    [origin] => http://localhost/
    [timestamp] => 1587700000
    [data] => Array
        (
            [version] => 20200000000000
            [className] => App\Entity\FitStepsIntraDay
            [event] => persist
            [data] => Array
                (
                    [DateTime] => 1587700000
                    [Duration] => 60
                    [Hour] => 17
                    [Patient] => @App\Entity\Patient|{"Email":"test@example.com"}
                    [TrackingDevice] => @App\Entity\TrackingDevice|{"Guid":"00000000"}
                    [Value] => 13
                )
        )
)
This is the actual data that will be transmitted:
Array
(
    [protical] => 0.0.1
    [origin] => http://localhost/
    [timestamp] => 1587700000
    [data] => vk0ar8824......K0g==
    [keys] => V1uLEA1BD......ObQ=
    [signature] => QMPwMLavH......Prc=
)
- The data and key elements are generated using the openssl_seal function - see code section
- The signature is a signed sha256 hash of protical.origin.data.timestamp - see code section
When a packet is received these checks are done, in order:
- Check to see if we know who origin is
- Make sure our protical version matches the packet; communication between different versions is dropped to allow forward security
- The signature is verified
- The data is then decrypted
As I said above, I'm trying to protect the crown jewels but I also do not want to implement a fundamentally insecure process. I need a second pair of eyes to double check my logic.
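The seal-then-sign packet and the verify-before-decrypt receive path described in the post, written out as an added example (this is not the asker's ServerToServer.php or PkiManager.php). It assumes the signature covers the dot-joined string protical.origin.data.timestamp, that data, keys and signature travel base64-encoded, that AES-256-CBC is the seal cipher, and that its IV is carried in an extra "iv" field which the post's packet does not show.

```php
<?php
declare(strict_types=1);
// Added example, not the asker's code. Assumptions: the signature covers the
// dot-joined string protical.origin.data.timestamp, data/keys/signature travel
// base64-encoded, AES-256-CBC is the seal cipher and its IV rides in an extra
// "iv" field (the post's packet shows no IV).
const PROTOCOL = '0.0.1';

function buildPacket(array $payload, string $origin, $senderPriv, $recipientPub, int $ts): array {
    $plain = json_encode($payload, JSON_THROW_ON_ERROR);
    $sealed = ''; $ekeys = []; $iv = '';
    if (!openssl_seal($plain, $sealed, $ekeys, [$recipientPub], 'AES-256-CBC', $iv)) {
        throw new RuntimeException('openssl_seal failed');
    }
    $data = base64_encode($sealed);
    $sig = '';
    // Sign the fields exactly as transmitted, so the receiver can verify before decrypting
    openssl_sign(implode('.', [PROTOCOL, $origin, $data, (string) $ts]), $sig, $senderPriv, OPENSSL_ALGO_SHA256);
    return ['protical' => PROTOCOL, 'origin' => $origin, 'timestamp' => $ts, 'data' => $data,
            'keys' => base64_encode($ekeys[0]), 'iv' => base64_encode($iv), 'signature' => base64_encode($sig)];
}

// $knownOrigins maps an origin URL to that sender's manually exchanged public key
function receivePacket(array $pkt, array $knownOrigins, $recipientPriv): array {
    if (!isset($knownOrigins[$pkt['origin']])) throw new RuntimeException('unknown origin');
    if ($pkt['protical'] !== PROTOCOL) throw new RuntimeException('protocol version mismatch');
    $b64 = fn(string $s) => base64_decode($s, true) ?: throw new RuntimeException('bad base64');
    $signed = implode('.', [$pkt['protical'], $pkt['origin'], $pkt['data'], (string) $pkt['timestamp']]);
    if (openssl_verify($signed, $b64($pkt['signature']), $knownOrigins[$pkt['origin']], OPENSSL_ALGO_SHA256) !== 1) {
        throw new RuntimeException('bad signature');
    }
    $plain = '';  // the ciphertext is only touched once the signature has checked out
    if (!openssl_open($b64($pkt['data']), $plain, $b64($pkt['keys']), $recipientPriv, 'AES-256-CBC', $b64($pkt['iv']))) {
        throw new RuntimeException('openssl_open failed');
    }
    return json_decode($plain, true, 512, JSON_THROW_ON_ERROR);
}

// Demo with freshly generated RSA keys standing in for the manually exchanged ones
$gen = fn() => openssl_pkey_new(['private_key_type' => OPENSSL_KEYTYPE_RSA, 'private_key_bits' => 2048]);
$senderPriv = $gen(); $recipientPriv = $gen();
$senderPub = openssl_pkey_get_details($senderPriv)['key'];
$recipientPub = openssl_pkey_get_details($recipientPriv)['key'];
$pkt = buildPacket(['event' => 'persist', 'Value' => 13], 'http://localhost/', $senderPriv, $recipientPub, 1587700000);
var_dump(receivePacket($pkt, ['http://localhost/' => $senderPub], $recipientPriv)['Value'] === 13);
$pkt['data'] = base64_encode('tampered');  // any change to a signed field must fail at the signature step
try { receivePacket($pkt, ['http://localhost/' => $senderPub], $recipientPriv); } catch (RuntimeException $e) { echo $e->getMessage(), "\n"; }
```

Because the signature is computed over the sealed data rather than the plaintext, a modified packet is rejected before any private-key decryption happens.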