Max Did It

Asymmetric Encryption with Flash and PHP

I have recently delved into the topic of encryption, since I wanted to send encrypted data from a Flash application to a PHP script. I had to implement this manually since I didn't have the option of using HTTPS on my web space.

In this article, I describe

  • how to generate an asymmetric encryption key in PHP,
  • how to decode the public key in ActionScript 3, and
  • how to use it to encrypt data, which is then sent to and decrypted on the server side.

Asymmetric encryption works by generating two keys, the public and the private key. The public key is used to encrypt data, while the private key is used to decrypt data.

In my case, I generate the key pair on the server and send the public key to the ActionScript client, while the server keeps the private key. This way, the client is able to encrypt data with the public key, but only the server can read the encrypted data with the private key.

Intercepting the public key doesn't enable you to read the data sent by the client. The method is still vulnerable to man-in-the-middle attacks, however: anyone who manages to intercept the communication between server and client can use the public key to send their own encrypted data. This means that there should be further authentication between server and client.
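The flow described above, sketched with PHP's OpenSSL extension as an added example (not the code from this article). The client is simulated in PHP, and the 2048-bit key size, OAEP padding, function names and sample messages are assumptions; the last lines show why decryption alone does not authenticate the sender.

```php
<?php
// Added example, not the article's code. Key size, OAEP padding and the
// sample messages are assumptions; the client is simulated in PHP.
const PADDING = OPENSSL_PKCS1_OAEP_PADDING; // must match the client's padding
const OAEP_OVERHEAD = 42;                   // 2 * SHA-1 length + 2 bytes

function generateKeyPair(int $bits = 2048): array
{
    $key = openssl_pkey_new([
        'private_key_bits' => $bits,
        'private_key_type' => OPENSSL_KEYTYPE_RSA,
    ]);
    if ($key === false || !openssl_pkey_export($key, $privatePem)) {
        throw new RuntimeException('Key generation failed: ' . openssl_error_string());
    }
    $details = openssl_pkey_get_details($key);
    // 'key' is the PEM public key; 'rsa' holds the raw modulus (n) and exponent (e).
    return ['private' => $privatePem, 'public' => $details['key'],
            'bytes' => intdiv($details['bits'], 8),
            'n' => bin2hex($details['rsa']['n']), 'e' => bin2hex($details['rsa']['e'])];
}

function encryptForServer(string $plain, string $publicPem, int $keyBytes): string
{
    // RSA encrypts only one short block; reject anything that does not fit.
    if (strlen($plain) > $keyBytes - OAEP_OVERHEAD) {
        throw new LengthException('Message too long for a single RSA block');
    }
    if (!openssl_public_encrypt($plain, $cipher, $publicPem, PADDING)) {
        throw new RuntimeException('Encryption failed: ' . openssl_error_string());
    }
    return base64_encode($cipher);
}

function decryptOnServer(string $cipherB64, string $privatePem): string
{
    $cipher = base64_decode($cipherB64, true);
    if ($cipher === false || !openssl_private_decrypt($cipher, $plain, $privatePem, PADDING)) {
        throw new RuntimeException('Decryption failed');
    }
    return $plain;
}

$pair = generateKeyPair();
$fromClient = encryptForServer('message from the client', $pair['public'], $pair['bytes']);
$fromOther  = encryptForServer('message from someone else', $pair['public'], $pair['bytes']);
// Both decrypt: the private key proves nothing about who sent the message.
echo decryptOnServer($fromClient, $pair['private']), "\n";
echo decryptOnServer($fromOther, $pair['private']), "\n";
```

The `n` and `e` values returned by `generateKeyPair()` are the hex-encoded modulus and public exponent, which is the form a client needs if it cannot parse the PEM public key itself.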

I am using the as3crypto library to encrypt the data on the ActionScript 3 side. Because of some missing features in the library, you still have to implement your own key decoding functionality in order to actually use the public key sent by the server.