Decoding encrypted data emailed from a server

Bringing the internet highway into your project? Building FTP, HTTP, email, chat or other client solutions?

Moderators: FourthWorld, heatherlaine, Klaus, kevinmiller, robinmiller

Post Reply
trags3
Posts: 418
Joined: Wed Apr 09, 2014 1:58 am
Location: Las Vegas, NV

Decoding encrypted data emailed from a server

Post by trags3 » Fri Oct 21, 2016 10:27 pm

I have an app that sends data including a txt file to a server using the Post command.
The server takes some of the data ie email addresses, subject & message and uses it to send via email to the appropriate email addresses the txt file.
The txt file contains information that should be encrypted.
I have never worked with encryption before and don't quite understand how to decrypt when the file reaches the final email inbox.

jacque
VIP Livecode Opensource Backer
VIP Livecode Opensource Backer
Posts: 7215
Joined: Sat Apr 08, 2006 8:31 pm
Location: Minneapolis MN
Contact:

Re: Decoding encrypted data emailed from a server

Post by jacque » Sat Oct 22, 2016 5:04 pm

Once the email is sent you have no control over it any more. I have seen sensitive documents sent as password protected PDF enclosures. The password is generally sent in a separate email.

Large companies like financial institutions usually send an email informing you there is a message waiting and ask you to log into your account to retrieve it.

Email is inherently insecure.
Jacqueline Landman Gay | jacque at hyperactivesw dot com
HyperActive Software | http://www.hyperactivesw.com

trags3
Posts: 418
Joined: Wed Apr 09, 2014 1:58 am
Location: Las Vegas, NV

Re: Decoding encrypted data emailed from a server

Post by trags3 » Sat Oct 22, 2016 5:16 pm

Thank you Jacque,
That helps. I think I can figure out a solution from this.

Tom

lilRalph
Posts: 25
Joined: Wed Aug 26, 2015 9:43 am

Re: Decoding encrypted data emailed from a server

Post by lilRalph » Mon Oct 24, 2016 8:50 am

G'Day Tom,

I have just been exploring something similar to this myself. I agree with Jacque that the best solution if you have to send to multiple email addresses is to just notify them that there is a message for them.

If you are only sending to a small number then there is another option using public/private keys.
Since the private key is usually used to verify that the message came from a certain party by encrypting the hash of the message this way around doesn't help you with the security of the message but if you reverse it and have the end user be the holder of the private key then you can encrypt with the public key and only the private key can decrypt the message.

You can create public/private key pairs with php, store the public key with the user details in your mySQL database (or similar) and hand the private key to the end user at registration time or get them to log in and pick one up then.

It seems to me though that your real security issue is from a potential man-in-the-middle attack between your app and the server. The transmission of the text file is open for theft. They only have to monitor traffic into your server to grab it.

My system currently logs into the server using https, verifies both the server and client are who they say they are with two sets of public/private keys, changes the password for a nearly random one every login, passes data between the two encrypted both ways. I don't know what the password is and nor does the end user, only the server and the client software know that. This system is not un-hackable but I'm hoping that any hacks only work once on a single client and then the change in password prevents the whole system getting hacked or compromised. You can't stop hackers but you can make it hard enough that the effort far outweighs the payoff.

Sorry, no I will not share the code. The only way to keep this as secure as possible is to not have it written down anywhere. The algorithm is there, play with it.

AxWald
Posts: 578
Joined: Thu Mar 06, 2014 2:57 pm

Re: Decoding encrypted data emailed from a server

Post by AxWald » Mon Oct 24, 2016 12:37 pm

Hi,

you could use GnuPG (OpenPGP). This is quite wide spread, for instance in the Enigmail addon for Thunderbird.

This way you use a working, tested and updated crypto tool without having to code anything yourself. And having installed this tool, you & partners additionally have a state of the art crypto solution at hand, usable in many other ways.

Have fun!
All code published by me here was created with Community Editions of LC (thus is GPLv3).
If you use it in closed source projects, or for the Apple AppStore, or with XCode
you'll violate some license terms - read your relevant EULAs & Licenses!

ghettocottage
Livecode Opensource Backer
Livecode Opensource Backer
Posts: 366
Joined: Tue Apr 10, 2012 9:18 am

Re: Decoding encrypted data emailed from a server

Post by ghettocottage » Mon Oct 24, 2016 5:36 pm

lilRalph wrote:G'Day Tom,

My system currently logs into the server using https, verifies both the server and client are who they say they are with two sets of public/private keys, changes the password for a nearly random one every login, passes data between the two encrypted both ways. I don't know what the password is and nor does the end user, only the server and the client software know that. This system is not un-hackable but I'm hoping that any hacks only work once on a single client and then the change in password prevents the whole system getting hacked or compromised. You can't stop hackers but you can make it hard enough that the effort far outweighs the payoff.

Sorry, no I will not share the code. The only way to keep this as secure as possible is to not have it written down anywhere. The algorithm is there, play with it.
@lilRalph I am trying something very similar to what you have described here. I realized you do not want to share your code, security through obscurity and all that, but I have run into a slight issue and am curious if you have the same problem:

I have the random password, salt and the aesEncrypt before I send. and then aesDecrypt on the server and then decode with salt and password..It works, but not every time, and sometimes it works on some things, but other items I am sending seem to not be decoded.

Is your system working for you every time? I am just wondering if my random password and salt is causing the issue.

ghettocottage
Livecode Opensource Backer
Livecode Opensource Backer
Posts: 366
Joined: Tue Apr 10, 2012 9:18 am

Re: Decoding encrypted data emailed from a server

Post by ghettocottage » Thu Oct 27, 2016 12:40 am

ghettocottage wrote:
lilRalph wrote:G'Day Tom,

My system currently logs into the server using https, verifies both the server and client are who they say they are with two sets of public/private keys, changes the password for a nearly random one every login, passes data between the two encrypted both ways. I don't know what the password is and nor does the end user, only the server and the client software know that. This system is not un-hackable but I'm hoping that any hacks only work once on a single client and then the change in password prevents the whole system getting hacked or compromised. You can't stop hackers but you can make it hard enough that the effort far outweighs the payoff.

Sorry, no I will not share the code. The only way to keep this as secure as possible is to not have it written down anywhere. The algorithm is there, play with it.
@lilRalph I am trying something very similar to what you have described here. I realized you do not want to share your code, security through obscurity and all that, but I have run into a slight issue and am curious if you have the same problem:

I have the random password, salt and the aesEncrypt before I send. and then aesDecrypt on the server and then decode with salt and password..It works, but not every time, and sometimes it works on some things, but other items I am sending seem to not be decoded.

Is your system working for you every time? I am just wondering if my random password and salt is causing the issue.
I seem to have it sorted. It was indeed my random password/salt that was causing the issue. I would generate the password and salt on my app, and send it (encoded) to the server, but this would randomly not work and cause everything else to stop.

I had to come up with a way to generate a password on the app and on the server independently, but come up with the same result for both.

Post Reply

Return to “Internet”