Encrypting Data in Webpages

By Mark Nielsen

  1. Introduction
  2. Computer Setup
  3. Encryption Strategy
  4. Perl encryption
  5. Python encryption
  6. PHP encryption
  7. Test
  8. Conclusion
  9. References

Introduction

Back in June of 2003, I got sick and tired of listening to stupid commercial radio stations and the inability to listen to NPR radio shows when I wanted to listen to them. So, I did three things:

  1. I setup a method of organizing my mp3s into a database and then I used a python script to spit out my mp3s in a random order, just like a radio station.
  2. I setup www.myopenradio.com to play a list a of daily updated radio shows from NPR and other sources. Try it. The public playlist is the sort of stuff I like to listen to.
  3. Hooked up the output of my sound card to a radio transmitter which works for about 300 ft. Then I set my radio to the same FM station my transmitter is set to, and now I get music and NPR shows 24 hours a day without stupid commericals.

I asked NPR if they would like for me to create a playlist manager for their listeners for free, but they weren't interested, so I made my own website to do just that, but more. My goal is to let people listen to radio shows, music (legally), and radio stations (live) when they want to listen to them with the least amount of stupid commercials possible. So far, my website is actually working pretty good, but it still has a way to go.

So what does this have to do with encryption? Well, there are a lot of python scripts running on the website which get data from the web users. If you try to mess with some of the data, you could do things like listen to other people's music or shows without their permission. Also, you might try to delete other people's data. I take other precautions besides encrypting data, but encryption is a good first step at making it hard for people to change variables.

How does encryption help? If you encrypt data for the client to use, if the data is altered, it is very unlikely it can be decrypted properly, and hence any data that doesn't get decrypted properly, you can ignore. This makes it very very hard for someone to mess up data on your website. I have worked at many different companies and many of them had really bad security issues with their websites. I have seen problems where people could bring up other people's info or worse, delete other people's info.

Computer Setup

The specs on the systems I am using are:

  1. Python : You have to love Python! If you don't, we will brainwash you. I still end up programming in PHP and Perl all the time for clients, but when I have a choice to decide which langague I get to use, I always choose Python.
  2. Linux : Besides FreeBSD, what else would you even consider to use?
  3. Html and Javascript: Lots of ugly javascript.
  4. Real Player: Only really works in Mozilla as an embedded feature on Windows using IE or Mozilla, but since I read something recently about Real open sourcing Real Player, I hope Real Player will be installed by default with Mozilla for Linux at some point in the future.
  5. PostgreSQL: I use MySQL also, but I need to use stored procedures for my GUPPS standard. I have been using PostgreSQL stored procedures for years, so I am sticking with it.
  6. Apache 2.0 web server: I switched to Apache 2.0 a while ago. I use mod_php and mod_perl with Apache 2.0. This website is written in Python (I have other websites written in PHP and Perl) so that doesn't help me much. I really don't like any of the python mods for Apache, so for now, each script runs a brand new instance for each webpage hit -- yuck.
  7. Zope web server: Parts of the website are served by the latest Zope server. I have been switching python scripts to Zope for some time now. Rather than using python mods for Apache, I am using Zope for current and future projects. I have been using Zope for over 3 years, and I really like it a lot.
  8. The hardware is based on an AMD cpu. At one point I sold hardware including other cpus from the other company, and from my experience, I can say I will never buy anything but AMD cpus for PC based systems (if I have the option).

Encryption Strategy

Here is the strategy:
  1. Encrypt critical data which gets sent to the web browser. Make sure binary data is converted to ascii code.
  2. Decrypt critical data returned to your server. Remember to first convert the data back to binary format from ascii code.
  3. When encrypting data, attach a random string to vary the data.
  4. Attach a time stamp to the data.
What is critical data? Any data which can result in the reading, inserting, updating, or deletion of entries in your database.

Why attach a random string? In theory, it might confuse them. By attaching a random string to be encrypted, it should make it harder for someone to try and crack your encryption key since they don't know what data has been encrypted and they never get the same result twice (hence they can't reproduce a response). Perhaps in mathematical theory my reasoning is BS, but I think it is cool anyways. There is one problem, I believe strings are encrypted at 8 byte intervals, thus, someone can guess where the timestamp and random keys are. There are ways to take care of this. For this article, I am not going to bother.

Why attach a timestamp? Well, you can make it so people will get an error message if they use outdated links. You have the option of ignoring timestamps in your programming, but sometimes it can be useful.

Perl encryption.

I have used many of the different encryption modules in Perl, but for this article, I will use Blowfish.

Save this code to a file called "MOR_Encrypt.pm".
In a separate file named Perl_Encrypt.pl, do this:
Then type in "perl Perl_Encrypt.pl" to test things out.

Python encryption.

I have used many of the different encryption modules in Python, but for this article, I will use Blowfish.

Save this code to a file called "MOR_Encrypt.py".
In a separate file named Python_Encrypt.py, do this:
Then type in "python Python_Encrypt.py" to test things out.

Php encryption.

I have used many of the different encryption modules in PHP, but for this article, I will use Blowfish.

Save this code to a file called "MOR_Encrypt.inc".
In a separate file named Php_Encrypt.php, do this:
Then type in "php Php_Encrypt.php" to test things out.

Test.

To see a real live webpage in action, http://www.tcu-inc.com/Articles/36/unprotected/Test_Encryption.py click on the link.

Conclusion

Encrypting data in webpages has been very useful for me. It helps to protect data which you don't want the clients to see. It shouldn't be the only security method you use on your website, but it is a great start.

References

  1. http://www.postgresql.org
  2. http://www.apache.org
  3. http://www.python.org
  4. http://service.real.com/help/library/earlier.html
  5. If this article changes, it will be available here http://www.tcu-inc.com/Articles/36/encrypt.html

Mark Nielsen works at Crisp Hughes Evans. He has picked up the hobby to try and bring the internet radio to the people through the www.myopenradio.com website. The people should control the internet, not the other way around. Please email him at articles@tcu-inc.com and put in the subject "ARTICLE:" or the message will be deleted and not even looked at -- to stop spammers.

Copyright © 11/2003 Mark Nielsen
Article