RSA encryption for C++/Delphi (CryptoAPI) and PHP (OpenSSL) [part 2]

In my previous post I explained that we needed to encrypt a communication messages between Windows C++/VCL client and PHP based web service. We cannot use SSL and decided to use RSA encryption with the help of low-level functions provided by CryptoAPI at the client side and OpenSSL PHP extension at the server.

We also faced and resolved the key incompatibility problem. See my post about this.

In this post I will describe implementation or RSA encryption/decryption and digital signing.

Read more

RSA encryption for C++/Delphi (CryptoAPI) and PHP (OpenSSL) [part 1]

This post provides an overview of RSA encryption implementation. Please, read my next post for detailed guidelines and code examples.

The purpose of this project was to protect communication between C++ (VCL) client application and PHP server script with encrypting and digital signing HTTP requests and responses.

Well, the simplest solution for the project task is a usage of SSL (HTTPS). However, this project is targeting shared hosting users that cannot afford HTTPS or SSL certificates.
That’s why we considered a possible usage of GnuPG but abandoned it as hard to implement. Instead, we decided to base our solution directly on the RSA algorithm PGP is based on.

At the beginning of the project I had no idea about cryptography and RSA in particular. I’m still not very familiar with it.
Thanks to the Wikipedia you can read all you need to know about RSA in a single place: http://en.wikipedia.org/wiki/RSA.

What I knew at the beginning is that cryptographic libraries provide tools for RSA encryption, decryption, signing and verification. Thus, I consider this project as a good work. However, it turns into completely nightmare.
Why? Because of incompatibility.
Thanks to standardization of SSL (TLS) all cryptographic libraries are compatible at the top level and can communicate without a problem. However, their low-level functions and key formats are just not compatible.

The conclusion is not very weird:

  • If you can use SSL at both sides then better to use it.
  • If you can use the same cryptographic library at the client and the server then use it.
  • If you’re going to use low-level functions of different libraries then prepare to have a very hard work dealing with incompatibility.

In this post I will cover main issues and conclusions made during the development. I’ll give more details and code examples in the second part of the post.

Read my next post for details and code examples on implementing RSA encryption/decryption and digital signing.

Read more