Cross Language Encryption/Decryption
By Diona Kidd on Mar 19, 2007 in Open Source, PHP, Perl, Scripts, Technical
I recently had a need for cross language encryption and decryption of cookies. More specifically, I needed to encrypt cookies in Perl and decrypt the same cookies in PHP. After many Google searches, I finally found a post on a mailing list and contacted the author, Josh Kuo.
I don’t always expect a response when e-mailing someone I don’t know, because we’re all really busy, but Josh was very kind in his replies. He sent me a link to his project Qrypto on SourceForge, which can be used to encrypt and decrypt just about anything, including cookies, files, and URL strings. Qrypto currently supports Perl, PHP and Python, and there are plans for other popular languages in the future.
I had spent a couple of days trying to come up with a cross-language encryption and decryption solution on my own. With the use of the qrypto project and Josh’s kind help, I had it running in a single morning. Open source is a beautiful thing.
I’ll show you just how easy it was…
The Code
Perl
Implementing Josh’s solution was pretty easy. I downloaded Crypt.pm and added it to my Perl library. Then I created internal methods to use the module. When a user logs in, an encrypted cookie is created with the information needed later in the application.
The Perl code I added to use the module looks like the following:
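    use Crypt;    # Crypt.pm from the Qrypto project

    # Encrypt a cookie value so that the PHP side can decrypt it.
    sub _php_encrypt {
        my ($self, $value) = @_;
        # The string is the pass-phrase; it must match the one used in PHP.
        my $cipher = Crypt->new('01234567890123456789012345678901234567890000000000');
        return $cipher->encrypt($value);
    }

    # Decrypt a value that was encrypted with the same pass-phrase.
    sub _php_decrypt {
        my ($self, $value) = @_;
        my $cipher = Crypt->new('01234567890123456789012345678901234567890000000000');
        return $cipher->decrypt($value);
    }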
The advantage of using Crypt.pm from the Qrypto project is that the call to the Crypt::CBC constructor is already configured in the module. Because of differences between Perl and PHP, this configuration is the most crucial part of creating an encrypted cookie that another language can read.
The key has to be 56 characters in length. I’ve made my key numbers to make it easier to see the length, but the key could be alpha, numeric or a sentence. When you call Crypt->new('My super secret passphrase'), the method handles the sha256_hex hashing for you.
Note the documentation from Crypt.pm:
Blowfish requires two inputs, the IV (Initialization Vector) and the key. The key must be 56 in length. The easiest and secure way to provide both inputs is to take a single input (the pass-phrase) and run SHA256 on it to produce a hex string that is 64 in length. Use the first 8 for the IV, and the remaining 56 for the key. So it looks like this:
    $passphrase = 'this is a pass-phrase';
    $sha256 = '15343cba39004cd07d79ac972fa4bf50c7c504a8add5cb1c900e2263f82996f3';
    $iv = '15343cba';
    $key = '39004cd07d79ac972fa4bf50c7c504a8add5cb1c900e2263f82996f3';
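The derivation described in the Crypt.pm documentation quoted above, written out as an added Python example (not code from Qrypto or from the original post). It assumes the hex characters themselves are used as the IV and key bytes and that the pass-phrase is UTF-8 encoded; the function names are illustrative. It also makes two properties visible: the IV is fixed for a given pass-phrase, and the 56-character key carries 224 bits of the digest.

```python
import hashlib

BLOWFISH_BLOCK_BYTES = 8     # Blowfish block size, so the CBC IV is 8 bytes
BLOWFISH_MAX_KEY_BYTES = 56  # Blowfish accepts keys up to 448 bits (56 bytes)


def derive_iv_and_key(passphrase):
    """Split the SHA-256 hex digest of the pass-phrase into IV and key.

    Per the quoted documentation: the first 8 hex characters are the IV,
    the remaining 56 are the key. Assumption: the hex characters are used
    as-is (one character per byte), not decoded to the bytes they encode.
    """
    if not passphrase:
        raise ValueError("empty pass-phrase")
    digest_hex = hashlib.sha256(passphrase.encode("utf-8")).hexdigest()
    # The digest is always 64 hex characters, so the split is always 8 + 56.
    iv = digest_hex[:BLOWFISH_BLOCK_BYTES].encode("ascii")
    key = digest_hex[BLOWFISH_BLOCK_BYTES:].encode("ascii")
    return iv, key


def effective_key_bits(key):
    """Each key byte is one hex character, so it holds 4 bits of the digest."""
    return len(key) * 4


def same_material(passphrase_a, passphrase_b):
    """True when two endpoints would derive the same IV and key."""
    return derive_iv_and_key(passphrase_a) == derive_iv_and_key(passphrase_b)


if __name__ == "__main__":
    iv, key = derive_iv_and_key("this is a pass-phrase")
    print("iv :", iv.decode("ascii"))
    print("key:", key.decode("ascii"))
    print("key bytes:", len(key), "effective bits:", effective_key_bits(key))
    # Same pass-phrase, same IV: every cookie under one pass-phrase shares it.
    print("IV repeats:", derive_iv_and_key("this is a pass-phrase")[0] == iv)
```

Both endpoints interoperate only when they derive byte-identical material, so a pass-phrase that differs by case or trailing whitespace between the Perl and PHP configuration will fail to decrypt.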
In my authentication module, I created a cookie using the _php_encrypt method. The user’s email was the second name/value pair in the cookie and I needed to extract that later in the application.
PHP
Next, I downloaded Crypt.php and added it to my project’s include path. In this project, I have an init.php that is included on every page load. If a user isn’t logged in, the cookie is read and the values are extracted for the application. This was done using PHP5 and the following code:
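    require_once 'Crypt.php';    # Crypt.php from the Qrypto project, on the include path

    # Read the cookie only if the browser sent it (avoids an undefined-index notice).
    $encoded = isset($_COOKIE["mycookie"]) ? $_COOKIE["mycookie"] : null;
    if ($encoded) {
        # Decrypt with the same pass-phrase used on the Perl side, then split on ';'.
        $long_key = "01234567890123456789012345678901234567890000000000";
        $crypt = new Crypt($long_key);
        $decrypted = $crypt->decrypt($encoded);
        $values = explode(';', $decrypted);    # name=value pairs
        $email = explode('=', $values[2]);     # pair that holds the user's email
        $user_email = $email[1];
    }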
What a great idea!
Cross-language encryption/decryption is a great idea and a much-needed project, especially in the Web 2.0 days of integrating multiple applications in different languages. If you ever look under the hood of encryption algorithms, it won’t take long to see that the methods are complex.
Qrypto has decrypted the method of communicating securely between certain languages. Thanks to Josh Kuo for spending time to decipher the details and make cross-language encryption communication easier for the rest of us.
