Using Zend_Crypt_Rsa – small example of how to use it

PHP | May 05 2012 | 0 Comments

For a recent project I needed to use RSA encryption to encrypt some sensitive data that was being sent from a client to a (JSON) service. Both the client and the service are written in PHP using Zend Framework, so the obvious place to look for classes implementing this functionality is… well the Zend Framework library of course.

I was happily surprised to find the class Zend_Crypt_Rsa in the Crypt folder of the Zend Framework. When I wanted to check the online documentation at http://framework.zend.com/manual/en I was less happy, because it turns out there is no documentation for this class. Luckily it’s really not that hard to use; if you read the code of the class itself it’s pretty self-explanatory. However, to save someone else some time it might be useful to post the steps I took to get it working, so here we go.

1. First of all you need OpenSSL installed and the openssl PHP extension loaded, because the Zend_Crypt_Rsa class depends on it: all key handling, encryption and decryption is done through the openssl_* functions, and the constructor throws an exception if the extension is missing. `php -m | grep openssl` tells you whether it is loaded.

2. You have to generate the key pair: the public key is used for encryption and the private key for decryption. One way to do this is the ssh-keygen command:

bender:~ ruben$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/Users/ruben/.ssh/id_rsa): id_rsa
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in id_rsa.
Your public key has been saved in id_rsa.pub.
The key fingerprint is:
e4:ec:fc:ae:b4:8e:6a:b0:85:6e:1f:72:58:56:ec:1e ruben@bender
The key's randomart image is:
+--[ RSA 2048]----+
|                 |
|     .           |
|      o .        |
|     o +         |
|   .o E S        |
|  o+.. +         |
| .o+o . +        |
|  +o.. o o       |
| . oo...+oo      |
+-----------------+
bender:~ ruben$

ssh-keygen lets you leave the passphrase empty, but you should set one: it encrypts the private key on disk, and ssh-keygen rejects passphrases shorter than 5 characters. The same passphrase is what you later hand to Zend_Crypt_Rsa so it can unlock the key.
At this point you should have two files: id_rsa, the private key in PEM format, and id_rsa.pub, the public key in OpenSSH’s own format (a single “ssh-rsa AAAA…” line). Only id_rsa is used below: Zend_Crypt_Rsa loads the PEM private key through OpenSSL and derives the public key from it, and OpenSSL cannot read the id_rsa.pub format. If your version of OpenSSH writes “-----BEGIN OPENSSH PRIVATE KEY-----” instead of a PEM key (the default since OpenSSH 7.8), pass -m PEM to ssh-keygen to get a key OpenSSL can open.

3. Now move those two files to a folder inside your project, *outside* of the webroot(!), for instance “keys”, and make sure the private key is readable only by the account the PHP process runs as.

4. Now you’re ready to encrypt something. Here’s a small example:

require_once 'Zend/Crypt/Rsa.php';
// passPhrase unlocks the private key in pemPath; the public key is derived from it
$crypt = new Zend_Crypt_Rsa(array("passPhrase"=>"mypassphrase", "pemPath"=>"../keys/id_rsa"));
$authString = $crypt->encrypt('secretword', $crypt->getPublicKey(), Zend_Crypt_Rsa::BASE64);

What this does is encrypt the string ‘secretword’ with your public key. Note that Zend_Crypt_Rsa reads the private key from ../keys/id_rsa and derives the public key from it; the passPhrase parameter of the constructor must match the passphrase you used when creating the keys, otherwise the key cannot be unlocked and you get an exception. The encrypting side therefore never touches id_rsa.pub. In a client/service setup the client should not hold the private key at all, only the public one: constructing Zend_Crypt_Rsa with a pemString option containing just the PEM public key (“-----BEGIN PUBLIC KEY-----”) gives you a getPublicKey() to encrypt with, while getPrivateKey() is null. One more thing to keep in mind: encrypt() calls openssl_public_encrypt() with PKCS#1 v1.5 padding, so the plaintext can be at most the key size in bytes minus 11 (245 bytes for a 2048-bit key); anything larger fails, and because the class does not check the return value you get an empty string rather than an error. The output of the encryption will be in Base64 format. You can also choose binary (Zend_Crypt_Rsa::BINARY), but that’s less convenient for transferring purposes.

5. Decrypting is just as simple:

require_once 'Zend/Crypt/Rsa.php';
// the same private key and passphrase; decryption needs the private key
$crypt = new Zend_Crypt_Rsa(array("passPhrase"=>"mypassphrase", "pemPath"=>"../keys/id_rsa"));
$decrypted = $crypt->decrypt($encryptedString, $crypt->getPrivateKey(), Zend_Crypt_Rsa::BASE64);

In this case the variable $encryptedString contains a Base64 string representing a previously encrypted string. Do check the result: when openssl_private_decrypt() fails (wrong key, corrupted or truncated ciphertext, bad padding) decrypt() returns an empty string, not false and not an exception, so treat '' as a failure.
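The whole procedure as one runnable PHP script, added here as an example (it is not code from the original post or from Zend Framework). It assumes Zend Framework 1 is on the include_path and ext/openssl is loaded. The key pair is generated in-code with ext/openssl so the script runs on its own; that stands in for the ssh-keygen step and in practice you would read keys/id_rsa instead. The function names generateKeyPair, encryptForService and decryptFromClient, the passphrase and the plaintext are all constructed for this example. It also shows what the steps above leave out: the client is given only the PEM public key, the plaintext length limit is checked before encrypting, and an empty result from decrypt() is treated as an error.

```php
<?php
// Added example (not from the original post or from Zend Framework): a complete
// round trip with Zend_Crypt_Rsa where the client holds only the public key.
// Assumptions: Zend Framework 1 is on the include_path and ext/openssl is loaded.
require_once 'Zend/Crypt/Rsa.php';

/**
 * Generate an RSA key pair in PEM form with ext/openssl (stand-in for the
 * ssh-keygen step so the example runs on its own). Returns the passphrase-
 * encrypted private key PEM (what goes in keys/id_rsa) and the public key PEM
 * that is handed to the client.
 */
function generateKeyPair($passPhrase, $bits = 2048)
{
    $resource = openssl_pkey_new(array(
        'private_key_bits' => $bits,
        'private_key_type' => OPENSSL_KEYTYPE_RSA,
    ));
    if ($resource === false) {
        throw new RuntimeException('openssl_pkey_new failed: ' . openssl_error_string());
    }
    openssl_pkey_export($resource, $privatePem, $passPhrase);
    // "-----BEGIN PUBLIC KEY-----" PEM, readable by OpenSSL, unlike the
    // "ssh-rsa AAAA..." line that ssh-keygen writes to id_rsa.pub.
    $details = openssl_pkey_get_details($resource);
    return array('private' => $privatePem, 'public' => $details['key']);
}

/**
 * Client side: encrypt with nothing but the public key. A PEM that is not a
 * private key is loaded by Zend_Crypt_Rsa as a public key, so getPrivateKey()
 * is null here. encrypt() uses openssl_public_encrypt() with PKCS#1 v1.5
 * padding, so the plaintext may be at most (key bytes - 11); a longer input
 * would make encrypt() silently return '' instead of ciphertext.
 */
function encryptForService($publicPem, $plaintext)
{
    $rsa = new Zend_Crypt_Rsa(array('pemString' => $publicPem));
    $key = $rsa->getPublicKey();
    $details = openssl_pkey_get_details($key->getOpensslKeyResource());
    $maxLen = intval($details['bits'] / 8) - 11;
    if (strlen($plaintext) > $maxLen) {
        throw new LengthException(sprintf(
            'plaintext is %d bytes, RSA/PKCS#1 v1.5 with this key allows at most %d',
            strlen($plaintext), $maxLen));
    }
    return $rsa->encrypt($plaintext, $key, Zend_Crypt_Rsa::BASE64);
}

/**
 * Service side: decrypt with the passphrase-protected private key.
 * Zend_Crypt_Rsa returns '' when openssl_private_decrypt() fails (wrong key,
 * tampered or truncated ciphertext), so '' is treated as an error, not as an
 * empty message.
 */
function decryptFromClient($privatePem, $passPhrase, $ciphertextB64)
{
    if (base64_decode($ciphertextB64, true) === false) {
        throw new InvalidArgumentException('ciphertext is not valid base64');
    }
    $rsa = new Zend_Crypt_Rsa(array('passPhrase' => $passPhrase, 'pemString' => $privatePem));
    if ($rsa->getPrivateKey() === null) {
        throw new RuntimeException('the supplied PEM is not a private key');
    }
    $plain = $rsa->decrypt($ciphertextB64, $rsa->getPrivateKey(), Zend_Crypt_Rsa::BASE64);
    if ($plain === '') {
        throw new RuntimeException('RSA decryption failed: ' . openssl_error_string());
    }
    return $plain;
}

// --- Demo with constructed values -------------------------------------------
$passPhrase = 'mypassphrase';             // constructed sample value
$keys = generateKeyPair($passPhrase);     // done once on the service side

$authString = encryptForService($keys['public'], 'secretword');              // client
$recovered  = decryptFromClient($keys['private'], $passPhrase, $authString); // service
var_dump($recovered === 'secretword');    // bool(true)

// Failure mode: flip one bit of the ciphertext. The PKCS#1 v1.5 padding check
// rejects the result (with overwhelming probability) and decrypt() yields ''.
$tampered = base64_decode($authString);
$tampered[0] = chr(ord($tampered[0]) ^ 0x01);
try {
    decryptFromClient($keys['private'], $passPhrase, base64_encode($tampered));
} catch (RuntimeException $e) {
    echo 'expected failure: ', $e->getMessage(), "\n";
}
```

To get the client's public key PEM from an existing ssh-keygen private key, load the private key on the service as in step 4 and call `$crypt->getPublicKey()->toString()`; that string, not id_rsa.pub, is what you ship to the client. For payloads longer than the 245-byte limit, encrypt a random symmetric key with RSA and the payload with a symmetric cipher rather than splitting the data into RSA-sized chunks.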

That’s all there’s to it, pretty easy right?