Encryption in Laravel and Decryption in javascript?

[tranvanhieu01012002]

Are there any ways to use encryption in Laravel and we can decrypt in javascript?
Can we use some package like: Crypto, CryptoJs...

[henzeb]

What you need that for? SSL is doing the encryption between server and end user...

[ghost]

An example for hashing:

example js:

const data = `your string`;
const hash = CryptoJS.HmacSHA256(data, secret);
const signature = CryptoJS.enc.Hex.stringify(hash);

equivalent in php:

\hash_hmac('sha256', 'your string', $secret);

I guess there should be something similar also for encryption/decryption.

[henzeb]

The problem with that is that the secret is known for both public as private here.

I really discourage the usage of this because:

1. the SSL protocol already does this for you.
2. By default laravel has one app key, sharing this on the frontend means anything that's encrypted on the server is compromised. Even when safe on the server.

If end to end encryption is the use case, just use a SSL certificate. They don't have to cost anything these days thanks to "let's encrypt".

[ghost]

You have a point there :)

[Sophist-UK]

There is a big difference between hashing for:

1. Hash encryption i.e. hashing a password before transmission so it is not readable by a sniffer on the basis that the password is hashed for comparison to the stored password when it gets to the server. Solution: IMO Send the entered password encrypted using SSL. Password hashing uses a seed and that seed needs to be kept private i.e. used only on the server and not shared in JS where you can use the JS console to get hold of it. For man in the middle there is no difference in risk between sending it hashed, or sending it as entered so it can be hashed on the server - in both cases if you can see the password you can fake a login, so SSL should be used to stop someone seeing the password.

2. Ensuring data has not been accidentally corrupted in transit - IMO there is no risk here however you should not use a seed (or if you do then use a public seed that is different to any seed used for encryption) because there is no need to use a private seed.

3. Ensuring that data has not been maliciously altered by a man-in-the-middle. If you has this, to check the hash, the seed will need to be known in JS and can be obtained through the JS console - if the seed is known then the hash value can be faked too. Using SSL should avoid man-in-the-middle.

If you have concerns about the safety of SSL being compromised e.g. by a man-in-the-middle, then you need to use ways of confirming the SSL Certificate (because a m-i-t-m needs to use a fake certificate) and so you should check the SSL certificate signature is a known value for example.

[valorin]

There isn't a method in the framework itself, however it can definitely be done, with one huge condition: you need to be happy for the decryption key to be sent to the browser and it's safe for the user to obtain it. You cannot decrypt (or encrypt) in the browser without the user having access to the key. Although using public/private keys would help in some ways.

If that's acceptable, pick your encryption type (symmetric or asymmetric), and algorithm, find a way to perform that in both JS and PHP (i.e. find a package), and then write the code.

Don't use Laravel's encryption tools, and definitely don't use Laravel's encryption keys. Generate custom keys specifically for this - unique per user.

All of that said, if you're not familiar with cryptography, you need to be really careful with this stuff - it's very easy to leave massive holes and vulnerabilities. Find someone with experience who can review your work and help you ensure you have a secure implementation.