Thursday, July 13, 2017

I'm not saying is military grade...but I'm almost certain its the NSA phones


This plugin will allow you to encrypt data with RSA algorythm in an Ajax request (client side) and decrypt in PHP (server side).
IMPORTANT: Unfortunately, this plugin does not provide a foolproof method against hacks
ONLINE DEMONSTRATION


How to use it ?

Downloads

Here are 3 downloads necessary to use AJAXRSA with Construct 2 :

RSA Keys Generator

Download and dezip the folder.
Execute the «index.exe».
(size: 18 Mo)
DownloadRSA Keys Generator

Plugin Construct 2

Download, dezip and put the folder called «ajaxrsa».
in the Construct 2 Plugin folder.
(size: 10 Ko)
DownloadPlugin Construct 2

PHP Library and Demo

Download and dezip the folder.
You will obtain 2 folders et 1 example script.
(size: 143 Ko)
DownloadPHP Library & Demo

RSA Keys

In first, you will need two keys : Public Key and Private Key
Launch the RSA Keys Generator (search an executable called «index.exe»).
You get this :

Construct 2 Plugin

Make sure your folder «ajaxrsa» is present in the Construct 2 Plugins folder.
C:/Program Files/Construct 2/exporters/html5/plugins/ajaxrsa/
Launch Construct 2, create a new project, add new object : AJAX-RSA.
Now, open your Event Sheet to add the following Events/Actions :

PHP Library & Demo

On server side, make sure your folders «Crypt» and «Math» are in the same folder.
Below, the demo script to process the data server side:

// Use it for local preview (localhost:50000)
// See : https://www.scirra.com/manual/107/ajax
//header('Access-Control-Allow-Origin: * '); 

ini_set("display_errors", 0);

session_start(); // Need session to store Token

require_once('Crypt/RSA.php'); // Math folders must be the same level as the folder Crypt

// IMPORTANT : Keep the complete syntax and the jump lines for Private Key
define("KEY_PRIVATE", "-----BEGIN RSA PRIVATE KEY-----
MIIBOgIBAAJBAMrXPEVu4LxhOUvV2mreOoHIchPlJYgvRdpqkBd6t2sD7SM02DqP
n89eSj+oqG1ZR+l7Yj1SMCZMrav6257UivMCAwEAAQJAHHwerKl7dI46sO72iJdt
+UJ1iAcKlECp5e2dD+Rd1EXYNfIH26AyprDRXNTRoTYidiVaUH1Z8NxifWagf36j
gQIhAOKOTxjSwgDIWQxoMxw2AL8AAGF3g4uWXgRZKp4f9QghAiEA5TPn1H/j7AQW
NTW7WmM6PjV/Xdl0YI4y2OUTdw2E4JMCIQCvYFJCeQPM70pfnFnUQMmbETk6OfYO
nDvzScL/3OUlgQIgZop6RU+SIJ0Tcmq/jwilnf9BJDONJUV46iBSPQkHUZECIAnE
byHHtgYokdOrheh+O1FWUtq5q/xq28TR+tHUFa1i
-----END RSA PRIVATE KEY-----");

// Function to decrypt data
function decrypt($data) {
 $rsa = new Crypt_RSA();
 $rsa->setEncryptionMode(CRYPT_RSA_ENCRYPTION_PKCS1);
 $rsa->loadKey(KEY_PRIVATE, CRYPT_RSA_PRIVATE_FORMAT_PKCS1);
 $s = new Math_BigInteger($data, 16);
 return $rsa->decrypt($s->toBytes());
}

$arr_data = array(); // Array where we will store our data

// Check if the Ajax Request come from the game folder
// example : http://www.domain.com/folderGame/ or http://www.domain.com/folderGame/index.html
if(isset($_SERVER['HTTP_REFERER']) 
 && ($_SERVER['HTTP_REFERER']=="http://www.payondev.fr/projet/ajaxrsa/demonstration/" 
 || $_SERVER['HTTP_REFERER']=="http://www.payondev.fr/projet/ajaxrsa/demonstration/index.html"))
{

 // If "Post to URL"
 if(isset($HTTP_POST_VARS[d])) $data = $HTTP_POST_VARS[d];
 // If "Request URL"
 if(isset($HTTP_GET_VARS[d])) $data = $HTTP_GET_VARS[d];

 if(trim($data, " \t\n\r")!="")
 {
  // Decrypt Data
  $decrypted_data = utf8_decode(decrypt($data));
  parse_str($decrypted_data, $arr_data);

  // Check if there is a data called "token"
  if(isset($arr_data['token']) && trim($arr_data['token'], " \t\n\r")!="")
  {
   // Check if token exist (get key if exist)
   if( ($k = array_search($arr_data['token'], $_SESSION['token'])) !== FALSE )
   {
    // Remove current token (expired or not)
    unset($_SESSION['token'][$k]);

    $expiration = explode("_", $arr_data['token']); 
    $delayToken = time() - $expiration[1];
    if($delayToken<=2)
    {

     // *******************************************************************
     // ************************ YOUR CODE HERE ***************************
     // *******************************************************************
     
     // EX : www.domain.com/index.php?player=Vincent&score=150&token=123abc...
     // $arr_data["player"]  =  "Vincent";
     // $arr_data["score"]  =  "150";
     // $arr_data["token"]  =  "123abc...";
     foreach($arr_data as $key => $value) echo $key .": ". $value."   ";

    }else{ echo "Error : Token Expired"; }
   }else{ echo "Error : Invalid Token"; }
  }else{ echo "Error : Token missing"; }
 }else{
  // If no data in URL, generate Token and return it
  $token = md5(rand(1000, 999999));
  echo $_SESSION['token'][] = $token."_".time();
 }
}else{ echo "Error : It's not a call from the game"; }


Of course, the use of Tokens (either side Construct 2 or PHP) is not mandatory but recommended for browser games.

No comments:

Man in the Rain