As you are planning to use symmetric encryption for the payload, the encrypted data length will be the same as that of the payload, assuming your payload is properly padded.
On 17 May 2011 14:54, G S <stokest...@gmail.com> wrote:
> Re-sending. Forgot to finish the subject...
>
> Hi all.
>
> I have an iPhone app that retrieves database info by issuing HTTP GETs to
> PHP pages on a server. All I want to do is encrypt the parameters sent in
> the URL, to prevent people from spoofing our app and abusing our database
> (most likely with spam). I've seen people ask this question in forums, and
> they usually get barraged with questions about why they want to do it,
> rather than answers. Let me try to head a few off:
>
> 1. It's neither practical nor necessary to maintain sessions on the
> server. We're not using cookies, certificates, or HTTPS. I don't even need
> the returned data to be encrypted (it's just DB queries coming back as XML).
> 2. I can't use GnuPG because of its license.
> 3. I want to use a public-key mechanism because the key will be sent in the
> clear from DB to app; I don't want to try to hide a private key in the app
> itself.
>
> As I understand it, the typical procedure is as follows:
>
> 1. Generate a random key and initialization vector to encrypt the block of
> text.
> 2. Encrypt that random key with the RSA public key.
> 3. Encrypt the data payload with the random key and IV, using Blowfish or
> other encryption.
> 4. Send the encrypted data payload, encrypted random key, and IV to the
> server for decryption.
>
> I think I'm nearly there: I'm generating a random key and IV; I have the
> public key coming back from the database and being loaded with
> PEM_read_bio_RSA_PUBKEY(). Now I guess I need to use the EVP_encrypt
> functions to encrypt the payload, but how do you calculate the size of the
> output buffer that's required for the encrypted data?
>
> I assume a normal next step is to add the encrypted key, IV, and encrypted
> payload as parameters in the HTTP GET and unravel all this using appropriate
> functions (and the private RSA key) in PHP on the server. Correct?
>
> Thanks!
>
> Gavin
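The output-buffer question above, as an added example that is not from the thread or from OpenSSL: it computes the PKCS#7-padded length that EVP's default padding produces, the conservative `inlen + block_size` allocation for a buffer shared by EVP_EncryptUpdate and EVP_EncryptFinal_ex, and the pad/unpad steps that explain why ciphertext length equals padded plaintext length. The function names are the example's own, and it avoids an OpenSSL dependency so it runs stand-alone; block size is a parameter (8 for Blowfish, 16 for AES).

```c
/* Added example, not code from the thread. Illustrates buffer sizing for a
 * block cipher in CBC mode with PKCS#7 padding (OpenSSL EVP's default). */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Exact ciphertext length for `inlen` plaintext bytes under PKCS#7 padding:
 * rounds up to the next block boundary, and adds a whole block of padding
 * when inlen is already a multiple of block_size. */
size_t padded_len(size_t inlen, size_t block_size) {
    return inlen + (block_size - inlen % block_size);
}

/* Safe size for one buffer written by EVP_EncryptUpdate then
 * EVP_EncryptFinal_ex. Update emits only whole blocks (at most inlen),
 * Final emits at most one more block, so inlen + block_size always fits. */
size_t evp_out_buf_size(size_t inlen, size_t block_size) {
    return inlen + block_size;
}

/* Applies PKCS#7 padding into `out`, whose capacity must be at least
 * padded_len(inlen, block_size). Returns the number of bytes written. */
size_t pkcs7_pad(const uint8_t *in, size_t inlen, size_t block_size,
                 uint8_t *out) {
    size_t pad = block_size - inlen % block_size;   /* 1..block_size */
    memcpy(out, in, inlen);
    memset(out + inlen, (int)pad, pad);             /* each pad byte = pad */
    return inlen + pad;
}

/* Strips PKCS#7 padding after decryption. Returns the plaintext length, or
 * (size_t)-1 when the padding is malformed (the server must reject these). */
size_t pkcs7_unpad(const uint8_t *buf, size_t len, size_t block_size) {
    if (len == 0 || len % block_size != 0) return (size_t)-1;
    uint8_t pad = buf[len - 1];
    if (pad == 0 || pad > block_size) return (size_t)-1;
    for (size_t i = 0; i < pad; i++)
        if (buf[len - 1 - i] != pad) return (size_t)-1;
    return len - pad;
}
```

In practice, allocate `evp_out_buf_size(inlen, EVP_CIPHER_block_size(cipher))`, then use the lengths EVP_EncryptUpdate and EVP_EncryptFinal_ex report as the actual ciphertext size.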