Back in June of 2003, I got sick and tired of listening to stupid commercial radio stations and the inability to listen to NPR radio shows when I wanted to listen to them. So, I did three things:
I asked NPR if they would like for me to create a playlist manager for their listeners for free, but they weren't interested, so I made my own website to do just that, but more. My goal is to let people listen to radio shows, music (legally), and radio stations (live) when they want to listen to them with the least amount of stupid commercials possible. So far, my website is actually working pretty good, but it still has a way to go.
So what does this have to do with encryption? Well, there are a lot of python scripts running on the website which get data from the web users. If you try to mess with some of the data, you could do things like listen to other people's music or shows without their permission. Also, you might try to delete other people's data. I take other precautions besides encrypting data, but encryption is a good first step at making it hard for people to change variables.
How does encryption help? If you encrypt data for the client to use, if the data is altered, it is very unlikely it can be decrypted properly, and hence any data that doesn't get decrypted properly, you can ignore. This makes it very very hard for someone to mess up data on your website. I have worked at many different companies and many of them had really bad security issues with their websites. I have seen problems where people could bring up other people's info or worse, delete other people's info.
The specs on the systems I am using are:
Why attach a random string? In theory, it might confuse them. By attaching a random string to be encrypted, it should make it harder for someone to try and crack your encryption key since they don't know what data has been encrypted and they never get the same result twice (hence they can't reproduce a response). Perhaps in mathematical theory my reasoning is BS, but I think it is cool anyways. There is one problem, I believe strings are encrypted at 8 byte intervals, thus, someone can guess where the timestamp and random keys are. There are ways to take care of this. For this article, I am not going to bother.
Why attach a timestamp? Well, you can make it so people will get an error message if they use outdated links. You have the option of ignoring timestamps in your programming, but sometimes it can be useful.
I have used many of the different encryption modules in Perl, but for this article, I will use Blowfish.
Save this code to a file called "MOR_Encrypt.pm".
In a separate file named Perl_Encrypt.pl, do this:
Then type in "perl Perl_Encrypt.pl" to test things out.
I have used many of the different encryption modules in Python, but for this article, I will use Blowfish.
Save this code to a file called "MOR_Encrypt.py".
In a separate file named Python_Encrypt.py, do this:
Then type in "python Python_Encrypt.py" to test things out.
I have used many of the different encryption modules in PHP, but for this article, I will use Blowfish.
Save this code to a file called "MOR_Encrypt.inc".
In a separate file named Php_Encrypt.php, do this:
Then type in "php Php_Encrypt.php" to test things out.
To see a real live webpage in action, http://www.tcu-inc.com/Articles/36/unprotected/Test_Encryption.py click on the link.
Encrypting data in webpages has been very useful for me. It helps to protect data which you don't want the clients to see. It shouldn't be the only security method you use on your website, but it is a great start.
Mark Nielsen works at Crisp Hughes Evans. He has picked up the hobby to try and bring the internet radio to the people through the www.myopenradio.com website. The people should control the internet, not the other way around. Please email him at firstname.lastname@example.org and put in the subject "ARTICLE:" or the message will be deleted and not even looked at -- to stop spammers.
Copyright © 11/2003 Mark Nielsen