I have a small string of some data (less than 1kb) that I would like to have user agents pass to other sites when they are sent from my site. In order for the other sites to verify that I was the one that created the string I though of two options.
I don't want to setup HMAC because that would mean I have to use custom keys for each site which would be a pain.
Out of those two choices it seems that #2 would save on bandwidth which makes it seem like a better choice.
So how can you setup public/private key cryptography using PHP and are there any downsides?
I would create S/MIME public/private keypairs using OpenSSL and then use the OpenSSL command to do the encryption & decryption. I believe that this is superior to using PGP because openssl is included with most linux operating systems and PGP isn't. OpenSSL is also standards-based and generally easier to work with, once you have the commands down.
I recommended against a "pure-PHP" solution (by pure-PHP I mean doing the crypto in PHP, rather than using PHP to call an existing library or a separate executable). You don't want to do bulk crypto in PHP. Too slow. And you want to use OpenSSL, because it's high performance and the security is well understood.
Here's the magic.
To make an X.509 key:
$subj="/C=US/ST=California/L=Remote/O=Country Govt./OU=My Dept/CN=Mr. Agent/emailAddress=agent@investiations.com"
openssl req -x509 -newkey rsa:1024 -keyout mycert.key -out mycert.pem -nodes -subj $subj
That puts the private key in mycert.key and the public key in mycert.pem. The private key is not password protected.
Now, to sign a message with S/MIME:
openssl smime -sign -signer mycert.pem -inkey mycert.key <input >output
To encrypt a message with S/MIME:
openssl smime -encrypt -recip yourcert.pem <input >output
To decrypt a message with S/MIME:
openssl smime -decrypt -inkey mycert.key -certfile mycert.pem <input >output
I also have some demos on using OpenSSL from the C language bindings, but not from PHP.