[ACCEPTED]-Two-way encryption in PHP-encryption
PHP 5.3 has introduced a new encryption method that is really easy to use: openssl_encrypt and openssl_decrypt. It's not well-documented here, so here's a simple example:
$textToEncrypt = "My super secret information.";
$encryptionMethod = "AES-256-CBC"; // AES is used by the U.S. gov't to encrypt top secret documents.
$secretHash = "25c6c7ff35b9979b151f2136cd13b0ff";

//To encrypt
$encryptedMessage = openssl_encrypt($textToEncrypt, $encryptionMethod, $secretHash);

//To Decrypt
$decryptedMessage = openssl_decrypt($encryptedMessage, $encryptionMethod, $secretHash);

//Result
echo "Encrypted: $encryptedMessage <br>Decrypted: $decryptedMessage";
I chose 256-AES because it's solid and fast. It's been adopted by the U.S. gov't to encrypt top secret documents. It's fast considering machine and software. Here's a list of available encryption methods:
AES-128-CBC, AES-128-CFB, AES-128-CFB1, AES-128-CFB8, AES-128-ECB, AES-128-OFB, AES-192-CBC, AES-192-CFB, AES-192-CFB1, AES-192-CFB8, AES-192-ECB, AES-192-OFB, AES-256-CBC, AES-256-CFB, AES-256-CFB1, AES-256-CFB8, AES-256-ECB, AES-256-OFB, BF-CBC, BF-CFB, BF-ECB, BF-OFB, CAMELLIA-128-CBC, CAMELLIA-128-CFB, CAMELLIA-128-CFB1, CAMELLIA-128-CFB8, CAMELLIA-128-ECB, CAMELLIA-128-OFB, CAMELLIA-192-CBC, CAMELLIA-192-CFB, CAMELLIA-192-CFB1, CAMELLIA-192-CFB8, CAMELLIA-192-ECB, CAMELLIA-192-OFB, CAMELLIA-256-CBC, CAMELLIA-256-CFB, CAMELLIA-256-CFB1, CAMELLIA-256-CFB8, CAMELLIA-256-ECB, CAMELLIA-256-OFB, CAST5-CBC, CAST5-CFB, CAST5-ECB, CAST5-OFB, DES-CBC, DES-CFB, DES-CFB1, DES-CFB8, DES-ECB, DES-EDE, DES-EDE-CBC, DES-EDE-CFB, DES-EDE-OFB, DES-EDE3, DES-EDE3-CBC, DES-EDE3-CFB, DES-EDE3-CFB1, DES-EDE3-CFB8, DES-EDE3-OFB, DES-OFB, DESX-CBC, RC2-40-CBC, RC2-64-CBC, RC2-CBC, RC2-CFB, RC2-ECB, RC2-OFB, RC4, RC4-40, SEED-CBC, SEED-CFB, SEED-ECB, SEED-OFB, aes-128-cbc, aes-128-cfb, aes-128-cfb1, aes-128-cfb8, aes-128-ecb, aes-128-ofb, aes-192-cbc, aes-192-cfb, aes-192-cfb1, aes-192-cfb8, aes-192-ecb, aes-192-ofb, aes-256-cbc, aes-256-cfb, aes-256-cfb1, aes-256-cfb8, aes-256-ecb, aes-256-ofb, bf-cbc, bf-cfb, bf-ecb, bf-ofb, camellia-128-cbc, camellia-128-cfb, camellia-128-cfb1, camellia-128-cfb8, camellia-128-ecb, camellia-128-ofb, camellia-192-cbc, camellia-192-cfb, camellia-192-cfb1, camellia-192-cfb8, camellia-192-ecb, camellia-192-ofb, camellia-256-cbc, camellia-256-cfb, camellia-256-cfb1, camellia-256-cfb8, camellia-256-ecb, camellia-256-ofb, cast5-cbc, cast5-cfb, cast5-ecb, cast5-ofb, des-cbc, des-cfb, des-cfb1, des-cfb8, des-ecb, des-ede, des-ede-cbc, des-ede-cfb, des-ede-ofb, des-ede3, des-ede3-cbc, des-ede3-cfb, des-ede3-cfb1, des-ede3-cfb8, des-ede3-ofb, des-ofb, desx-cbc, rc2-40-cbc, rc2-64-cbc, rc2-cbc, rc2-cfb, rc2-ecb, rc2-ofb, rc4, rc4-40, seed-cbc, seed-cfb, seed-ecb, seed-ofb
Thanks Hobo and Jorwin for pointing out that in PHP 5.3.3 > there is a new parameter that makes this function a little more secure.
Jorwin referenced this link in his comment, and here is an excerpt that is applicable:
In 5.3.3 they added a new parameter, string $iv (initialization vector). Real parameters are:
string openssl_encrypt ( string $data , string $method , string $password, bool $raw_output = false, string $iv )
$iv is missing, a warning is issued: "Using an empty Initialization Vector (iv) is potentially insecure and not recommended".
$iv is too short, another warning: "IV passed is only 3 bytes long, cipher expects an IV of precisely 8 bytes, padding with \0"
same IV should be used in
You don't need two-way encryption - encryption is for maintaining secrecy, but what you're really looking for here is authenticity.
HMACs (essentially, keyed hashes) are one way of getting cryptographic authenticity. Accompany the UID with a HMAC of the UID (PHP has a HMAC implementation), using a key that only the server knows. At the start of each request, check the HMAC.
Basically, use the right tool for the right job.
While PHP supports many two way hashing algorithms I do not see it being useful in this example. What you need to do is:
- Load the row from storage by the provided id
- Check that the owner of the row is the authenticated user and if not throw an exception and inform the user not to do that again
But if your heart is set on hashing just pick one of the algorithms provided.
First, encrypting URL parameters is usually a bad idea, and a separate lookup (based on an index CHAR column generated by a CSPRNG) is better for 99.9% of use cases.
With that said: Yes, you can use the OpenSSL extension (don't use mcrypt) to encrypt the data like espradley suggested, however I would caution you to not stop at merely encryption.
Encryption without message authentication is dangerous, especially if you're trusting an end-user with the ciphertext.
The solution, therefore, is to use authenticated encryption, which can be easily accessed with libsodium, available on PECL.
If you cannot for whatever reason install a PECL extension, there are two PHP libraries to choose from: defuse/php-encryption and zend-crypt. They both offer standards-compliant authenticated encryption and they're both safe to use (for what it's worth, I frequently perform code audits for cryptography implementations in PHP, I'm not merely some random person on the internet).
In PHP, encryption and decryption of a string is possible using one of the Cryptography Extensions called OpenSSL, which provides functions to encrypt and decrypt.
openssl_encrypt() Function: The openssl_encrypt() function is used to encrypt the data.
Syntax is as follows :
string openssl_encrypt( string $data, string $method, string $key, $options = 0, string $iv, string $tag = NULL, string $aad, int $tag_length = 16 )
Parameters are as follows :
$data: It holds the string or data which needs to be encrypted.
$method: The cipher method is adopted using openssl_get_cipher_methods() function.
$key: It holds the encryption key.
$options: It holds the bitwise disjunction of the flags OPENSSL_RAW_DATA and OPENSSL_ZERO_PADDING.
$iv: It holds the initialization vector which is not NULL.
$tag: It holds the authentication tag which is passed by reference when using AEAD cipher mode (GCM or CCM).
$aad: It holds the additional authentication data.
$tag_length: It holds the length of the authentication tag. The length of the authentication tag lies between 4 and 16 for GCM mode.
Return Value: It returns the encrypted string on success or FALSE on failure.
openssl_decrypt() Function The openssl_decrypt() function is used to decrypt the data.
Syntax is as follows :
string openssl_decrypt( string $data, string $method, string $key, int $options = 0, string $iv, string $tag, string $aad )
Parameters are as follows :
$data: It holds the string or data which needs to be encrypted.
$method: The cipher method is adopted using openssl_get_cipher_methods() function.
$key: It holds the encryption key.
$options: It holds the bitwise disjunction of the flags OPENSSL_RAW_DATA and OPENSSL_ZERO_PADDING.
$iv: It holds the initialization vector which is not NULL.
$tag: It holds the authentication tag using AEAD cipher mode (GCM or CCM). When authentication fails openssl_decrypt() returns FALSE.
$aad: It holds the additional authentication data.
Return Value: It returns the decrypted string on success or FALSE on failure.
Approach: First declare a string and store it into a variable, use the openssl_encrypt() function to encrypt the given string, and use the openssl_decrypt() function to decrypt the given string.
You can find the examples at : https://www.geeksforgeeks.org/how-to-encrypt-and-decrypt-a-php-string/
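As an added example (not code from any of the answers above), here is AES-256-GCM through the openssl_encrypt()/openssl_decrypt() $iv, $tag and $aad parameters described in the last answer, which also gives the authenticated encryption the earlier answer recommends: a tampered ciphertext or a wrong AAD makes decryption fail instead of returning garbage. It assumes PHP 7.1 or later (for the $tag parameter); the key, message and AAD strings are constructed for the demonstration.

```php
<?php
// Added example: AES-256-GCM with a random IV and an authentication tag.
// Constructed values throughout; no code from the answers above.

const CIPHER = 'aes-256-gcm';
const TAG_LEN = 16;

function encryptAead(string $key, string $plaintext, string $aad = ''): string
{
    // A fresh random IV per message (12 bytes for GCM); never reuse an IV with the same key.
    $iv  = random_bytes(openssl_cipher_iv_length(CIPHER));
    $tag = '';
    $ct  = openssl_encrypt($plaintext, CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag, $aad, TAG_LEN);
    if ($ct === false) {
        throw new RuntimeException('encryption failed: ' . openssl_error_string());
    }
    // Pack iv || tag || ciphertext. IV and tag are not secret; only the key is.
    return base64_encode($iv . $tag . $ct);
}

function decryptAead(string $key, string $encoded, string $aad = ''): ?string
{
    $raw   = base64_decode($encoded, true);
    $ivLen = openssl_cipher_iv_length(CIPHER);
    if ($raw === false || strlen($raw) < $ivLen + TAG_LEN) {
        return null; // malformed or truncated input
    }
    $iv  = substr($raw, 0, $ivLen);
    $tag = substr($raw, $ivLen, TAG_LEN);
    $ct  = substr($raw, $ivLen + TAG_LEN);
    // openssl_decrypt() returns false when the GCM tag does not verify (wrong key, AAD or modified data).
    $pt = openssl_decrypt($ct, CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag, $aad);
    return $pt === false ? null : $pt;
}

// Constructed sample usage.
$key   = random_bytes(32);                   // 256-bit key from a CSPRNG, kept server-side only
$token = encryptAead($key, 'uid=42', 'v1');  // the AAD binds the ciphertext to a context label

var_dump(decryptAead($key, $token, 'v1'));   // round-trips the plaintext
var_dump(decryptAead($key, $token, 'v2'));   // AAD mismatch: authentication fails

// Flip one bit of the ciphertext: the tag no longer verifies and decryption fails.
$tampered = base64_decode($token, true);
$last = strlen($tampered) - 1;
$tampered[$last] = chr(ord($tampered[$last]) ^ 0x01);
var_dump(decryptAead($key, base64_encode($tampered), 'v1'));
```

The same key must be kept out of the URL and the database row it protects; the IV and tag can travel with the ciphertext.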