Two-way encryption in PHP

Accepted answer
Score: 106

PHP 5.3 has introduced a new encryption method that is really easy to use: openssl_encrypt and openssl_decrypt. It's not well-documented here, so here's a simple example:

$textToEncrypt = "My super secret information.";
$encryptionMethod = "AES-256-CBC";  // AES is used by the U.S. gov't to encrypt top secret documents.
$secretHash = "25c6c7ff35b9979b151f2136cd13b0ff";  // Passed straight through as the key (32 bytes of hex characters).

// To encrypt. No $iv argument is given, so on PHP 5.3.3+ this emits the
// "empty Initialization Vector" warning quoted in the update below.
// The return value is base64-encoded unless OPENSSL_RAW_DATA is requested.
$encryptedMessage = openssl_encrypt($textToEncrypt, $encryptionMethod, $secretHash);

// To decrypt: the same method and key (and, from 5.3.3 on, the same IV) must be supplied.
$decryptedMessage = openssl_decrypt($encryptedMessage, $encryptionMethod, $secretHash);

// Result
echo "Encrypted: $encryptedMessage <br>Decrypted: $decryptedMessage";

I chose 256-AES because it's solid and fast. It's been adopted by the U.S. gov't to encrypt top secret documents. It's fast considering machine and software. Here's a list of available encryption methods:

AES-128-CBC, AES-128-CFB, AES-128-CFB1, AES-128-CFB8, AES-128-ECB, AES-128-OFB, AES-192-CBC, AES-192-CFB, AES-192-CFB1, AES-192-CFB8, AES-192-ECB, AES-192-OFB, AES-256-CBC, AES-256-CFB, AES-256-CFB1, AES-256-CFB8, AES-256-ECB, AES-256-OFB, BF-CBC, BF-CFB, BF-ECB, BF-OFB, CAMELLIA-128-CBC, CAMELLIA-128-CFB, CAMELLIA-128-CFB1, CAMELLIA-128-CFB8, CAMELLIA-128-ECB, CAMELLIA-128-OFB, CAMELLIA-192-CBC, CAMELLIA-192-CFB, CAMELLIA-192-CFB1, CAMELLIA-192-CFB8, CAMELLIA-192-ECB, CAMELLIA-192-OFB, CAMELLIA-256-CBC, CAMELLIA-256-CFB, CAMELLIA-256-CFB1, CAMELLIA-256-CFB8, CAMELLIA-256-ECB, CAMELLIA-256-OFB, CAST5-CBC, CAST5-CFB, CAST5-ECB, CAST5-OFB, DES-CBC, DES-CFB, DES-CFB1, DES-CFB8, DES-ECB, DES-EDE, DES-EDE-CBC, DES-EDE-CFB, DES-EDE-OFB, DES-EDE3, DES-EDE3-CBC, DES-EDE3-CFB, DES-EDE3-CFB1, DES-EDE3-CFB8, DES-EDE3-OFB, DES-OFB, DESX-CBC, RC2-40-CBC, RC2-64-CBC, RC2-CBC, RC2-CFB, RC2-ECB, RC2-OFB, RC4, RC4-40, SEED-CBC, SEED-CFB, SEED-ECB, SEED-OFB, aes-128-cbc, aes-128-cfb, aes-128-cfb1, aes-128-cfb8, aes-128-ecb, aes-128-ofb, aes-192-cbc, aes-192-cfb, aes-192-cfb1, aes-192-cfb8, aes-192-ecb, aes-192-ofb, aes-256-cbc, aes-256-cfb, aes-256-cfb1, aes-256-cfb8, aes-256-ecb, aes-256-ofb, bf-cbc, bf-cfb, bf-ecb, bf-ofb, camellia-128-cbc, camellia-128-cfb, camellia-128-cfb1, camellia-128-cfb8, camellia-128-ecb, camellia-128-ofb, camellia-192-cbc, camellia-192-cfb, camellia-192-cfb1, camellia-192-cfb8, camellia-192-ecb, camellia-192-ofb, camellia-256-cbc, camellia-256-cfb, camellia-256-cfb1, camellia-256-cfb8, camellia-256-ecb, camellia-256-ofb, cast5-cbc, cast5-cfb, cast5-ecb, cast5-ofb, des-cbc, des-cfb, des-cfb1, des-cfb8, des-ecb, des-ede, des-ede-cbc, des-ede-cfb, des-ede-ofb, des-ede3, des-ede3-cbc, des-ede3-cfb, des-ede3-cfb1, des-ede3-cfb8, des-ede3-ofb, des-ofb, desx-cbc, rc2-40-cbc, rc2-64-cbc, rc2-cbc, rc2-cfb, rc2-ecb, rc2-ofb, rc4, rc4-40, seed-cbc, seed-cfb, seed-ecb, seed-ofb


IMPORTANT UPDATE!!!

Thanks Hobo and Jorwin for pointing out that in PHP 5.3.3 and later there is a new parameter that makes this function a little more secure.

Jorwin referenced this link in his comment, and here is an excerpt that is applicable:

In 5.3.3 they added a new parameter, string $iv (initialization vector). Real parameters are: string openssl_encrypt ( string $data , string $method , string $password, bool $raw_output = false, string $iv )

If $iv is missing, a warning is issued: "Using an empty Initialization Vector (iv) is potentially insecure and not recommended".

If $iv is too short, another warning: "IV passed is only 3 bytes long, cipher expects an IV of precisely 8 bytes, padding with \0".

The same IV should be used in openssl_decrypt().
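An added example, not the accepted answer's own code, showing the $iv parameter from the update in use: openssl_cipher_iv_length() gives the exact IV size the cipher expects (so the "padding with \0" warning never fires), random_bytes() supplies a fresh IV for every message, and the IV is stored in front of the ciphertext so openssl_decrypt() receives the same one. The function names, the key bytes and the message are constructed for this example; random_bytes() needs PHP 7.0+. Note that CBC alone still provides no integrity check, which is the point later answers on this page make.

```php
<?php
// Added example: openssl_encrypt/openssl_decrypt with a random IV per message.
// Key and plaintext below are constructed for the example. Requires PHP 7.0+.

const CIPHER = 'AES-256-CBC';

// 32 raw key bytes (256 bits). Constructed here; never hard-code a real key in source.
$key = hex2bin('25c6c7ff35b9979b151f2136cd13b0ff25c6c7ff35b9979b151f2136cd13b0ff');

/**
 * Encrypt $plaintext under $key. A new IV is drawn on every call and prepended
 * to the ciphertext so the decryptor can recover it. The IV is not secret, but
 * it must never repeat for the same key, which a fixed or empty IV cannot give you.
 */
function encryptWithIv(string $plaintext, string $key): string
{
    $ivLength = openssl_cipher_iv_length(CIPHER);   // 16 bytes for AES in CBC mode
    $iv = random_bytes($ivLength);                   // CSPRNG
    $ciphertext = openssl_encrypt($plaintext, CIPHER, $key, OPENSSL_RAW_DATA, $iv);
    if ($ciphertext === false) {
        throw new RuntimeException('openssl_encrypt failed: ' . openssl_error_string());
    }
    return base64_encode($iv . $ciphertext);
}

/** Split off the IV stored by encryptWithIv() and decrypt the remainder. */
function decryptWithIv(string $encoded, string $key): string
{
    $raw = base64_decode($encoded, true);
    $ivLength = openssl_cipher_iv_length(CIPHER);
    if ($raw === false || strlen($raw) < $ivLength) {
        throw new RuntimeException('malformed input');
    }
    $iv = substr($raw, 0, $ivLength);
    $ciphertext = substr($raw, $ivLength);
    $plaintext = openssl_decrypt($ciphertext, CIPHER, $key, OPENSSL_RAW_DATA, $iv);
    if ($plaintext === false) {
        throw new RuntimeException('openssl_decrypt failed: ' . openssl_error_string());
    }
    return $plaintext;
}

$message = 'My super secret information.';
$first  = encryptWithIv($message, $key);
$second = encryptWithIv($message, $key);

echo "First:  $first\nSecond: $second\n";

// Same plaintext and key, different IV: the ciphertexts differ, yet both decrypt.
if ($first === $second) {
    throw new LogicException('IV was reused');
}
if (decryptWithIv($first, $key) !== $message || decryptWithIv($second, $key) !== $message) {
    throw new LogicException('round trip failed');
}
echo "Both ciphertexts decrypt to the original message.\n";
```

Whoever decrypts needs only the key: the IV is read back out of the stored value, so there is no separate IV to keep in sync between openssl_encrypt() and openssl_decrypt().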

Score: 30

You don't need two-way encryption - encryption is for maintaining secrecy, but what you're really looking for here is authenticity.

HMACs (essentially, keyed hashes) are one way of getting cryptographic authenticity. Accompany the UID with a HMAC of the UID (PHP has a HMAC implementation), using a key that only the server knows. At the start of each request, check the HMAC.

Basically, use the right tool for the right job.
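The scheme this answer describes, written out as an added example (not the answerer's code): the UID travels in the clear together with an HMAC computed with a key only the server knows, and each request re-computes and compares the tag. hash_hmac() is PHP's HMAC implementation; hash_equals() does the comparison in constant time. The key, the UID and the function names are constructed for the example; hash_equals() needs PHP 5.6+, and the type declarations used here need PHP 7.0+.

```php
<?php
// Added example: authenticating a UID carried in a URL with an HMAC.
// Server key and UID are constructed for the example.

// 32 random bytes generated once and kept server-side (environment variable,
// secret store), never in the repository. Constructed here.
$serverKey = hex2bin('0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c4b5a69788796a5b4c3d2e1f0');

/** Build the URL value "<uid>.<hmac>"; the MAC is hex-encoded HMAC-SHA256 over the UID. */
function signUid(string $uid, string $key): string
{
    return $uid . '.' . hash_hmac('sha256', $uid, $key);
}

/**
 * Check a "<uid>.<hmac>" value from the request. Returns the UID when the tag
 * verifies, null otherwise. The split is on the last '.', since a hex MAC
 * never contains one. hash_equals() runs in constant time, so the comparison
 * does not reveal how many leading characters of a forged tag were right.
 */
function verifyUid(string $token, string $key): ?string
{
    $dot = strrpos($token, '.');
    if ($dot === false) {
        return null;
    }
    $uid = substr($token, 0, $dot);
    $mac = substr($token, $dot + 1);
    $expected = hash_hmac('sha256', $uid, $key);
    return hash_equals($expected, $mac) ? $uid : null;
}

$token = signUid('1042', $serverKey);
echo "URL parameter: $token\n";

// Genuine value: verifyUid() returns the UID.
var_dump(verifyUid($token, $serverKey));

// UID altered without the key: the stored MAC no longer matches, so null.
$tampered = '7' . substr($token, 1);
var_dump(verifyUid($tampered, $serverKey));

// Token computed with a different key: also null.
var_dump(verifyUid(signUid('1042', 'not-the-server-key'), $serverKey));
```

The UID is visible to the user; the HMAC only guarantees that the server issued that exact value. If the value itself must stay hidden, encryption is needed in addition to, not instead of, the MAC.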

Score: 3

While PHP supports many two way hashing algorithms, I do not see it being useful in this example. What you need to do is:

  1. Load the row from storage by the provided id
  2. Check that the owner of the row is the authenticated user and if not throw an exception and inform the user not to do that again

But if your heart is set on hashing, just pick one of the algorithms provided.

Score: 2

For two-way encryption check mcrypt, or, if you prefer a pure implementation, phpseclib.

Score: 0

First, encrypting URL parameters is usually a bad idea, and a separate lookup (based on an index CHAR column generated by a CSPRNG) is better for 99.9% of use cases.

With that said: Yes, you can use the OpenSSL extension (don't use mcrypt) to encrypt the data like espradley suggested; however, I would caution you not to stop at mere encryption.

Encryption without message authentication is dangerous, especially if you're trusting an end-user with the ciphertext.

The solution, therefore, is to use authenticated encryption, which can be easily accessed with libsodium, available on PECL.

If you cannot for whatever reason install a PECL extension, there are two PHP libraries to choose from: defuse/php-encryption and zend-crypt. They both offer standards-compliant authenticated encryption and they're both safe to use (for what it's worth, I frequently perform code audits for cryptography implementations in PHP; I'm not merely some random person on the internet).
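An added example that serves two of the answers above, and is not code from either answerer: the "separate lookup" keyed by a CSPRNG-generated CHAR column that this answer recommends, combined with the load-the-row-and-check-the-owner procedure from the earlier answer. It runs against an in-memory SQLite database through PDO so it works stand-alone; the table layout, rows, user ids and function names are constructed for the example. Requires PHP 7.0+ (random_bytes) with the pdo_sqlite extension.

```php
<?php
// Added example: a random public token in the URL instead of an encrypted id,
// resolved with an ownership check in the same query. Schema and data constructed.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE documents (
    id           INTEGER PRIMARY KEY,
    owner_id     INTEGER NOT NULL,
    public_token CHAR(32) NOT NULL UNIQUE,
    title        TEXT NOT NULL
)');

/** 128 bits from the CSPRNG, hex-encoded: unguessable and revealing nothing about the row. */
function newPublicToken(): string
{
    return bin2hex(random_bytes(16));
}

/** Insert a row and return the token that identifies it externally. */
function createDocument(PDO $pdo, int $ownerId, string $title): string
{
    $token = newPublicToken();
    $stmt = $pdo->prepare('INSERT INTO documents (owner_id, public_token, title) VALUES (?, ?, ?)');
    $stmt->execute([$ownerId, $token, $title]);
    return $token;
}

/**
 * Resolve a token from the URL to a row owned by the authenticated user.
 * Ownership is part of the WHERE clause, so a valid token that belongs to
 * someone else is indistinguishable from an unknown token.
 */
function loadOwnedDocument(PDO $pdo, string $token, int $authenticatedUserId): array
{
    if (strlen($token) !== 32 || !ctype_xdigit($token)) {
        throw new InvalidArgumentException('malformed token');
    }
    $stmt = $pdo->prepare(
        'SELECT id, owner_id, title FROM documents WHERE public_token = ? AND owner_id = ?'
    );
    $stmt->execute([$token, $authenticatedUserId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        // Worth logging: repeated misses from one session are a useful alert signal.
        throw new RuntimeException('document not found or not owned by the current user');
    }
    return $row;
}

$aliceToken = createDocument($pdo, 1, "Alice's report");
$bobToken   = createDocument($pdo, 2, "Bob's report");
echo "URL for Alice: /doc?t=$aliceToken\n";

// Alice (user 1) opens her own document.
print_r(loadOwnedDocument($pdo, $aliceToken, 1));

// Alice presents Bob's token: rejected although the token itself exists.
try {
    loadOwnedDocument($pdo, $bobToken, 1);
} catch (RuntimeException $e) {
    echo 'Rejected: ', $e->getMessage(), "\n";
}
```

Nothing in the URL needs to be decrypted or verified cryptographically here: the token is a random lookup key, and the authorization decision rests on the session's user id and the owner_id column rather than on anything the client sent.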

Score: 0

In PHP, encryption and decryption of a string is possible using one of the Cryptography Extensions, OpenSSL, which provides functions to encrypt and decrypt.

openssl_encrypt() Function: The openssl_encrypt() function is used to encrypt the data.

Syntax is as follows:

string openssl_encrypt( string $data, string $method, string $key, $options = 0, string $iv, string $tag = NULL, string $aad, int $tag_length = 16 )

Parameters are as follows:

$data: It holds the string or data which needs to be encrypted.

$method: The cipher method is adopted using the openssl_get_cipher_methods() function.

$key: It holds the encryption key.

$options: It holds the bitwise disjunction of the flags OPENSSL_RAW_DATA and OPENSSL_ZERO_PADDING.

$iv: It holds the initialization vector which is not NULL.

$tag: It holds the authentication tag which is passed by reference when using AEAD cipher mode (GCM or CCM).

$aad: It holds the additional authentication data.

$tag_length: It holds the length of the authentication tag. The length of the authentication tag lies between 4 and 16 for GCM mode.

Return Value: It returns the encrypted string on success or FALSE on failure.

openssl_decrypt() Function: The openssl_decrypt() function is used to decrypt the data.

Syntax is as follows:

string openssl_decrypt( string $data, string $method, string $key, int $options = 0, string $iv, string $tag, string $aad )

Parameters are as follows:

$data: It holds the string or data which needs to be encrypted.

$method: The cipher method is adopted using the openssl_get_cipher_methods() function.

$key: It holds the encryption key.

$options: It holds the bitwise disjunction of the flags OPENSSL_RAW_DATA and OPENSSL_ZERO_PADDING.

$iv: It holds the initialization vector which is not NULL.

$tag: It holds the authentication tag using AEAD cipher mode (GCM or CCM). When authentication fails openssl_decrypt() returns FALSE.

$aad: It holds the additional authentication data.

Return Value: It returns the decrypted string on success or FALSE on failure.

Approach: First declare a string and store it in a variable, then use the openssl_encrypt() function to encrypt the given string and the openssl_decrypt() function to decrypt the given string.

You can find the examples at: https://www.geeksforgeeks.org/how-to-encrypt-and-decrypt-a-php-string/
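The $tag and $aad parameters listed above, exercised in an added example that is not part of this answer or the linked article: AES-256-GCM is an AEAD mode, so openssl_encrypt() fills in the authentication tag and openssl_decrypt() returns FALSE whenever the ciphertext, the tag or the additional authenticated data has been changed. The key, the context strings and the function names are constructed for the example; the AEAD parameters need PHP 7.1+.

```php
<?php
// Added example: openssl_encrypt/openssl_decrypt with an AEAD cipher (AES-256-GCM),
// showing the $tag and $aad parameters. Key and inputs constructed. Requires PHP 7.1+.

const AEAD_CIPHER = 'aes-256-gcm';
const TAG_LENGTH  = 16;   // bytes; the largest tag GCM offers

// 32 raw key bytes. Constructed here; in practice random_bytes(32) kept in a secret store.
$key = hex2bin('000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f');

/**
 * Returns base64( nonce || tag || ciphertext ). $aad is authenticated but not
 * encrypted: it binds the ciphertext to a context (here a user id), so the same
 * value cannot be presented under a different context without failing the tag check.
 */
function aeadEncrypt(string $plaintext, string $key, string $aad): string
{
    $nonce = random_bytes(openssl_cipher_iv_length(AEAD_CIPHER));  // 12 bytes for GCM; never reuse with one key
    $tag = '';                                                     // filled in by reference
    $ciphertext = openssl_encrypt($plaintext, AEAD_CIPHER, $key, OPENSSL_RAW_DATA, $nonce, $tag, $aad, TAG_LENGTH);
    if ($ciphertext === false) {
        throw new RuntimeException('openssl_encrypt failed: ' . openssl_error_string());
    }
    return base64_encode($nonce . $tag . $ciphertext);
}

/** Returns the plaintext, or null when openssl_decrypt() reports a failed tag check. */
function aeadDecrypt(string $encoded, string $key, string $aad): ?string
{
    $raw = base64_decode($encoded, true);
    $nonceLength = openssl_cipher_iv_length(AEAD_CIPHER);
    if ($raw === false || strlen($raw) < $nonceLength + TAG_LENGTH) {
        return null;
    }
    $nonce      = substr($raw, 0, $nonceLength);
    $tag        = substr($raw, $nonceLength, TAG_LENGTH);
    $ciphertext = substr($raw, $nonceLength + TAG_LENGTH);
    $plaintext  = openssl_decrypt($ciphertext, AEAD_CIPHER, $key, OPENSSL_RAW_DATA, $nonce, $tag, $aad);
    return $plaintext === false ? null : $plaintext;
}

$token = aeadEncrypt('row-id:1042', $key, 'user:7');
echo "Token: $token\n";

// Untouched token, matching context: the plaintext comes back.
var_dump(aeadDecrypt($token, $key, 'user:7'));

// Same token under another user's context: tag verification fails, null.
var_dump(aeadDecrypt($token, $key, 'user:8'));

// One ciphertext byte flipped: tag verification fails, and no garbled plaintext is returned.
$raw = base64_decode($token);
$raw[strlen($raw) - 1] = $raw[strlen($raw) - 1] ^ "\x01";
var_dump(aeadDecrypt(base64_encode($raw), $key, 'user:7'));
```

The decrypt side deliberately collapses every failure into null: distinguishing "bad tag" from "bad padding" or "bad length" in the response is what gives an attacker an oracle, so the caller sees only success or rejection.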
