The MCrypt Package - PHP

MCrypt is a popular data-encryption package available for use with PHP, providing support for two-way encryption (i.e., encryption and decryption). Before you can use it, you need to follow these installation instructions:

1. Go to http://mcrypt.sourceforge.net/ and download the package source. 
    
2. Extract the contents of the compressed distribution and follow the installation instructions as specified in the INSTALL document. 
    
3. Compile PHP with the --with-mcrypt option.

MCrypt supports a number of encryption algorithms, all of which are listed here:

1. ARCFOUR 
    
2. ARCFOUR_IV 
    
3. BLOWFISH 
    
4. CAST 
    
5. CRYPT 
    
6. DES 
    
7. ENIGMA 
    
8. GOST 
    
9. IDEA 
    
10. LOKI97 
     
11. MARS 
     
12. PANAMA 
     
13. RC (2, 4) 
     
14. RC6 (128, 192, 256) 
     
15. RIJNDAEL (128, 192, 256) 
     
16. SAFER (64, 128, and PLUS) 
     
17. SERPENT (128, 192, and 256) 
     
18. SKIPJACK 
     
19. TEAN 
     
20. THREEWAY 
     
21. 3DES 
     
22. TWOFISH (128, 192, and 256) 
     
23. WAKE 
     
24. XTEA

This section introduces just a sample of the more than 35 functions made available via this PHP extension. For a complete introduction, consult the PHP manual.

Encrypting Data with MCrypt

The mcrypt_encrypt() function encrypts the provided data, returning the encrypted result. The prototype follows:

string mcrypt_encrypt(string cipher, string key, string data,
                      string mode [, string iv])

The provided cipher names the particular encryption algorithm, and the parameter key determines the key used to encrypt the data. The mode parameter specifies one of the six available encryption modes: electronic codebook, cipher block chaining, cipher feedback, 8-bit output feedback, N-bit output feedback, and a special stream mode. Each is referenced by an abbreviation: ecb , cbc , cfb , ofb , nofb , and stream , respectively. Finally, the iv parameter initializes cbc , cfb , ofb , and certain algorithms used in stream mode. Consider an example:

<?php
    $ivs = mcrypt_get_iv_size(MCRYPT_DES, MCRYPT_MODE_CBC);
    $iv = mcrypt_create_iv($ivs, MCRYPT_RAND);
    $key = "F925T";
    $message = "This is the message I want to encrypt.";
    $enc = mcrypt_encrypt(MCRYPT_DES, $key, $message, MCRYPT_MODE_CBC, $iv);
    echo bin2hex($enc);
?>

This returns the following:

--------------------------------------------
f5d8b337f27e251c25f6a17c74f93c5e9a8a21b91f2b
1b0151e649232b486c93b36af467914bc7d8
--------------------------------------------

You can then decrypt the text with the mcrypt_decrypt() function, introduced next.

Decrypting Data with MCrypt

The mcrypt_decrypt() function decrypts a previously encrypted cipher, provided that the cipher, key, and mode are the same as those used to encrypt the data. Its prototype follows:

string mcrypt_decrypt(string cipher, string key, string data,
                      string mode [, string iv])

Go ahead and insert the following line into the previous example, directly after the last statement:

echo mcrypt_decrypt(MCRYPT_DES, $key, $enc, MCRYPT_MODE_CBC, $iv);

This returns the following:

--------------------------------------------
This is the message I want to encrypt.
--------------------------------------------

The methods in this section are only those that are in some way incorporated into the PHP extension set. However, you are not limited to these encryption/hashing solutions. Keep in mind that you can use functions such as popen() or exec() with any of your favorite third-party encryption technologies, for example, PGP ( http://www.pgpi.org/ ) or GPG ( http://www.gnupg.org/ ).

Summary

Hopefully the material presented in this chapter provided you with a few important tips and, more importantly, got you thinking about the many attack vectors that your application and server face. However, it’s important to understand that the topics described in this section are but a tiny sliver of the total security pie. If you’re new to the subject, take some time to learn more about some of the more prominent security-related Web sites.

Regardless of your prior experience, you need to devise a strategy for staying abreast of breaking security news. Subscribing to the newsletters both from the more prevalent security-focused Web sites and from the product developers may be the best way to do so. However, your strategic preference is somewhat irrelevant; what is important is that you have a strategy and stick to it, lest your castle be conquered.