
The MCrypt Package - PHP

In this conclusion to a three-part series on secure PHP programming, you'll learn how to validate inputs, handle hashing, use the MCrypt package, and more. This article is excerpted from chapter 21 of the book Beginning PHP and Oracle: From Novice to Professional, written by W. Jason Gilmore and Bob Bryla (Apress; ISBN: 1590597702).

TABLE OF CONTENTS:
  1. Secure Encrypting and Decrypting for Your PHP Website
  2. Taking Advantage of PEAR: Validate
  3. Data Encryption
  4. The MCrypt Package
By: Apress Publishing
August 26, 2010

MCrypt is a popular data-encryption package available for use with PHP, providing support for two-way encryption (i.e., encryption and decryption). Before you can use it, you need to follow these installation instructions:

  1. Go to http://mcrypt.sourceforge.net/ and download the package source.
  2. Extract the contents of the compressed distribution and follow the installation instructions as specified in the INSTALL document.
  3. Compile PHP with the --with-mcrypt option.

MCrypt supports a number of encryption algorithms, all of which are listed here:

  1. ARCFOUR
  2. ARCFOUR_IV
  3. BLOWFISH
  4. CAST
  5. CRYPT
  6. DES
  7. ENIGMA
  8. GOST
  9. IDEA
  10. LOKI97
  11. MARS
  12. PANAMA
  13. RC (2, 4)
  14. RC6 (128, 192, 256)
  15. RIJNDAEL (128, 192, 256)
  16. SAFER (64, 128, and PLUS)
  17. SERPENT (128, 192, and 256)
  18. SKIPJACK
  19. TEAN
  20. THREEWAY
  21. 3DES
  22. TWOFISH (128, 192, and 256)
  23. WAKE
  24. XTEA

This section introduces just a sample of the more than 35 functions made available via this PHP extension. For a complete introduction, consult the PHP manual.

Encrypting Data with MCrypt

The mcrypt_encrypt() function encrypts the provided data, returning the encrypted result. The prototype follows:

string mcrypt_encrypt(string cipher, string key, string data,
                      string mode [, string iv])

The provided cipher names the particular encryption algorithm, and the parameter key determines the key used to encrypt the data. The mode parameter specifies one of the six available encryption modes: electronic codebook, cipher block chaining, cipher feedback, 8-bit output feedback, N-bit output feedback, and a special stream mode. Each is referenced by an abbreviation: ecb, cbc, cfb, ofb, nofb, and stream, respectively. Finally, the iv parameter initializes cbc, cfb, ofb, and certain algorithms used in stream mode. Consider an example:

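<?php
// Size of the IV that DES in CBC mode expects
$ivs = mcrypt_get_iv_size(MCRYPT_DES, MCRYPT_MODE_CBC);

// Random IV; MCRYPT_DEV_URANDOM draws from the OS generator, unlike MCRYPT_RAND
$iv = mcrypt_create_iv($ivs, MCRYPT_DEV_URANDOM);

// DES needs an 8-byte key. Older PHP padded short keys with NUL bytes;
// PHP 5.6+ rejects them, so pad explicitly to keep the example working.
$key = str_pad("F925T", 8, "\0");

$message = "This is the message I want to encrypt.";

$enc = mcrypt_encrypt(MCRYPT_DES, $key, $message, MCRYPT_MODE_CBC, $iv);

// The ciphertext is binary, so print it as hex
echo bin2hex($enc);
?>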

This returns output similar to the following; because the IV is generated randomly, the hex string differs on every run:

--------------------------------------------
f5d8b337f27e251c25f6a17c74f93c5e9a8a21b91f2b
1b0151e649232b486c93b36af467914bc7d8
--------------------------------------------

You can then decrypt the text with the mcrypt_decrypt() function, introduced next.

Decrypting Data with MCrypt

The mcrypt_decrypt() function decrypts previously encrypted data, provided that the cipher, key, and mode (and, where the mode uses one, the IV) are the same as those used to encrypt the data. Its prototype follows:

string mcrypt_decrypt(string cipher, string key, string data,
                      string mode [, string iv])

Go ahead and insert the following line into the previous example, directly after the last statement:

// mcrypt pads the last block with NUL bytes; strip them from the result
echo rtrim(mcrypt_decrypt(MCRYPT_DES, $key, $enc, MCRYPT_MODE_CBC, $iv), "\0");

This returns the following:

--------------------------------------------
This is the message I want to encrypt.
--------------------------------------------
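
Added example, not from the book: the mcrypt extension was deprecated in PHP 7.1 and removed from core in PHP 7.2, so the same encrypt/decrypt round trip is shown here with ext/openssl, swapping DES-CBC for AES-256-GCM so that a modified message is rejected on decryption. The helper names encryptMessage() and decryptMessage() and the IV || tag || ciphertext layout are assumptions of this example.

```php
<?php
// Added example (not from the book). Requires PHP 7.1+ with ext/openssl.
// encryptMessage()/decryptMessage() and the blob layout are hypothetical.
const CIPHER  = 'aes-256-gcm';
const TAG_LEN = 16;

function encryptMessage(string $plaintext, string $key): string
{
    // Fresh random IV per message; it is not secret and travels with the data.
    $iv  = random_bytes(openssl_cipher_iv_length(CIPHER));
    $tag = '';
    $ct  = openssl_encrypt($plaintext, CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag, '', TAG_LEN);
    if ($ct === false) {
        throw new RuntimeException('Encryption failed');
    }
    return $iv . $tag . $ct; // layout: IV || tag || ciphertext
}

function decryptMessage(string $blob, string $key): string
{
    $ivLen = openssl_cipher_iv_length(CIPHER);
    if (strlen($blob) < $ivLen + TAG_LEN) {
        throw new RuntimeException('Message too short');
    }
    $iv  = substr($blob, 0, $ivLen);
    $tag = substr($blob, $ivLen, TAG_LEN);
    $ct  = substr($blob, $ivLen + TAG_LEN);
    // Returns false if the key is wrong or any byte of the blob was altered.
    $pt = openssl_decrypt($ct, CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($pt === false) {
        throw new RuntimeException('Authentication failed');
    }
    return $pt;
}

$key  = random_bytes(32); // constructed sample key: 256 random bits
$blob = encryptMessage('This is the message I want to encrypt.', $key);
echo bin2hex($blob), PHP_EOL;
echo decryptMessage($blob, $key), PHP_EOL;

// Flip one bit of the ciphertext: decryption must refuse it.
$tampered = $blob;
$last = strlen($tampered) - 1;
$tampered[$last] = chr(ord($tampered[$last]) ^ 1);
try {
    decryptMessage($tampered, $key);
} catch (RuntimeException $e) {
    echo 'Tampered message rejected: ', $e->getMessage(), PHP_EOL;
}
```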

The methods in this section are only those that are in some way incorporated into the PHP extension set. However, you are not limited to these encryption/hashing solutions. Keep in mind that you can use functions such as popen() or exec() with any of your favorite third-party encryption technologies, for example, PGP (http://www.pgpi.org/) or GPG (http://www.gnupg.org/).

Summary

Hopefully the material presented in this chapter provided you with a few important tips and, more importantly, got you thinking about the many attack vectors that your application and server face. However, it’s important to understand that the topics described in this section are but a tiny sliver of the total security pie. If you’re new to the subject, take some time to learn more about some of the more prominent security-related Web sites.

Regardless of your prior experience, you need to devise a strategy for staying abreast of breaking security news. Subscribing to the newsletters both from the more prevalent security-focused Web sites and from the product developers may be the best way to do so. However, your strategic preference is somewhat irrelevant; what is important is that you have a strategy and stick to it, lest your castle be conquered.  



 
 