Home >Backend Development >PHP Tutorial >How Can I Implement Simple Two-Way Encryption in PHP Using OpenSSL?
How Can I Implement Simple Two-Way Encryption in PHP Using OpenSSL?
- Barbara StreisandOriginal
- 2024-12-13 04:49:13320browse
Simplest Two-Way Encryption in PHP
Important Note:
Before proceeding, it's crucial to emphasize that this article aims to provide a simplified understanding of unauthenticated encryption. For robust data protection, always consider using industry-standard authenticated encryption libraries or bcrypt/argon2 for password storage.
Native Cryptographic Methods
If using PHP 5.4 or later, consider employing the openssl_* functions for cryptographic operations. These offer robust encryption functionalities with native support.
Simple Encryption and Decryption
OpenSSL's openssl_encrypt() and openssl_decrypt() functions provide an accessible way to encrypt and decrypt data. The recommended encryption algorithm is AES-CTR in its 128, 192, or 256-bit variants.
Caution: Avoid using mcrypt due to its deprecation and potential security risks.
Simple Encryption/Decryption Wrapper
To simplify the encryption and decryption process, you can utilize the following wrapper class:
class UnsafeCrypto
{
// Encryption method (CTR mode)
const METHOD = 'aes-256-ctr';
/**
* Encrypts data using the specified key.
*
* @param string $message Plaintext message
* @param string $key Encryption key
* @param bool $encode Whether to encode the result
*
* @return string Ciphertext
*/
public static function encrypt($message, $key, $encode = false)
{
// Generate random IV
$ivSize = openssl_cipher_iv_length(self::METHOD);
$iv = openssl_random_pseudo_bytes($ivSize);
// Encrypt using OpenSSL
$ciphertext = openssl_encrypt($message, self::METHOD, $key, OPENSSL_RAW_DATA, $iv);
// Concatenate IV and ciphertext
if ($encode) {
return base64_encode($iv . $ciphertext);
}
return $iv . $ciphertext;
}
/**
* Decrypts data using the specified key.
*
* @param string $message Ciphertext
* @param string $key Encryption key
* @param bool $encoded Whether the message is encoded
*
* @return string Decrypted message
*/
public static function decrypt($message, $key, $encoded = false)
{
if ($encoded) {
$message = base64_decode($message, true);
if ($message === false) {
throw new Exception('Encryption failure');
}
}
// Extract IV and ciphertext
$ivSize = openssl_cipher_iv_length(self::METHOD);
$iv = substr($message, 0, $ivSize);
$ciphertext = substr($message, $ivSize);
// Decrypt using OpenSSL
$plaintext = openssl_decrypt($ciphertext, self::METHOD, $key, OPENSSL_RAW_DATA, $iv);
return $plaintext;
}
}
Authenticated Encryption
The above approach only provides encryption, leaving data vulnerable to tampering. To address this, implement an authenticated encryption scheme:
class SaferCrypto extends UnsafeCrypto
{
// MAC algorithm
const HASH_ALGO = 'sha256';
/**
* Encrypts and authenticates data using the specified key.
*
* @param string $message Plaintext message
* @param string $key Encryption key
* @param bool $encode Whether to encode the result
*
* @return string Encrypted and authenticated data
*/
public static function encrypt($message, $key, $encode = false)
{
// Split key into encryption and authentication keys
list($encKey, $authKey) = self::splitKeys($key);
// Encrypt using UnsafeCrypto::encrypt
$ciphertext = parent::encrypt($message, $encKey);
// Calculate MAC
$mac = hash_hmac(self::HASH_ALGO, $ciphertext, $authKey, true);
// Concatenate MAC and ciphertext
if ($encode) {
return base64_encode($mac . $ciphertext);
}
return $mac . $ciphertext;
}
/**
* Decrypts and authenticates data using the specified key.
*
* @param string $message Encrypted and authenticated data
* @param string $key Encryption key
* @param bool $encoded Whether the message is encoded
*
* @throws Exception
*
* @return string Decrypted message
*/
public static function decrypt($message, $key, $encoded = false)
{
// Split key
list($encKey, $authKey) = self::splitKeys($key);
// Decode message if necessary
if ($encoded) {
$message = base64_decode($message, true);
if ($message === false) {
throw new Exception('Encryption failure');
}
}
// Extract MAC and ciphertext
$hs = strlen(hash(self::HASH_ALGO, '', true), '8bit');
$mac = substr($message, 0, $hs);
$ciphertext = substr($message, $hs);
// Calculate expected MAC
$expectedMac = hash_hmac(self::HASH_ALGO, $ciphertext, $authKey, true);
// Verify MAC
if (!self::hashEquals($mac, $expectedMac)) {
throw new Exception('Encryption failure');
}
// Decrypt message using UnsafeCrypto::decrypt
$plaintext = parent::decrypt($ciphertext, $encKey);
return $plaintext;
}
/**
* Splits a key into two separate keys for encryption and authentication.
*
* @param string $masterKey Master key
*
* @return string[] Array of encryption and authentication keys
*/
protected static function splitKeys($masterKey)
{
return [
hash_hmac(self::HASH_ALGO, 'ENCRYPTION', $masterKey, true),
hash_hmac(self::HASH_ALGO, 'AUTHENTICATION', $masterKey, true)
];
}
/**
* Compares two strings without leaking timing information
* (PHP 7+).
*
* @param string $a
* @param string $b
*
* @return bool
*/
protected static function hashEquals($a, $b)
{
if (function_exists('hash_equals')) {
return hash_equals($a, $b);
}
$nonce = openssl_random_pseudo_bytes(32);
return hash_hmac(self::HASH_ALGO, $a, $nonce) === hash_hmac(self::HASH_ALGO, $b, $nonce);
}
}
Remember, for robust security, consider utilizing reputable encryption libraries.
The above is the detailed content of How Can I Implement Simple Two-Way Encryption in PHP Using OpenSSL?. For more information, please follow other related articles on the PHP Chinese website!