How to encrypt decrypt data in php

Question

I m currently a student and I m studying PHP  I m trying to make a simple encrypt decrypt of data in PHP  I made some online research and some of them were quite confusing at least for me    Here s what I m trying to do   I have a table consisting of these fields  UserID Fname Lname Email Password   What I want to have is have the all fields encrypted and then be decrypted Is it possible to use sha256 for encryption decryption  if not any encryption algorithm   Another thing I want to learn is how to create a one way hash sha256  combined with a good  salt    Basically I just want to have a simple implementation of encryption decryption  hash sha256  salt   Sir Ma am  your answers would be of great help and be very much appreciated  Thank you

User · Answer

Answer Background and Explanation

To understand this question, you must first understand what SHA256 is. SHA256 is a Cryptographic Hash Function. A Cryptographic Hash Function is a one-way function, whose output is cryptographically secure. This means it is easy to compute a hash (equivalent to encrypting data), but hard to get the original input using the hash (equivalent to decrypting the data). Since using a Cryptographic hash function means decrypting is computationally infeasible, so therefore you cannot perform decryption with SHA256.

What you want to use is a two-way function, but more specifically, a Block Cipher. A function that allows for both encryption and decryption of data. The functions mcrypt_encrypt and mcrypt_decrypt by default use the Blowfish algorithm. PHP's use of mcrypt can be found in this manual. A list of cipher definitions to select the cipher mcrypt uses also exists. A wiki on Blowfish can be found at Wikipedia. A block cipher encrypts the input in blocks of known size and position with a known key, so that the data can later be decrypted using the key. This is what SHA256 cannot provide you.

Code

$key = 'ThisIsTheCipherKey';

$ciphertext = mcrypt_encrypt(MCRYPT_BLOWFISH, $key, 'This is plaintext.', MCRYPT_MODE_CFB);

$plaintext = mcrypt_decrypt(MCRYPT_BLOWFISH, $key, $encrypted, MCRYPT_MODE_CFB);

User · Answer

Foreword  Starting with your table definition   - UserID - Fname - Lname - Email - Password - IV   Here are the changes    The fields Fname  Lname and Email will be encrypted using a symmetric cipher  provided by OpenSSL  The IV field will store the initialisation vector used for encryption  The storage requirements depend on the cipher and mode used  more about this later  The Password field will be hashed using a one-way password hash    Encryption  Cipher and mode  Choosing the best encryption cipher and mode is beyond the scope of this answer  but the final choice affects the size of both the encryption key and initialisation vector  for this post we will be using AES-256-CBC which has a fixed block size of 16 bytes and a key size of either 16  24 or 32 bytes   Encryption key  A good encryption key is a binary blob that s generated from a reliable random number generator  The following example would be recommended     5 3     key size   32     256 bits  encryption key   openssl random pseudo bytes  key size   strong       strong will be true if the key is crypto safe   This can be done once or multiple times  if you wish to create a chain of encryption keys   Keep these as private as possible   IV  The initialisation vector adds randomness to the encryption and required for CBC mode  These values should be ideally be used only once  technically once per encryption key   so an update to any part of a row should regenerate it   A function is provided to help you generate the IV    iv size   16     128 bits  iv   openssl random pseudo bytes  iv size   strong     Example  Let s encrypt the name field  using the earlier  encryption key and  iv  to do this  we have to pad our data to the block size   function pkcs7 pad  data   size         length    size - strlen  data     size      return  data   str repeat chr  length    length       name    Jack    enc name   openssl encrypt      pkcs7 pad  name  16      padded data      AES-256-CBC             cipher and mode      encryption key          secret key     0                        options  not used       iv                      initialisation vector      Storage requirements  The encrypted output  like the IV  is binary  storing these values in a database can be accomplished by using designated column types such as BINARY or VARBINARY   The output value  like the IV  is binary  to store those values in MySQL  consider using BINARY or VARBINARY columns  If this is not an option  you can also convert the binary data into a textual representation using base64 encode   or bin2hex    doing so requires between 33  to 100  more storage space   Decryption  Decryption of the stored values is similar   function pkcs7 unpad  data        return substr  data  0  -ord  data strlen  data  - 1         row    result- gt fetch PDO  FETCH ASSOC      read from database result     enc name   base64 decode  row  Name         enc name   hex2bin  row  Name      enc name    row  Name        iv   base64 decode  row  IV         iv   hex2bin  row  IV      iv    row  IV      name   pkcs7 unpad openssl decrypt       enc name       AES-256-CBC        encryption key      0       iv       Authenticated encryption  You can further improve the integrity of the generated cipher text by appending a signature that s generated from a secret key  different from the encryption key  and the cipher text  Before the cipher text is decrypted  the signature is first verified  preferably with a constant-time comparison method    Example     generate once  keep safe  auth key   openssl random pseudo bytes 32   strong       authentication  auth   hash hmac  sha256    enc name   auth key  true    auth enc name    auth    enc name      verification  auth   substr  auth enc name  0  32    enc name   substr  auth enc name  32    actual auth   hash hmac  sha256    enc name   auth key  true    if  hash equals  auth   actual auth            perform decryption     See also  hash equals    Hashing  Storing a reversible password in your database must be avoided as much as possible  you only wish to verify the password rather than knowing its contents  If a user loses their password  it s better to allow them to reset it rather than sending them their original one  make sure that password reset can only be done for a limited time    Applying a hash function is a one-way operation  afterwards it can be safely used for verification without revealing the original data  for passwords  a brute force method is a feasible approach to uncover it due to its relatively short length and poor password choices of many people   Hashing algorithms such as MD5 or SHA1 were made to verify file contents against a known hash value  They re greatly optimized to make this verification as fast as possible while still being accurate  Given their relatively limited output space it was easy to build a database with known passwords and their respective hash outputs  the rainbow tables   Adding a salt to the password before hashing it would render a rainbow table useless  but recent hardware advancements made brute force lookups a viable approach  That s why you need a hashing algorithm that s deliberately slow and simply impossible to optimize  It should also be able to increase the load for faster hardware without affecting the ability to verify existing password hashes to make it future proof   Currently there are two popular choices available    PBKDF2  Password Based Key Derivation Function v2  bcrypt  aka Blowfish    This answer will use an example with bcrypt   Generation  A password hash can be generated like this    password    my password    random   openssl random pseudo bytes 18    salt   sprintf   2y  02d  s       13     2 n cost factor     substr strtr base64 encode  random              0  22       hash   crypt  password   salt     The salt is generated with openssl random pseudo bytes   to form a random blob of data which is then run through base64 encode   and strtr   to match the required alphabet of  A-Za-z0-9      The crypt   function performs the hashing based on the algorithm   2y  for Blowfish   the cost factor  a factor of 13 takes roughly 0 40s on a 3GHz machine  and the salt of 22 characters   Validation  Once you have fetched the row containing the user information  you validate the password in this manner    given password     POST  password       the submitted password  db hash    row  Password       field with the password hash   given hash   crypt  given password   db hash    if  isEqual  given hash   db hash            user password verified       constant time string compare function isEqual  str1   str2         n1   strlen  str1       if  strlen  str2      n1            return false            for   i   0   diff   0   i     n1     i             diff    ord  str1  i     ord  str2  i              return   diff      To verify a password  you call crypt   again but you pass the previously calculated hash as the salt value  The return value yields the same hash if the given password matches the hash  To verify the hash  it s often recommended to use a constant-time comparison function to avoid timing attacks   Password hashing with PHP 5 5  PHP 5 5 introduced the password hashing functions that you can use to simplify the above method of hashing    hash   password hash  password  PASSWORD BCRYPT    cost    gt  13      And verifying   if  password verify  given password   db hash            password valid     See also  password hash    password verify

User · Answer

It took me quite a while to figure out  how to not get a false when using openssl decrypt   and get encrypt and decrypt working           cryptographic key of a binary string 16 bytes long  because AES-128 has a key size of 16 bytes       encryption key    58adf8c78efef9570c447295008e2e6e      example      iv   openssl random pseudo bytes openssl cipher iv length  aes-256-cbc          encrypted   openssl encrypt  plaintext   aes-256-cbc    encryption key  OPENSSL RAW DATA   iv        encrypted    encrypted         base64 encode  iv           decrypt to get again  plaintext      parts   explode       encrypted        decrypted   openssl decrypt  parts 0    aes-256-cbc    encryption key  OPENSSL RAW DATA  base64 decode  parts 1        If you want to pass the encrypted string via a URL  you need to urlencode the string         encrypted   urlencode  encrypted     To better understand what is going on  read     http   blog turret io the-missing-php-aes-encryption-example  http   thefsb tumblr com post 110749271235 using-opensslendecrypt-in-php-   To generate 16 bytes long keys you can use         bytes   openssl random pseudo bytes 16        hex   bin2hex  bytes     To see error messages of openssl you can use  echo openssl error string     Hope that helps

User · Answer

function my simple crypt   string   action    e                 you may change these values to your own          secret key    my simple secret key            secret iv    my simple secret iv             output   false           encrypt method    AES-256-CBC            key   hash   sha256    secret key             iv   substr  hash   sha256    secret iv    0  16             if   action     e                   output   base64 encode  openssl encrypt   string   encrypt method   key  0   iv                        else if   action     d                  output   openssl decrypt  base64 decode   string     encrypt method   key  0   iv                       return  output

User · Answer

Here is an example using openssl encrypt     Encryption   textToEncrypt    My Text to Encrypt    encryptionMethod    AES-256-CBC    secretHash    encryptionhash    iv   mcrypt create iv 16  MCRYPT RAND    encryptedText   openssl encrypt  textToEncrypt  encryptionMethod  secretHash  0   iv      Decryption   decryptedText   openssl decrypt  encryptedText   encryptionMethod   secretHash  0   iv   print  My Decrypted Text      decryptedText

User · Answer

I m think this has been answered before   but anyway  if you want to encrypt decrypt data  you can t use SHA256    Key  key    SuperSecretKey      To Encrypt   encrypted   mcrypt encrypt MCRYPT RIJNDAEL 256   key   I want to encrypt this   MCRYPT MODE ECB      To Decrypt   decrypted   mcrypt decrypt MCRYPT RIJNDAEL 256   key   encrypted  MCRYPT MODE ECB

[php] How to encrypt/decrypt data in php?

The answer is

Answer Background and Explanation

Code

Examples related to php

Examples related to security

Examples related to encryption

Examples related to cryptography

Examples related to encryption-symmetric

Tags