PHP AES encrypt / decrypt

by

Please use an existing secure PHP encryption library

It’s generally a bad idea to write your own cryptography unless you have experience breaking other peoples’ cryptography implementations.

None of the examples here authenticate the ciphertext, which leaves them vulnerable to bit-rewriting attacks.

If you can install PECL extensions, libsodium is even better

<?php
// PECL libsodium 0.2.1 and newer

/**
 * Encrypt a message
 * 
 * @param string $message - message to encrypt
 * @param string $key - encryption key
 * @return string
 */
function safeEncrypt($message, $key)
{
    $nonce = \Sodium\randombytes_buf(
        \Sodium\CRYPTO_SECRETBOX_NONCEBYTES
    );

    return base64_encode(
        $nonce.
        \Sodium\crypto_secretbox(
            $message,
            $nonce,
            $key
        )
    );
}

/**
 * Decrypt a message
 * 
 * @param string $encrypted - message encrypted with safeEncrypt()
 * @param string $key - encryption key
 * @return string
 */
function safeDecrypt($encrypted, $key)
{   
    $decoded = base64_decode($encrypted);
    $nonce = mb_substr($decoded, 0, \Sodium\CRYPTO_SECRETBOX_NONCEBYTES, '8bit');
    $ciphertext = mb_substr($decoded, \Sodium\CRYPTO_SECRETBOX_NONCEBYTES, null, '8bit');

    return \Sodium\crypto_secretbox_open(
        $ciphertext,
        $nonce,
        $key
    );
}

Then to test it out:

<?php
// This refers to the previous code block.
require "safeCrypto.php"; 

// Do this once then store it somehow:
$key = \Sodium\randombytes_buf(\Sodium\CRYPTO_SECRETBOX_KEYBYTES);
$message="We are all living in a yellow submarine";

$ciphertext = safeEncrypt($message, $key);
$plaintext = safeDecrypt($ciphertext, $key);

var_dump($ciphertext);
var_dump($plaintext);

This can be used in any situation where you are passing data to the client (e.g. encrypted cookies for sessions without server-side storage, encrypted URL parameters, etc.) with a reasonably high degree of certainty that the end user cannot decipher or reliably tamper with it.

Since libsodium is cross-platform, this also makes it easier to communicate with PHP from, e.g. Java applets or native mobile apps.

Note: If you specifically need to add encrypted cookies powered by libsodium to your app, my employer Paragon Initiative Enterprises is developing a library called Halite that does all of this for you.

More Related Contents:

  1. How do you Encrypt and Decrypt a PHP String?
  2. Simplest two-way encryption using PHP
  3. How to encrypt/decrypt data in php?
  4. How to add/remove PKCS7 padding from an AES encrypted string?
  5. Login without HTTPS, how to secure?
  6. MCrypt rijndael-128 to OpenSSL aes-128-ecb conversion
  7. Java 256-bit AES Password-Based Encryption
  8. Best way to use PHP to encrypt and decrypt passwords? [duplicate]
  9. mcrypt is deprecated, what is the alternative?
  10. Two-way encryption: I need to store passwords that can be retrieved
  11. Upgrading my encryption library from Mcrypt to OpenSSL
  12. Image encryption/decryption using AES256 symmetric block ciphers [closed]
  13. Is it possible to hide/encode/encrypt php source code and let others have the system?
  14. How to encrypt or decrypt with Rijndael and a block-size of 256 bits?
  15. Example of AES using Crypto++ [closed]
  16. Two-way encryption in PHP
  17. How to decrypt an encrypted AES-256 string from CryptoJS using Java? [closed]
  18. Create an encrypted zip archive with PHP
  19. How can I decrypt a password hash in PHP?
  20. Can’t decrypt using pgcrypto from AES-256-CBC but AES-128-CBC is OK
  21. Decrypting strings in Python that were encrypted with MCRYPT_RIJNDAEL_256 in PHP
  22. Is it secure to store a password in a session? [duplicate]
  23. Switching between HTTP and HTTPS pages with secure session-cookie
  24. Can anyone get access to my PHP source code?
  25. AES/CBC/PKCS5Padding in iOS objective c result differs from Android
  26. PyCrypto problem using AES+CTR
  27. Is it possible to encrypt data with AES (256 bit) GCM mode in .net framework 4.7?
  28. AESCrypt decryption between iOS and PHP
  29. AES string encryption in Objective-C
  30. What encryption algorithm is best for encrypting cookies?

Leave a Comment