Reputation: 818
PHP string encryption/decryption, am i doing it wrong?
Hey I really need some guidance.
ATM. i am using this encryption/decryption method for regular strings.
function encrypt($pure_string) {
$iv_size = mcrypt_get_iv_size(MCRYPT_BLOWFISH, MCRYPT_MODE_ECB);
$iv = mcrypt_create_iv($iv_size, MCRYPT_RAND);
$encrypted_string = mcrypt_encrypt(MCRYPT_BLOWFISH, "!@#$%#^&*", utf8_encode($pure_string), MCRYPT_MODE_ECB, $iv);
return $encrypted_string;
}
function decrypt($encrypted_string) {
$iv_size = mcrypt_get_iv_size(MCRYPT_BLOWFISH, MCRYPT_MODE_ECB);
$iv = mcrypt_create_iv($iv_size, MCRYPT_RAND);
$decrypted_string = mcrypt_decrypt(MCRYPT_BLOWFISH, "!@#$%#^&*", $encrypted_string, MCRYPT_MODE_ECB, $iv);
return $decrypted_string;
}
But after some research that might not be the most secure way? The data is being stored in a MYSQL DB.
And i do not have access to install custom php plugins to the webserver. So is there any other secure way to do this?
And how should I generate / store my encryption key?
This is not used for password and etc.
Upvotes: 0
Views: 280
Answers (1)
Reputation: 61952
But after some research that might not be the most secure way?
You somehow managed to hit the holy trinity of insecure code:
The library: using an abandoned library (mcrypt) which has many bugs. OpenSSL can be used, but it's still a challenge of using it securely. defuse/php-encryption is a much better alternative.
The block cipher: Using Blowfish where even its creator said that it is insecure. AES (=Rijndael-128) is a better alternative, but that's not something you should worry about when using a good library (see 1).
The block cipher mode of operation: Using ECB mode is insecure almost in every case (scroll down to the penguin). Generally, a randomized mode like CBC is needed, but that's not something you should worry about when using a good library (see 1).
That's something that applies to secure transmission of data (and then some). If you need to find stuff in your database based on encrypted columns, then you need to think about adding a hash column or really using ECB mode.
And how should I generate / store my encryption key?
Keys are usually simple byte arrays. Some ciphers - like DES - have weak keys which you need to check for and generate another one. A good library usually gives you an API for generating a key.
Storing keys is an issue of much debate. Think about the usefulness of encrypting some data where the key is stored close to the encrypted data. After all, you usually need access and decrypt that data frequently. There is no good solution for this. If you store the encryption key on another machine than the data, the chance is higher that you get something else wrong and leave your network vulnerable.
Upvotes: 2
Related Questions
- encrypt with PHP MYSQL
- PHP simple string encryption and decryption
- PHP encrypt string using blowfish
- Encrypting strings in PHP
- Encrypt / Decrypt Text in MySQL Column with PHP
- encryption using PHP crypt
- Can't get password encryption to work PHP
- Encryption and Decryption of a string
- Crypt/decrypt string (PHP)
- php - storing encrypted string in mysql