PHP's Encryption Functionality

by W.J. Gilmore
07/26/2001

"2db76afcc5c0176b2770fc2360cc1cd4"!

What?!?

I said, "648a19754f7803769c66f871b9cd171a"!

Of course, I don't expect you to be able to understand the above two phrases. In fact, I'm counting on it, because I've encrypted the data to hide the true meaning of the messages. This notion of data encryption plays an increasingly important part in our lives, particularly considering the mammoth number of transactions and activities that take place online. Those of you responsible for implementing these data security features may be interested to know that PHP provides an interesting array of security-oriented functionality. In this article, I'll introduce you to this functionality, providing you with a basis from which you can begin incorporating security enhancements into your own applications.

Preliminary information

Before delving into PHP's security functionality, I'd like to take a moment to introduce you to several notions of cryptography that will be particularly informative to those new to the subject. If you're already familiar with the very basic concepts of cryptography, feel free to skip ahead to the next section.

Cryptography can be generally defined as the study and practice of encryption and decryption, where encryption is the process of converting data into a format unreadable by all except certain parties, and decryption is the process of converting the encrypted data back into its original readable format. The unreadable data is known as "ciphertext," while the readable data is known as "plain text."

Data is encrypted/decrypted using some form of algorithm. These algorithms can be relatively simple, such as the famed Caesar Cipher (supposedly invented by Julius Caesar himself), which involves shifting alphabetical characters n places so as to seemingly "scramble" the meaning of the data. Of course, today's algorithms are considerably more complex, and are even considered unbreakable using today's known methods. To put it into perspective, the Caesar Cipher can be broken with patience and a pencil and paper, while it is currently technologically impossible to break even a single key implemented via the Advanced Encryption Standard algorithm, Rijndael.

PHP's cryptography functionality

Those of you with even minimal experience with non-Windows platforms are probably familiar with the crypt() function. This function implements what is termed one-way encryption, which allows for the encryption of some plain text, but does not provide a way to convert the ciphertext back to its original form. While on the surface this may seem like a relatively useless idea, it is actually a widely used technique for protecting system passwords. After all, if the one-way encrypted passwords somehow fall into the hands of a third party, they won't do that party much good, because they can never be converted back to plain text. When it comes time to verify a password input by a user, that input is also encrypted using the one-way algorithm and compared with the stored encrypted password. If they match, the input password must be correct.

PHP also offers the possibility to perform one-way encryption using its own crypt() function. I'll briefly introduce this function here:

string crypt (string input_string [, string salt])

The input parameter input_string is just the string that you would like to encrypt. The second, optional input parameter salt refers to a bit-string that will influence the encryption outcome to further eliminate the possibility of what are known as precomputation attacks. By default, PHP uses a two-character DES salt string. However, if the encryption standard on your system happens to be MD5 (I'll introduce the MD5 algorithm later), a 12-character salt string is used. Incidentally, you can find out the size of the salt string your system will use by simply executing the following:

print "My system salt size is: ". CRYPT_SALT_LENGTH;

Chances are your system supports additional encryption algorithms. In all, crypt() supports four, each of which is shown below along with its corresponding salt:

Algorithm        Salt
CRYPT_STD_DES    2-character (Default)
CRYPT_EXT_DES    9-character
CRYPT_MD5        12-character beginning with $1$
CRYPT_BLOWFISH   16-character beginning with $2$
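
Added example (not from the original article): the store-and-verify procedure described above, using a random salt in the 12-character CRYPT_MD5 format from the table. The function names make_md5_salt, hash_password and verify_password are hypothetical, and random_int() and hash_equals() assume PHP 7 or later, which postdates the article.

```php
<?php
// Added example, not the article's code. Function names are hypothetical.

// Build a CRYPT_MD5 salt as listed in the table: "$1$" + 8 characters + "$".
function make_md5_salt(): string
{
    $alphabet = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
    $salt = '';
    for ($i = 0; $i < 8; $i++) {
        // random_int() draws from the system CSPRNG (assumes PHP 7+).
        $salt .= $alphabet[random_int(0, 63)];
    }
    return '$1$' . $salt . '$';
}

// One-way encrypt a new password with a fresh random salt.
function hash_password(string $password): string
{
    $hash = crypt($password, make_md5_salt());
    // On failure crypt() returns a short marker string instead of a hash.
    if (strlen($hash) < 13) {
        throw new RuntimeException('crypt() failed');
    }
    return $hash;
}

// Verify a login attempt against the stored value.
function verify_password(string $input, string $stored): bool
{
    // The stored string begins with the algorithm prefix and salt, so passing
    // it as the salt makes crypt() repeat the same computation on the input.
    // hash_equals() compares in constant time to avoid a timing side channel.
    return hash_equals($stored, crypt($input, $stored));
}

// Constructed sample input: the same password stored for two accounts.
$first  = hash_password('correct horse');
$second = hash_password('correct horse');

echo "stored #1: $first\n";
echo "stored #2: $second\n";
echo 'stored values identical: ', var_export($first === $second, true), "\n";
echo 'right password accepted: ', var_export(verify_password('correct horse', $first), true), "\n";
echo 'wrong password accepted: ', var_export(verify_password('Correct horse', $first), true), "\n";
```

MD5-based crypt is used here only because it appears in the article's table; current PHP versions provide password_hash() and password_verify(), which choose the salt and a stronger algorithm for you.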
