These functions work using mcrypt.
This is an interface to the mcrypt library, which supports a wide
variety of block algorithms such as DES, TripleDES, Blowfish
(default), 3-WAY, SAFER-SK64, SAFER-SK128, TWOFISH, TEA, RC2 and
GOST in CBC, OFB, CFB and ECB cipher modes. Additionally, it
supports RC6 and IDEA which are considered "non-free".
To use it, download libmcrypt-x.x.tar.gz from here and follow the included
installation instructions. You need to compile PHP with the --with-mcrypt parameter to enable this
extension.
mcrypt can be used to encrypt and decrypt using the above
mentioned ciphers. The four important mcrypt commands
(mcrypt_cfb(), mcrypt_cbc(),
mcrypt_ecb(), and
mcrypt_ofb()) can operate in both modes which
are named MCRYPT_ENCRYPT and MCRYPT_DECRYPT, respectively.
Example 1. Encrypt an input value with TripleDES in ECB mode 1
2 <?php
3 $key = "this is a very secret key";
4 $input = "Let us meet at 9 o'clock at the secret place.";
5
6 $encrypted_data = mcrypt_ecb(MCRYPT_TripleDES, $key, $input, MCRYPT_ENCRYPT);
7 ?>
8 |
|
This example will give you the encrypted data as a string in
$encrypted_data.
mcrypt can operate in four cipher modes (CBC, OFB, CFB, and ECB). We will
outline the normal use for each of these modes. For a more complete
reference and discussion see Applied Cryptography by Schneier (ISBN 0-471-11709-9).
ECB (electronic codebook) is suitable for random data, such as encrypting
other keys. Since data there is short and random, the disadvantages of
ECB have a favorable negative effect.
CBC (cipher block chaining) is especially suitable for encrypting files
where the security is increased over ECB significantly.
CFB (cipher feedback) is the best mode for encrypting byte streams where
single bytes must be encrypted.
OFB (output feedback) is comparable to CFB, but can be used in
applications where error propagation cannot be tolerated.
PHP does not support encrypting/decrypting bit streams currently. As of
now, PHP only supports handling of strings.
For a complete list of supported ciphers, see the defines at the end of
mcrypt.h. The general rule is that you can access the cipher from PHP with
MCRYPT_ciphername.
Here is a short list of ciphers which are currently supported by the
mcrypt extension. If a cipher is not listed here, but is listed by
mcrypt as supported, you can safely assume that this documentation
is outdated.
You must (in CFB and OFB mode) or can (in CBC mode) supply an
initialization vector (IV) to the respective cipher function. The IV must
be unique and must be the same when decrypting/encrypting. With data which
is stored encrypted, you can take the output of a function of the index
under which the data is stored (e.g. the MD5 key of the filename).
Alternatively, you can transmit the IV together with the encrypted data
(see chapter 9.3 of Applied Cryptography by Schneier (ISBN 0-471-11709-9) for a discussion of this
topic).
