Is storing emails in databases encrypted using the encrypt() function in PHP secure? If yes, then how can I decrypt it? If not, then what's a better idea? Example: crypt() function
The best you're going to get is with a Rijndael encryption. What you're doing is hashing which isn't reversible.
Check this out for AES encryption in PHP:
AES-256 encryption in PHP
A good option to look at is PGP
You can find more info about this by clicking here
I have been using the openssl function for encrypting data with AES-256-CBC in PHP. I have been able to encrypt it using a unique IV (generated with openssl_random_pseudo_bytes) for each new encryption.
But I am struggling with the idea of authenticated encryption with aes cbc. How do I basically authenticate when I am about to decrypt the data?
Do I need to use something like PBKDF2, blowfish or hash_hmac()?
Do I need to hash the key somehow?
Any help is extremely appreciated.
Simple solution, use RNCryptor which is available for php and many other languages. See this ReadMe for implementation details.
Even if you don't use RNCryptor the methods are correct and secure.
Some details from the site:
AES-256 encryption
CBC mode
Password stretching with PBKDF2
Password salting
Random IV
Encrypt-then-hash HMAC
Versioning
But I am struggling with the idea of authenticated encryption with aes cbc. How do I basically authenticate when I am about to decrypt the data?
After you encrypt the data with a random IV, put both the ciphertext and IV into hash_hmac() with a second key.
If you're asking because you need to deploy into production, wait until version 2 of defuse/php-encryption is released and use that instead. (It's AES-256-CTR not AES-256-CBC, but CTR mode has less attack surface than CBC mode; i.e. no padding oracle attacks if you defeat the HMAC.)
Don't use RNCryptor.
RNCryptor is/was not written in accordance with cryptography coding standards, neither in PHP, nor in Python.
RNCryptor literally violates rule 1 of the cryptography coding standards consistently. There may be other issues that are as yet undiscovered. If you want portability across languages, use libsodium.
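The encrypt-then-MAC construction described in the answer above (random IV, then hash_hmac() over the IV and ciphertext with a second key), written out as an added example that is not part of the original posts. The function names and the HKDF split of one master key into two keys are assumptions of this example; hash_hkdf() requires PHP 7.1.2 or later.

```php
<?php
// Added example: AES-256-CBC, encrypt-then-MAC with HMAC-SHA256.
// Function names and the HKDF key split are assumptions of this example.
const IV_LEN = 16;  // AES block size
const MAC_LEN = 32; // raw SHA-256 output

// Derive independent encryption and MAC keys from one 32-byte master key.
function derive_keys(string $master): array
{
    if (strlen($master) !== 32) {
        throw new InvalidArgumentException('master key must be 32 bytes');
    }
    return [hash_hkdf('sha256', $master, 32, 'enc'), hash_hkdf('sha256', $master, 32, 'mac')];
}

function seal_message(string $plaintext, string $master): string
{
    [$encKey, $macKey] = derive_keys($master);
    $iv = random_bytes(IV_LEN); // fresh IV per message
    $ct = openssl_encrypt($plaintext, 'aes-256-cbc', $encKey, OPENSSL_RAW_DATA, $iv);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    // The MAC covers IV and ciphertext and uses the second key.
    return base64_encode($iv . $ct . hash_hmac('sha256', $iv . $ct, $macKey, true));
}

function open_message(string $message, string $master): string
{
    [$encKey, $macKey] = derive_keys($master);
    $raw = base64_decode($message, true);
    if ($raw === false || strlen($raw) < IV_LEN + 16 + MAC_LEN) {
        throw new RuntimeException('malformed message');
    }
    $iv = substr($raw, 0, IV_LEN);
    $ct = substr($raw, IV_LEN, -MAC_LEN);
    $mac = substr($raw, -MAC_LEN);
    // Constant-time check BEFORE decrypting, so padding errors are never reachable.
    if (!hash_equals(hash_hmac('sha256', $iv . $ct, $macKey, true), $mac)) {
        throw new RuntimeException('authentication failed');
    }
    $pt = openssl_decrypt($ct, 'aes-256-cbc', $encKey, OPENSSL_RAW_DATA, $iv);
    if ($pt === false) {
        throw new RuntimeException('decryption failed');
    }
    return $pt;
}

$key = random_bytes(32); // constructed key for the demo; store real keys outside the database
var_dump(open_message(seal_message('alice@example.com', $key), $key) === 'alice@example.com');
```

Changing any byte of the stored value makes open_message() throw "authentication failed" before openssl_decrypt() is ever called.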
I'm a little confused with the best practices of encoding data, I'm dealing with very sensitive data so need to do/learn the best method to protect the data:
I'm currently hashing all passwords with a combination of SHA1, MD5 and hashBCRYPT all of which use salt with a large mixed character keys.
All personal data I'm currently encrypting with PHP MCRYPT_RIJNDAEL_256
Is it worth me also adding AES_ENCRYPT so that the data is also encrypted with MySQL? I have read a few things saying PHP is the better method when you need to search and fetch data regularly.
Any help would be greatly appreciated!
You shouldn't be rolling your own hashing for passwords. Use PHP's built in password_hash() function: http://php.net/manual/en/function.password-hash.php
As for encrypting user information, you probably don't want to be rolling your own library either, there are many existing PHP libraries for encrypting that will save you from making mistakes, such as Defuse, PHPSecLib, PHPCrypt, etc.
I want to encrypt and decrypt data strings that are longer than 2500 characters. Is it possible to encrypt and decrypt such long data strings? It's like essays. Please tell me which encryption and decryption technique I should choose for such long data in PHP. Also, what will be the effects of this on the database? Will the database become heavy? What will be the length of the encrypted string that it will return?
I have never encrypted data in PHP other than by using md5().
MD5 is NOT encryption, it's a hash function, a one-way method to obfuscate data.
For encryption of data that you can also decrypt, take a look at Simplest two-way encryption using PHP.
md5() isn't usually used for encryption, but for hashing purposes.
There are many extensions in PHP that deal with encryption. You can find them all here:
http://www.php.net/manual/en/refs.crypto.php
The most well known extensions are Mcrypt and OpenSSL.
With OpenSSL, you can use openssl_encrypt() to encrypt your data.
With Mcrypt, you can use mcrypt_encrypt() to encrypt your data.
Check the relevant sections of each extension for more information
I got some code from php.net: http://php.net/manual/en/book.mcrypt.php
The problem is that when you encrypt something, the next time the encrypted one isn't the same as the first one. I need to get the exact same hash using sha512 or sha256. I also need to decrypt it because the function will be used for encrypting customer's name and other data.
Thanks in advance!
I shared my crypt wrapper at https://stackoverflow.com/a/173764/17404. Try using that.
Instead of using mcrypt for hashing, consider using the hash() function instead.
Remember, hashes are one-way methods and cannot be 'decrypted'.
Looking for encryption/decryption I would recommend you look at AES encryption - either through MySQL if you have your data stored in the database, otherwise mcrypt() can also manage AES.
What's the difference between 1 way encryption and 2 way encryption with PHP and MySQL?
One-way cannot be reversed. Two-way can be.
MD5 and SHA1 are examples of one-way "encryption" (hashing, really). AES_ENCRYPT is an example of two-way encryption.
PHP's crypt() function is also one way, which is somewhat misleading because encryption generally means two way. But crypt effectively does the same thing as hashing (1 way), it just saves the salt with the output.