How to encrypt data at rest? - php

How do I encrypt data at rest? I know SSL encrypts in transit.
How do I integrate AES 256-bit encryption in phpMyAdmin?

Here's an example using mcrypt:
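<?php
// The mcrypt extension was deprecated in PHP 7.1 and removed from core in PHP 7.2.
// MCRYPT_RIJNDAEL_256 is Rijndael with a 256-bit block, which is not AES.
// Encrypt function
function mc_encrypt($encrypt, $mc_key) {
    // ECB mode ignores the IV; it is passed only because the mcrypt API asks for one.
    $iv = mcrypt_create_iv(mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_ECB), MCRYPT_RAND);
    // The ciphertext is binary and must not be trimmed: it may begin or end with whitespace bytes.
    $passcrypt = mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $mc_key, trim($encrypt), MCRYPT_MODE_ECB, $iv);
    $encode = base64_encode($passcrypt);
    return $encode;
}
// Decrypt function
function mc_decrypt($decrypt, $mc_key) {
    $decoded = base64_decode($decrypt);
    $iv = mcrypt_create_iv(mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_ECB), MCRYPT_RAND);
    // trim() removes the zero bytes mcrypt used to pad the last block.
    $decrypted = trim(mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $mc_key, $decoded, MCRYPT_MODE_ECB, $iv));
    return $decrypted;
}
?>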
Read more about the library here: http://php.net/manual/en/ref.mcrypt.php
EDIT:
If I misunderstood the question and you wanted to do this in MySQL, you can use the built-in MySQL AES encryption functions:
INSERT INTO users SET name = "User1", password = AES_ENCRYPT("password", "encryption key");
and:
SELECT AES_DECRYPT(password, "encryption key") FROM users WHERE id = 1;
However, this is just AES-128; if you want to use AES-256 directly in MySQL you would have to modify the source and recompile.
Read more about it here:
http://dev.mysql.com/doc/refman/5.5/en/encryption-functions.html#function_aes-encrypt

If you're talking about straight encrypt/decrypt of data then there are some good examples in the php.net manuals.
You would then encrypt your data before inserting it into your database; you wouldn't encrypt anything through phpMyAdmin.
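
An added example, not code from the answers above, of encrypting a value in PHP before it is inserted, using AES-256 in GCM mode through the openssl extension so that a modified or wrongly keyed value is rejected on decryption. The function names, the stored layout and the sample value are assumptions of this example.

```php
<?php
// Added example, not from the thread. Needs PHP >= 7.1 with ext-openssl.
// Layout of the stored value is this example's choice: base64(nonce | tag | ciphertext).

function encryptField(string $plaintext, string $key): string
{
    if (strlen($key) !== 32) {
        throw new InvalidArgumentException('AES-256 needs a 32-byte key');
    }
    $nonce = random_bytes(12);   // must be unique for every message under one key
    $tag = '';
    $ct = openssl_encrypt($plaintext, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $nonce, $tag);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    return base64_encode($nonce . $tag . $ct);
}

function decryptField(string $stored, string $key): string
{
    $raw = base64_decode($stored, true);
    if ($raw === false || strlen($raw) < 28) {   // 12-byte nonce + 16-byte tag
        throw new RuntimeException('malformed ciphertext');
    }
    $pt = openssl_decrypt(substr($raw, 28), 'aes-256-gcm', $key, OPENSSL_RAW_DATA,
        substr($raw, 0, 12), substr($raw, 12, 16));
    if ($pt === false) {
        throw new RuntimeException('authentication failed: wrong key or modified data');
    }
    return $pt;
}

// Constructed sample: the key is generated here only so the script runs on its own.
// In an application it is loaded from configuration kept outside the database.
$key = random_bytes(32);
$stored = encryptField('alice@example.com', $key);   // value for the INSERT
echo 'stored:    ', $stored, "\n";
echo 'decrypted: ', decryptField($stored, $key), "\n";

// Flip one bit of the ciphertext: GCM refuses to decrypt instead of returning garbage.
$raw = base64_decode($stored);
$raw[30] = $raw[30] ^ "\x01";
try {
    decryptField(base64_encode($raw), $key);
} catch (RuntimeException $e) {
    echo 'tampered:  ', $e->getMessage(), "\n";
}
```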

Related

Decrypt string that is encrypted by MCRYPT_RIJNDAEL_128

I used the following code to encrypt and decrypt strings in PHP. I recently upgraded my server and now I can see that the code I use is deprecated. The encryption code is hardcoded in my app, so I need to decrypt on the server. Please provide an alternative for both encrypt and decrypt.
Code for encryption.
function encrypt($data = '', $key = 'chiperbase65enus')
{
    $encrypted = mcrypt_encrypt(MCRYPT_RIJNDAEL_128, $key, $data, MCRYPT_MODE_CBC, 'chiperbase65enus');
    return base64_encode($encrypted);
}
And the decryption code is below. I don't actually need encryption anymore, but decryption is a must.
function decrypt($data = '', $key = 'chiperbase65enus')
{
    $decrypted = mcrypt_decrypt(MCRYPT_RIJNDAEL_128, $key, base64_decode($data), MCRYPT_MODE_CBC, 'chiperbase65enus');
    return rtrim($decrypted, "\0");
}
$decrypted = openssl_decrypt(base64_decode($encrypted_string), "AES-128-CBC", "chiperbase65enus", OPENSSL_RAW_DATA | OPENSSL_ZERO_PADDING, "chiperbase65enus");
// mcrypt padded the plaintext with zero bytes; strip them as the old decrypt() did
$decrypted = rtrim($decrypted, "\0");
I found the solution...

How to always get the same results when encrypting a string?

I have this function to encrypt strings:
public function encriptar($string) {
    $iv = mcrypt_create_iv(mcrypt_get_iv_size(MCRYPT_RIJNDAEL_128, MCRYPT_MODE_CBC),
        MCRYPT_DEV_URANDOM);
    $encrypted = base64_encode($iv . mcrypt_encrypt(MCRYPT_RIJNDAEL_128,
        hash('sha256', getKey(), true),
        $string, MCRYPT_MODE_CBC, $iv));
    return $encrypted;
}
The problem is that it always returns a different value, even when I pass in the same string.
Example:
I enter: StackOverflow
Result: InT3g0AUXXTrmCAxrlht5ZVe8GBmlgGDMotXuVu11hI=
If I rerun the script:
I enter: StackOverflow
Result: ImhWn5vPA/A2NY2wpUwg7VLWAiGBls80Z84fGU303Ws=
If I rerun the script:
I enter: StackOverflow
Result: FqvxSsblSwz5riaDnnq7h20PzZTPdk/K+dikLHbLHTY=
How can I make it always the same value?
You are creating a different $iv using MCRYPT_DEV_URANDOM as the pseudo-random-number-generator; use the same $iv, and the result will be the same.
You can either store it in your database, in the class instance, or store it as a prefix/suffix of the final hash.
Albeit you shouldn't be reusing the $iv for security purposes...
A more insightful discussion of the security implications of reusing the key, or even the IV, can be found here: https://crypto.stackexchange.com/questions/10505/reusing-keys-with-aes-cbc
The result is dependent on the $iv variable which you keep regenerating. You need to generate it only once, save it in the database and then re-use it.
function getIv($database) {
    // fictive database abstraction layer
    $iv = $database->fetchIv();
    if (!$iv) {
        $iv = mcrypt_create_iv(
            mcrypt_get_iv_size(MCRYPT_RIJNDAEL_128, MCRYPT_MODE_CBC),
            MCRYPT_DEV_URANDOM
        );
        $database->saveIv($iv);
    }
    return $iv;
}
// in your class
public function encriptar($string) {
    // $this->database is a hypothetical property holding the fictive abstraction layer above
    $iv = getIv($this->database);
    $encrypted = base64_encode($iv . mcrypt_encrypt(MCRYPT_RIJNDAEL_128,
        hash('sha256', getKey(), true),
        $string, MCRYPT_MODE_CBC, $iv));
    return $encrypted;
}
However, for best practices, this should be kept in a configuration file.
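
What reusing one IV gives away, as an added example that is not code from the thread: under a fixed IV, CBC ciphertexts of records that start with the same bytes start with the same blocks, while a fresh IV prepended to each ciphertext hides this and still decrypts without shared state. The openssl extension stands in for mcrypt here, and the key, messages and function names are constructed for the example.

```php
<?php
// Added example with constructed data, not code from the thread.
// 'aes-128-cbc' is the same cipher and mode as MCRYPT_RIJNDAEL_128 + MCRYPT_MODE_CBC;
// only the padding differs (PKCS#7 here, zero bytes in mcrypt).

function cbcEncrypt(string $plaintext, string $key, string $iv): string
{
    $ct = openssl_encrypt($plaintext, 'aes-128-cbc', $key, OPENSSL_RAW_DATA, $iv);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    return $ct;
}

// Count the leading 16-byte blocks that two ciphertexts have in common.
function sharedLeadingBlocks(string $a, string $b): int
{
    $max = intdiv(min(strlen($a), strlen($b)), 16);
    $n = 0;
    while ($n < $max && substr($a, $n * 16, 16) === substr($b, $n * 16, 16)) {
        $n++;
    }
    return $n;
}

$key = random_bytes(16);
$common = 'user=alice@example.com;role=user';   // exactly two 16-byte blocks
$m1 = $common . ';note=first';
$m2 = $common . ';note=second';

// One IV saved and reused for every message, as getIv() does.
$fixedIv = random_bytes(16);
$leak = sharedLeadingBlocks(cbcEncrypt($m1, $key, $fixedIv), cbcEncrypt($m2, $key, $fixedIv));
echo "fixed IV:  $leak identical leading ciphertext blocks\n";

// A fresh IV per message, prepended to the ciphertext as in the question's encriptar().
$iv1 = random_bytes(16);
$iv2 = random_bytes(16);
$c1 = $iv1 . cbcEncrypt($m1, $key, $iv1);
$c2 = $iv2 . cbcEncrypt($m2, $key, $iv2);
$none = sharedLeadingBlocks(substr($c1, 16), substr($c2, 16));
echo "random IV: $none identical leading ciphertext blocks\n";

// Decryption needs no shared state: the IV travels with the ciphertext.
$plain = openssl_decrypt(substr($c1, 16), 'aes-128-cbc', $key, OPENSSL_RAW_DATA, substr($c1, 0, 16));
echo 'round trip ok: ', var_export($plain === $m1, true), "\n";
```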

Is this a safe implementation of mcrypt?

My web application needs to connect to several FTP servers and I don't want the FTP passwords to be stored in plain text. Hashing is not an option, because I need two-way encryption.
That's why I wrote the following class in PHP, based on mcrypt documentation. It uses mcrypt to encrypt and decrypt plain text. A password input field is used as input for the $password variable.
Can I consider this encryption as secure when I use a 50 character strong password to encrypt the text?
Thank you in advance.
class Crypto
{
    private $_iv_size, $_iv;
    function __construct()
    {
        $this->_iv_size = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_CBC);
        $this->_iv = mcrypt_create_iv($this->_iv_size, MCRYPT_RAND);
    }
    function encrypt($plaintext, $password)
    {
        $key = pack('H*', hash("SHA512", $password, true));
        $plaintext_utf8 = utf8_encode($plaintext);
        $ciphertext = mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $key,
            $plaintext_utf8, MCRYPT_MODE_CBC, $this->_iv);
        $ciphertext = $this->_iv . $ciphertext;
        $ciphertext_base64 = base64_encode($ciphertext);
        return $ciphertext_base64;
    }
    function decrypt($ciphertext_base64, $password)
    {
        $key = pack('H*', hash("SHA512", $password, true));
        $ciphertext_dec = base64_decode($ciphertext_base64);
        $iv_dec = substr($ciphertext_dec, 0, $this->_iv_size);
        $ciphertext_dec = substr($ciphertext_dec, $this->_iv_size);
        $plaintext_utf8_dec = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $key,
            $ciphertext_dec, MCRYPT_MODE_CBC, $iv_dec);
        return $plaintext_utf8_dec;
    }
}
Yes, AFAICS(1) the code should protect the payload.
Since you are deriving the key used for the encryption from the password, it would be neater to only implement this once in your code (even if it is only a single line). But the glaring WTF is that you go through all this bother to protect an FTP password which is sent in clear text to the FTP server!
1 - it's impossible to prove that code is secure or bug free

Encrypting the variable with password in PHP [duplicate]

Possible Duplicate:
Two-way encryption in PHP
I need a PHP script that encrypts a variable with password. I don't mean hash like md5($var); or sha1($var);
I need a script that could make (for example) md5($var); hash but also get from md5($var); the useful string.
Expectation like
$password = "SomePassword";
$data = "TheVerySecretString";
$encrypted = TheEncyptionFunctionINeed($password, $data); // Output some useless strings
$decrypted = TheDecryptionFunctionINeed($password, $data); // Output: "TheVerySecretString"
Two-way encryption in PHP
Sorry to open this up a couple of years later, but I think it's important since it's in the top search rankings...
PHP 5.3 has introduced a new encryption method that is really easy to use.
It's openssl_encrypt and openssl_decrypt... It's not well documented here, so here's a simple example...
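$textToEncrypt = "My super secret information.";
$encryptionMethod = "AES-256-CBC"; // AES is used by the U.S. gov't to encrypt top secret documents.
$secretHash = "25c6c7ff35b9979b151f2136cd13b0ff";
// A fresh random IV per message; without one, openssl_encrypt warns and falls back to an all-zero IV.
$iv = openssl_random_pseudo_bytes(openssl_cipher_iv_length($encryptionMethod));
// To encrypt
$encryptedMessage = openssl_encrypt($textToEncrypt, $encryptionMethod, $secretHash, 0, $iv);
// To decrypt (the same IV must be supplied, so store it alongside the ciphertext)
$decryptedMessage = openssl_decrypt($encryptedMessage, $encryptionMethod, $secretHash, 0, $iv);
// Result
echo "Encrypted: $encryptedMessage <br>Decrypted: $decryptedMessage";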
Here are 2 functions:
<?php
function encryptData($value){
    $key = "top secret key";
    $text = $value;
    // ECB mode ignores the IV; mcrypt only requires that one is passed.
    $iv_size = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_ECB);
    $iv = mcrypt_create_iv($iv_size, MCRYPT_RAND);
    $crypttext = mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $key, $text, MCRYPT_MODE_ECB, $iv);
    return $crypttext;
}
function decryptData($value){
    $key = "top secret key";
    $crypttext = $value;
    $iv_size = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_ECB);
    $iv = mcrypt_create_iv($iv_size, MCRYPT_RAND);
    $decrypttext = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $key, $crypttext, MCRYPT_MODE_ECB, $iv);
    // trim() removes the zero bytes mcrypt used to pad the last block.
    return trim($decrypttext);
}
?>
Check the manual for functions: mcrypt_encrypt and mcrypt_decrypt
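
An added example, not code from either thread, of the password-based two-way encryption asked for here and in the Crypto class question above. It uses libsodium: a memory-hard key derivation with a per-message salt in place of a single hash of the password, and secretbox (XSalsa20-Poly1305, not Rijndael) so that a wrong password or modified data is detected. The function names and stored layout are assumptions of this example.

```php
<?php
// Added example with constructed data. Needs ext-sodium (bundled with PHP since 7.2).
// Stored layout is this example's choice: base64(salt | nonce | secretbox output).

function deriveKey(string $password, string $salt): string
{
    // Argon2 is deliberately slow and memory-hard, unlike a single SHA-512 call.
    return sodium_crypto_pwhash(SODIUM_CRYPTO_SECRETBOX_KEYBYTES, $password, $salt,
        SODIUM_CRYPTO_PWHASH_OPSLIMIT_INTERACTIVE, SODIUM_CRYPTO_PWHASH_MEMLIMIT_INTERACTIVE);
}

function encryptWithPassword(string $plaintext, string $password): string
{
    $salt  = random_bytes(SODIUM_CRYPTO_PWHASH_SALTBYTES);       // new for every message
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);   // new for every message
    $key = deriveKey($password, $salt);
    $box = sodium_crypto_secretbox($plaintext, $nonce, $key);    // encrypts and authenticates
    sodium_memzero($key);
    return base64_encode($salt . $nonce . $box);
}

function decryptWithPassword(string $stored, string $password): string
{
    $raw = base64_decode($stored, true);
    $head = SODIUM_CRYPTO_PWHASH_SALTBYTES + SODIUM_CRYPTO_SECRETBOX_NONCEBYTES;
    if ($raw === false || strlen($raw) < $head + SODIUM_CRYPTO_SECRETBOX_MACBYTES) {
        throw new RuntimeException('malformed ciphertext');
    }
    $salt  = substr($raw, 0, SODIUM_CRYPTO_PWHASH_SALTBYTES);
    $nonce = substr($raw, SODIUM_CRYPTO_PWHASH_SALTBYTES, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $key = deriveKey($password, $salt);
    $plain = sodium_crypto_secretbox_open(substr($raw, $head), $nonce, $key);
    sodium_memzero($key);
    if ($plain === false) {
        throw new RuntimeException('wrong password or modified data');
    }
    return $plain;
}

$stored = encryptWithPassword('TheVerySecretString', 'SomePassword');   // values from the question
echo decryptWithPassword($stored, 'SomePassword'), "\n";
try {
    decryptWithPassword($stored, 'WrongPassword');
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
}
```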

How to decrypt text in PHP that is encrypted by Rijndael in .NET

We use .NET to encrypt text with the following procedure:
RijndaelManaged rijndaelCipher = new RijndaelManaged();
rijndaelCipher.Mode = CipherMode.CBC;
rijndaelCipher.Padding = PaddingMode.PKCS7;
rijndaelCipher.KeySize = 128;
rijndaelCipher.BlockSize = 128;
One of our partners tried to use PHP to decrypt it, but failed.
Do you know whether PHP has an existing library to help them out?
Thanks
$decode = trim(base64_decode($decrypt));
$iv = mcrypt_create_iv(mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_ECB), MCRYPT_RAND);
$decrypted = mcrypt_decrypt(MCRYPT_RIJNDAEL_128, $mc_key, $decode, MCRYPT_MODE_ECB, $iv);
