PHP Data Encryption
Results 1 to 8 of 8

Thread: PHP Data Encryption

  1. #1
    Senior Member
    Join Date
    Mar 2003
    Posts
    452

    PHP Data Encryption

    As people in the Information Technology industry, we work with data on a daily basis. Many times, the data we with is considered sensitive and requires a higher level of protection then most.

    Cryptography helps us to protect our most sensitive data from those not authorized to view it.

    In todays lesson, I'm going to be using the BlowFish encryption algorithm, and of course, we will be doing this in PHP. Why PHP you ask? (Slap upside your head).

    Crypt_Blowfish is a class which preforms Blowfish encryption on the fly using only PHP. It does not require the Mcrypt PHP extension to work. This package allows you to perform two-way blowfish encryption on the fly using only PHP.

    Crypt_Blowfish is actually a Pear Package, so you can grab it from here:
    http://pear.php.net/package/Crypt_Blowfish/

    or as root simply run: #pear install Crypt_Blowfish

    Pear is installed by default on most recent versions of PHP. If you don't have it installed, you've either explicity requested not to install during compile time, or your really using an older version of php, which you should upgrade.

    Now that we have the package installed, we can begin with the brief lesson.

    Before I show you to use this encryption, there are a few things you'll want to take into consideration. First, don't encrypt everything unless it's really necessary. Encrypt things like credit card numbers, social security numbers, home addresses, passwords, financial data. Those are the most highly sensitive types of data you can maintain. So, if you actually work with this type of data, make sure your doing the right thing.

    On to the example code:

    Code:
    <?php
    require_once 'Crypt/Blowfish.php';  // Just including the class
    
    // Create the Crypt_Blowfish object using a secret key. The key must be
    //protected at all costs. The key is like a password to access the data.
    $blowfish = new Crypt_Blowfish('super secret key');
    
    // This is the text we will encrypt
    $encrypted = $blowfish->encrypt('Visa Card 4111111111111111');
    
    // At this point you can take $encrypted and place it in your database. If 
    //you desire.
    
    // Getting back the original message. Where $encrypted = the ciphertext.
    // Most likely $encrypted will be your data from a mysql query.
    $decrypted = $blowfish->decrypt($encrypted);
    
    // Now here is your encrypted message and the original message.
    echo 'Encrypted: ' . bin2hex($encrypted) . "<br />";
    echo 'Decrypted: ' . $decrypted;
    
    ?>
    Not as hard as you thought it was huh. Remember not to lose your key, or your data is gone, unless your the NSA
    --------------------------------------------------------
    The above code outputs the following:

    Encrypted: dda661b7764debf95d09caacbe74244335a884847b22cb476af6c25cfe4baf31
    Decrypted: Visa Card 4111111111111111


    My name is PuRe and this has been a PHP Crytography tutorial.
    Like this post? Visit PuRe\'s Information Technology Community. We\'ve also got some kick ass Technology Forums. Shop for books and dvds on LiveWebShop.com

  2. #2
    Senior Member
    Join Date
    Mar 2005
    Posts
    175
    Definitly good tutorial, PuRe. This is going to help me as I am moving from ASP to PHP. Looking forward for more PHP tutorials.

    - :S:
    \"And life is what we make it. Always has been, always will be.\"

  3. #3
    Banned
    Join Date
    May 2005
    Posts
    47
    What's the benefit of using blowfish over md5 per say? Wouldn't one way encryption be a better choice when working with sensitive data rather than two way? Would more processing power be needed in comparsion to md5 for example since the call to an outside class? How would that be represented on a larger scale of let's say a site handling 50,000 users?

  4. #4
    Senior Member
    Join Date
    Mar 2003
    Posts
    452
    The benefit to using blowfish over md5 is that for one, it's a higher level of encryption. Md5 is only one way hash, which wouldn't help you if you are trying to legitimately retrieve data. Remember that this is data that is to be retrieved so it can be used, not just compared (like passwords).

    Blowfish actually uses a negligible amount of cpu power. It does everything on the fly, and doesn't require anymore power then your other scripts.

    As far as how many users you can support, well that's still depends on your hardware and bandwidth.


    PuRe
    Like this post? Visit PuRe\'s Information Technology Community. We\'ve also got some kick ass Technology Forums. Shop for books and dvds on LiveWebShop.com

  5. #5
    Senior Member
    Join Date
    Jan 2002
    Posts
    1,207
    Originally posted here by PuReExcTacy
    [B]The benefit to using blowfish over md5 is that for one, it's a higher level of encryption.
    They cannot be compared. It's apples and oranges. Md5 is a hashing algorithm, blowfish is a symmetric cipher. They do different things.

    Md5 is only one way hash, which wouldn't help you if you are trying to legitimately retrieve data.
    Absolutely!

    Blowfish actually uses a negligible amount of cpu power.
    I don't think you can meaningfully make that assertion without some context. For example

    - Blowfish uses a neligible amount of CPU power, for encrypting / decrypting a short string on a PHP page

    Obviously encrypting your entire hard disc using Blowfish (or any other cipher) may not use a "negligible" amount of CPU power.

    The question I want to ask is:

    - Why encrypt data on a web server if you're not sending it anywhere?
    - If you can't trust your machine's own hard disc, you shouldn't be storing sensitive data, encrypted or not - an attacker with access to it can easily find the key to decrypt it, or modify your scripts so they collect data and store it unencrypted
    - If your web site runs over HTTP on an untrusted network (example: the internet), why bother encrypting stuff on your HD as the network is obviously much less secure
    - Why didn't you mention HTTPS?

    Slarty

  6. #6
    Senior Member
    Join Date
    Mar 2003
    Posts
    452
    - Why encrypt data on a web server if you're not sending it anywhere?
    Who says it's not going anywhere?

    - If you can't trust your machine's own hard disc, you shouldn't be storing sensitive data, encrypted or not - an attacker with access to it can easily find the key to decrypt it, or modify your scripts so they collect data and store it unencrypted
    Obviously everyone will enable as much protection on their server as they can. Again obviously if an attacker has access to the key they will be able to decrypt the data, but that's just obvious.

    - If your web site runs over HTTP on an untrusted network (example: the internet), why bother encrypting stuff on your HD as the network is obviously much less secure
    I'm not talking about my website. This is just a general tutorial, but hopefully for whom ever is collecting sensitive data, they should also be using SSL (https) so that it safely travels over the internet.

    - Why didn't you mention HTTPS?
    Just did.

    The purpose of the tutorial is to discuss using encryption in php. Clearly there are other security considerations you'll want to be aware of, thank you Slarty for pointing out those important points.
    The encryption will be useless if you allow the server to be compromised.


    PuRe
    Like this post? Visit PuRe\'s Information Technology Community. We\'ve also got some kick ass Technology Forums. Shop for books and dvds on LiveWebShop.com

  7. #7
    Junior Member
    Join Date
    Jan 2012
    Posts
    1

    Question Marks in Black Diamonds

    I realize this is a very old thread, but I'm having a slight problem with the code and hoping someone can shed some light.

    When I run the script, the decrypted data is displayed as such:

    Decrypted: Visa Card 4111111111111111������

    From what I've found online the question marks in the black diamond are apparently displayed when the interpreter can't read a character. Can't figure out why it thinks there's additional characters after the original string that was encrypted. Anyone have a solution?

  8. #8
    Senior Member Wazz's Avatar
    Join Date
    Apr 2003
    Posts
    288
    I would suspect it would have something to do with the version of PHP you're running with this code.....That is only a guess as that I am an amateur at best when it comes to this type of PHP coding.....you could try an older version released at the time of this post to test. Again, I am just guessing on this.......
    "It is a shame that stupidity is not painful" - Anton LaVey

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides