Tutorial on How to Secure Sensitive Data in PHP using Encryption and Decryption - PHP Simple Encryption and Decryption package blog


Updated on: 2020-06-19

Posted on: 2020-06-19

Viewers: 1,057 (June 2020 until August 2020)

Last month viewers: 48 (August 2020)

Package: PHP Simple Encryption and Decryption

As we all know, encryption is a vital process to secure sensitive data in any software application.

When done incorrectly it can result in stolen data or unrecoverable information.

Read this tutorial article to learn how to use the PHP Simple Encryption and Decryption package to choose the right cryptography cipher and generate a secure IV, so you do not need to be an expert in cryptography.





In this article you will learn:

How to Secure Sensitive Data Using Cryptography?

How to Choose an Encryption Algorithm Cipher?

How to Generate the Initialization Vector (IV)?

How to use the PHP Simple Encryption and Decryption Class?

How to Avoid Inconvenient Cryptography Algorithm Ciphers?

Downloading All Package Files

Installing the Package with Composer


Figure: Encryption and Decryption with an Initialization Vector (CBC mode). Image: https://commons.wikimedia.org/wiki/File:Cbc_encryption.png

How to Secure Sensitive Data Using Cryptography?

Once you have identified data that is sensitive and should be encrypted when placed in storage, you need to do the following before you can encrypt it:

  1. Choose an encryption algorithm cipher

  2. Generate a secure random initialization vector (IV)

  3. Use a secure network data transmission method such as HTTPS, or a permanent storage container such as a database or file storage.

How to Choose an Encryption Algorithm Cipher?

In PHP you can use the OpenSSL extension to encrypt your data. When using OpenSSL there are over 100 encryption ciphers available to choose from. So which do you choose? How do you know which algorithm is the safest? Or which ones are obsolete?

To take the guesswork out of choosing a secure encryption algorithm, the PHP Simple Encryption and Decryption package uses AES-256-CBC, a strong encryption algorithm, by default.

If this encryption algorithm ever becomes compromised, the class will default to a newer and stronger algorithm.

You will still be able to decrypt existing data, but new data you encrypt will automatically gain the use of the latest in crypto ciphers. All you will need to do is update your PHP Simple Encryption library.

How to Generate the Initialization Vector (IV)?

Initialization vectors (IVs) are a critical element in generating truly secure encrypted data. The more random your IV is, the lower the probability that an attacker can determine relationships between sets of encrypted data.

A common mistake when attempting to use cryptography is generating an IV that is not really random.

In fact, it is not uncommon to see developers use the same IV over and over again, or even go so far as to hard-code a specific IV into their projects.

The PHP Simple Encryption and Decryption class can generate a strong IV with only one line of code that ensures your IVs are strong and your encrypted data is secure.

How to use the PHP Simple Encryption and Decryption Class?

Using PHP Simple Encryption is as simple as:

  1. Including your vendor autoload script file into your project

  2. Creating your PHP Simple Encryption and Decryption class object

  3. Generating your IV

  4. Encrypting your data

Example code for Encryption

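<?php
require 'vendor/autoload.php'; // Step 1: Composer autoload script

use Encryption\Encryption;

$text = 'The quick brown fox jumps over the lazy dog';
$key  = 'secretkey'; // demo value only
// Step 2: create the encryption object (default cipher: AES-256-CBC)
$encryption = Encryption::getEncryptionObject();
// Step 3: generate a fresh random IV for this piece of data
$iv = $encryption->generateIv();
// Step 4: encrypt
$encryptedText = $encryption->encrypt($text, $key, $iv);
printf('Cipher   : %s%s', $encryption->getName(), PHP_EOL);
printf('IV       : %s%s', base64_encode($iv), PHP_EOL);
printf('Encrypted: %s%s', $encryptedText, PHP_EOL);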

Sample output for encryption

Cipher   : AES-256-CBC
IV       : QCLaYQ/+jUErSHzaq0ki6w==
Encrypted: JmJDbHRd+4LfndWs7noGLz4JaUDx9jt8yBCeNNu5vBw4vU5EtFpHs3AAeDviyk8wNR28ZL0OcGis4ph5bKRKcA==

Note: Here we have encoded the IV using base64. Otherwise it would look like a bunch of gibberish on your screen.

Example Code for Decryption

As long as you have stored your secret key and IV, you can easily decrypt your encrypted data like this:

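use Encryption\Encryption;

// Use the same cipher that encrypted the data (here the default, AES-256-CBC)
$encryption = Encryption::getEncryptionObject();

// $key and $iv are the values used when you encrypted the data
$decryptedText = $encryption->decrypt($encryptedText, $key, $iv);
printf('Decrypted: %s%s', $decryptedText, PHP_EOL);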
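
One way to keep each IV together with the data it belongs to, shown as an added example that is not part of the package or the original article. It calls PHP's OpenSSL extension directly rather than the package class; `sealRecord()` and `openRecord()` are hypothetical helper names. The IV does not have to be kept secret, so it can be stored in front of the ciphertext in the same field.

```php
<?php
// Added example, not package code. Helper names are hypothetical.
const CIPHER = 'aes-256-cbc';

/** Encrypt with a fresh IV and return base64(IV || ciphertext) for storage. */
function sealRecord(string $plaintext, string $key): string
{
    $iv = random_bytes(openssl_cipher_iv_length(CIPHER)); // new IV per record
    $ct = openssl_encrypt($plaintext, CIPHER, $key, OPENSSL_RAW_DATA, $iv);
    if ($ct === false) {
        throw new RuntimeException('Encryption failed');
    }
    return base64_encode($iv . $ct);
}

/** Split the stored value back into IV and ciphertext, then decrypt. */
function openRecord(string $stored, string $key): string
{
    $ivLen = openssl_cipher_iv_length(CIPHER);
    $raw   = base64_decode($stored, true); // strict: reject non-base64 input
    if ($raw === false || strlen($raw) <= $ivLen) {
        throw new InvalidArgumentException('Stored value is malformed or truncated');
    }
    $iv = substr($raw, 0, $ivLen);
    $ct = substr($raw, $ivLen);
    $pt = openssl_decrypt($ct, CIPHER, $key, OPENSSL_RAW_DATA, $iv);
    if ($pt === false) {
        throw new RuntimeException('Decryption failed (wrong key or corrupted data)');
    }
    return $pt;
}

// Constructed sample values.
$key    = random_bytes(32); // 256-bit key
$text   = 'The quick brown fox jumps over the lazy dog';
$stored = sealRecord($text, $key);

printf('Stored value : %s%s', $stored, PHP_EOL);
printf('Round trip OK: %s%s', openRecord($stored, $key) === $text ? 'yes' : 'no', PHP_EOL);
// The same text sealed twice gives different stored values, because each call draws a new IV.
printf('Values differ: %s%s', sealRecord($text, $key) !== $stored ? 'yes' : 'no', PHP_EOL);
```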

How to Avoid Inconvenient Cryptography Algorithm Ciphers?

The PHP Simple Encryption and Decryption class library supports 127 crypto ciphers. However, not all of these are considered to be best practice to use.

Any cipher that uses ECB mode is considered not very safe to use, because identical plaintext blocks encrypt to identical ciphertext blocks. The Triple DES (3DES) algorithm is also obsolete as it can be compromised.

PHP Simple Encryption and Decryption class supports these ciphers to be compatible with any software project that may already be using these ciphers. It is not recommended that you use them in new projects.

Tips

- Make sure you choose a good secret key. It doesn't have to be as random as the IV, but that would help.

- Always generate a new IV for every piece of data you encrypt. Reusing IVs defeats the purpose of generating a strong, random IV.

- Do not generate your own IV. PHP Simple Encryption uses the best options currently available in PHP. Anything you choose to create on your own will not be as strong.
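
The following added example (not package code and not from the original article) shows what the ECB warning and the IV tips above protect against. It uses PHP's OpenSSL extension directly; `cipherBlocks()` is a hypothetical helper, and the key, IV and messages are constructed sample values.

```php
<?php
// Added example, not package code: what ECB mode and a reused CBC IV reveal.
const BLOCK_SIZE = 16; // AES block size in bytes

/** Encrypt and return the raw ciphertext as a list of hex-encoded 16-byte blocks. */
function cipherBlocks(string $cipher, string $plaintext, string $key, string $iv = ''): array
{
    $raw = openssl_encrypt($plaintext, $cipher, $key, OPENSSL_RAW_DATA, $iv);
    if ($raw === false) {
        throw new RuntimeException("Encryption with $cipher failed");
    }
    return array_map('bin2hex', str_split($raw, BLOCK_SIZE));
}

$key    = random_bytes(32);     // 256-bit key
$header = 'account=00012345';   // exactly one 16-byte block
$msgA   = $header . ';balance=100';
$msgB   = $header . ';balance=999';

// 1. ECB: equal plaintext blocks give equal ciphertext blocks within one message.
$ecb = cipherBlocks('aes-256-ecb', $header . $header, $key);
printf("ECB, repeated block visible  : %s\n", $ecb[0] === $ecb[1] ? 'yes' : 'no');

// 2. CBC with a hard-coded IV: messages that start the same encrypt the same there.
$fixedIv = str_repeat("\0", BLOCK_SIZE);
$a = cipherBlocks('aes-256-cbc', $msgA, $key, $fixedIv);
$b = cipherBlocks('aes-256-cbc', $msgB, $key, $fixedIv);
printf("CBC, reused IV, same prefix  : %s\n", $a[0] === $b[0] ? 'yes' : 'no');

// 3. CBC with a fresh random IV per message: the shared prefix no longer shows.
$ivLen = openssl_cipher_iv_length('aes-256-cbc');
$a = cipherBlocks('aes-256-cbc', $msgA, $key, random_bytes($ivLen));
$b = cipherBlocks('aes-256-cbc', $msgB, $key, random_bytes($ivLen));
printf("CBC, fresh IV, same prefix   : %s\n", $a[0] === $b[0] ? 'yes' : 'no');
```

The first two checks report a match and the third does not, which is the relationship between ciphertexts that a random per-message IV removes.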

Downloading All Package Files

If you want to use this package's files on your development computer, you can just go here and download all package files in a single compressed archive in ZIP or tar.gz format.

Installing the Package with Composer

If you want to install this package's files in your development or even in the production environment, you can just go here and find instructions to add this package to your project's composer.json file.





Comments:

2. Unclear text - Sam Spickle (2020-06-19 12:41)
Some of the text is unclear (misleading?)... - 1 reply

1. Storing the IV - Tofser (2020-06-19 07:04)
What's the best way to store the IV?... - 1 reply


