Databases
StackOverflow2013
Postsdbo
POBest practice for a simple encryption class. Am I using crypt and mcrypt well?
Body
 

Note that there are some explanatory texts on larger screens.

plurals
  1. POBest practice for a simple encryption class. Am I using crypt and mcrypt well?
    text
    copied!<p>These days I read a lot here on SO about password hashing and data encryption. It's a real mess, I mean, deciding what the best practice is. I need a very simple class that can be reused anywhere and that provide a <strong><em>decent-but-not-paranoic</em></strong> security level for my PHP applications (I do not handle bank data). Additionally, I want to rely as much as possible on PHP standard libs. I came up with this:</p> <pre><code>class Security { public static function hashPassword($plain) { $salt = md5(rand(0, 1023) . '@' . time()); // Random salt return crypt($plain, '$2a$07$' . $salt); // '$2a$07$' is the Blowfish trigger } public static function checkPassword($plain, $hash) { return (crypt($plain, $hash) === $hash); } public static function generateIv() { $iv_size = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_CBC); // It's 32 return mcrypt_create_iv($iv_size, MCRYPT_RAND); } public static function encrypt($key, $data, $iv = null, $base64 = true) { if (is_null($iv)) $iv = md5($key); $ret = mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $key, $data, MCRYPT_MODE_CBC, $iv); return ($base64 ? base64_encode($ret) : $ret); } public static function decrypt($key, $data, $iv = null, $base64 = true) { if (is_null($iv)) $iv = md5($key); return rtrim(mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $key, $base64 ? base64_decode($data) : $data, MCRYPT_MODE_CBC, $iv), "\0"); } } </code></pre> <p>As you can see, I choose to hash passwords with <a href="http://us.php.net/manual/en/function.crypt.php" rel="nofollow"><strong><code>crypt()</code></strong></a> using <strong>Blowfish hashing algorithm</strong>. The return value of <code>hashPassword()</code> is the salt + hash that then I store in the DB. I made this choice because <code>crypt()</code> is available on every server, provides a confortable way to check hash regardless of algorithm used (it's based on salt prefix) and, I read, <em>bcrypt</em> is a decent hashing method.</p> <p>Then, for data encryption I used <a href="http://www.php.net/manual/en/book.mcrypt.php" rel="nofollow"><strong><code>mcrypt()</code></strong></a> <strong>Rijndael 256</strong> algorithm with <strong>CBC mode</strong>. As you can see, I can use encryption methods in two way. I can pass a IV (and <code>generateIv()</code> helps me to create one) that I will store in the DB along crypted data, or, if I don't, a basic IV is derived from key in both crypt and decrypt process.</p> <p>What do you think about it? Am I missing something? Can I be finally relaxed about hashing and encryption in my PHP aplications?!?</p>
 

Querying!

 
Guidance
An individual column

Larger individual text columns get their own page to allow for proper reading.

SQuiL has stopped working due to an internal error.

If you are curious you may find further information in the browser console, which is accessible through the devtools (F12).

Reload