php security encryption technology

A PHP developer should mainly be familiar with the following encryption methods:

l       Symmetric encryption

l                                                                         ’ ’ ’ ’ ’ s OUT OUT-''t' ' t--a t-wre my myt i t i t i s                                      .                

this The appendix focuses on symmetric encryption algorithms using the mcrypt extension. The information you need to refer to is as follows:

Applied Cryptography, by Bruce Schneier (Wiley)

http://www.schneier.com/blog/

http://wikipedia.org/wiki /Cryptography

http://phpsec.org/articles/2005/password-hashing.html

http://pear.php.net/package/Crypt_HMAC

http://pear.php.net/package/ Crypt_RSA

C.1. Password storage

When you store passwords in the database, never store them in plain code. Instead, store the hash value of the password and use additional strings at the same time:

<?php
 
  /* $password contains the password. */
 
  $salt = &#39;SHIFLETT&#39;;
  $password_hash = md5($salt . md5($password . $salt));
 
  /* Store password hash. */
 
  ?>

When you need to confirm whether a password is correct, calculate the hash value in the same way and compare the similarities and differences:

<?php
 
  $salt = &#39;SHIFLETT&#39;;
  $password_hash = md5($salt . md5($_POST[&#39;password&#39;] . $salt));
 
  /* Compare password hashes. */
 
  ?>

If the hash values ​​are exactly the same, you have reason to think that the password is also the same.

If this trick is used, it is impossible to tell the user what their password is. When a user forgets his password, you can only ask him to enter a new password and recalculate the hash value and store it in the database. Of course, you need to be very careful about authenticating users - password reminders are a frequent target of attacks and a frequent source of security breaches.

C.2. Using mcrypt

PHP’s standard encryption extension is mcrypt, which supports many different encryption algorithms. You can view the list of algorithms supported on your platform through the mcrypt_list_algorithms() function:

<?php
 
  echo &#39;<pre class="brush:php;toolbar:false">&#39; . print_r(mcrypt_list_algorithms(), TRUE) . &#39;

'; ?>

Encryption and decryption are implemented by the mcrypt_encrypt() and mcrypt_decrypt() functions respectively. Both functions have 5 parameters, the first parameter is used to specify the algorithm used:

 <?php
 
  mcrypt_encrypt($algorithm,
                 $key,
                 $cleartext,
                 $mode,
                 $iv);
 
  mcrypt_decrypt($algorithm,
                 $key,
                 $ciphertext,
                 $mode,
                 $iv);
 
  ?>

The encryption key (second parameter) is very sensitive data, so you want to make sure to store it In a safe place. Encryption keys can be protected using the methods for protecting database permissions in Chapter 8. If financial conditions permit, hardware encryption keys are the best choice, providing super strong security.

The function has multiple modes to choose from. You can use mcrypt_list_modes() to list all supported modes:

<?php
 
  echo &#39;<pre class="brush:php;toolbar:false">&#39; . print_r(mcrypt_list_modes(), TRUE) . &#39;

'; ?>

The fifth parameter ($iv) is the initialization vector, which can be created using the mcrypt_create_iv() function.

The following example class provides basic encryption and decryption methods:

class crypt
  {
    private $algorithm;
    private $mode;
    private $random_source;
 
    public $cleartext;
    public $ciphertext;
    public $iv;
 
    public function __construct($algorithm = MCRYPT_BLOWFISH,
                                $mode = MCRYPT_MODE_CBC,
                                $random_source = MCRYPT_DEV_URANDOM)
    {
      $this->algorithm = $algorithm;
      $this->mode = $mode;
      $this->random_source = $random_source;
    }
 
    public function generate_iv()
    {
      $this->iv = mcrypt_create_iv(mcrypt_get_iv_size($this->algorithm,
        $this->mode), $this->random_source);
    }
 
    public function encrypt()
    {
      $this->ciphertext = mcrypt_encrypt($this->algorithm,
        $_SERVER['CRYPT_KEY'], $this->cleartext, $this->mode, $this->iv);
    }
 
    public function decrypt()
    {
      $this->cleartext = mcrypt_decrypt($this->algorithm,
        $_SERVER['CRYPT_KEY'], $this->ciphertext, $this->mode, $this->iv);
    }
  }
 
  ?>

The above class will be used in other examples, the following is an example of its usage:

<?php
 
  $crypt = new crypt();
 
  $crypt->cleartext = &#39;This is a string&#39;;
  $crypt->generate_iv();
  $crypt->encrypt();
 
  $ciphertext = base64_encode($crypt->ciphertext);
  $iv = base64_encode($crypt->iv);
 
  unset($crypt);
 
  /* Store $ciphertext and $iv (initialization vector). */
 
  $ciphertext = base64_decode($ciphertext);
  $iv = base64_decode($iv);
 
  $crypt = new crypt();
 
  $crypt->iv = $iv;
  $crypt->ciphertext = $ciphertext;
  $crypt->decrypt();
 
  $cleartext = $crypt->cleartext;
?>

Tips

This extension requires You use the -mcrypt flag when compiling PHP. For installation instructions and requirements, see http://php.net/mcrypt.

C.3. Saving of Credit Card Numbers

I am often asked how to store credit card numbers safely. Mine always starts by asking if they really need to save the credit card number. After all, no matter how it is done, it is unwise to introduce unnecessary risks. At the same time, national laws also have regulations on the processing of credit card information, and I always carefully remind myself that I am not a legal expert.

In this book I will not specifically discuss credit card processing methods, but will explain how to save encrypted information to the database and decrypt it when reading. This process results in a degradation of system performance, but does provide a layer of protection. Its main advantage is that if the database content is leaked, only the encrypted information is exposed, but the premise is that the encryption key is safe. Therefore, the encryption key is as important as the implementation of the encryption itself.

The process of saving encrypted data to data is to first encrypt the data, and then create ciphertext through the initial vector and plaintext and save it to the database. Since the ciphertext is a binary string, it needs to be converted into a normal text string through base64_encode() to ensure safe storage of binary encoding.

  <?php
 
  $crypt = new crypt();
 
  $crypt->cleartext = &#39;1234567890123456&#39;;
  $crypt->generate_iv();
  $crypt->encrypt();
 
  $ciphertext = $crypt->ciphertext;
  $iv = $crypt->iv;
 
  $string = base64_encode($iv . $ciphertext);
 
  ?>

Save the string to the database. When reading, it is the reverse processing of the above process:

 <?php
 
  $string = base64_decode($string);
 
  $iv_size = mcrypt_get_iv_size($algorithm, $mode);
 
  $ciphertext = substr($string, $iv_size);
  $iv = substr($string, 0, $iv_size);
 
  $crypt = new crypt();
 
  $crypt->iv = $iv;
  $crypt->ciphertext = $ciphertext;
  $crypt->decrypt();
 
  $cleartext =  $crypt->cleartext;
 
  ?>

This implementation method assumes that the encryption algorithm and mode remain unchanged. If they are undefined, you also need to save them for use in decrypting the data. The encryption key is the only data that needs to be kept secret.

C.4. Encrypt session data

如果你的数据库存在安全问题，或者部分保存在会话中的数据是敏感的，你可能希望加密会话数据。除非很有必要，一般我不推荐这样做，但是如果你觉得在你的情形下需要这样做的话，本节提供了一个实现方法的示例。

这个方案十分简单。实际上，在第八章中，已经说明了如何通过调用session_set_save_handler( )来执行你自己的会话机制。通过对保存和读取数据的函数的少量调整，你就能加密存入数据库的数据及在读取时解密数据：

  <?php
 
  function _read($id)
  {
    global $_sess_db;
 
    $algorithm = MCRYPT_BLOWFISH;
    $mode = MCRYPT_MODE_CBC;
 
    $id = mysql_real_escape_string($id);
 
    $sql = "SELECT data
            FROM   sessions
            WHERE  id = &#39;$id&#39;";
 
    if ($result = mysql_query($sql, $_sess_db))
    {
        $record = mysql_fetch_assoc($result);
 
        $data = base64_decode($record[&#39;data&#39;]);
 
        $iv_size = mcrypt_get_iv_size($algorithm, $mode);
 
        $ciphertext = substr($data, $iv_size);
        $iv = substr($data, 0, $iv_size);
 
        $crypt = new crypt();
 
        $crypt->iv = $iv;
        $crypt->ciphertext = $ciphertext;
        $crypt->decrypt();
 
        return $crypt->cleartext;
    }
 
    return &#39;&#39;;
  }
 
  function _write($id, $data)
  {
    global $_sess_db;
 
    $access = time();
 
    $crypt = new crypt();
 
    $crypt->cleartext = $data;
    $crypt->generate_iv();
    $crypt->encrypt();
 
    $ciphertext = $crypt->ciphertext;
    $iv = $crypt->iv;
 
    $data = base64_encode($iv . $ciphertext);
 
    $id = mysql_real_escape_string($id);
    $access = mysql_real_escape_string($access);
    $data = mysql_real_escape_string($data);
 
    $sql = "REPLACE
            INTO    sessions
            VALUES  (&#39;$id&#39;, &#39;$access&#39;, &#39;$data&#39;)";
 
    return mysql_query($sql, $_sess_db);
  }
  ?>