How Can I Securely Encrypt and Decrypt Strings in PHP Using Established Libraries?

Encrypting and Decrypting Strings in PHP

Avoiding Common Pitfalls

Before delving into the implementation of encryption and decryption, it's crucial to understand the difference between encryption and authentication. For secure data protection, authenticated encryption is recommended over simple encryption. Additionally, it's advisable to avoid creating custom cryptography implementations and instead rely on secure and well-established libraries like libsodium or defuse/php-encryption.

Encryption and Decryption

Encryption:

1. Encrypt the data using AES-CTR or GCM (recommended).
2. Authenticate the ciphertext using HMAC-SHA-256 (or Poly1305 for stream ciphers).

Decryption:

1. Verify the MAC of the ciphertext (if not using Poly1305 or GCM).
2. Decrypt the message.

Implementation with Libsodium

use Sodium\Crypto\SecretBox;

$key = random_bytes(SecretBox::KEYBYTES);
$nonce = random_bytes(SecretBox::NONCEBYTES);

$ciphertext = SecretBox::encrypt($message, $nonce, $key);
$plaintext = SecretBox::decrypt($ciphertext, $nonce, $key);

Implementation with defuse/php-encryption

use Defuse\Crypto\Crypto;
use Defuse\Crypto\Key;

$key = Key::createNewRandomKey();

$ciphertext = Crypto::encrypt($message, $key);
$plaintext = Crypto::decrypt($ciphertext, $key);

Additional Considerations

• Avoid compressing data before encryption.
• Use secure functions like mb_strlen() and mb_substr() for string manipulation.
• Generate IVs using a CSPRNG (e.g., random_bytes()).
• Avoid using functions like bin2hex() or base64_encode() for potential information leaks.
• Always authenticate the ciphertext (MAC) after encryption.

Cautions

• Do not encrypt passwords; use password hashing algorithms instead.
• Do not encrypt URL parameters; it's not the appropriate solution.

Example with Libsodium

use Sodium\Crypto\SecretBox;

$key = random_bytes(SecretBox::KEYBYTES);
$nonce = random_bytes(SecretBox::NONCEBYTES);

$ciphertext = SecretBox::encrypt($message, $nonce, $key);
$plaintext = SecretBox::decrypt($ciphertext, $nonce, $key);

echo "Ciphertext: " . $ciphertext . PHP_EOL;
echo "Plaintext: " . $plaintext . PHP_EOL;

The above is the detailed content of How Can I Securely Encrypt and Decrypt Strings in PHP Using Established Libraries?. For more information, please follow other related articles on the PHP Chinese website!