How to encrypt plaintext with AES-256 CBC in PHP using OpenSSL?

php cryptography aes php-openssl
DASH picture DASH · Jan 19, 2016 · Viewed 23.9k times · Source

I am trying to encrypt sensitive user data like personal messages in my php powered website before entering into the database. I have researched a bit on the internet and I have found the few important things to remember:

  1. Never use mcrypt, it's abandonware.

  2. AES is based on the Rijndael algorithm and has been unbroken till now.

  3. AES has also been recommended by NSA and used in US Government data encryption, but since the NSA is recommending it, there's a chance they might sneak upon my user data easily.

  4. Blowfish has been unbroken as well, but slow and less popular.

So, I decided I will give it a try first with AES-256 cbc. But I am still not sure if I should not consider Blowfish a better option. So any recommendations are welcome.

And my primary concern is, how to encrypt the data in php? I don't find a good manual about this in the php documentation. What is the correct way to implement it?

Any help is heavily appreciated.

Answer

Luke picture Luke · Jan 19, 2016

AES-256 (OpenSSL Implementation)

You're in Luck.

The openssl extension has some pretty easy to use methods for AES-256. The steps you need to take are basically...

  1. Generate a 256-bit encryption key (This needs storing somewhere)
    • $encryption_key = openssl_random_pseudo_bytes(32);
  2. Generate an "initialization vector" (This too needs storing for decryption but we can append it to the encrypted data)
    • $iv = openssl_random_pseudo_bytes(openssl_cipher_iv_length('aes-256-cbc'));
  3. encrypt data using openssl_encrypt()
    • openssl_encrypt($data, 'aes-256-cbc', $encryptionKey, $options, $initializationVector)
    • the $options can be set to 0 for default options or changed to OPENSSL_RAW_DATA | OPENSSL_ZERO_PADDING
  4. append the initialisation vector to the encrypted data
    • $encrypted = $encrypted . ':' . $iv;
  5. retrieve the encrypted data and the initialization vector.
    • explode(':' , $encrypted);
  6. decrypt data using openssl_decrypt()
    • openssl_decrypt($encryptedData, 'aes-256-cbc', $encryptionKey, $options, $initializationVector)

Enabling openssl

openssl_functions() won't be available by default, you can enable this extension in your php.ini file by uncommenting the line. ;extension=php_openssl.dll by removing the leading ;

PHP - Fiddle.

http://phpfiddle.org/lite/code/9epi-j5v2

Related questions

Correct way to use php openssl_encrypt

I'm working with cryptography on a project and I need a little help on how to work with openssl_encrypt and openssl_decrypt, I just want to know the most basic and correct way to do it. Here is what …

Read More
PHP AES encrypt / decrypt

I found an example for en/decoding strings in PHP. At first it looks very good but it wont work :-( Does anyone know what the problem is? $Pass = "Passwort"; $Clear = "Klartext"; $crypted = fnEncrypt($Clear, $Pass); echo "Encrypted: ".$crypted."</…

Read More
Using PHP mcrypt with Rijndael/AES

I am trying to encrypt some text messages using mcrypt from php and the cipher Rijndael, but I am not sure about the MCRYPT_MODE_modename (according to PHP's manual these are available "ecb", "cbc", "cfb", "ofb", "nofb" or "stream" …

Read More