PHP DevCenter


PHP's Encryption Functionality

by W.J. Gilmore
07/26/2001

"2db76afcc5c0176b2770fc2360cc1cd4"!

What?!?

I said, "648a19754f7803769c66f871b9cd171a"!

Of course, I don't expect you to be able to understand the above two phrases. In fact, I'm counting on it, because I've encrypted the data to hide the true meaning of the messages. Data encryption plays an increasingly important role in our lives, particularly considering the mammoth number of transactions and activities that take place online. If you are responsible for implementing such data security features, you may be interested to know that PHP provides a useful array of security-oriented functionality. In this article, I'll introduce you to this functionality, giving you a basis from which to begin incorporating security enhancements into your own applications.

Preliminary information

Before delving into PHP's security functionality, I'd like to take a moment to introduce you to several notions of cryptography that will be particularly informative to those new to the subject. If you're already familiar with the very basic concepts of cryptography, feel free to skip ahead to the next section.

Cryptography can be generally defined as the study and practice of encryption and decryption, where encryption is the process of converting data into a format unreadable by all except certain parties, and decryption is the process of converting the encrypted data back into its original readable format. The unreadable data is known as "ciphertext," while the readable data is known as "plaintext."

Data is encrypted and decrypted using some form of algorithm. These algorithms can be relatively simple, such as the famed Caesar cipher (supposedly invented by Julius Caesar himself), which shifts each alphabetical character n places so as to "scramble" the meaning of the data. Today's algorithms are considerably more complex, and some are considered unbreakable using currently known methods. To put it into perspective, the Caesar cipher can be broken with patience, a pencil and paper, while it is currently computationally infeasible to recover even a single key used with Rijndael, the Advanced Encryption Standard (AES) algorithm.

PHP's cryptography functionality

Those of you with even minimal experience on Unix-like platforms are probably familiar with the crypt() function. It implements what is termed one-way encryption: plain text can be encrypted, but there is no way to convert the ciphertext back to its original form. On the surface this may seem like a relatively useless idea, but it is a widely used technique for protecting system passwords. After all, if the one-way encrypted passwords somehow fall into the hands of a third party, they are of little use, because they can never be converted back to plain text. When it comes time to verify a password entered by a user, that input is encrypted with the same one-way algorithm (and the same salt) and compared with the stored encrypted password. If they match, the input password must be correct.

PHP provides this one-way encryption through its own crypt() function. I'll briefly introduce this function here:

string crypt (string input_string [, string salt])

The input parameter input_string is the string you would like to encrypt. The second, optional parameter salt is a string that alters the encryption outcome, so that the same input encrypted with different salts produces different results; this eliminates the possibility of what are known as precomputation attacks. By default, PHP uses a two-character DES salt string. However, if the encryption standard on your system happens to be MD5 (I'll introduce the MD5 algorithm later), a 12-character salt string is used. Incidentally, you can find out the size of the salt string your system will use by executing the following:

print "My system salt size is: ". CRYPT_SALT_LENGTH;

Chances are your system supports additional encryption algorithms. In all, crypt() supports four, each of which is shown below along with its corresponding salt:

    Algorithm        Salt
    CRYPT_STD_DES    2-character (default)
    CRYPT_EXT_DES    9-character
    CRYPT_MD5        12-character beginning with $1$
    CRYPT_BLOWFISH   16-character beginning with $2$
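The following is an added example, not code from the original article, showing the store-and-verify pattern described above with the CRYPT_MD5 scheme from the table: a fresh random salt per password, and verification by passing the stored value back to crypt() as the salt. It assumes PHP 7.0 or later (for random_bytes() and hash_equals()); the function names are my own.

```php
<?php
// Added example: one-way password storage with crypt() and a random salt.
// Assumes PHP >= 7.0 (random_bytes, hash_equals). Function names are hypothetical.

// Build a CRYPT_MD5 salt: "$1$", 8 characters from ./0-9A-Za-z, "$" (12 chars total).
function make_md5_salt(): string
{
    $alphabet = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
    $salt = '';
    foreach (str_split(random_bytes(8)) as $byte) {
        $salt .= $alphabet[ord($byte) % 64];
    }
    return '$1$' . $salt . '$';
}

// Encrypt a password for storage. Each call uses a new salt, so two users with
// the same password get different stored values (defeating precomputed tables).
function store_password(string $plain): string
{
    $hash = crypt($plain, make_md5_salt());
    // crypt() signals an unsupported scheme with a very short result ("*0" / "*1").
    if (strlen($hash) < 13) {
        throw new RuntimeException('CRYPT_MD5 is not available on this system');
    }
    return $hash;
}

// Verify user input against the stored value. crypt() reads the salt back out of
// the stored hash, so the same salt is reused; hash_equals() compares in constant time.
function verify_password(string $plain, string $stored): bool
{
    return hash_equals($stored, crypt($plain, $stored));
}

// Constructed demonstration values.
$stored = store_password('correct horse');
echo "Stored value:          $stored\n";
echo "Correct password ok:   " . var_export(verify_password('correct horse', $stored), true) . "\n";
echo "Wrong password ok:     " . var_export(verify_password('wrong horse', $stored), true) . "\n";
echo "Re-encrypting differs: " . var_export(store_password('correct horse') !== $stored, true) . "\n";
```

On PHP 5.5 and later, password_hash() and password_verify() wrap this same pattern with a stronger default scheme and are the preferred interface for new code.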
