Skip to content

A petite library of encryption functions for PHP

License

Notifications You must be signed in to change notification settings

mmeyer2k/dcrypt

Folders and files

NameName
Last commit message
Last commit date

Latest commit

Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 

Repository files navigation

πŸ”dcrypt

Build Status Code Coverage Scrutinizer Code Quality Code Climate GPA License Latest Stable Version

A petite library of essential encryption functions for PHP 7.1+. For legacy PHP version support, look here.

Install

Add dcrypt to your composer.json file requirements. Don't worry, dcrypt does not have any dependencies of its own.

composer require "mmeyer2k/dcrypt:^13.2"

Block Ciphers

The dcrypt library helps application developers avoid common mistakes in crypto implementations that leave data at risk.

Specification document

Keys

Safe usage of dcrypt's block cipher functions requires the use of a high entropy 256 bit (minimum) key. Keys should be passed into dcrypt in base64 encoded format. You are responsible for the randomness of your key!

Generate a new key on the linux CLI:

head -c 32 /dev/urandom | base64 -w 0 | xargs echo

Or with PHP...

<?php
$key = \Dcrypt\OpensslKey::create(32);

AES-256 GCM Encryption

Since PHP 7.1 supports native AEAD encryption modes, using GCM would be safest option for most applications. Dcrypt will handle the AEAD authentication tag, SHA3-256 HMAC, initialization vector and encrypted message as a single unencoded string.

<?php
$key = '[...BASE64 KEY...]';

$encrypted = \Dcrypt\Aes::encrypt('a secret', $key);

$plaintext = \Dcrypt\Aes::decrypt($encrypted, $key);

If in doubt, use this example and don't read any further!

Other AES-256 Modes

If you read to this point then you are an experienced cryptonaut, congrats! πŸ‘Œ 🀘

Several AES-256 encryption modes are supported out of the box via hardcoded classes.

Class Name OpenSSL Cipher Security Rating Further Reading
Aes256Gcm or Aes aes-256-gcm πŸ˜ƒ wiki
Aes256Ctr aes-256-ctr ☺️ wiki
Aes256Cbc aes-256-cbc πŸ˜‘ wiki
Aes256Ofb aes-256-ofb 😬 wiki
Aes256Cfb aes-256-cfb 😯 wiki
Aes256Ccm aes-256-ccm 😲 wiki
Aes256Ecb aes-256-ecb 😑 wiki

Custom Encryption Suites

Dcrypt is compatible with most OpenSSL ciphers and hashing algorithms supported by PHP. Run openssl_get_cipher_methods() and hash_algos() to view supported options on your platform.

Static Wrapper

Use any cipher/algo combination by calling the OpensslStatic class.

<?php
$encrypted = \Dcrypt\OpensslStatic::encrypt('a secret', $key, 'bf-ofb', 'crc32');

$plaintext = \Dcrypt\OpensslStatic::decrypt($encrypted, $key, 'bf-ofb', 'crc32');

Class Overloading

Dcrypt's internal functions are easily extendable by overloading the OpensslBridge class.

<?php
class BlowfishCrc32 extends \Dcrypt\OpensslBridge 
{
    const CIPHER = 'bf-ofb';

    const ALGO = 'crc32';
}

$encrypted = BlowfishCrc32::encrypt('a secret', $key);

$plaintext = BlowfishCrc32::decrypt($encrypted, $key);

Layered Encryption Factory

Feeling especially paranoid? Not sure which cipher methods and algos can be trusted? Why not try all of them.

<?php
$stack = (new \Dcrypt\OpensslStack($key))
    ->add('aes-256-ecb', 'snefru')
    ->add('aes-256-ofb', 'sha224')
    ->add('aes-256-cbc', 'sha256')
    ->add('aes-256-ctr', 'sha384')
    ->add('aes-256-gcm', 'sha512');

$encrypted = $stack->encrypt('a secret');

$plaintext = $stack->decrypt($encrypted);

Message Authenticity Checking

By default, \Dcrypt\Exceptions\InvalidChecksumException exception will be raised before decryption is allowed to proceed when the supplied checksum is not valid.

<?php
try {
    $decrypted = \Dcrypt\Aes::decrypt('malformed cyphertext', $key);
} catch (\Dcrypt\Exceptions\InvalidChecksumException $ex) {
    // ...
}

Stream Ciphers

Be sure you understand the risks and inherent issues of using a stream cipher before proceeding.

One Time Pad

A novel counter-based stream cipher. OneTimePad uses SHA3-512 to output a keystream that is βŠ•'d with the input in 512 bit chunks.

Specification document

<?php
$encrypted = \Dcrypt\OneTimePad::crypt('a secret', $key);

$plaintext = \Dcrypt\OneTimePad::crypt($encrypted, $key);

OneTimePad can use any hashing algorithm to generate the pseudorandom keystream.

<?php
$encrypted = \Dcrypt\OneTimePad::crypt('a secret', $key, 'whirlpool');

$plaintext = \Dcrypt\OneTimePad::crypt($encrypted, $key, 'whirlpool');

String Helpers

Generate random base62 string tokens with specified number of characters.

$token = \Dcrypt\Str::token(10);

Compare 2 strings in a time-safe manner.

$equal = \Dcrypt\Str::equal($known, $given);

Show me some love 😍🍺

Developing dcrypt has been a great journey for many years. If you find dcrypt useful, please consider donating.

LTC LN97LrLCNiv14V6fntp247H2pj9UiFzUQZ
BTC 3N7vhA6ghWb1VrP4nGA6m6mzA9T2ASCVEj
ETH 0xe14a56046f28fCEF56A0EA4a84973bDdFF546923

Or please consider checking out my dcrypt inspired encryption library for .NET, check out harpocrates.