mmeyer2k / dcrypt
A petite library of encryption functionality for PHP
Installs: 446 377
Dependents: 2
Suggesters: 0
Security: 0
Stars: 100
Watchers: 6
Forks: 8
Open Issues: 0
Requires
- php: >=7.1.0
- ext-mbstring: *
- ext-openssl: *
This package is auto-updated.
Last update: 2024-10-26 00:21:38 UTC
README
A petite library of essential encryption functions for PHP 7.1+. For legacy PHP version support, look here.
Install
Add dcrypt to your composer.json file requirements. Don't worry, dcrypt does not have any dependencies of its own.
composer require "mmeyer2k/dcrypt:^13.2"
Block Ciphers
The dcrypt library helps application developers avoid common mistakes in crypto implementations that leave data at risk.
Keys
Safe usage of dcrypt's block cipher functions requires the use of a high entropy 256 bit (minimum) key. Keys should be passed into dcrypt in base64 encoded format. You are responsible for the randomness of your key!
Generate a new key on the linux CLI:
head -c 32 /dev/urandom | base64 -w 0 | xargs echo
Or with PHP...
<?php $key = \Dcrypt\OpensslKey::create(32);
AES-256 GCM Encryption
Since PHP 7.1 supports native AEAD encryption modes, using GCM would be safest option for most applications. Dcrypt will handle the AEAD authentication tag, SHA3-256 HMAC, initialization vector and encrypted message as a single unencoded string.
<?php $key = '[...BASE64 KEY...]'; $encrypted = \Dcrypt\Aes::encrypt('a secret', $key); $plaintext = \Dcrypt\Aes::decrypt($encrypted, $key);
If in doubt, use this example and don't read any further!
Other AES-256 Modes
If you read to this point then you are an experienced cryptonaut, congrats! 👌 🤘
Several AES-256 encryption modes are supported out of the box via hardcoded classes.
Custom Encryption Suites
Dcrypt is compatible with most OpenSSL ciphers and hashing algorithms supported by PHP.
Run openssl_get_cipher_methods()
and hash_algos()
to view supported options on your platform.
Static Wrapper
Use any cipher/algo combination by calling the OpensslStatic
class.
<?php $encrypted = \Dcrypt\OpensslStatic::encrypt('a secret', $key, 'bf-ofb', 'crc32'); $plaintext = \Dcrypt\OpensslStatic::decrypt($encrypted, $key, 'bf-ofb', 'crc32');
Class Overloading
Dcrypt's internal functions are easily extendable by overloading the OpensslBridge
class.
<?php class BlowfishCrc32 extends \Dcrypt\OpensslBridge { const CIPHER = 'bf-ofb'; const ALGO = 'crc32'; } $encrypted = BlowfishCrc32::encrypt('a secret', $key); $plaintext = BlowfishCrc32::decrypt($encrypted, $key);
Layered Encryption Factory
Feeling especially paranoid? Not sure which cipher methods and algos can be trusted? Why not try all of them.
<?php $stack = (new \Dcrypt\OpensslStack($key)) ->add('aes-256-ecb', 'snefru') ->add('aes-256-ofb', 'sha224') ->add('aes-256-cbc', 'sha256') ->add('aes-256-ctr', 'sha384') ->add('aes-256-gcm', 'sha512'); $encrypted = $stack->encrypt('a secret'); $plaintext = $stack->decrypt($encrypted);
Message Authenticity Checking
By default, \Dcrypt\Exceptions\InvalidChecksumException
exception will be raised before decryption is allowed to proceed when the supplied checksum is not valid.
<?php try { $decrypted = \Dcrypt\Aes::decrypt('malformed cyphertext', $key); } catch (\Dcrypt\Exceptions\InvalidChecksumException $ex) { // ... }
Stream Ciphers
Be sure you understand the risks and inherent issues of using a stream cipher before proceeding.
- Each key should only be used once
- Data integrity can not be guaranteed
- https://en.wikipedia.org/wiki/Stream_cipher_attacks
- https://jameshfisher.com/2018/01/01/making-a-stream-cipher/
One Time Pad
A novel counter-based stream cipher.
OneTimePad
uses SHA3-512 to output a keystream that is ⊕'d with the input in 512 bit chunks.
<?php $encrypted = \Dcrypt\OneTimePad::crypt('a secret', $key); $plaintext = \Dcrypt\OneTimePad::crypt($encrypted, $key);
OneTimePad
can use any hashing algorithm to generate the pseudorandom keystream.
<?php $encrypted = \Dcrypt\OneTimePad::crypt('a secret', $key, 'whirlpool'); $plaintext = \Dcrypt\OneTimePad::crypt($encrypted, $key, 'whirlpool');
String Helpers
Generate random base62 string tokens with specified number of characters.
$token = \Dcrypt\Str::token(10);
Compare 2 strings in a time-safe manner.
$equal = \Dcrypt\Str::equal($known, $given);
Show me some love 😍🍺
Developing dcrypt has been a great journey for many years. If you find dcrypt useful, please consider donating.
Or please consider checking out my dcrypt inspired encryption library for .NET, check out harpocrates.