1

I found out that I should not use global variables like global $auth_key for sensitive data's (Correct me if that's not true.) so I wanted to use defined variables for storing security keys.

Inside config.php salt keys are defined.

define('AUTH_KEY','::~K~UC*[tlu4Eq/]Lm|h');

define('SECURE_AUTH_KEY', 'QsTMvbV+tuU{K26!]J2');

In encryption.php contains the encryption functions where AUTH_KEY and SECURE_AUTH_KEY will be used inside.

function encrypt_text($value) {
   if(!$value) return false;
   $crypttext = mcrypt_encrypt(MCRYPT_RIJNDAEL_256, **AUTH_KEY_HERE**, $value, MCRYPT_MODE_ECB, **SECURE_AUTH_KEY_HERE**);
   return trim(base64_encode($crypttext));
}

function decrypt_text($value) {
   if(!$value) return false;
   $crypttext = base64_decode($value);
   $decrypttext = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, **AUTH_KEY_HERE**, $crypttext, MCRYPT_MODE_ECB, **SECURE_AUTH_KEY_HERE**);
   return trim($decrypttext);
}

Is there a way to do that? or any other solutions you can recommend? Please note that these keys are real important for encryption of sensitive informations.

Also, a another question, what is the maximum length of keys to be used on mcrypt?

Thank you and looking forward for reply of yours.

Ken
  • 833
  • 2
  • 13
  • 27

5 Answers5

1

as a rule: the logner the key, the stonger the encryption. Secondly, don't use ECB unless your data is very short, you ought to use CBC or something stronger. Third: use a salt or initialization vector. Lastly read this: https://www.owasp.org/index.php/Cryptographic_Storage_Cheat_Sheet

Tucker
  • 7,017
  • 9
  • 37
  • 55
  • 1
    +1 not because its a great answer specifically to the question but because OP could really use the OWASP cheat sheets you linked. – ficuscr Feb 09 '13 at 07:16
0

Using a constant is just like using a variable except there is no dollar sign.

$crypttext = mcrypt_encrypt(MCRYPT_RIJNDAEL_256, AUTH_KEY, $value, MCRYPT_MODE_ECB, SECURE_AUTH);

There is nothing inherently more secure in this approach over using the global key word. Though this approach is preferred. By using a constant you are saying this is a static value I will use across the application. Having to use global on the other hand is often just a result of bad design or laziness. It leads to code that is hard to follow, abusing what scoping tries to accomplish.

Key length is dependent on the encryption algorithm used. RTM.

Funk Forty Niner
  • 74,450
  • 15
  • 68
  • 141
ficuscr
  • 6,975
  • 2
  • 32
  • 52
0

Yes you can use the define variable like you are doing, see the example

 define('AUTH_KEY','::~K~UC*[tlu4Eq/]Lm|h');

 function abc()
 {
  echo AUTH_KEY;
 }

 abc();  // ::~K~UC*[tlu4Eq/]Lm|h

http://codepad.viper-7.com/tUAg6D

Yogesh Suthar
  • 30,424
  • 18
  • 72
  • 100
0

Although choosing constants would be preferable over plain variables, this kind of information is better stored inside a configuration file rather than your code.

Also, for better reuse and avoid having those global values lying around it would be a better idea to encapsulate the functionality:

class MyCrypto
{
    private $key;
    private $cipher;
    private $mode;

    public function __construct($key, $cipher, $mode = "cbc")
    {
       $this->key = $key;
       $this->cipher = $cipher;
       $this->mode = $mode;
    }

    public function generate_salt()
    {
        return mcrypt_create_iv(
            mcrypt_get_iv_size($this->cipher, $this->mode), 
            MCRYPT_DEV_URANDOM
        );
    }

    public function encrypt($data) { ... }

    public function decrypt($data) { ... }
}

I've added a salt generator function to be used for every encryption operation;

Lastly, I would recommend using CBC mode - MCRYPT_MODE_CBC.

Ja͢ck
  • 170,779
  • 38
  • 263
  • 309
0

Update (27/09/17):

Since mcrypt_encrypt is DEPRECATED as of PHP 7.1.0. Ive added a simple encrypt/decrypt using openssl.

function encrypt($string, $key = 'PrivateKey', $secret = 'SecretKey', $method = 'AES-256-CBC') {
    // hash
    $key = hash('sha256', $key);
    // create iv - encrypt method AES-256-CBC expects 16 bytes
    $iv = substr(hash('sha256', $secret), 0, 16);
    // encrypt
    $output = openssl_encrypt($string, $method, $key, 0, $iv);
    // encode
    return base64_encode($output);
}

function decrypt($string, $key = 'PrivateKey', $secret = 'SecretKey', $method = 'AES-256-CBC') {
    // hash
    $key = hash('sha256', $key);
    // create iv - encrypt method AES-256-CBC expects 16 bytes
    $iv = substr(hash('sha256', $secret), 0, 16);
    // decode
    $string = base64_decode($string);
    // decrypt
    return openssl_decrypt($string, $method, $key, 0, $iv);
}

$str = 'Encrypt this text';
echo "Plain: " .$str. "\n";

// encrypt
$encrypted_str = encrypt($str);
echo "Encrypted: " .$encrypted_str. "\n";

// decrypt
$decrypted_str = decrypt($encrypted_str);
echo "Decrypted: " .$decrypted_str. "\n";

In your example, you are using the same initialization vector **SECURE_AUTH_KEY_HERE** when you can allow PHP to create the iv for you this way you only need 1 SECURE_KEY defined.

<?php 
define('SECURE_KEY',md5('your secret key'));
/**
* Encrypt a value
*/
function encrypt($str){
    $iv_size = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_ECB);
    $iv = mcrypt_create_iv($iv_size, MCRYPT_RAND);
    return mcrypt_encrypt(MCRYPT_RIJNDAEL_256, SECURE_KEY, $str, MCRYPT_MODE_ECB, $iv);
}
/**
* Decrypt a value
*/
function decrypt($str){
    $iv_size = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_ECB);
    $iv = mcrypt_create_iv($iv_size, MCRYPT_RAND);
    return trim(mcrypt_decrypt(MCRYPT_RIJNDAEL_256, SECURE_KEY, $str, MCRYPT_MODE_ECB, $iv));
}


//32
$iv_size = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_ECB);

//Create an initialization vector (IV) from a random source 
$iv = mcrypt_create_iv($iv_size, MCRYPT_RAND);

echo decrypt(encrypt('Encrypt me'));
?>
Lawrence Cherone
  • 46,049
  • 7
  • 62
  • 106