
I'll keep this short and simple. As part of PHP's mcrypt library there are 40 or so possible ciphers, see here.

Not knowing much about encryption myself, I'm working under the assumption that, regardless of the cipher used, the data when decrypted is identical to the data encrypted (otherwise what's the point, right?).

I need to encrypt and then decrypt either an array or a serialised standard object. I've browsed a couple of examples online of the basic implementation of the mcrypt library and noticed that each example used a different cipher. It got me wondering if there was any significance to this, or whether it is simply personal preference.

My question is, is there any significant difference between these ciphers I should be concerned with, knowing that

  • what I'll be encrypting/decrypting is either an array or a serialised standard object, and contains relatively little data;
  • this operation will be fairly uncommon, so speed isn't a massive issue; anything in the range of < 2s is acceptable;
  • the encrypted string will need to be stored in a cookie and transmitted via URL query string (so there are limitations on length and character set).

Note

I'm not after a debate about whether I should be using a hash or hmac. Encryption is necessary and the correct option for this problem.

xzyfer

1 Answer


Any reasonable cipher encrypts/decrypts between plaintext/ciphertext given the correct key.

There are huge differences depending on which cipher you choose, be it block length, key length and/or general security. For instance, you should never use DES because it only uses a 56-bit key. Similar for other ciphers on the list you refer to. Before using any cipher, always read up on it and determine whether it is a good cipher for your context.

But I can't go into detail about every cipher on your list here. :-)

I personally like AES (Rijndael) which takes three sizes of keys 128, 192 and 256 bits. The best known attack is faster than a brute-force attack but is still infeasible. It is fast, too (actually Intel included machine instructions for AES in Westmere and Sandy Bridge).

Serpent and Twofish are also good ciphers. Serpent came second to Rijndael and Twofish came third (I think it was) in the AES contest some years back.

Morten Kristensen
  • The one thing I've noticed with AES MCRYPT_RIJNDAEL_256 is that it generates non-ASCII characters. Since this is going to be passed via URL query strings, I'd feel more comfortable with strings that matched characters on a qwerty keyboard (not sure what this character set is called). E.g.: žˆŽO– 6ò:L—Â%W¸¤ò`½(!$¢bnƶÝJl›fbÕCìJ•îåžËP6àÖ‰UïûÊæTÿ, ÛP"·kSAB·mV Z($àklÍpFó©ºÁ8åÊqŠ–ð.‚ú&&µ‘gÒM~c:"PSŠÉÐ`܃Êêú£0êùÃ܃õKfXƒ‹T¹˜ÂÑÐiC³¡Y†žsØ® – xzyfer Mar 06 '11 at 12:45
  • It returns simply bytes. You could Base64-encode them if you so choose; then you would have no problems. It is a general concern how to represent encrypted data when transferring it. – Morten Kristensen Mar 06 '11 at 12:53
  • That's nice to hear. Good job! :) – Morten Kristensen Mar 06 '11 at 13:00
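The answer and the comments make two points: pick a well-studied cipher such as AES, and Base64-encode the raw ciphertext bytes before putting them in a cookie or query string. The following is an added example by the editor, not code from the question or the answer, and it is written in Go rather than PHP because the mcrypt extension the question uses was removed from PHP in 7.2 and a standard-library example can be run as-is today. It assumes the function names `NewKey`, `Seal` and `Open` and a constructed sample payload; it uses AES-GCM, which adds an authentication tag so that a token modified in transit or encrypted under a different key is rejected before any data is deserialised, and the URL-safe Base64 alphabet so the output needs no further escaping in a URL or cookie.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// NewKey returns a fresh random 256-bit key. In a real deployment the key
// lives in server-side configuration or a secret store, never in the token.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// newGCM builds an AES-GCM AEAD; the key length selects AES-128/192/256.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal serialises v as JSON, encrypts it with AES-GCM under key and returns
// base64url(nonce || ciphertext || tag). The output alphabet is [A-Za-z0-9-_],
// so it survives a cookie or query string without further escaping.
func Seal(key []byte, v interface{}) (string, error) {
	plain, err := json.Marshal(v)
	if err != nil {
		return "", err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	// A fresh random nonce per message; GCM loses its security if a
	// nonce is ever reused under the same key.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	sealed := gcm.Seal(nonce, nonce, plain, nil) // nonce prefix, then ct||tag
	return base64.RawURLEncoding.EncodeToString(sealed), nil
}

// Open reverses Seal. The GCM tag check rejects a token that was tampered
// with or produced under a different key before any JSON is parsed.
func Open(key []byte, token string, v interface{}) error {
	raw, err := base64.RawURLEncoding.DecodeString(token)
	if err != nil {
		return err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return err
	}
	if len(raw) < gcm.NonceSize()+gcm.Overhead() {
		return errors.New("token too short")
	}
	nonce, ct := raw[:gcm.NonceSize()], raw[gcm.NonceSize():]
	plain, err := gcm.Open(nil, nonce, ct, nil)
	if err != nil {
		return err // authentication failed: modified token or wrong key
	}
	return json.Unmarshal(plain, v)
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample payload standing in for the serialised object.
	session := map[string]interface{}{"user": "alice", "items": []int{3, 7}}
	tok, err := Seal(key, session)
	if err != nil {
		panic(err)
	}
	fmt.Println("token:", tok)
	var back map[string]interface{}
	if err := Open(key, tok, &back); err != nil {
		panic(err)
	}
	fmt.Println("decrypted:", back)
}
```

The token is a little longer than the raw bytes (Base64 costs one third, and the nonce and tag add 28 bytes), which is still well within cookie and URL limits for a small serialised object. Because the nonce is random, encrypting the same object twice yields two different tokens, which is the intended behaviour.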