2
I need to write confidential data in the database, but which can be read later (decrypt).
1 answer
0
You can implement two functions in php to encrypt one and another to decrypt and you would save in the database these strings (careful that they can get very large), follows an example of the functions:
<?php
public static function getMacAlgoBlockSize($algorithm = 'sha1')
{
switch($algorithm)
{
case 'sha1':
{
return 160;
}
default:
{
return false;
break;
}
}
}
/**
* O metodo responsavel por descriptograr uma mensagem
* @param string $message Mensagem criptografada
* @param string $key Chave para realizar a descriptografia precisa ser a mesma usada na criptografia Exemplo: "skjj400ndkdçg00"
* @param string $mac_algorithm Tipo da descriptografia que sera usada Exemplo: md5 e sha1
*/
public static function decrypt($message, $key, $mac_algorithm = 'sha1',
$enc_algorithm = MCRYPT_RIJNDAEL_256, $enc_mode = MCRYPT_MODE_CBC)
{
$message= base64_decode($message);
$iv_size = mcrypt_get_iv_size($enc_algorithm, $enc_mode);
$iv_dec = substr($message, 0, $iv_size);
$message= substr($message, $iv_size);
$message= mcrypt_decrypt($enc_algorithm, $key, $message, $enc_mode, $iv_dec);
$mac_block_size = ceil(static::getMacAlgoBlockSize($mac_algorithm)/8);
$mac_dec = substr($message, 0, $mac_block_size);
$message= substr($message, $mac_block_size);
$mac = hash_hmac($mac_algorithm, $message, $key, true);
if($mac_dec == $mac)
{
return $password;
}
else
{
return false;
}
}
/**
* O metodo responsavel por criptofrafar uma mensagem
* @param string $message Mensagem a ser criptograda
* @param string $key Chave para realizar a criptografia Exemplo: "skjj400ndkdçg00"
* @param string $mac_algorithm Tipo da criptograda que sera usada Exemplo: md5 e sha1
*/
public static function encrypt($message, $key, $mac_algorithm = 'sha1',
$enc_algorithm = MCRYPT_RIJNDAEL_256, $enc_mode = MCRYPT_MODE_CBC)
{
$mac = hash_hmac($mac_algorithm, $message, $key, true);
$mac = substr($mac, 0, ceil(static::getMacAlgoBlockSize($mac_algorithm)/8));
$message= $mac . $message;
$iv_size = mcrypt_get_iv_size($enc_algorithm, $enc_mode);
$iv = mcrypt_create_iv($iv_size, MCRYPT_RAND);
$ciphertext = mcrypt_encrypt($enc_algorithm, $key,
$message, $enc_mode, $iv);
return base64_encode($iv . $ciphertext);
}
I added some comments to facilitate, but the three methods were done by: Methods described
Browser other questions tagged php cryptography
You are not signed in. Login or sign up in order to post.
Where do you plan to store the key/password? This encryption/decryption would occur on the server side, not the client side, right? And would it be the same for every user, or would each user have their own password? Please give more details of your scenario, otherwise it is difficult to suggest anything. It is also good to specify than exactly you want to protect this data (i.e. in what kind of situation an attacker would have access to the BD but not the rest of the server). I suggest [Edit] your question with more information, otherwise someone will answer "use AES" or something like that, which is not very useful...
– mgibsonbr
What I want to store are "general data" and not passwords. Because I learned that for passwords it is not necessary to decrypt. Location: I will store in the database (server side only) and all records may have the same security key.
– Claytinho
Okay, but how are you going to make sure that an eventual attacker who gets access to your bank also can’t get access to that key?
– mgibsonbr
Putz, so I don’t know. So there’s no encryption with decryption?
– Claytinho
Without solving this key problem, no, at least not without costs. I know two alternatives, only: 1) keeps the key in a configuration file, and uses it to encrypt some data in the database; if the attacker only has access to the database (via SQL Injection or a backup found in the trash) he cannot read the data. It’s a limited situation, but it works. 2) Every time you boot the server, you enter the password manually, and it persists only in memory. Laborious, and I don’t know how it would work in PHP, but then at least no copy of the server would reveal the data.
– mgibsonbr
even using different instances, a single BD pro and a single PHP pro, still can’t have an encryption ? is that I wanted to at least know what functions to use and how to use.
– Claytinho
So, you can use in some limited scenarios (like, if you think one instance can be attacked and the other can’t, then keep the key in one and the BD in the other protects), I’m not saying it’s 100% useless. You just have to be careful not to have a security illusion where it doesn’t exist. When to which functions to use, I have no experience with PHP, but at first glance the
mcrypt_genericusing AES and CBC or CTR (ECB never!) - or better yet, CCM, if supported - should be good enough. See that question and my answer for more details.– mgibsonbr
Each user will have a key to decrypt their messages or it would just be a single key (from the system)?
– Victor Marconi