These functions work using mcrypt.
This is an interface to the mcrypt library, which supports a wide variety of block algorithms such as DES, TripleDES, Blowfish (default), 3-WAY, SAFER-SK64, SAFER-SK128, TWOFISH, TEA, RC2 and GOST in CBC, OFB, CFB and ECB cipher modes. Additionally, it supports RC6 and IDEA which are considered "non-free".
To use it, download libmcrypt-x.x.tar.gz from here and follow the included installation instructions. You need to compile PHP with the --with-mcrypt parameter to enable this extension.
mcrypt can be used to encrypt and decrypt using the above mentioned ciphers. The four important mcrypt commands (mcrypt_cfb(), mcrypt_cbc(), mcrypt_ecb(), and mcrypt_ofb()) can operate in both modes which are named MCRYPT_ENCRYPT and MCRYPT_DECRYPT, respectively.
Example 1. Encrypt an input value with TripleDES in ECB mode
|
mcrypt can operate in four cipher modes (CBC, OFB, CFB, and ECB). We will outline the normal use for each of these modes. For a more complete reference and discussion see Applied Cryptography by Schneier (ISBN 0-471-11709-9).
ECB (electronic codebook) is suitable for random data, such as encrypting other keys. Since data there is short and random, the disadvantages of ECB have a favorable negative effect.
CBC (cipher block chaining) is especially suitable for encrypting files where the security is increased over ECB significantly.
CFB (cipher feedback) is the best mode for encrypting byte streams where single bytes must be encrypted.
OFB (output feedback) is comparable to CFB, but can be used in applications where error propagation cannot be tolerated.
PHP does not support encrypting/decrypting bit streams currently. As of now, PHP only supports handling of strings.
For a complete list of supported ciphers, see the defines at the end of mcrypt.h. The general rule is that you can access the cipher from PHP with MCRYPT_ciphername.
Here is a short list of ciphers which are currently supported by the mcrypt extension. If a cipher is not listed here, but is listed by mcrypt as supported, you can safely assume that this documentation is outdated.
MCRYPT_BLOWFISH
MCRYPT_DES
MCRYPT_TripleDES
MCRYPT_ThreeWAY
MCRYPT_GOST
MCRYPT_CRYPT
MCRYPT_DES_COMPAT
MCRYPT_SAFER64
MCRYPT_SAFER128
MCRYPT_CAST128
MCRYPT_TEAN
MCRYPT_RC2
MCRYPT_TWOFISH (for older mcrypt 2.x versions)
MCRYPT_TWOFISH128 (TWOFISHxxx are available in newer 2.x versions)
MCRYPT_TWOFISH192
MCRYPT_TWOFISH256
MCRYPT_RC6
MCRYPT_IDEA
You must (in CFB and OFB mode) or can (in CBC mode) supply an initialization vector (IV) to the respective cipher function. The IV must be unique and must be the same when decrypting/encrypting. With data which is stored encrypted, you can take the output of a function of the index under which the data is stored (e.g. the MD5 key of the filename). Alternatively, you can transmit the IV together with the encrypted data (see chapter 9.3 of Applied Cryptography by Schneier (ISBN 0-471-11709-9) for a discussion of this topic).