AES-256 encryption in PHP

I need a PHP function, AES256_encode($dataToEcrypt), to encrypt the $data into AES-256 and another one, AES256_decode($encryptedData), to do the opposite. Does anyone know what code these functions should have?

2 Answers

Look at the mcrypt module

AES-Rijndael example taken from here

    # Requires the mcrypt extension (deprecated in PHP 7.1, removed from core in PHP 7.2)
    $iv_size = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_128, MCRYPT_MODE_CBC);
    $iv = mcrypt_create_iv($iv_size, MCRYPT_DEV_URANDOM);

    $key = pack('H*', "bcb04b7e103a0cd8b54763051cef08bc55abe029fdebae5e1d417e2ffb2a00a3");

    # show key size use either 16, 24 or 32 byte keys for AES-128, 192
    # and 256 respectively
    $key_size = strlen($key);
    echo "Key size: " . $key_size . "\n";

    $text = "Meet me at 11 o'clock behind the monument.";
    echo strlen($text) . "\n";

    $crypttext = mcrypt_encrypt(MCRYPT_RIJNDAEL_128, $key, $text, MCRYPT_MODE_CBC, $iv);
    echo strlen($crypttext) . "\n";

This is the decrypt function

There is a difference between encrypting and encoding.

Do you really need AES-256? The security of AES-256 versus AES-128 isn't that significant; you're more likely to screw up at the protocol layer than get hacked because you used a 128-bit block cipher instead of a 256-bit block cipher.

Important - Use A Library

A flowchart for PHP users

  • defuse/php-encryption
  • PECL libsodium
  • Halite (libsodium wrapper, now stable)

A Quick and Dirty AES-256 Implementation

If you're interested in building your own not for the sake of deploying it in production but rather for the sake of your own education, I've included a sample AES256

    /**
     * This is a quick and dirty proof of concept for StackOverflow.
     *
     * @ref http://stackoverflow.com/q/6770370/2224584
     *
     * Do not use this in production.
     */
    abstract class ExperimentalAES256DoNotActuallyUse {
        /**
         * Encrypt with AES-256-CTR + HMAC-SHA-512
         *
         * @param string $plaintext Your message
         * @param string $encryptionKey Key for encryption
         * @param string $macKey Key for calculating the MAC
         * @return string
         */
        public static function encrypt($plaintext, $encryptionKey, $macKey)
        {
            $nonce = random_bytes(16);
            $ciphertext = openssl_encrypt(
                $plaintext,
                'aes-256-ctr',
                $encryptionKey,
                OPENSSL_RAW_DATA,
                $nonce
            );
            // Encrypt-then-MAC: the tag covers the nonce and the ciphertext
            $mac = hash_hmac('sha512', $nonce.$ciphertext, $macKey, true);
            return base64_encode($mac.$nonce.$ciphertext);
        }

        /**
         * Verify HMAC-SHA-512 then decrypt AES-256-CTR
         *
         * @param string $message Encrypted message
         * @param string $encryptionKey Key for encryption
         * @param string $macKey Key for calculating the MAC
         * @return string
         * @throws Exception if the MAC does not verify
         */
        public static function decrypt($message, $encryptionKey, $macKey)
        {
            $decoded = base64_decode($message);
            // Slice the decoded bytes, not the base64 text:
            // 64-byte MAC, 16-byte nonce, then the ciphertext
            $mac = mb_substr($decoded, 0, 64, '8bit');
            $nonce = mb_substr($decoded, 64, 16, '8bit');
            $ciphertext = mb_substr($decoded, 80, null, '8bit');

            $calc = hash_hmac('sha512', $nonce.$ciphertext, $macKey, true);
            if (!hash_equals($calc, $mac)) {
                throw new Exception('Invalid MAC');
            }
            return openssl_decrypt(
                $ciphertext,
                'aes-256-ctr',
                $encryptionKey,
                OPENSSL_RAW_DATA,
                $nonce
            );
        }
    }


First, generate two keys (yes, two of them) and store them somehow.

    $eKey = random_bytes(32);
    $aKey = random_bytes(32);

Then to encrypt/decrypt messages:

    $plaintext = 'This is just a test message.';
    $encrypted = ExperimentalAES256DoNotActuallyUse::encrypt($plaintext, $eKey, $aKey);
    $decrypted = ExperimentalAES256DoNotActuallyUse::decrypt($encrypted, $eKey, $aKey);

If you don't have random_bytes(), get random_compat.
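
The library route recommended in the answer above, as an added example that is not part of the original answer: it uses PHP's bundled sodium extension (PHP 7.2 or later, assumed available), so the cipher is libsodium's XSalsa20-Poly1305 secretbox rather than AES-256. safeEncrypt() and safeDecrypt() are hypothetical names chosen for illustration, and the tampered message is constructed.

```php
<?php
declare(strict_types=1);

// Added example: authenticated encryption with the sodium extension.
// safeEncrypt()/safeDecrypt() are hypothetical names, not part of libsodium.

function safeEncrypt(string $plaintext, string $key): string
{
    // Fresh random 24-byte nonce per message; it is not secret and travels with the ciphertext.
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $ciphertext = sodium_crypto_secretbox($plaintext, $nonce, $key);
    return base64_encode($nonce . $ciphertext);
}

function safeDecrypt(string $message, string $key): string
{
    $decoded = base64_decode($message, true);
    $minLength = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if ($decoded === false || strlen($decoded) < $minLength) {
        throw new RuntimeException('Malformed message');
    }
    $nonce = substr($decoded, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $ciphertext = substr($decoded, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    // Returns false when the Poly1305 tag does not verify (wrong key or modified data).
    $plaintext = sodium_crypto_secretbox_open($ciphertext, $nonce, $key);
    if ($plaintext === false) {
        throw new RuntimeException('Invalid MAC');
    }
    return $plaintext;
}

$key = sodium_crypto_secretbox_keygen(); // 32 random bytes; store it like any other secret
$encrypted = safeEncrypt('This is just a test message.', $key);
var_dump(safeDecrypt($encrypted, $key) === 'This is just a test message.');

// Constructed tampering check: flip one bit of the raw ciphertext and re-encode.
$raw = base64_decode($encrypted, true);
$last = strlen($raw) - 1;
$raw[$last] = chr(ord($raw[$last]) ^ 0x01);
try {
    safeDecrypt(base64_encode($raw), $key);
    echo "tampering NOT detected\n";
} catch (RuntimeException $e) {
    echo "tampering detected: ", $e->getMessage(), "\n";
}
```

A single key is enough here because secretbox computes and checks the authentication tag itself, whereas the proof of concept above does that step by hand with a separate MAC key.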

