
Which PHP mcrypt cipher is safest?

So guys, there's plenty of different ciphers available - but which one is the safest to use nowadays?

List: http://www.php.net/manual/en/mcrypt.ciphers.php

Industrial asked May 11 '10 10:05


3 Answers

If unsure, use AES (also known as "Rijndael") with a 128-bit key. If you have developed some kind of fetish about key size then you could fulfill your irrational qualms by selecting a larger key, e.g. 192 or 256 bits; the extra cost is not high (+40% workload for AES-256, compared to AES-128, and it takes a very, very fast network to actually observe that difference).

Beware that, regardless of the key size chosen, the correct mcrypt cipher for AES is always MCRYPT_RIJNDAEL_128. This is because the AES standard refers to the flavor of the Rijndael cipher with a 128-bit block size. If you want AES-256, you need to use MCRYPT_RIJNDAEL_128 with a 256-bit (32-byte) key, not MCRYPT_RIJNDAEL_256.

AES was published in 1998 and adopted by the US government as a federal standard in 2001, and it shows no sign of weakness nowadays. Some mathematical properties were found later on, but they do not impact actual security; mostly, they highlight that we have some relatively precise knowledge on why AES is secure. No other symmetric encryption algorithm has received as much attention (by thousands of talented cryptographers) as AES.

Most security issues come from how the cryptographic algorithm is used, not the algorithm itself. Use a proper chaining mode, add a MAC, manage padding, and most of all handle the keys securely. If you got all of this right (which is much trickier than it seems) then it becomes time to worry about choosing Rijndael, Twofish or whatever.

Thomas Pornin answered Oct 24 '22 09:10

Thomas Pornin
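The points in the answer above (MCRYPT_RIJNDAEL_128 with a 32-byte key, a chaining mode, a MAC, explicit padding) put together as an added example; it is not code from the answer or from the PHP manual. It assumes PHP 5.6 or later with the mcrypt extension loaded (mcrypt is no longer bundled as of PHP 7.2), and the function names and sample message are made up for illustration.

```php
<?php
// Added example: AES-256-CBC via mcrypt with PKCS#7 padding and encrypt-then-MAC.
// Function names are hypothetical; keys must come from a secure random source.

function pkcs7_pad($data, $block) {
    $n = $block - (strlen($data) % $block);   // 1..$block, so padding is always added
    return $data . str_repeat(chr($n), $n);   // mcrypt itself would only zero-pad
}

function pkcs7_unpad($data, $block) {
    $len = strlen($data);
    if ($len === 0 || $len % $block !== 0) return false;
    $n = ord($data[$len - 1]);
    if ($n < 1 || $n > $block) return false;
    if (substr($data, -$n) !== str_repeat(chr($n), $n)) return false;
    return substr($data, 0, $len - $n);
}

function aes256_seal($plain, $encKey, $macKey) {
    if (strlen($encKey) !== 32 || strlen($macKey) !== 32) {
        throw new InvalidArgumentException('keys must be 32 raw bytes');
    }
    // AES always has a 128-bit block: RIJNDAEL_128 + 32-byte key = AES-256.
    $iv  = mcrypt_create_iv(16, MCRYPT_DEV_URANDOM);
    $ct  = mcrypt_encrypt(MCRYPT_RIJNDAEL_128, $encKey,
                          pkcs7_pad($plain, 16), MCRYPT_MODE_CBC, $iv);
    $tag = hash_hmac('sha256', $iv . $ct, $macKey, true); // MAC covers IV and ciphertext
    return $iv . $ct . $tag;
}

function aes256_open($blob, $encKey, $macKey) {
    if (strlen($blob) < 16 + 16 + 32) return false;       // IV + one block + tag
    $iv  = substr($blob, 0, 16);
    $ct  = substr($blob, 16, -32);
    $tag = substr($blob, -32);
    $calc = hash_hmac('sha256', $iv . $ct, $macKey, true);
    if (!hash_equals($calc, $tag)) return false;          // verify before decrypting
    $padded = mcrypt_decrypt(MCRYPT_RIJNDAEL_128, $encKey, $ct, MCRYPT_MODE_CBC, $iv);
    return pkcs7_unpad($padded, 16);
}

// Constructed sample keys and message.
$encKey = mcrypt_create_iv(32, MCRYPT_DEV_URANDOM);
$macKey = mcrypt_create_iv(32, MCRYPT_DEV_URANDOM);
$blob   = aes256_seal('hello, world', $encKey, $macKey);
var_dump(aes256_open($blob, $encKey, $macKey) === 'hello, world');
$blob[20] = chr(ord($blob[20]) ^ 1);                      // simulate a corrupted byte
var_dump(aes256_open($blob, $encKey, $macKey));           // rejected by the MAC check
```

The encryption key and the MAC key are kept separate, and the tag is checked with hash_equals() before any decryption or padding check runs.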


In addition to Thomas Pornin's great answer, you also must consider what you are trying to achieve in terms of "security" (confidentiality/integrity/authenticity/availability).

For every case, you'll need to address a few questions, like... Who does this apply to? Where and why is it being used (what are you protecting)? How long is it meant to last? etc.

For example, there's probably no point in really encrypting session data with a full-blown succession of 256-bit operations when the data is really only meant to last for say 20-30 minutes. A secure 128-bit algorithm would be nearly twice as fast or at least use loads fewer clock cycles and be just as (if not more) secure.

There's also no point in encrypting something that's meant to last a long time (like a confidential document or file, private key etc...) with a weak, short key method. You'd want at times multiple algorithms with some sort of authentication and proper use of padding. I have regularly encrypted and signed content upon request for clients using multiple algorithms (mostly twofish, AES, RSA).

And not to forget either (like Thomas pointed out), you can implement a secure method (or methods) insecurely. With the vast number of variants of each formula and such, it can be tricky to actually implement something that is "secure".

Generally, something is as secure as the key is to unlock it. If I leave my car keys in the car with the car unlocked, the keys aren't secure and it's open for the taking by anyone walking past. Blowfish with a well-dispersed 32-character key would be just as secure as anything else today. A 3-character key however could be broken in the blink of an eye.

HigherHigh answered Oct 24 '22 08:10


"The strongest cipher is AES-256"

From details on Bruce Schneier's website, AES-256 might, ironically, be the least secure out of the three key sizes 128, 192, and 256. There are issues with the key generation in the 256-bit variant.

martin answered Oct 24 '22 07:10