Encryption and Authentication in PHP 7
Encryption is an important aspect of many software applications. Today, most of the websites store sensitive data like credit card numbers and user’s passwords.
In this article, I will explain how to encrypt and authenticate sensitive data using PHP 7, the last release of PHP that offers new security features.
Encryption is not enough
An encryption algorithm works with a secret key that is used to decrypt a message. Encryption provides confidentiality, that means only the authorized persons (the owners of the secret key) have access to the information.
Encryption does not provide integrity and authenticity assurance on the data. Anyone can falsify an encrypted message without any evidence of the alteration. For instance, Bob encrypts a message using the Advanced Encryption Algorithm (AES) with a 256-bit key. Bob wants to send the message to Alice that has the decryption key. Mallory, a malicious attacker, intercepts the message and alters the content. Alice tries to decrypt the message, obtaining another message but cannot prove that the message has been altered and that it comes from Bob.
Encryption is not enough. We also need to provide authentication. We have to protect the encrypted message from tampering, and we want to be sure that the message has been encrypted by authorized users.
Moreover, there are many cryptographic attacks on encryption algorithms without authentication. For instance, the padding oracle attack performed using the padding of a cryptographic message. This attack is critical in many user cases. For instance, in the CBC encryption mode, it can recover the encryption key in few seconds! The original attack was published in 2002 by Serge Vaudenay. The attack was applied to several web frameworks, including JavaServer Faces, Ruby on Rails and ASP.NET. To prevent this attack, we need to add an authentication layer.
To provide authentication, we have two options: use the encrypt-then-authenticate approach, that adds the authentication after the encryption, or use an authenticated encryption algorithm that offers authentication built-in.
Authenticated encryption is available from PHP 7.1 using the OpenSSL extension of PHP. If you are using PHP 7.0 or less, you can use the encrypt-then-authenticate approach presented in the next section.
Upgrade to Premium Account to read all articles and publish your own content …
About the author
Enrico Zimuel is a Senior Software Engineer in the R&D department of Zend Technologies, a Rogue Wave Company. Open source contributor of Apigility and Zend Framework, two popular PHP projects with millions of installations. He did academic research in Computer Science at the Informatics Institute of Amsterdam University. He is an author of articles and books about programming, open-source and applied cryptography. He is TEDx and international speakers. He is the co-founder of PHP User Group in Turin (Italy).