dopecode/dcrypt

A petite library of encryption functionality for PHP

:closed_lock_with_key:dcrypt

, _(*1)

A petite library of essential encryption functions for PHP 7.1+. For legacy PHP version support, look here., _(*2)

Install

Add dcrypt to your composer.json file requirements. Don't worry, dcrypt does not have any dependencies of its own., _(*3)

composer require "mmeyer2k/dcrypt:^13.2"

Block Ciphers

The dcrypt library helps application developers avoid common mistakes in crypto implementations that leave data at risk., _(*4)

Specification document, _(*5)

Keys

Safe usage of dcrypt's block cipher functions requires the use of a high entropy 256 bit (minimum) key. Keys should be passed into dcrypt in base64 encoded format. You are responsible for the randomness of your key!, _(*6)

Generate a new key on the linux CLI:, _(*7)

head -c 32 /dev/urandom | base64 -w 0 | xargs echo

Or with PHP..., _(*8)

<?php
$key = \Dcrypt\OpensslKey::create(32);

AES-256 GCM Encryption

Since PHP 7.1 supports native AEAD encryption modes, using GCM would be safest option for most applications. Dcrypt will handle the AEAD authentication tag, SHA3-256 HMAC, initialization vector and encrypted message as a single unencoded string., _(*9)

<?php
$key = '[...BASE64 KEY...]';

$encrypted = \Dcrypt\Aes::encrypt('a secret', $key);

$plaintext = \Dcrypt\Aes::decrypt($encrypted, $key);

If in doubt, use this example and don't read any further!, _(*10)

Other AES-256 Modes

If you read to this point then you are an experienced cryptonaut, congrats! :ok_hand: :metal:, _(*11)

Several AES-256 encryption modes are supported out of the box via hardcoded classes., _(*12)

Custom Encryption Suites

Dcrypt is compatible with most OpenSSL ciphers and hashing algorithms supported by PHP. Run openssl_get_cipher_methods() and hash_algos() to view supported options on your platform., _(*13)

Static Wrapper

Use any cipher/algo combination by calling the OpensslStatic class., _(*14)

<?php
$encrypted = \Dcrypt\OpensslStatic::encrypt('a secret', $key, 'bf-ofb', 'crc32');

$plaintext = \Dcrypt\OpensslStatic::decrypt($encrypted, $key, 'bf-ofb', 'crc32');

Class Overloading

Dcrypt's internal functions are easily extendable by overloading the OpensslBridge class., _(*15)

<?php
class BlowfishCrc32 extends \Dcrypt\OpensslBridge 
{
    const CIPHER = 'bf-ofb';

    const ALGO = 'crc32';
}

$encrypted = BlowfishCrc32::encrypt('a secret', $key);

$plaintext = BlowfishCrc32::decrypt($encrypted, $key);

Layered Encryption Factory

Feeling especially paranoid? Not sure which cipher methods and algos can be trusted? Why not try all of them., _(*16)

<?php
$stack = (new \Dcrypt\OpensslStack($key))
    ->add('aes-256-ecb', 'snefru')
    ->add('aes-256-ofb', 'sha224')
    ->add('aes-256-cbc', 'sha256')
    ->add('aes-256-ctr', 'sha384')
    ->add('aes-256-gcm', 'sha512');

$encrypted = $stack->encrypt('a secret');

$plaintext = $stack->decrypt($encrypted);

Message Authenticity Checking

By default, \Dcrypt\Exceptions\InvalidChecksumException exception will be raised before decryption is allowed to proceed when the supplied checksum is not valid., _(*17)

<?php
try {
    $decrypted = \Dcrypt\Aes::decrypt('malformed cyphertext', $key);
} catch (\Dcrypt\Exceptions\InvalidChecksumException $ex) {
    // ...
}

Stream Ciphers

Be sure you understand the risks and inherent issues of using a stream cipher before proceeding., _(*18)

• Each key should only be used once
• Data integrity can not be guaranteed
• https://en.wikipedia.org/wiki/Stream_cipher_attacks
• https://jameshfisher.com/2018/01/01/making-a-stream-cipher/

One Time Pad

A novel counter-based stream cipher. OneTimePad uses SHA3-512 to output a keystream that is ⊕'d with the input in 512 bit chunks., _(*19)

Specification document, _(*20)

<?php
$encrypted = \Dcrypt\OneTimePad::crypt('a secret', $key);

$plaintext = \Dcrypt\OneTimePad::crypt($encrypted, $key);

OneTimePad can use any hashing algorithm to generate the pseudorandom keystream., _(*21)

<?php
$encrypted = \Dcrypt\OneTimePad::crypt('a secret', $key, 'whirlpool');

$plaintext = \Dcrypt\OneTimePad::crypt($encrypted, $key, 'whirlpool');

String Helpers

Generate random base62 string tokens with specified number of characters., _(*22)

$token = \Dcrypt\Str::token(10);

Compare 2 strings in a time-safe manner., _(*23)

$equal = \Dcrypt\Str::equal($known, $given);

Show me some love :heart_eyes::beer:

Developing dcrypt has been a great journey for many years. If you find dcrypt useful, please consider donating., _(*24)

Or please consider checking out my dcrypt inspired encryption library for .NET, check out harpocrates., _(*25)