PHP Encryption


In a previous tutorial, we learned about hashing strings. Hashing works very well for strings like passwords, where you never need the data back in plain text. But what if you need to get the data back in its original form, for things like credit card numbers? Remember that hashing is a one-way street and there is no way to reverse it, so we use something else: encryption.

How do you do it?

I'm going to give you the code first and explain it below. The functions we use for encryption come from the mcrypt extension.

<?php
$data    = 'This is top secret!';
$key     = md5('Open Sesame');          // 32-character hex string used as the key
$cipher  = MCRYPT_RIJNDAEL_128;          // AES with a 128-bit block size
$mode    = MCRYPT_MODE_ECB;
$iv_size = mcrypt_get_iv_size($cipher, $mode);
$iv      = mcrypt_create_iv($iv_size, MCRYPT_RAND); // mcrypt accepts an IV in ECB mode but does not use it

$encrypted = mcrypt_encrypt($cipher, $key, $data, $mode, $iv);
// base64 of the raw ciphertext produces t7N3TqLNOf/ykktnbb/Zno5CmjhCeW6Orc9AZQnG14g=
$encrypted = base64_encode($encrypted);

$decrypted = base64_decode($encrypted);
$decrypted = mcrypt_decrypt($cipher, $key, $decrypted, $mode, $iv);
$decrypted = rtrim($decrypted, "\0\4");  // mcrypt pads the last block with zero bytes; strip them

echo $decrypted; // This is top secret!

How does it work?

mcrypt_encrypt() takes five inputs: the data, the key, the cipher, the mode and the initialization vector.

The key is the secret passphrase used for encryption and decryption. Think of it as the password to the whole scheme, so keep it as safe as possible. It is highly recommended that you hash the key so it is difficult to guess.

The cipher is the encryption algorithm you want to use. Some algorithms suit different types of data better, but AES is the "newbie friendly" choice that most people recommend if you don't know what you're doing.

The mode is the method of encryption. There are six modes to choose from for different types of data. Each mode has its own relationship with the initialization vector that you must follow. Electronic codebook, called ECB, is good for strings of text.

The initialization vector, also called the IV, is a number added into the mix. It is extra security that makes the result harder to crack. The number has a relationship with the cipher that you must follow. It's very complicated, and you should learn about cryptology if you want to know more about it.
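The following is an added example, not code from the original post, that makes the relationship between the mode and the IV visible. It uses PHP's openssl extension (the mcrypt extension was deprecated in PHP 7.1 and removed in 7.2), and the key and plaintext are constructed values. It encrypts two identical 16-byte plaintext blocks in ECB and then in CBC: ECB uses no IV at all, so equal plaintext blocks come out as equal ciphertext blocks, while CBC with a fresh random IV does not; it also shows why the IV must not be reused across messages, and that the decrypting side needs the same IV.

```php
<?php
// Added example (not from the original post): how the cipher mode and the IV
// affect the output. Uses PHP's openssl extension; key and plaintext are constructed.
declare(strict_types=1);

// Two identical 16-byte blocks of plaintext (the AES block size is 16 bytes).
$block     = 'ATTACK AT DAWN!!';          // exactly 16 bytes
$plaintext = $block . $block;            // 32 bytes, two equal blocks
$key       = random_bytes(16);           // AES-128 key, generated at random for the demo

// Split raw ciphertext into 16-byte blocks (32 hex characters each) for inspection.
function ciphertextBlocks(string $raw): array
{
    return str_split(bin2hex($raw), 32);
}

// 1. ECB: no IV is involved, so equal plaintext blocks encrypt to equal ciphertext blocks.
$ecb       = openssl_encrypt($plaintext, 'aes-128-ecb', $key, OPENSSL_RAW_DATA);
$ecbBlocks = ciphertextBlocks($ecb);
printf("ECB block 1: %s\nECB block 2: %s\nidentical: %s\n\n",
    $ecbBlocks[0], $ecbBlocks[1], $ecbBlocks[0] === $ecbBlocks[1] ? 'yes' : 'no');

// 2. CBC with a fresh random IV: each block is chained to the previous ciphertext
//    block, so the two equal plaintext blocks no longer produce equal ciphertext.
$iv        = random_bytes(openssl_cipher_iv_length('aes-128-cbc'));
$cbc       = openssl_encrypt($plaintext, 'aes-128-cbc', $key, OPENSSL_RAW_DATA, $iv);
$cbcBlocks = ciphertextBlocks($cbc);
printf("CBC block 1: %s\nCBC block 2: %s\nidentical: %s\n\n",
    $cbcBlocks[0], $cbcBlocks[1], $cbcBlocks[0] === $cbcBlocks[1] ? 'yes' : 'no');

// 3. Reusing one IV for two messages reveals whether they start the same way:
//    the first ciphertext blocks are equal whenever the first plaintext blocks are.
$cbcAgain = openssl_encrypt($block . 'different tail!!', 'aes-128-cbc', $key, OPENSSL_RAW_DATA, $iv);
printf("Same IV reused, first blocks identical: %s\n\n",
    ciphertextBlocks($cbcAgain)[0] === $cbcBlocks[0] ? 'yes (leaks a shared prefix)' : 'no');

// 4. The decrypting side must be given the same IV. The IV is not secret and is
//    normally stored or sent alongside the ciphertext.
$back = openssl_decrypt($cbc, 'aes-128-cbc', $key, OPENSSL_RAW_DATA, $iv);
echo $back === $plaintext ? "CBC round trip ok\n" : "CBC round trip FAILED\n";
```

Run it a few times: the ECB blocks are identical on every run, the CBC blocks differ on every run, and the whole CBC ciphertext changes from run to run because the IV does. That per-message randomness, not secrecy of the IV, is what the IV contributes.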

What is with the base64 encode/decode?

It's the whole unicode, encodings and character sets business that you don't have to worry about if everything you do is in English (yes, English users are completely ignorant). If you do computer work in Chinese, Japanese, or any other language that uses more than the alphabet, you know how important this is. Basically, if you don't use it, there's no telling what's going to come out the other end.
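As an added example, not code from the original post, here is the same encrypt-then-base64 idea built on PHP's openssl extension (PHP 7.1 or later for AES-GCM). It covers the key section above as well as the base64 question: the key is derived from the passphrase with PBKDF2 and a salt rather than md5(), a fresh IV is generated per message, and the IV, the authentication tag and the raw ciphertext are packed into a single base64 string so that only printable ASCII is ever stored or transmitted. The function names, the salt handling and the sample data are constructed for this example.

```php
<?php
// Added example (not from the original post): authenticated encryption with
// AES-256-GCM via PHP's openssl extension, packaged as base64( iv || tag || ciphertext ).
// Function names and sample values are constructed for this example.
declare(strict_types=1);

const CIPHER  = 'aes-256-gcm';
const TAG_LEN = 16;

// Derive a 32-byte key from a passphrase using a salt and PBKDF2 instead of md5().
// A randomly generated key kept in a secrets store is preferable where possible.
function deriveKey(string $passphrase, string $salt): string
{
    return hash_pbkdf2('sha256', $passphrase, $salt, 100000, 32, true);
}

// Encrypts and returns base64( iv || tag || ciphertext ). A fresh 12-byte IV per message.
function encryptMessage(string $plaintext, string $key): string
{
    $iv  = random_bytes(openssl_cipher_iv_length(CIPHER)); // 12 bytes for GCM
    $tag = '';
    $ct  = openssl_encrypt($plaintext, CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag, '', TAG_LEN);
    if ($ct === false) {
        throw new RuntimeException('encryption failed: ' . openssl_error_string());
    }
    return base64_encode($iv . $tag . $ct);
}

// Reverses encryptMessage(); returns null if the blob is malformed, truncated or tampered with.
function decryptMessage(string $blob, string $key): ?string
{
    $raw   = base64_decode($blob, true);  // strict mode: reject anything that is not base64
    $ivLen = openssl_cipher_iv_length(CIPHER);
    if ($raw === false || strlen($raw) < $ivLen + TAG_LEN) {
        return null;
    }
    $iv  = substr($raw, 0, $ivLen);
    $tag = substr($raw, $ivLen, TAG_LEN);
    $ct  = substr($raw, $ivLen + TAG_LEN);
    // GCM checks the tag during decryption: any change to iv, tag or ciphertext
    // makes openssl_decrypt() return false instead of garbage plaintext.
    $pt = openssl_decrypt($ct, CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag);
    return $pt === false ? null : $pt;
}

// --- demonstration with constructed values ---
$salt = random_bytes(16);   // not secret; store it next to the data
$key  = deriveKey('Open Sesame', $salt);

$blob = encryptMessage('This is top secret!', $key);
echo "stored: $blob\n";     // printable ASCII only, safe for any charset or text column
echo decryptMessage($blob, $key) === 'This is top secret!' ? "round trip ok\n" : "round trip FAILED\n";

// Flip one bit of the ciphertext: the tag no longer verifies and nothing is returned.
$tampered = base64_decode($blob);
$last     = strlen($tampered) - 1;
$tampered[$last] = chr(ord($tampered[$last]) ^ 0x01);
echo decryptMessage(base64_encode($tampered), $key) === null ? "tampered blob rejected\n" : "tampering NOT detected\n";

// A different passphrase derives a different key and fails closed the same way.
echo decryptMessage($blob, deriveKey('wrong passphrase', $salt)) === null ? "wrong key rejected\n" : "wrong key NOT detected\n";
```

Base64 is doing one job here: turning arbitrary bytes into text that survives databases, JSON and HTML untouched. It adds no secrecy, and the null check on decryptMessage() is what protects the application from acting on corrupted or altered data.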

Note: If you're a web designer and the above statement applies to you, you owe it to your users to learn more about character sets. If I go to your website and I can't find the word charset before your head tag is closed, I'm making a note never to work with you. At the very least, read: htmldog.

That's all for today. Now make your New Year's resolution to patch up all the security holes in your website.

Category: PHP

