How to protect sensitive data in PHP using cryptography

Cryptography in PHP

“The mantra of any good security engineer is: ‘Security is not a product, but a process.’ It’s more than designing strong cryptography into a system; it’s designing the entire system such that all security measures, including cryptography, work together.” —Bruce Schneier

If you are a professional web developer, security is an important aspect of your job. If you manage critical data in your web application, like users’ passwords or credit card numbers, you should protect it. But how? Cryptography can be the answer, but you need to know how to use it and, most of the time, this is not so easy. In this article we will introduce the use of cryptography in PHP.

A brief introduction to cryptography

Cryptography (or ‘cryptology’, from the Greek ‘kryptos’ – “hidden, secret” and ‘graphein’ – “writing”) is the study of secret messages and the practice of how to protect information. Cryptography is a multidisciplinary science that involves mathematics, computer science, linguistics, software engineering and more. It protects information using special algorithms to transform a message into an unreadable format. Only the owner of the message, who knows the secret of the transformation, can read the original message.

The message to protect is usually called the plaintext and the protected message is called the ciphertext. The process of transforming a message from plaintext to ciphertext is called encryption. The opposite procedure, from ciphertext to plaintext, is called decryption. To encrypt or decrypt a message we use a piece of secret information, the key. The security of a message depends on keeping the key secret, which means that key management is one of the most important aspects of the security of the encrypted data.

There is a famous maxim in cryptography that claims: “A cryptosystem should be secure even if everything about the system, except the key, is public knowledge”. This quote is known as Kerckhoffs’s principle [1] in honour of Auguste Kerckhoffs, a Dutch linguist and cryptographer who was professor of languages at the École des Hautes Études Commerciales in Paris in the late 19th century. Kerckhoffs’s principle was reformulated by Claude Shannon as “The enemy knows the system”. In that form, it is called Shannon’s maxim – in contrast to “security through obscurity”, it is widely embraced by cryptographers.

Kerckhoffs’s principle has some interesting correlations with the open source philosophy, where the algorithm (the source code) is public (free to share). As Bruce Schneier writes, “[a]s a cryptography and computer security expert, I have never understood the current fuss about the open source software movement. In the cryptography world, we consider open source necessary for good security; we have for decades.”

This is an important aspect of the security of a cryptographic system: never rely on closed source (secret) algorithms. If you want to implement a cryptographic system that is reasonably secure, you should always use standard algorithms. Don’t spend time and energy creating a new cipher: unless you are an expert in cryptography, i.e. at least a competent mathematician, you will fail for sure. One of the most widely used standards in cryptography today is the Advanced Encryption Standard (AES [2]). This algorithm won the NIST competition in 2001, after a five-year contest among fifteen different designs.
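As an added example (not code from the original article), the plaintext/ciphertext/key terms above applied with AES in PHP: AES-256-GCM through the OpenSSL extension, which encrypts and also authenticates the ciphertext, so any altered data is rejected on decryption. The function names, the nonce/tag/ciphertext layout and the sample key and message are assumptions made for this example.

```php
<?php
declare(strict_types=1);

// Added example, not from the original article: AES-256-GCM in PHP via the
// OpenSSL extension. GCM gives confidentiality plus an authentication tag, so
// a modified ciphertext is rejected instead of decrypting to garbage.
const CIPHER    = 'aes-256-gcm';
const NONCE_LEN = 12;   // standard GCM nonce size
const TAG_LEN   = 16;   // full-length GCM authentication tag

// Encrypt $plaintext with a 32-byte $key. Returns nonce || tag || ciphertext.
function encryptMessage(string $plaintext, string $key): string
{
    if (strlen($key) !== 32) {
        throw new InvalidArgumentException('AES-256 needs a 32-byte key');
    }
    // A fresh random nonce per message: reusing one under the same key breaks GCM.
    $nonce = random_bytes(NONCE_LEN);
    $tag = '';
    $ciphertext = openssl_encrypt($plaintext, CIPHER, $key, OPENSSL_RAW_DATA, $nonce, $tag, '', TAG_LEN);
    if ($ciphertext === false) {
        throw new RuntimeException('encryption failed: ' . openssl_error_string());
    }
    return $nonce . $tag . $ciphertext;
}

// Decrypt a blob produced by encryptMessage(); returns null when the tag does
// not verify (wrong key, or the data was altered in storage or in transit).
function decryptMessage(string $blob, string $key): ?string
{
    if (strlen($blob) < NONCE_LEN + TAG_LEN) {
        return null;
    }
    $nonce      = substr($blob, 0, NONCE_LEN);
    $tag        = substr($blob, NONCE_LEN, TAG_LEN);
    $ciphertext = substr($blob, NONCE_LEN + TAG_LEN);
    $plaintext  = openssl_decrypt($ciphertext, CIPHER, $key, OPENSSL_RAW_DATA, $nonce, $tag);
    return $plaintext === false ? null : $plaintext;
}

// Demo with a constructed key: in a real application the key comes from a
// secret store or environment, never from source code or the database.
$key  = random_bytes(32);
$blob = encryptMessage('sensitive customer record', $key);
var_dump(decryptMessage($blob, $key));

// Flip one bit of the ciphertext: the authentication tag no longer matches.
$last = strlen($blob) - 1;
$blob[$last] = chr(ord($blob[$last]) ^ 0x01);
var_dump(decryptMessage($blob, $key));
```

Note that the key never leaves the server side and that GCM turns a tampered ciphertext into a hard failure (null) rather than silently producing wrong plaintext.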
