basic PHP encryption help needed

Report · Oct 27, 2018

Hi all,

Using PHP, I am trying to connect to an external service which requires authentication. Rather than storing the private authentication text in the clear on a PHP Page with variables, I'm curious what the best encryption method would be for this purpose.

some choices i've seen - mcrypt - openssl_encrypt and others...

Some of the possibilities seem outdated.

Can anyone point me to a current basic standard for 2018 to get me started?

Thanks

Dave

Report · Oct 27, 2018

There's not much point in trying to use encryption to store your credentials.

Most encryption methods are one-way, so you can't decrypt them.
Even if you use a method that allows decryption, you've got to do that within your script so that the actual credentials are sent to the remote service. Consequently, anyone who is able to access the raw script will be able to decrypt them.

The key is to prevent others from accessing your script or where the credentials are stored.

A simple approach would be to store your credentials in a file outside the server's document root. PHP includes are capable of finding files outside the document root; but no one else can access them unless they have direct access to your server. Alternatively, store your credentials in a database.

Report · Oct 31, 2018

Extending upon what David has said as a timeless way.

One thing that's typically saved on the filesystem, away from prying eyes, is the salt used per your given encryption choice. The salt alone will be what you store in that file. When a user logs in, you'd take the password they supply in a login form, read your 'secret salt file', encrypt that value and then compare the encrypted value against a password you stored for them in your database. Since the salt is the same, the one-way encrypted value will match it. Then you can store those passwords in the database and have a way to quickly check against them in a login.

Another way PHP offers is password_hash(). This function handles the salt for you automatically based on time. It then encrypts whatever string you give it and embeds a salt into the encrypted string it returns as well. Then you can skip the step of putting the salt on the filesystem altogether. You use PHP's password_verify() function which will compare what the user sends as the passwords while auto-reading it's own embedded salt. It is doing the same salting method as above, only every password has a unique salt already inside it, encrypted. Take a look at the pages, the functions are very simple to use. e.g.:

$hash = password_hash( "aStr0ngp@$swoRd", PASSWORD_DEFAULT ); // hash created using a generated salt for you
if ( password_verify( "aStr0ngp@$swoRd", $hash ) ) {
    // validated! do stuff..
}

The documentation recommends that you do not provide a salt, but you may. the PASSWORD_DEFAULT is also a CONST specifying the type of encryption you want. There are other options you can read about to suit your needs. This is all in the realm of a basic setup.

Report · Apr 18, 2019

Sorry for the late reply - Thanks David and sinious for your detailed info!

basic PHP encryption help needed

1 Correct answer