openssl_encrypt
Encrypts data
**openssl_encrypt**(string $data, string $cipher_algo, string $passphrase, int $options, string $iv, string $tag, string $aad, int $tag_length)
Encrypts given data with given method and passphrase, returns a raw or base64 encoded string.
data
The plaintext message data to be encrypted.
cipher_algo
The cipher method. For a list of available cipher methods, use openssl_get_cipher_methods.
passphrase
The passphrase. If the passphrase is shorter than expected, it is silently padded with NUL characters; if the passphrase is longer than expected, it is silently truncated.
Note: There is no key derivation function used for `passphrase` as its name might suggest. The only operation used is padding with `NUL` characters or truncation if the length is different than expected.
options
`options` is a bitwise disjunction of the flags `OPENSSL_RAW_DATA`, `OPENSSL_ZERO_PADDING` and `OPENSSL_DONT_ZERO_PAD_KEY`.
iv
A non-null Initialization Vector. If the IV is shorter than expected, it is padded with NUL characters and a warning is emitted; if the IV is longer than expected, it is truncated and a warning is emitted.
tag
The authentication tag passed by reference when using AEAD cipher mode (GCM or CCM).
aad
Additional authenticated data.
tag_length
The length of the authentication tag. Its value can be between 4 and 16 for GCM mode.
Returns the encrypted string on success or false on failure.
Emits an `E_WARNING` level error if an unknown cipher algorithm is passed in via the `cipher_algo` parameter.
Emits an `E_WARNING` level error if an empty value is passed in via the `iv` parameter.
Example: AES Authenticated Encryption in GCM mode example for PHP 7.1+
<?php
// $key should have been previously generated in a cryptographically safe way, like openssl_random_pseudo_bytes
$key = openssl_random_pseudo_bytes(16); // 16 bytes = AES-128 key
$plaintext = "message to be encrypted";
$cipher = "aes-128-gcm";
if (in_array($cipher, openssl_get_cipher_methods()))
{
    $ivlen = openssl_cipher_iv_length($cipher);
    $iv = openssl_random_pseudo_bytes($ivlen);
    // $tag is passed by reference and receives the authentication tag
    $ciphertext = openssl_encrypt($plaintext, $cipher, $key, $options=0, $iv, $tag);
    // store $cipher, $iv, and $tag for decryption later
    $original_plaintext = openssl_decrypt($ciphertext, $cipher, $key, $options=0, $iv, $tag);
    echo $original_plaintext."\n";
}
?>
Example: AES Authenticated Encryption example prior to PHP 7.1
<?php
// $key previously generated safely, ie: openssl_random_pseudo_bytes
$key = openssl_random_pseudo_bytes(16); // 16 bytes = AES-128 key
$plaintext = "message to be encrypted";
$ivlen = openssl_cipher_iv_length($cipher="AES-128-CBC");
$iv = openssl_random_pseudo_bytes($ivlen);
$ciphertext_raw = openssl_encrypt($plaintext, $cipher, $key, $options=OPENSSL_RAW_DATA, $iv);
// the HMAC is computed over the raw ciphertext
$hmac = hash_hmac('sha256', $ciphertext_raw, $key, $as_binary=true);
$ciphertext = base64_encode( $iv.$hmac.$ciphertext_raw );

// decrypt later....
$c = base64_decode($ciphertext);
$ivlen = openssl_cipher_iv_length($cipher="AES-128-CBC");
$iv = substr($c, 0, $ivlen);
$hmac = substr($c, $ivlen, $sha2len=32);
$ciphertext_raw = substr($c, $ivlen+$sha2len);
$calcmac = hash_hmac('sha256', $ciphertext_raw, $key, $as_binary=true);
if (hash_equals($hmac, $calcmac)) // timing attack safe comparison
{
    // decrypt only after the HMAC has been verified
    $original_plaintext = openssl_decrypt($ciphertext_raw, $cipher, $key, $options=OPENSSL_RAW_DATA, $iv);
    echo $original_plaintext."\n";
}
?>
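The padding and truncation rules for passphrase described above, shown as an added example that is not part of the original manual page: it compares a short passphrase with its NUL-padded form, compares two long passphrases that share their first 32 bytes, and then derives a full-length key with PBKDF2 before encrypting. The helper seal(), the fixed demonstration IV, the salt size and the iteration count are assumptions of this example.

```php
<?php
// Added example: all values are constructed; seal() is a hypothetical helper.
const CIPHER = 'aes-256-gcm';   // fixed 32-byte key, 12-byte IV

// Encrypt and return ciphertext . tag so two calls can be compared byte for byte.
function seal(string $data, string $key, string $iv): string
{
    $tag = '';
    $ct = openssl_encrypt($data, CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($ct === false) {
        throw new RuntimeException('openssl_encrypt failed');
    }
    return $ct . $tag;
}

$data = 'message to be encrypted';
// Fixed IV ONLY so the outputs below are comparable; never reuse an IV with GCM.
$demoIv = str_repeat("\x01", openssl_cipher_iv_length(CIPHER));

// 1. Short passphrase versus the same bytes padded with NUL to the key length.
$short = 'secret';
var_dump(seal($data, $short, $demoIv) === seal($data, str_pad($short, 32, "\0"), $demoIv));

// 2. Two long passphrases that differ only after the first 32 bytes.
$prefix = str_repeat('k', 32);
var_dump(seal($data, $prefix . 'tail-one', $demoIv) === seal($data, $prefix . 'tail-two', $demoIv));

// 3. Password-based use: derive a full-length key first (PBKDF2 here; the salt
//    size and iteration count are assumptions), then encrypt with a random IV.
$salt = random_bytes(16);
$key  = hash_pbkdf2('sha256', $short, $salt, 600000, 32, true);
$iv   = random_bytes(openssl_cipher_iv_length(CIPHER));
$tag  = '';
$ct   = openssl_encrypt($data, CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag);

// Store $salt, $iv and $tag alongside $ct; all are needed to decrypt.
$sameKey = hash_pbkdf2('sha256', $short, $salt, 600000, 32, true);
$back    = openssl_decrypt($ct, CIPHER, $sameKey, OPENSSL_RAW_DATA, $iv, $tag);
var_dump(strlen($key), $back === $data);
?>
```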
openssl_decrypt