eac_mcrypt.class.php PHP Encryption Library
Documentation (9pg/272k)
Example wrapper with read/write encrypted functions
Session file encryption with PEAR::HTTP_Session
eac_mcrypt.class is a PHP utility that automates the string or file encryption process. It utilizes the PHP mcrypt module to perform the encryption but requires little or no knowledge of how the module works.
eac_mcrypt.class creates a very strong encryption process by first creating a strong key from the supplied unique key and either a built-in or supplied “salt”. These two values are combined into two different binary hashes (using Message-Digest algorithm 5, or MD5), which together form a unique 256-bit key (the maximum key size for any supported cipher).
Using a double binary hash increases the strength of the key over the typical single hexadecimal hashes used in many encryption algorithms. Each hexadecimal character represents only 4 bits, so a 32-character hash really only represents a 128-bit key, whereas two 16-byte binary keys concatenated create a true 32-byte / 256-bit key.
The double binary hash is also much stronger than the common key/pass-phrase only algorithms in that it ensures the longest, densest key allowable by the cipher and it combines two values (the key and salt) to create each hash before combining the hashes into the strong key.
Furthermore, rather than using a known or common Initialization Vector in the encryption process, eac_mcrypt.class generates a random IV and includes it with the encrypted data. The IV allows for multiple independent encryption streams using the same strong key without regenerating the key.
As a last-step protection mechanism, the encrypted data stream (along with the Initialization Vector) is further protected with a “scramble” function that does a byte-by-byte mathematical scramble using the data stream and the generated strong key.
On systems that do not have the PHP mcrypt module loaded, eac_mcrypt.class will first try to load it and, on failure, will fall back to its own “scramble” function in lieu of the stronger encryption functions. Although this is a weaker encryption method, it still requires the original unique key and salt, the key generation algorithm and the “descramble” algorithm to descramble the data.
eac_mcrypt.class also performs an integrity check of the data by appending a 32-bit cyclic redundancy check (CRC) number to the end of the data stream before encryption. It then validates this number after the decryption process by regenerating the number and comparing it to the original. This ensures true data integrity even when the data stream is padded with null (binary zero) characters.
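The layout described above (a 256-bit key derived from key and salt, a random IV carried with the ciphertext, an integrity check verified on decryption) can be reproduced on current PHP with the OpenSSL extension, since mcrypt was deprecated in PHP 7.1 and removed from core in 7.2. This is an added example, not eac_mcrypt.class code: PBKDF2-SHA256 stands in for the double MD5 hash and the AES-GCM authentication tag for the CRC-32 check. The function names, iteration count and sample values are assumptions.

```php
<?php
// Added example, not eac_mcrypt.class code. All function names are hypothetical.

// Derive a 32-byte (256-bit) binary key from key + salt. PBKDF2-SHA256 replaces
// the library's double MD5 hash; the iteration count is an assumed value.
function derive_key(string $key, string $salt): string
{
    return hash_pbkdf2('sha256', $key, $salt, 100000, 32, true);
}

// Output layout: IV (12 bytes) || GCM tag (16 bytes) || ciphertext.
function encrypt_blob(string $plain, string $key256): string
{
    $iv  = random_bytes(12);   // fresh random IV for every message
    $tag = '';
    $ct  = openssl_encrypt($plain, 'aes-256-gcm', $key256, OPENSSL_RAW_DATA, $iv, $tag);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    return $iv . $tag . $ct;
}

function decrypt_blob(string $blob, string $key256): string
{
    if (strlen($blob) < 28) {
        throw new RuntimeException('blob too short');
    }
    $iv  = substr($blob, 0, 12);
    $tag = substr($blob, 12, 16);
    $ct  = substr($blob, 28);
    // Returns false when the key is wrong or any byte of the blob was modified.
    $pt  = openssl_decrypt($ct, 'aes-256-gcm', $key256, OPENSSL_RAW_DATA, $iv, $tag);
    if ($pt === false) {
        throw new RuntimeException('integrity check failed');
    }
    return $pt;
}

$key  = derive_key('unique key', 'unique salt');    // constructed sample values
$blob = encrypt_blob("session data\0\0", $key);     // trailing NULs survive the round trip
var_dump(decrypt_blob($blob, $key) === "session data\0\0");

$last = strlen($blob) - 1;
$blob[$last] = chr(ord($blob[$last]) ^ 1);          // flip one ciphertext bit
try {
    decrypt_blob($blob, $key);
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
}
```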
eac_mcrypt.class.php should be installed in any folder in the server’s PHP include path. It is recommended that the file be installed outside of the normal web space.
First, include the class library in your PHP document:
require_once('eac_mcrypt.class.php');
Next, create an instance of the mcrypt class:
$mcrypt = new mcrypt_class( array( "key"=>"unique key", "salt"=>"unique salt" ) );
To encrypt a data stream:
$mcrypt->encrypt( $data_stream );
To decrypt a data stream:
$mcrypt->decrypt( $data_stream );