11/24/2015

Encrypt Sensitive Information within URLs using PHP

In this blog post, we will run some tests to encrypt and decrypt plain text using PHP. This is sometimes useful: suppose you have URLs like http://www.somesite.com/users/1. This is not safe, because your users can manipulate the ID to get information that is not meant for them. So, what if you change that URL into something like http://www.somesite.com/users/iopiqowialkjsdkjdnzmnzmv? This URL is safer; all you need to do is extract the encoded string from the URL and decrypt it to get the plain-text information. Keep in mind that an encrypted ID only hides the value: the server still has to check that the logged-in user is allowed to see the requested record, and the decrypted value should be validated like any other request input.

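Note: we are using the PHP MCrypt module. MCrypt was deprecated in PHP 7.1 and removed from core in PHP 7.2, so the code below needs an older PHP version or the PECL mcrypt extension.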





<?php 

# __identity__ : EncryptionOperations

/*
* EncryptionOperations.comp.php
* Useful methods for encrypting and decrypting sensitive information carried in URLs
* @methods
    public static function encryptStringBymCrypt($plaintext)
    public static function decryptStringBymCrypt($ciphertext_base64) 
    function encryptStringasHex($plaintext)
    function decryptHexasString($encoded_string)

*/

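/**
 * Reversible encryption helpers for short values carried in URLs.
 *
 * Every token is IV || ciphertext, produced with MCRYPT_RIJNDAEL_128 in CBC
 * mode (AES; the 32-byte key below makes it AES-256). The two method pairs
 * differ only in the text encoding of that binary string: URL-encoded Base64
 * or hex.
 *
 * Limitations a caller has to account for:
 *  - The token carries no MAC. CBC output is malleable, so a token that was
 *    altered in transit can still decrypt to some other plaintext. Treat the
 *    decrypted value as untrusted request input, validate it, and keep the
 *    server-side authorization check for whatever record it names. To get
 *    integrity, add encrypt-then-MAC (hash_hmac() over IV and ciphertext with
 *    a separate key, verified with hash_equals()) or use an AEAD API.
 *  - mcrypt pads the last block with 0x00 bytes and does not remove them on
 *    decryption. Callers strip them with rtrim($value, "\0"), which means a
 *    plaintext that really ends in 0x00 cannot be round-tripped.
 *  - mcrypt was deprecated in PHP 7.1 and removed from core in PHP 7.2.
 */
trait EncryptionOperations
{
    /**
     * Hex-encoded encryption key (64 hex digits = 32 bytes). Despite the
     * name this is the secret key, not a salt.
     *
     * NOTE(review): a key that is hard-coded in source, and public and
     * writable as a static property, is known to everyone who can read the
     * code. Load a per-deployment key from configuration or a secret store
     * instead, and never reuse this sample value.
     *
     * @var string
     */
    public static $salt = "bcb04b7e103a0cd8b54763051cef08bc55abe029fdebae5e1d417e2ffb2a00a3";

    /**
     * Encrypt a string and return it as a URL-encoded Base64 token.
     *
     * @param string $plaintext Text to encrypt.
     * @return string|false rawurlencode(base64(IV || ciphertext)), or false
     *                      when mcrypt reports a failure.
     */
    public static function encryptStringBymCrypt($plaintext)
    {
        $binary = self::encryptToBinary($plaintext);
        if ($binary === false) {
            return false;
        }

        # Base64 can contain '+', '/' and '=', hence the extra URL encoding
        return rawurlencode(base64_encode($binary));
    }

    /**
     * Decrypt a token produced by encryptStringBymCrypt().
     *
     * @param string $ciphertext_base64 URL-encoded Base64 token.
     * @return string|false Plaintext, still carrying any 0x00 padding, or
     *                      false when the token is malformed or decryption
     *                      fails. The result is not authenticated.
     */
    public static function decryptStringBymCrypt($ciphertext_base64)
    {
        if (!is_string($ciphertext_base64)) {
            return false;
        }

        # Strict mode rejects characters outside the Base64 alphabet instead
        # of silently dropping them, which would shift the IV/ciphertext split
        $binary = base64_decode(rawurldecode($ciphertext_base64), true);
        if ($binary === false) {
            return false;
        }

        return self::decryptFromBinary($binary);
    }

    /**
     * Encrypt a string and return it as a hex token.
     *
     * Declared static because it only reads self::$salt and the page's own
     * example calls it as Demo::encryptStringasHex(); calling it on an
     * instance keeps working.
     *
     * @param string $plaintext Text to encrypt.
     * @return string|false bin2hex(IV || ciphertext), or false when mcrypt
     *                      reports a failure.
     */
    public static function encryptStringasHex($plaintext)
    {
        $binary = self::encryptToBinary($plaintext);

        return ($binary === false) ? false : bin2hex($binary);
    }

    /**
     * Decrypt a token produced by encryptStringasHex().
     *
     * @param string $encoded_string Hex token.
     * @return string|false Plaintext, still carrying any 0x00 padding, or
     *                      false when the token is malformed or decryption
     *                      fails. The result is not authenticated.
     */
    public static function decryptHexasString($encoded_string)
    {
        # hex2bin() warns and returns false on odd length or non-hex input,
        # so check the shape of the request-supplied string first
        if (!is_string($encoded_string)
            || preg_match('/\A(?:[0-9a-fA-F]{2})+\z/', $encoded_string) !== 1
        ) {
            return false;
        }

        return self::decryptFromBinary(hex2bin($encoded_string));
    }

    /**
     * Encrypt with a fresh random IV and return IV || ciphertext.
     *
     * @param string $plaintext
     * @return string|false Raw binary string, or false on mcrypt failure.
     */
    private static function encryptToBinary($plaintext)
    {
        # Turn the hex key into its raw bytes
        $key = pack('H*', self::$salt);

        # A new random IV per message; it is not secret and travels with the token
        $iv_size = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_128, MCRYPT_MODE_CBC);
        $iv = mcrypt_create_iv($iv_size, MCRYPT_DEV_URANDOM);

        $ciphertext = mcrypt_encrypt(MCRYPT_RIJNDAEL_128, $key, $plaintext, MCRYPT_MODE_CBC, $iv);
        if ($ciphertext === false) {
            # Without this check the token would consist of the IV alone
            return false;
        }

        return $iv . $ciphertext;
    }

    /**
     * Split IV || ciphertext and decrypt it.
     *
     * @param string $binary Raw token bytes.
     * @return string|false Zero-padded plaintext, or false when the length
     *                      is impossible for this format or mcrypt fails.
     */
    private static function decryptFromBinary($binary)
    {
        # In CBC mode the IV is exactly one cipher block long
        $iv_size = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_128, MCRYPT_MODE_CBC);

        # A valid token holds the IV plus at least one whole block
        $length = strlen($binary);
        if ($length < 2 * $iv_size || $length % $iv_size !== 0) {
            return false;
        }

        $key = pack('H*', self::$salt);
        $iv = substr($binary, 0, $iv_size);
        $ciphertext = substr($binary, $iv_size);

        return mcrypt_decrypt(MCRYPT_RIJNDAEL_128, $key, $ciphertext, MCRYPT_MODE_CBC, $iv);
    }
}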


// # Main Test Case (11-12-2015)
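/**
 * Minimal host class for the demo: it only exists to pull in the
 * EncryptionOperations trait so its methods can be called.
 */
class Demo
{
    use EncryptionOperations;

    /**
     * Sample value set by the constructor; none of the trait's methods read it.
     * Declared explicitly rather than created as a dynamic property.
     *
     * @var string
     */
    public $hello;

    public function __construct()
    {
        $this->hello = "simple hello world";
    }
}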



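# Test case 1: URL-encoded Base64 token
$i = new Demo();

# Round trip: decrypt the token that was just produced
$token = Demo::encryptStringBymCrypt("simple hello world and awesome work so far this is just simple and great");
$j = Demo::decryptStringBymCrypt($token);
# Strip only mcrypt's 0x00 padding; a bare rtrim() would also eat trailing whitespace
echo ($j === false) ? "decryption failed" : rtrim($j, "\0");
echo PHP_EOL;

# Decrypt a token saved from an earlier run
$j = Demo::decryptStringBymCrypt("XSDflmFYdqWJrgML6LyUTNH6zl3rEVRSxijljfayig48h1cN0r88VSuJLKMlIxRclV29yKEZ%2BNyDzyjrm5E%2FwEHB6EKPkyp6bbgkfU7GpoGuCAzrUFK18mNAubAM2ukc");
echo ($j === false) ? "decryption failed" : rtrim($j, "\0");
echo PHP_EOL;


# Test Case 2: hex token
# Called on the instance, which works whether or not the methods are declared static
$a = new Demo();
echo $a->encryptStringasHex("hello wold");
echo PHP_EOL;
$b = $a->decryptHexasString("27960504158a4c4ceeee1650ab9686027b47af826b9e69fe5fe34d33872e75d6");
echo ($b === false) ? "decryption failed" : rtrim($b, "\0");
echo PHP_EOL;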


?>

