 
Friday, 09 January 2009
 
 

Shared Secret Algorithms
 
 

Taking It Further

Perhaps, for one reason or another, we don't want to keep track of a substitution alphabet. What other types of simple character substitution are open to us? We might decide to implement a phase shift substitution: advance the ordinal value of every character by one or more to encrypt, and decrease it back down to decrypt. We might also try applying a bitmask to our original text through the XOR operator: once to encrypt, and a second time to decrypt. Try out a few ideas on your own and see what you come up with.

NOTE

The most important thing to bear in mind about the algorithms mentioned thus far is that they are not generally considered to be secure. In fact, they are so easy to crack that many puzzle books include encrypted messages as games for children to solve.
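
The two ideas above (phase shift and XOR bitmask) as an added PHP example that is not part of the original article; the function names `shift_bytes` and `xor_mask` are illustrative. The last lines show why the NOTE holds: XORing the ciphertext with a known plaintext hands back the mask.

```php
<?php
// Added example, not from the original article. Function names are illustrative.

// Phase shift: move each byte's ordinal value by $shift, wrapping at 256.
function shift_bytes(string $text, int $shift): string
{
    $out = '';
    for ($i = 0, $n = strlen($text); $i < $n; $i++) {
        $out .= chr(((ord($text[$i]) + $shift) % 256 + 256) % 256);
    }
    return $out;
}

// XOR bitmask: the same call encrypts and decrypts, because (b ^ m) ^ m == b.
function xor_mask(string $text, string $mask): string
{
    if ($mask === '') {
        throw new InvalidArgumentException('mask must not be empty');
    }
    $out = '';
    for ($i = 0, $n = strlen($text), $m = strlen($mask); $i < $n; $i++) {
        $out .= $text[$i] ^ $mask[$i % $m];   // byte-wise XOR, mask repeats
    }
    return $out;
}

$plain = 'The crow flies at midnight';          // sample text from the article

$shifted = shift_bytes($plain, 3);
var_dump(shift_bytes($shifted, -3) === $plain); // shifting back restores the text

$masked = xor_mask($plain, 'enigma');
var_dump(xor_mask($masked, 'enigma') === $plain); // second XOR restores the text

// Known plaintext reveals the key material: ciphertext ^ plaintext is the
// mask repeated, so one guessed message exposes every other message.
echo substr($masked ^ $plain, 0, 12), "\n";
```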


Stronger Encryption Algorithms

PHP includes an extension that wraps the popular Mcrypt library and provides the programmer with access to several moderate-strength shared-key encryption algorithms, including DES, Triple DES, Blowfish, 3-WAY, SAFER-SK64, SAFER-SK128, TWOFISH, TEA, RC2, GOST, RC6, and IDEA. Mcrypt also supports a pluggable encryption system that allows new encryption algorithms to be added without having to recompile Mcrypt or PHP. The underlying implementation of each algorithm differs, but the scripting interfaces from PHP are all alike. Let's look at an example:

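<?php
$plaintext = "The crow flies at midnight";
$password = "enigma";
// Size of the IV expected for this cipher/mode combination
$iv_size = mcrypt_get_iv_size(MCRYPT_BLOWFISH, MCRYPT_MODE_ECB);
srand(); // seed the generator used by MCRYPT_RAND
$iv = mcrypt_create_iv($iv_size, MCRYPT_RAND);
$ciphertext = mcrypt_encrypt(MCRYPT_BLOWFISH, $password, $plaintext,
                             MCRYPT_MODE_ECB, $iv);
// Store the IV in front of the ciphertext so the reader can split them apart
file_put_contents('secret_message.txt', $iv . $ciphertext);
?>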

In the preceding code block, we're encrypting a small chunk of data ($plaintext) into $ciphertext using the Blowfish algorithm and a secret password of "enigma." $iv is the initialization vector (IV), the initial value used to seed the encryption algorithm, and is populated with random data.

<?php
$messagedata = file_get_contents('secret_message.txt');
$iv_size = mcrypt_get_iv_size(MCRYPT_BLOWFISH, MCRYPT_MODE_ECB);
// The file holds the IV first, then the ciphertext
$iv = substr($messagedata, 0, $iv_size);
$ciphertext = substr($messagedata, $iv_size);
$password = "enigma";
$plaintext = mcrypt_decrypt(MCRYPT_BLOWFISH, $password, $ciphertext,
                            MCRYPT_MODE_ECB, $iv);
// Mcrypt pads the last block with NUL bytes; strip them from the result
$plaintext = rtrim($plaintext, "\0");
?>

Here we read the initial value and encrypted text back from the file and pair them with our secret password to recover our plain text. Depending on your implementation, you may choose to make $iv a constant string, a hash based on the passphrase, or just include it inline with the encrypted data, as shown. No method is significantly more or less secure than the other so long as the passphrase is kept secret. If the initial value is not provided, PHP will assume an initial value of zero. Although this is technically as secure as any other initial value, it has the drawback of being the first combination tried by most brute-force attacks and thus, in practice, becomes less secure than providing a sufficiently randomized initial value.

In the preceding example, we specified a built-in cipher by using one of the predefined constants. Mcrypt also supports dynamically loaded ciphers by way of the Mcrypt generic API. Let's try the same example again, this time using Mcrypt generic:

<?php
$plaintext = "The crow flies at midnight";
$password = "enigma";
// Load the cipher and mode modules from the default directories
$cipher = mcrypt_module_open('blowfish', '', 'ecb', '');
$iv_size = mcrypt_enc_get_iv_size($cipher);
srand(); // seed the generator used by MCRYPT_RAND
$iv = mcrypt_create_iv($iv_size, MCRYPT_RAND);
mcrypt_generic_init($cipher, $password, $iv);
$ciphertext = mcrypt_generic($cipher, $plaintext);
// Release the key buffers, then unload the module
mcrypt_generic_deinit($cipher);
mcrypt_module_close($cipher);
file_put_contents('secret_message.txt', $iv . $ciphertext);
?>

In this version we've accomplished the same goals; however, we've loaded a dynamic cipher algorithm ('blowfish') and mode ('ecb') from the directories pointed to by the php.ini entries mcrypt.algorithms_dir and mcrypt.modes_dir, respectively. If we had a special cipher algorithm and encryption mode located in an alternative directory, we could have specified those directories in the second and fourth parameters.

$cipher = mcrypt_module_open('mycipher', '/home/jdoe/ciphers/', 'mymode',
'/home/jdoe/mcrypt-modes/');

Decrypting using this alternative API also parallels the first version with only minor differences:

<?php
$messagedata = file_get_contents('secret_message.txt');
$cipher = mcrypt_module_open('blowfish', '', 'ecb', '');
$iv_size = mcrypt_enc_get_iv_size($cipher);
// The file holds the IV first, then the ciphertext
$iv = substr($messagedata, 0, $iv_size);
$ciphertext = substr($messagedata, $iv_size);
$password = "enigma";
mcrypt_generic_init($cipher, $password, $iv);
$plaintext = mdecrypt_generic($cipher, $ciphertext);
// Mcrypt pads the last block with NUL bytes; strip them from the result
$plaintext = rtrim($plaintext, "\0");
mcrypt_generic_deinit($cipher);
mcrypt_module_close($cipher);
?>
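
An added example, not from the original article, for readers on current PHP: Mcrypt was deprecated in PHP 7.1 and removed in 7.2, and ECB mode does not use the IV at all, so identical plaintext blocks encrypt to identical ciphertext blocks. It swaps in the OpenSSL extension with AES-256-GCM and PBKDF2 (not the article's Blowfish/Mcrypt calls), keeps the article's store-it-inline file layout, and shows the ECB block repetition for contrast. The helper names, salt length and iteration count are assumptions.

```php
<?php
// Added example, not from the original article. Uses ext/openssl because
// Mcrypt was removed in PHP 7.2. Passphrase and message are constructed.
const CIPHER = 'aes-256-gcm', SALT_LEN = 16, TAG_LEN = 16;

function derive_key(string $password, string $salt): string
{
    // Stretch the passphrase instead of using it directly as the key.
    return hash_pbkdf2('sha256', $password, $salt, 200000, 32, true);
}

function seal(string $plaintext, string $password): string
{
    $salt  = random_bytes(SALT_LEN);
    $nonce = random_bytes(openssl_cipher_iv_length(CIPHER));
    $tag   = '';
    $ct = openssl_encrypt($plaintext, CIPHER, derive_key($password, $salt),
                          OPENSSL_RAW_DATA, $nonce, $tag);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    // Stored inline, the same way the article stores $iv . $ciphertext.
    return $salt . $nonce . $tag . $ct;
}

function unseal(string $blob, string $password): string
{
    $n = openssl_cipher_iv_length(CIPHER);
    if (strlen($blob) < SALT_LEN + $n + TAG_LEN) {
        throw new RuntimeException('truncated message');
    }
    $salt  = substr($blob, 0, SALT_LEN);
    $nonce = substr($blob, SALT_LEN, $n);
    $tag   = substr($blob, SALT_LEN + $n, TAG_LEN);
    $ct    = substr($blob, SALT_LEN + $n + TAG_LEN);
    $pt = openssl_decrypt($ct, CIPHER, derive_key($password, $salt),
                          OPENSSL_RAW_DATA, $nonce, $tag);
    if ($pt === false) {
        throw new RuntimeException('wrong passphrase or modified message');
    }
    return $pt;
}

// ECB for contrast: three identical 16-byte plaintext blocks.
$msg = str_repeat('crow at midnight', 3);
$ecb = str_split(bin2hex(openssl_encrypt($msg, 'aes-256-ecb',
    derive_key('enigma', 'constructed-salt'), OPENSSL_RAW_DATA)), 32);
var_dump($ecb[0] === $ecb[1]);   // do equal plaintext blocks encrypt identically?
var_dump(unseal(seal($msg, 'enigma'), 'enigma') === $msg);   // GCM round trip
```

Unlike the Mcrypt calls, `unseal()` rejects a file that was altered or opened with the wrong passphrase instead of returning garbage, because GCM verifies the authentication tag before releasing any plaintext.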

