Implementing Cryptography

The Cryptography class is used to implement cryptography for your site and back-end. Cryptography uses methods from the openssl library integrated into PHP

By default, Cryptography will use the AES 256-bit cipher in CBC (Cipher Block Chaining) mode. We choose AES-256-CBC because it is a strong cipher and is recommended by the US government for it's own secret documents and hence is widely accepted too. Cryptography can also conveniently do base64 conversion (similar to MIME-based Base64 encoding) so that the resulting encrypted data can be used in text-based streams, GET/POST data, URLs, etc. By default Base64 encoding is enabled, since we mostly deal with HTTP on the web and it's just easier to transport text than binary.

However, note that any of these options can be changed at any time. Through the openssl library, Cryptography supports most of the industry accepted ciphers. You can use the openssl-get-cipher-methods method to see the list of supported encryption methods.

You can specify a "default" cipher, base64 flag, key and initialization vector by modifying the arguments when constructing a new instance of Cryptography.

Asymmetric Cryptography (using public-private key pairs) is not currently supported.

Cryptography also supports the encryption and decryption of entire files.

By default, the QCubed framework is not set up with a default cryptography key. You can set one up for your application by defining the QCUBED_CRYPTOGRAPHY_DEFAULT_KEY define. By sure to keep this key private.

The Initialization Vector

Some ciphers require an initialization vector. An initialization vector is an important part of preventing someone from being able to guess your key from a series of encrypted data. Initialization vectors must be random, and should be remembered. Generally speaking, you should let the Cryptography class handle the creation and management of the initialization vector for you by specifying null. It will embed the initialization vector into the encrypted data (which is fine and does not compromise the data, it just makes it longer). Only in special situations where you are trying to limit the size of encrypted data would you need to manage the IV yourself.

Default Settings - AES 256-bit CBC with default IV and Key

Blowfish, Cipher Block Chaining, with Base64 encoding and a custom IV)

Blowfish, Cipher Block Chaining, without Base64 encoding and the same custom IV as above)