Implementing Cryptography
The Cryptography class is used to implement cryptography for your site and
back-end. Cryptography uses methods from the openssl library integrated into PHP.
By default, Cryptography will use the AES 256-bit cipher in CBC (Cipher
Block Chaining) mode.
We choose AES-256-CBC because it is a strong cipher, is recommended by the US government for its own secret
documents, and is therefore widely accepted.
Cryptography can also conveniently do base64 conversion (similar to MIME-based
Base64 encoding) so that the resulting encrypted data can be used in text-based streams,
GET/POST data, URLs, etc. By default Base64 encoding is enabled, since we mostly deal with HTTP on the web and
it's just easier to transport text than binary.
However, note that any of these options can be changed at any time. Through the openssl
library, Cryptography supports most of the industry-accepted ciphers. You can use PHP's
openssl_get_cipher_methods() function to see the list of supported encryption methods.
You can specify a "default" cipher, base64 flag, key and initialization vector by modifying
the arguments when constructing a new instance of Cryptography.
Asymmetric Cryptography (using public-private key pairs) is not currently supported.
Cryptography also supports the encryption and decryption of entire files.
By default, the QCubed framework is not set up with a default cryptography key. You can set one up for your
application by defining the QCUBED_CRYPTOGRAPHY_DEFAULT_KEY constant. Be sure to keep this key private.
The Initialization Vector
Some ciphers require an initialization vector (IV). An initialization vector is an important part of preventing
someone from being able to guess your key from a series of encrypted data. Initialization vectors must be random, and
should be remembered, since the same initialization vector is needed to decrypt the data. Generally speaking, you
should let the Cryptography class handle the creation and management of the initialization vector for you by
specifying null. It will embed the initialization vector into the encrypted data (which is fine and does not
compromise the data; it just makes it longer). Only in special situations where you are trying to limit the size of
encrypted data would you need to manage the IV yourself.
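The embedded-IV approach described above, sketched directly against PHP's openssl functions with AES-256-CBC and Base64 output. This is an added example, not QCubed's own code; the function names embedIvEncrypt and embedIvDecrypt, the sample plaintext and the sample key are assumptions made for illustration.

```php
<?php
// Added illustration of an embedded IV; not the QCubed Cryptography class.
// embedIvEncrypt / embedIvDecrypt are hypothetical helper names.

const CIPHER = 'aes-256-cbc';

function embedIvEncrypt(string $plaintext, string $key): string
{
    $ivLen = openssl_cipher_iv_length(CIPHER);   // IV size the cipher expects
    $iv = random_bytes($ivLen);                  // fresh random IV for every message
    $ct = openssl_encrypt($plaintext, CIPHER, $key, OPENSSL_RAW_DATA, $iv);
    if ($ct === false) {
        throw new RuntimeException('encryption failed: ' . openssl_error_string());
    }
    // The IV is not secret, so it travels in front of the ciphertext.
    return base64_encode($iv . $ct);
}

function embedIvDecrypt(string $encoded, string $key): string
{
    $raw = base64_decode($encoded, true);        // strict mode rejects stray characters
    $ivLen = openssl_cipher_iv_length(CIPHER);
    if ($raw === false || strlen($raw) <= $ivLen) {
        throw new InvalidArgumentException('malformed or truncated input');
    }
    $iv = substr($raw, 0, $ivLen);               // recover the embedded IV
    $ct = substr($raw, $ivLen);                  // the rest is the ciphertext
    $pt = openssl_decrypt($ct, CIPHER, $key, OPENSSL_RAW_DATA, $iv);
    if ($pt === false) {
        throw new RuntimeException('decryption failed (wrong key or corrupted data)');
    }
    return $pt;
}

// Constructed sample data: a throwaway 256-bit key and a short plaintext.
$key = random_bytes(32);
$first = embedIvEncrypt('account=1001', $key);
$second = embedIvEncrypt('account=1001', $key);

// Same plaintext and key, different IVs: the two outputs should differ.
echo 'outputs differ: ', var_export($first !== $second, true), PHP_EOL;
// Decryption needs only the key, because the IV is read back from the data.
echo 'round trip ok:  ', var_export(embedIvDecrypt($first, $key) === 'account=1001', true), PHP_EOL;
// The size cost of embedding: raw output is the IV length plus the padded ciphertext.
echo 'raw bytes:      ', strlen(base64_decode($first)), ' (IV ', openssl_cipher_iv_length(CIPHER), ')', PHP_EOL;
```

CBC with an embedded IV gives confidentiality only; it does not detect modification of the encrypted data, so values that must not be tampered with need a separate integrity check.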