Skip to content

Instantly share code, notes, and snippets.

@joshhartman
Last active November 25, 2022 10:10
Show Gist options
  • Save joshhartman/10342187 to your computer and use it in GitHub Desktop.
Save joshhartman/10342187 to your computer and use it in GitHub Desktop.
Rijndael 256-bit Encryption (CBC) Class
<?php
class Crypt {
private $key;
function __construct($key){
$this->setKey($key);
}
public function encrypt($encrypt){
$encrypt = serialize($encrypt);
$iv = mcrypt_create_iv(mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_CBC), MCRYPT_DEV_URANDOM);
$key = pack('H*', $this->key);
$mac = hash_hmac('sha256', $encrypt, substr($this->key, -32));
$passcrypt = mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $key, $encrypt . $mac, MCRYPT_MODE_CBC, $iv);
$encoded = base64_encode($passcrypt) . '|' . base64_encode($iv);
return $encoded;
}
public function decrypt($decrypt){
$decrypt = explode('|', $decrypt.'|');
$decoded = base64_decode($decrypt[0]);
$iv = base64_decode($decrypt[1]);
if(strlen($iv)!==mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_CBC)){ return false; }
$key = pack('H*', $this->key);
$decrypted = trim(mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $key, $decoded, MCRYPT_MODE_CBC, $iv));
$mac = substr($decrypted, -64);
$decrypted = substr($decrypted, 0, -64);
$calcmac = hash_hmac('sha256', $decrypted, substr($this->key, -32));
if($calcmac !== $mac){
return false;
}
$decrypted = unserialize($decrypted);
return $decrypted;
}
public function setKey($key){
if(ctype_xdigit($key) && strlen($key) === 64){
$this->key = $key;
}else{
trigger_error('Invalid key. Key must be a 32-byte (64 character) hexadecimal string.', E_USER_ERROR);
}
}
}
$crypt = new Crypt('d0a7e7997b6d5fcd55f4b5c32611b87cd923e88837b63bf2941ef819dc8ca282');
echo '<h1>Rijndael 256-bit CBC Encryption Function</h1>';
$data = 'Super secret confidential string data.';
$encrypted_data = $crypt->encrypt($data);
echo '<h2>Example #1: String Data</h2>';
echo 'Data to be Encrypted: ' . $data . '<br/>';
echo 'Encrypted Data: ' . $encrypted_data . '<br/>';
echo 'Decrypted Data: ' . $crypt->decrypt($encrypted_data) . '</br>';
$data = array(1, 5, 8, new DateTime(), 22, 10, 61, array('apple' => array('red', 'green')));
$encrypted_data = $crypt->encrypt($data);
echo '<h2>Example #2: Non-String Data</h2>';
echo 'Data to be Encrypted: <pre>';
print_r($data);
echo '</pre><br/>';
echo 'Encrypted Data: ' . $encrypted_data . '<br/>';
echo 'Decrypted Data: <pre>';
print_r($crypt->decrypt($encrypted_data));
echo '</pre>';
@Harmond
Copy link

Harmond commented Sep 12, 2015

Do not roll your own crypto.
For all those considering using this class... DON'T! It is insecure. What is more, the author has, by means of this code, demonstrated that he is not equipped to not write crypto code.

So, how insecure is this code? Well, it featured on Crypto Fails.

@joshhartman, please don't try to fix this class, just scrape it. Use a well known, widely reviewed, standard implementation instead.

@xcount
Copy link

xcount commented Jun 1, 2017

The above class is deprecated in php 7.1
Could someone upgrade?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment