An Introduction to Encryption and Its Uses: an MCrypt story
Tuesday, February 5th, 2008

Many if not most current websites handle sensitive data in one form or another. Be it email addresses, passwords, credit card information or some other form of data, visitors to websites demand that their information be kept confidential. As developers it is our job to uphold visitor expectations. This is a vexing problem considering the rise of internet piracy and credit fraud. However, there is a tool available to developers that can help protect both your and your clients' interests: encryption. One of the safest ways to store sensitive data securely is through the use of encryption. The following describes the use and features of encryption using the tool MCrypt (an open source, third-party encryption library available to the PHP language).

Encryption is the process of converting plaintext information into ciphertext (text unreadable by humans) through the use of algorithms and functions known as ciphers. MCrypt offers a wide variety of encryption ciphers, and choosing the correct cipher for your application may require some further research into the pros and cons of each. Something to keep in mind, however, is that encryption can be either one-way or two-way: once the ciphertext is created it either cannot be decrypted, or it can be turned back into plaintext by the corresponding decryption operation. For example, a two-way cipher such as MCRYPT_3DES (Triple DES) would be best for storing credit card information, as the plaintext credit card number is needed to process a transaction.
Another decision that needs to be made is which block cipher mode to use with your encryption cipher. A cipher given a constant key and plaintext will always return the same ciphertext. To provide more security, block cipher modes use Initialization Vectors (IVs) so that the same plaintext and key produce a different, randomized ciphertext on each encryption. The four main block cipher modes supported by MCrypt are Cipher Block Chaining (CBC), Output Feedback (OFB), Cipher Feedback (CFB), and Electronic Codebook (ECB). These four modes are geared towards confidentiality.
Initialization Vectors are required for use in block cipher modes. They allow a block cipher to process a string of plaintext into a block of ciphertext distinct from every other block of ciphertext. The size of the IV corresponds to the block cipher you chose for your encryption scheme. MCrypt provides a useful function for retrieving this size, mcrypt_get_iv_size, which takes the cipher and encryption mode as parameters and returns the length of the required IV. Note: mode ECB does not require an IV.
Lastly, and perhaps most importantly, an encryption key needs to be chosen for the application. All of the ciphers available through MCrypt are built on open standards. For the application to obtain actual security, a secret key needs to be created for the encryption scheme. “This principle is known as Kerckhoffs’ principle - ‘only secrecy of the key provides security’”.
After choosing the encryption scheme (cipher, mode, IV, and key) that best fits the website application, encrypting and decrypting is a simple matter of calling the library’s mcrypt_encrypt and mcrypt_decrypt functions.
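Putting the four choices together, here is an added example (not code from the original post) that encrypts and decrypts a card number with MCRYPT_3DES in CBC mode, generating a fresh IV per call and storing it alongside the ciphertext so it is available for decryption. It assumes the mcrypt extension is loaded (PHP 5.x through 7.1; the extension was removed in PHP 7.2) and uses a constructed placeholder key of the 24 bytes that 3DES requires.

```php
<?php
// Added example, not from the original post. Requires the mcrypt extension.
// Constructed placeholder key: exactly 24 bytes, the key size MCRYPT_3DES expects.
// In a real deployment the key lives in configuration outside the web root.
$key = 'constructed-24-byte-key!';
if (strlen($key) !== mcrypt_get_key_size(MCRYPT_3DES, MCRYPT_MODE_CBC)) {
    throw new RuntimeException('key length does not match the cipher');
}

function encrypt_card($plaintext, $key) {
    // IV size depends on cipher and mode: 3DES has an 8-byte block, so CBC needs 8 bytes.
    $ivSize = mcrypt_get_iv_size(MCRYPT_3DES, MCRYPT_MODE_CBC);
    // A fresh random IV per encryption; never reuse one with the same key.
    $iv = mcrypt_create_iv($ivSize, MCRYPT_DEV_URANDOM);
    // mcrypt_encrypt pads the plaintext with NUL bytes up to the block size.
    $ciphertext = mcrypt_encrypt(MCRYPT_3DES, $key, $plaintext, MCRYPT_MODE_CBC, $iv);
    // The IV is not secret but is required to decrypt, so prepend it to the stored value.
    // This gives confidentiality only; MCrypt does not add an integrity check.
    return base64_encode($iv . $ciphertext);
}

function decrypt_card($encoded, $key) {
    $ivSize = mcrypt_get_iv_size(MCRYPT_3DES, MCRYPT_MODE_CBC);
    $raw = base64_decode($encoded, true);
    if ($raw === false || strlen($raw) <= $ivSize) {
        return false;   // malformed stored value
    }
    $iv = substr($raw, 0, $ivSize);
    $ciphertext = substr($raw, $ivSize);
    $plaintext = mcrypt_decrypt(MCRYPT_3DES, $key, $ciphertext, MCRYPT_MODE_CBC, $iv);
    // Strip the NUL padding added on encryption (safe here: card numbers are digits only).
    return rtrim($plaintext, "\0");
}

$card   = '4111111111111111';   // constructed test value
$stored = encrypt_card($card, $key);
if (decrypt_card($stored, $key) !== $card) {
    throw new RuntimeException('round trip failed');
}
// A fresh IV per call means the same card and key never produce the same stored value.
if (encrypt_card($card, $key) === $stored) {
    throw new RuntimeException('IV was reused');
}
echo "round trip ok\n";
```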