
Hide encryption keys and IVs in plain sight!

Posted by Pixafy Team


One of the challenges as developers we have with PHP is storing keys and initialization vectors for encrypted data in plain view in our code. As a developer it bugs me since we don’t have the luxury of compiling our code like other languages to try to protect this sensitive information.

With that in mind I came up with a solution that may seem a little crazy at first, but works extremely well when it comes to protecting your data and the keys used to encrypt them.

Method 1

Look at this encrypted string:

nGL0lSag69AasuBrMmjhUJjqa5H5rl3YqUP+vHIojxsUOWX3D+ao5g==

It looks like a regular old base64 encoded string, but you are actually looking at the key, IV and encrypted data.

    the key : nGL0lSag69AasuBrMmjhUJjq
    the iv : a5H5rl3Y
    the data : qUP+vHIojxsUOWX3D+ao5g==

Using built-in functions you can extract the key, IV and data with minimal effort.

Method 2

Another, more complicated example uses the same principle as Method 1. However, Method 2 uses a more sophisticated interlacing technique, where we take the key and mix it into our encrypted string. To decrypt, you simply reverse the interlacing.

Consider the following encrypted string:

xutremZywiD/GX4X9vampwLh9FKPNqq21USIjvX9NNKNG8N6krZeT6KRbs0OnM2Ub89oAy+ac4wB2RJbkapvNeLqzoni1x0ONOrcsMgj8YM=

Again it looks like just a simple base64 encoded string. With this example we have interlaced the two strings together to form our new string. In this case, every other letter of this string is the key.

    the key : urmyi/XXvmwhFPq2UIv9NN86
    the iv : re6RsOMU
    the data : xteZwDG49apL9KNq1SjXNKGNkZTKb0n2b89oAy+ac4wB2RJbkapvNeLqzoni1x0ONOrcsMgj8YM=

This method only works if your encrypted string has a string length larger than your key.
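Both layouts, worked through on the two sample strings above, as an added example that is not the original post's code. The function names are hypothetical, and the 24-character key and 8-character IV lengths are read off the samples; in the Method 2 sample the IV characters continue at the odd offsets directly after the key. Nothing beyond the layout is needed to recover the key and IV from a stored string.

```php
<?php
// Added example (not the post's code). Lengths are read off the post's samples.
const KEY_LEN = 24; // characters of key
const IV_LEN  = 8;  // characters of IV

// Method 1: key, IV and data are concatenated in that order.
function splitConcatenated(string $blob): array {
    if (strlen($blob) <= KEY_LEN + IV_LEN) {
        throw new InvalidArgumentException('string too short to hold key, IV and data');
    }
    return [
        'key'  => substr($blob, 0, KEY_LEN),
        'iv'   => substr($blob, KEY_LEN, IV_LEN),
        'data' => substr($blob, KEY_LEN + IV_LEN),
    ];
}

// Method 2, as the sample shows it: data characters at even offsets, key then IV
// characters at odd offsets; once key and IV are used up the rest is data.
function interlace(string $key, string $iv, string $data): string {
    $secret = $key . $iv;
    if (strlen($data) < strlen($secret)) {
        throw new InvalidArgumentException('data is shorter than key + IV');
    }
    $out = '';
    for ($i = 0, $n = strlen($secret); $i < $n; $i++) {
        $out .= $data[$i] . $secret[$i];
    }
    return $out . substr($data, $n);
}

function deinterlace(string $blob): array {
    $n = KEY_LEN + IV_LEN;
    if (strlen($blob) < 2 * $n) {
        throw new InvalidArgumentException('string too short to hold key and IV');
    }
    $secret = $data = '';
    for ($i = 0; $i < $n; $i++) {
        $data   .= $blob[2 * $i];      // even offset: ciphertext character
        $secret .= $blob[2 * $i + 1];  // odd offset: key, then IV character
    }
    return ['key' => substr($secret, 0, KEY_LEN), 'iv' => substr($secret, KEY_LEN),
            'data' => $data . substr($blob, 2 * $n)];
}

// The two sample strings from the post.
print_r(splitConcatenated('nGL0lSag69AasuBrMmjhUJjqa5H5rl3YqUP+vHIojxsUOWX3D+ao5g=='));
$m2 = 'xutremZywiD/GX4X9vampwLh9FKPNqq21USIjvX9NNKNG8N6krZeT6KRbs0OnM2Ub89oAy+ac4wB2RJbkapvNeLqzoni1x0ONOrcsMgj8YM=';
$parts = deinterlace($m2);
print_r($parts);
var_dump(interlace($parts['key'], $parts['iv'], $parts['data']) === $m2); // round trip
```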

By using these methods, you can generate your keys per record with the comfort that if one of your keys is compromised, the rest of your data is safe. The ways you interlace your keys and data are limited only by your imagination and creativity. Remember, the more complicated the interlacing, the more chance of errors when decrypting your data, so be careful.

Happy encrypting and decrypting!
