Generic Cipher and Encryption

Wed, 02/20/2008 - 09:31 — eaberry

Lately I needed to encrypt some data: in this case username, password, and credit card data. It them hit me that there exists. I knew that I'd be reusing the encryption settings, so why not make some external API to do all that work for me so that all I have to do is say: "Hey, encrypt this!", or "Hey, decrypt this!".

Enter the "Cipher" module. It is a basic module that basically gives a developer an API to work with via a class to do basic encryption/description. Here's a little snippet of how it works:

Say that I want to have a password field stored encrypted in a database. The insertion happened on the myform_submit hook. So, in the form, I would do something to the following effect:

function myform_submit($form_id, $form_values) { $cipher = new PontoCipher(variable_get('mymodule_cipher_key', '')); $form_values['password'] = $cipher->encrypt($form_values['password']); db_query("INSERT INTO {table} VALUES('%s', '%s')", $form_values['username'], $form_values['password']); return; }

Now, what just happened? Well, on the first line, we created the $cipher object. You will notice that we gave the constructor a "cipher_key". This is the 'key' that is used for encryption. By default, the cipher module uses your drupal installs site key if one is not given. However, your module could use a totally different key.
Next, we asked the cipher to encrypt the values. We then inserted the ENCRYPTED information into the database.

To decrypt, we would create the cipher object as object, and give the function decrypt the encrypted information. The function will return the decrypted string value of the information given.

This is the start of a module that could have a lot of potential. Hopefully someone finds it of use.

eaberry's blog

Comments

Mon, 09/08/2008 - 12:02 — Anonymous

sohbet

Sohbet

Sat, 09/06/2008 - 20:47 — Anonymous

thanks

Thank you very much

-----------
sohbet

Thu, 09/04/2008 - 21:54 — Anonymous

thanks

Chat muhabbet

Wed, 09/03/2008 - 16:00 — Anonymous

Thanks

şarkı dinle çok güzel hareketler bunlar klip izle

Mon, 09/01/2008 - 21:13 — Anonymous

burayıda copluk yaptız a.q

bizde thanks dielim a.q coluk yaptıgınız bloga ibisler
________
sohbet
sohbet odaları

Sun, 08/31/2008 - 04:28 — Anonymous

Chat

Chat Canlı Chat

Mon, 08/25/2008 - 23:51 — Anonymous

thnaks you

it' really nice

________
Saç Ekimi
muhabbet
muhabbet
sohbet
mirc

Mon, 08/25/2008 - 00:37 — Anonymous

thank you sohbet mirc

thank you

sohbet
mirc
evden eve nakliyat

Fri, 08/22/2008 - 11:40 — Anonymous

thank you tebrikler

thank you tebrikler devamını diliyorum..

sohbet

Fri, 08/22/2008 - 07:47 — Anonymous

good

thanks you

Mirc
Muhabbet
sohbet
saç ekimi
saç ekimi
Muhabbet
webmaster
toplist
toplist

Fri, 08/22/2008 - 07:44 — Anonymous

nice

thanks you

Mirc
Muhabbet
sohbet
saç ekimi
saç ekimi
Muhabbet
webmaster
toplist
toplist

Fri, 08/22/2008 - 07:39 — Anonymous

I was going to be angry

I was going to be angry about the hair/fingernail thing
LOL! Funniest DoD ever... I just hate mimes

Mirc
Muhabbet
sohbet
saç ekimi
saç ekimi
Muhabbet
webmaster
toplist
toplist

Fri, 08/22/2008 - 07:36 — Anonymous

very well

very well thanks sohbet saç ekimi

Fri, 08/22/2008 - 07:36 — Anonymous

sohbet

thanks ;)

sohpet sohbet chat canlı sohbet çet

Thu, 08/21/2008 - 17:32 — Anonymous

muhabbet

sohbet odaları chat muhabbet sohpet ruya tabiri rüya tabirleri gazete gazeteler

I was going to be angry about the hair/fingernail thing
LOL! Funniest DoD ever... I just hate mimes

Wed, 08/20/2008 - 15:46 — Anonymous

sohbet

http://www.dosttr.net

Mon, 08/18/2008 - 17:17 — Anonymous

whares To This is.

Thank you very much for this information. I like this site

Thanks matthew. Apparently
Regards,

Sohbet ~ Muhabbet

Thu, 08/07/2008 - 04:39 — Anonymous

XY5zzi8l

detox foot pads
fruit detox
detox kits
detox your body

Tue, 08/05/2008 - 19:21 — Anonymous

Thank you very much for this

Thank you very much for this useful article.

Sohbet

Sun, 08/03/2008 - 16:04 — Anonymous

thanks

Thu, 07/24/2008 - 09:39 — Anonymous

well

it' really nice

http://www.google.com/notebook/public/08249454177045954012/BDSMKQgoQmu_i...

Fri, 05/09/2008 - 15:09 — Anonymous

Security

If the input data are filtered within special chars there is no problem with encryption. If someone get access to the DB you can do nothing but write your own DB. Buy metformin

Thu, 02/21/2008 - 05:26 — Anonymous

Depends

If all you're storing is the public key, not a problem. It's public.

In the case of the example above with username/password, you're typically creating a one-way hash that's never decoded.

Fri, 02/22/2008 - 05:03 — eaberry

No, If you notice i'm using

No, If you notice i'm using the mcrypt lib, which entryps using the key given, and then the key must be used to decrypt in information. This is NOT a simple MD5 hash.

Thu, 02/21/2008 - 04:25 — Anonymous

storage

Isn't the encryption circumvented easily since the key is stored on the same machine as the encrypted information?

Thu, 02/21/2008 - 04:22 — Anonymous

Security hole

Presumably the point of this module is to protect data in case someone gets hold of the database. If so, then it doesn't help to store the key in the database because while the data would be encrypted, the intruder would have everything they need to decrypt said data (presuming they know what encryption algorithm was used).

Fri, 02/22/2008 - 05:05 — eaberry

The module allows on to

The module allows on to specify the FULL PATH to the key, meaning the key can be stored in a file on the server instead of on the server.
I used the drupal-api key as a "starting" point for "simply turning the api on", but def. not best practice.
In production we read the key from a file that's stored out-of-path of the main webserver, and can only be accessed by the web user and only the web user.

Rants of a Jester...

User login