Changing encryption algorithm

The first parameter to mcrypt_module_open() is the encryption algorithm you want to use. In the examples above, we used Rijndael, which is believed to be one of the most secure encryption algorithms. When the National Institute of Standards and Technology (NIST) in the US wanted to develop a new governmental standard for encryption, to be called the Advanced Encryption Standard (AES), they chose Rijndael for its encryption quality, speed of encryption, and ease of implementation.

However, there were two other excellent algorithms submitted as AES proposals, which are Serpent and Twofish. Serpent is arguably the most secure of the three, but its very conservative design leaves it running about three times slower than Rijndael. Twofish is a particularly interesting cipher because it was designed to make the encrypted data is random as possible, so it includes built-in plaintext whitening and other mechanisms that cause it run slower than AES but end with potentially more secure ciphertext.

PHP makes a selection of encryption algorithms available to you to use as the first parameter to mcrypt_module_open() - here are the key choices:

  • MCRYPT_3DES

  • MCRYPT_BLOWFISH

  • MCRYPT_DES

  • MCRYPT_RC6_128

  • MCRYPT_RC6_192

  • MCRYPT_RC6_256

  • MCRYPT_RIJNDAEL_128

  • MCRYPT_RIJNDAEL_192

  • MCRYPT_RIJNDAEL_256

  • MCRYPT_SERPENT_128

  • MCRYPT_SERPENT_192

  • MCRYPT_SERPENT_256

  • MCRYPT_TWOFISH_128

  • MCRYPT_TWOFISH_192

  • MCRYPT_TWOFISH_256

Of those, you should generally only use 3DES, Rijndael, Serpent, and Twofish. Rijndael, now known as AES, is the best choice more often than not for several reasons. AES is very fast for encrypting and decrypting, most (if not all) libraries will support it because it is the standard, and also the fact that most other people will be using it, including the US government. This last point is quite important, as if AES is cracked in the future (unlikely, but you never know!), your head will not be on the block, because it is the recommended standard encryption method. If you choose another method and that gets cracked, people might look to you asking why you did not choose the standard - not a good situation to be in.

Serpent is the best choice if you do not care about speed and just want the best possible encryption, however this is only for the most paranoid of people who have CPU cycles to burn. Twofish is a great algorithm that provides a blend of security and speed, and makes a good choice if you are not sure whether you want to favour speed or security. Finally, 3DES, despite being much, much less secure than AES, Twofish, or Serpent due to its age, is sometimes still the best algorithm to use because of its backwards compatibility.

Generally speaking, AES/Rijndael is your best choice, however it is worth experimenting with the others to find the one that gives you the most speed or security, depending on your criteria.

Author's Note: many of the encryption types end with 128, 192, and 256 - this is the block size in bits that you have available. The AES standard is strictly 128-bit, but Rijndael was developed to work with 128, 192, and 256 bits. You need not worry about block size - there is no compelling reason to choose between the three other than the fact that the standard is 128-bit.

 

Next chapter: Changing block cipher mode >>

Previous chapter: Symmetric decryption

Jump to:

 

Home: Table of Contents

Follow us on Identi.ca or Twitter

Username:   Password:
Create Account | About TuxRadar