A Reversible Encryption Routine for PHP

Intended Audience

This tutorial is intended for those PHP developers who want a password encryption routine that is reversible - i.e. the encrypted password can be decrypted back into plain text. The reason for wanting such a routine could be that your web hosting service does not include an acceptable encryption module in his PHP build, or perhaps you want a routine that allows a certain amount of customisation that makes it totally different from the encryption routines used by others.

Prerequisites

A working PHP development environment. Expert knowledge of PHP is not required, although an understanding of classes and OOP (Object Oriented Programming) would be useful.

Encryption Methods

Many different methods of encryption have been used over the years, some are simple and can be broken easily while others are more complex and therefore more difficult to break.

Rotating each character a fixed number of positions

In this method each character is converted into a number, another number is added to it, then it is converted back into a different character from the same character set. This is how the ROT13 system works as it rotates each character 13 positions. This system is easy to break.

Swapping between two different character strings

A better method is to use two different character sets - one for obtaining the index number of the source character (STRING1), and a second for converting this index number into a different target character (STRING2). The advantage is that there is no fixed rotation between one character and the next, which would make it difficult for any potential hacker. The disadvantage is that each source character will always be converted to the same target character, so once a source and target pair have been found they will always remain the same. This is not good.

Manipulating the index number between the two strings

This involves an additional step in between converting a character into an index number using STRING1 and converting that index number into a character from STRING2. This additional step adjusts the index number at runtime according to some fixed rules. The rules must be fixed so that the same source string will always result in the same target string, otherwise it will not be possible to verify a password with one that is held on file. This method means that if the same character appears in the input string more than once that it will not generate the same corresponding character in the output string, thus making the hacker's job that much more difficult.

A common method is to use a separate character string as a 'key'. This key is reduced to an array of numbers, and it is this array of numbers that is used to adjust the index number between STRING1 and STRING2. The method I use is to take the first number from the array, add it to the index number, then move this number from the beginning to the end of the array in a rotation movement.

The beauty of this method is that even if you know the exact encryption algorithm being used it is totally useless without the key.