Crypto
in package
Class Crypto
Provides encryption and decryption utilities using AES-256-GCM with automatic key management, random IVs, and authenticated encryption for security.
Table of Contents
Constants
- CIPHER_METHOD = 'AES-256-GCM'
  Cipher method to use for encryption.
- IV_LENGTH = 12
  IV length for AES-256-GCM (12 bytes for optimal performance).
- TAG_LENGTH = 16
  Authentication tag length for GCM (16 bytes).
Properties
- $key : string|null
  Optional override for encryption key.
Methods
- decrypt() : mixed
  Decrypts a hex-encoded string and returns the original PHP value.
- encrypt() : string
  Encrypts any PHP value and returns a printable (hex-encoded) string.
- generateKey() : string
  Generates a cryptographically secure random key suitable for AES-256.
- key() : string|null
  Sets or gets the encryption key.
- secureCompare() : bool
  Securely compares two strings to prevent timing attacks.
- deriveKey() : string
  Derives a proper AES-256 encryption key from any input string.
Constants
CIPHER_METHOD
Cipher method to use for encryption.
private mixed CIPHER_METHOD = 'AES-256-GCM'
IV_LENGTH
IV length for AES-256-GCM (12 bytes for optimal performance).
private mixed IV_LENGTH = 12
TAG_LENGTH
Authentication tag length for GCM (16 bytes).
private mixed TAG_LENGTH = 16
Properties
$key
Optional override for encryption key.
protected static string|null $key = null
Methods
decrypt()
Decrypts a hex-encoded string and returns the original PHP value.
public static decrypt(string $encryptedString[, string|null $key = null ]) : mixed
Parameters
- $encryptedString : string
  The hex-encoded encrypted JSON string.
- $key : string|null = null
  Optional override key.
Return values
mixed — The original value or null on failure.
encrypt()
Encrypts any PHP value and returns a printable (hex-encoded) string.
public static encrypt(mixed $mixedToEncrypt[, string|null $key = null ]) : string
Parameters
- $mixedToEncrypt : mixed
  The value to encrypt.
- $key : string|null = null
  Optional override key.
Return values
string — Hex-encoded encrypted JSON string.
generateKey()
Generates a cryptographically secure random key suitable for AES-256.
public static generateKey() : string
Return values
string — Base64-encoded 256-bit key.
key()
Sets or gets the encryption key.
public static key([string|null $key = null ]) : string|null
Parameters
- $key : string|null = null
  If provided, sets the key and returns the old key.
Return values
string|null — Returns the current/old key.
secureCompare()
Securely compares two strings to prevent timing attacks.
public static secureCompare(string $first, string $second) : bool
Regular string comparison (===, strcmp) stops checking as soon as it finds the first difference, making comparison time dependent on WHERE the strings differ. Attackers can measure these tiny timing differences to gradually guess secrets character by character.
This method always takes the same amount of time regardless of where or if the strings differ, preventing timing-based side-channel attacks.
CRITICAL: Use this for any comparison involving secrets, tokens, passwords, API keys, or other sensitive data where the comparison result must remain secure from timing analysis.
Parameters
- $first : string
  The first string to compare.
- $second : string
  The second string to compare.
Return values
bool — True if strings are identical, false otherwise.
deriveKey()
Derives a proper AES-256 encryption key from any input string.
protected static deriveKey(string $masterKey) : string
Takes a string of any length and converts it to exactly 32 bytes (256 bits) required by AES-256-GCM. This allows developers to provide passwords, passphrases, or keys of any length without worrying about exact byte requirements.
Parameters
- $masterKey : string
  Input string of any length (password, passphrase, etc.).
Return values
string — Exactly 32 bytes suitable for AES-256 encryption.
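The scheme documented above (random 12-byte IV, 16-byte GCM tag, JSON payload, hex output, null on failure, constant-time comparison), as an added standalone sketch that is not the library's own code. The function names, the IV || tag || ciphertext layout and the SHA-256 key derivation are assumptions, since the page documents none of them; it needs PHP 8 with the OpenSSL extension.

```php
<?php
// Added sketch, not the library's source. Assumptions: the byte layout is
// IV || tag || ciphertext and the key is a raw SHA-256 digest of the input.
const CIPHER = 'aes-256-gcm';
const IV_LEN = 12;
const TAG_LEN = 16;

function sketchDeriveKey(string $master): string
{
    // Assumed derivation: a raw SHA-256 digest is exactly 32 bytes. For
    // low-entropy passwords a slow KDF (hash_pbkdf2, sodium_crypto_pwhash) is safer.
    return hash('sha256', $master, true);
}

function sketchEncrypt(mixed $value, string $master): string
{
    $iv = random_bytes(IV_LEN); // fresh random IV for every message
    $json = json_encode($value, JSON_THROW_ON_ERROR);
    $tag = '';
    $ct = openssl_encrypt($json, CIPHER, sketchDeriveKey($master), OPENSSL_RAW_DATA, $iv, $tag, '', TAG_LEN);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    return bin2hex($iv . $tag . $ct);
}

function sketchDecrypt(string $hex, string $master): mixed
{
    $raw = (ctype_xdigit($hex) && strlen($hex) % 2 === 0) ? hex2bin($hex) : false;
    if ($raw === false || strlen($raw) < IV_LEN + TAG_LEN) {
        return null; // malformed or truncated input
    }
    $iv = substr($raw, 0, IV_LEN);
    $tag = substr($raw, IV_LEN, TAG_LEN);
    $ct = substr($raw, IV_LEN + TAG_LEN);
    $json = openssl_decrypt($ct, CIPHER, sketchDeriveKey($master), OPENSSL_RAW_DATA, $iv, $tag);
    // openssl_decrypt returns false when the tag does not verify (wrong key or modified data).
    return $json === false ? null : json_decode($json, true);
}

// Constructed sample values: round trip, then a one-digit modification of the token.
$token = sketchEncrypt(['user' => 42, 'role' => 'admin'], 'constructed passphrase');
var_dump(sketchDecrypt($token, 'constructed passphrase'));
$tampered = $token;
$tampered[-1] = $tampered[-1] === '0' ? '1' : '0'; // flip the last hex digit
var_dump(sketchDecrypt($tampered, 'constructed passphrase'));
var_dump(hash_equals($token, $tampered)); // PHP's built-in constant-time comparison
```

As with the documented decrypt(), a null result here cannot be told apart from a successfully decrypted null value, so callers that store null need a separate success signal.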