When I talk to developers about the forms of encryption they can use in their applications, I’m often met with confusion. Encryption itself is seen as an advanced topic, so it’s relegated to a dark art practiced by expert consultants rather than everyday engineers.
But every engineer needs to understand encryption. They don’t need to be an algorithm expert or a mathematician, but knowing what different forms of encryption exist – and how to use them – is vital for any engineer.
Symmetric crypto
The most common form of encryption is symmetric. You use the same key to both encrypt and decrypt messages. AES is one of the most widely used symmetric algorithms in the world today. It’s fast, secure, and implemented in a wide variety of languages and frameworks.
In the PHP world, you can use either AES or the newer, open source XSalsa20 cipher introduced by Libsodium.
If you’re using PHP, the Basic Secret-Key Cryptography documentation and examples by Paragon IE help illustrate how straightforward the language makes encryption.
Asymmetric crypto
Asymmetric encryption is usually called “public key cryptography” because it splits operations into public and private elements. You start by creating a cryptographic keypair – one key is kept secret, the other is shared publicly with the world. Anyone who wants to encrypt a message for you can leverage your known, public key. Only you, armed with your private key, can decrypt the message.
A similar exchange works with signatures . You can sign a message using your private key and any third party can verify that signature with your public key.
If you’re using PHP, take a look at the public key cryptography support built into the language.
Envelope encryption
Envelope encryption is actually a combination of both symmetric and asymmetric algorithms. In most cases, what we want to be using is asymmetric so we can ensure no secret key material ever needs to be exchanged. Unfortunately, encrypting asymmetrically is expensive and limited. Modern asymmetric algorithms can only encrypt small elements of data.
If you need to encrypt a large document, video, or anything longer than a few words – you want to use symmetric crypto.
Rather than pick one or the other, using envelope encryption lets you choose both!
Encrypt your payload with a strong, symmetric cipher. Then, wrap that encryption key in an envelope; Use a asymmetric cipher to redundantly encrypt the symmetric key. You get the benefit of asymmetry with your communication, but the speed and power of symmetric cryptography to protect your data.
In fact, the public key cryptography supported by PHP’s Libsodium interface handles the envelope for you automatically. These interfaces are remarkably straightforward and make using encryption correctly quite simple.