aarondfrancis/urlcrypt

PHP library to securely encode and decode short pieces of arbitrary binary data in URLs.

v0.2.0 2015-03-06 21:18 UTC

README

Ever wanted to securely transmit (not too long) pieces of arbitrary binary data in a URL? URLcrypt makes it easy.

To read more about how it works, check out the blog post on the topic.

This class is based on the URLCrypt gem from Thomas Fuchs.

URLcrypt uses 256-bit AES symmetric encryption to securely encrypt data, and encodes and decodes Base 32 strings that can be used directly in URLs.

This can be used to securely store user ids, download expiration dates and other arbitrary data like that when you access a web application from a place that doesn't have other authentication or persistence mechanisms (like cookies):

  • Loading a generated image from your web app in an email
  • Links that come with an expiration date (à la S3)
  • Mini-apps that don't persist data on the server

Important: As a general guideline, URL lengths shouldn't exceed about 2000 characters in length, as URLs longer than that will not work in some browsers and with some (proxy) servers. This limits the amount of data you should store with URLcrypt.

WORD OF WARNING: THERE IS NO GUARANTEE WHATSOEVER THAT THIS CLASS IS ACTUALLY SECURE AND WORKS. USE AT YOUR OWN RISK.

Patches are welcome; please include tests!

Requirements

URLcrypt requires PHP >= 5.3.3 as well as the mcrypt PHP extension.

Installation

You can install URLcrypt via Composer with composer require aarondfrancis/urlcrypt or by adding the following to your composer.json file:

{
	"require": {
		"aarondfrancis/urlcrypt": "0.2.*"
	}
}

Usage

use Urlcrypt\Urlcrypt;

// encoding without encryption. (don't use for anything sensitive)
$encoded = Urlcrypt::encode("aaron");		// --> "mfqx2664"
$decoded = Urlcrypt::decode("mfqx2664");	// --> "aaron"

// encrypting and encoding
Urlcrypt::$key = "bcb04b7e103a0cd8b54763051cef08bc55abe029fdebae5e1d417e2ffb2a00a3";
$encrypted = Urlcrypt::encrypt("aaron");
		// --> "q0dmt61xkjyylA5mp3gm23khd1kg6w7pzxvd3nzcgb047zx8y581"
$decrypted = Urlcrypt::decrypt("q0dmt61xkjyylA5mp3gm23khd1kg6w7pzxvd3nzcgb047zx8y581")
		// --> "aaron"

Note that your key has to be a lower-case hex string.

Why not Base 64?

URLcrypt uses a modified Base 32 algorithm that doesn't use padding characters, and doesn't use vowels to avoid bad words in the generated string.

Base64 results in ugly URLs, since many characters need to be URL escaped.

Development

Clone the repository and do a composer install in the root directory of the library to install the development dependencies. Run the tests with phpunit from the root directory.

License

This library is licensed under the MIT License - see the COPYING file for details.