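$hashedPwd, 'salt' => $salt ];
}

/**
 * Derive a raw AES-256 key from a username/password pair.
 *
 * The password material comes from getPasswordHash_Bin() (defined above in
 * this file): its 'hash' entry is used as the PBKDF2 password and its 'salt'
 * entry as the PBKDF2 salt. Iteration count and key length are parameters so
 * callers can tune the work factor; the defaults are the previous hard-coded
 * values (100000 iterations, 32 bytes).
 *
 * @param string $username
 * @param string $password
 * @param int    $iterations PBKDF2-HMAC-SHA256 iteration count (work factor); must be >= 1.
 * @param int    $keyLength  Output length in bytes; 32 bytes for AES-256.
 * @return string Raw binary key of $keyLength bytes.
 * @throws InvalidArgumentException if $iterations or $keyLength is not positive.
 */
function deriveEncryptionKey(string $username, string $password, int $iterations = 100000, int $keyLength = 32): string
{
    if ($iterations < 1 || $keyLength < 1) {
        throw new InvalidArgumentException('PBKDF2 iteration count and key length must be positive');
    }

    // Binary hash/salt pair for this user (see getPasswordHash_Bin() above).
    $pwdHash = getPasswordHash_Bin($username, $password);

    // The trailing 'true' requests raw binary output instead of hex so the
    // result can be handed straight to openssl as the cipher key.
    return hash_pbkdf2('sha256', $pwdHash['hash'], $pwdHash['salt'], $iterations, $keyLength, true);
}

/**
 * Encrypt $data with AES-256-GCM under $key.
 *
 * Output layout (before base64): 12-byte nonce || 16-byte tag || ciphertext.
 * decryptData() depends on exactly this layout.
 *
 * @param string $data Plaintext; binary-safe.
 * @param string $key  Raw 32-byte key, e.g. from deriveEncryptionKey().
 * @return string Base64 encoding of nonce || tag || ciphertext.
 * @throws InvalidArgumentException if $key is not exactly 32 bytes.
 * @throws RuntimeException if OpenSSL reports an encryption failure.
 */
function encryptData(string $data, string $key): string
{
    $cipher = 'aes-256-gcm';
    $keyLen = 32;   // AES-256 key size in bytes
    $nonceLen = 12; // 96-bit nonce, the standard GCM nonce size
    $tagLen = 16;   // 128-bit authentication tag, matched by decryptData()

    // openssl silently zero-pads or truncates a wrong-sized key; reject it instead.
    if (strlen($key) !== $keyLen) {
        throw new InvalidArgumentException("encryptData() expects a {$keyLen}-byte key");
    }

    // Fresh random nonce for every message: reusing a nonce under the same key
    // breaks both the confidentiality and the integrity guarantees of GCM.
    $nonce = random_bytes($nonceLen);

    $ciphertext = openssl_encrypt($data, $cipher, $key, OPENSSL_RAW_DATA, $nonce, $tag, '', $tagLen);
    if ($ciphertext === false) {
        throw new RuntimeException('Encryption failed: ' . (string) openssl_error_string());
    }

    // Nonce and tag travel with the ciphertext so the receiver can verify and decrypt.
    return base64_encode($nonce . $tag . $ciphertext);
}

/**
 * Decrypt a value produced by encryptData() with AES-256-GCM.
 *
 * Expects base64 of: 12-byte nonce || 16-byte tag || ciphertext. Any input
 * that is not valid base64, is shorter than nonce + tag, or fails tag
 * verification (wrong key, modified data) results in an exception rather
 * than a silent `false`, so callers cannot mistake a failure for a result.
 *
 * @param string $encryptedData Base64 string as returned by encryptData().
 * @param string $key           Raw 32-byte key used for encryption.
 * @return string Recovered plaintext.
 * @throws InvalidArgumentException if $key is not exactly 32 bytes.
 * @throws RuntimeException if the input is malformed or authentication fails.
 */
function decryptData(string $encryptedData, string $key): string
{
    $cipher = 'aes-256-gcm';
    $keyLen = 32;
    $nonceLen = 12;
    $tagLen = 16;

    if (strlen($key) !== $keyLen) {
        throw new InvalidArgumentException("decryptData() expects a {$keyLen}-byte key");
    }

    // Strict decoding rejects characters outside the base64 alphabet; output
    // of base64_encode() always passes.
    $raw = base64_decode($encryptedData, true);
    if ($raw === false || strlen($raw) < $nonceLen + $tagLen) {
        throw new RuntimeException('Encrypted data is malformed or truncated');
    }

    $nonce = substr($raw, 0, $nonceLen);
    $tag = substr($raw, $nonceLen, $tagLen);
    $ciphertext = substr($raw, $nonceLen + $tagLen);

    $plaintext = openssl_decrypt($ciphertext, $cipher, $key, OPENSSL_RAW_DATA, $nonce, $tag);
    // false means the tag did not verify (wrong key or altered data): fail closed.
    if ($plaintext === false) {
        throw new RuntimeException('Decryption failed: authentication tag mismatch or corrupt data');
    }

    return $plaintext;
}

// Example usage
$username = 'user123';
$password = 'securepassword';
$dataToEncrypt = 'Sensitive Data';

// Derive the symmetric key from the credentials (getPasswordHash_Bin() + PBKDF2).
$encryptionKey = deriveEncryptionKey($username, $password);

$encrypted = encryptData($dataToEncrypt, $encryptionKey);
$decrypted = decryptData($encrypted, $encryptionKey);

// Display results
echo "Original Data: $dataToEncrypt\n";
echo "Encrypted Data (in base64): " . $encrypted . "\n";
echo "Decrypted Data: $decrypted\n";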