defuse / php-encryption

Simple Encryption in PHP.
MIT License

Changes for cipher method: from aes-256-ctr to aes gcm #502

Closed iulianlaz closed 1 year ago

iulianlaz commented 1 year ago

Hello, is there any chance that in the future the cipher method will change from AES-CTR to AES-GCM? Thank you.

defuse commented 1 year ago

The cipher method will stay as CTR mode for the foreseeable future. Ciphertexts are authenticated using HMAC, so using this library you get all the same authentication guarantees as you do with GCM.

Additionally, because of the ciphertext format, this library is only intended to be compatible with itself, so it wouldn't be compatible with other GCM implementations.

Is there a different reason you'd like GCM?

iulianlaz commented 1 year ago

Hello and thanks for the response. I would like GCM as a security practice only; as far as I know it is newer and safer (https://csrc.nist.gov/publications/detail/sp/800-38d/final#pubs-documentation). Thanks again!

defuse commented 1 year ago

Yeah, GCM is generally safer (and faster) because it combines encryption + authentication. CTR mode + HMAC authentication (what this library does) is just as secure, but the implementation is more complex and error-prone. php-encryption will stay on CTR+HMAC for the time being since there's no tangible difference in security for a correct implementation.

An even better option than GCM for other people implementing libraries is ChaCha20-Poly1305 (much faster), which is where we'd go if we ever updated the algorithm.

Thanks!
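The two replies above say that CTR + HMAC (encrypt-then-MAC) gives the same authentication guarantee as GCM, but that getting it right involves more steps. The example below is added here to make those steps concrete; it is not php-encryption's own code and does not use its ciphertext format. It derives separate encryption and MAC keys with HKDF, makes the HMAC cover everything the decryptor parses (salt, IV and ciphertext), verifies the tag with a constant-time comparison before decrypting anything, and then protects the same message with AES-256-GCM for comparison. The key-derivation labels, layout constants and the demo message are assumptions made for this example.

```php
<?php
declare(strict_types=1);

// Added example, not php-encryption's code or wire format: encrypt-then-MAC with
// AES-256-CTR + HMAC-SHA256 next to the same message under AES-256-GCM.
// HKDF info strings, blob layout and the demo message are assumptions for this example.

const CTR_CIPHER = 'aes-256-ctr';
const GCM_CIPHER = 'aes-256-gcm';
const SALT_LEN = 32;   // per-message HKDF salt
const IV_LEN = 16;     // CTR: 128-bit initial counter block
const NONCE_LEN = 12;  // GCM: 96-bit nonce, the size SP 800-38D recommends
const MAC_LEN = 32;    // HMAC-SHA256 output
const TAG_LEN = 16;    // GCM authentication tag

/** Derive independent encryption and authentication keys so the MAC key is never the cipher key. */
function deriveKeys(string $masterKey, string $salt): array
{
    return [
        'enc' => hash_hkdf('sha256', $masterKey, 32, 'ctr-hmac encryption key', $salt),
        'auth' => hash_hkdf('sha256', $masterKey, 32, 'ctr-hmac authentication key', $salt),
    ];
}

/** Encrypt-then-MAC. Output: salt || iv || ciphertext || HMAC(salt || iv || ciphertext). */
function encryptCtrHmac(string $masterKey, string $plaintext): string
{
    $salt = random_bytes(SALT_LEN);
    $iv = random_bytes(IV_LEN);
    $keys = deriveKeys($masterKey, $salt);
    $ciphertext = openssl_encrypt($plaintext, CTR_CIPHER, $keys['enc'], OPENSSL_RAW_DATA, $iv);
    if ($ciphertext === false) {
        throw new RuntimeException('encryption failed');
    }
    $body = $salt . $iv . $ciphertext;
    // The MAC covers every byte the decryptor will parse, including salt and IV.
    return $body . hash_hmac('sha256', $body, $keys['auth'], true);
}

/** Verify the MAC in constant time before decrypting; return null on any mismatch. */
function decryptCtrHmac(string $masterKey, string $blob): ?string
{
    if (strlen($blob) < SALT_LEN + IV_LEN + MAC_LEN) {
        return null;
    }
    $body = substr($blob, 0, -MAC_LEN);
    $mac = substr($blob, -MAC_LEN);
    $salt = substr($body, 0, SALT_LEN);
    $iv = substr($body, SALT_LEN, IV_LEN);
    $ciphertext = substr($body, SALT_LEN + IV_LEN);
    $keys = deriveKeys($masterKey, $salt);
    // hash_equals() avoids the timing leak of a plain == comparison on the tag.
    if (!hash_equals(hash_hmac('sha256', $body, $keys['auth'], true), $mac)) {
        return null;
    }
    $plaintext = openssl_decrypt($ciphertext, CTR_CIPHER, $keys['enc'], OPENSSL_RAW_DATA, $iv);
    return $plaintext === false ? null : $plaintext;
}

/** Same message under AES-256-GCM: the mode produces its own 16-byte tag. Output: nonce || tag || ciphertext. */
function encryptGcm(string $key, string $plaintext): string
{
    $nonce = random_bytes(NONCE_LEN);
    $tag = '';
    $ciphertext = openssl_encrypt($plaintext, GCM_CIPHER, $key, OPENSSL_RAW_DATA, $nonce, $tag);
    if ($ciphertext === false) {
        throw new RuntimeException('encryption failed');
    }
    return $nonce . $tag . $ciphertext;
}

function decryptGcm(string $key, string $blob): ?string
{
    if (strlen($blob) < NONCE_LEN + TAG_LEN) {
        return null;
    }
    $nonce = substr($blob, 0, NONCE_LEN);
    $tag = substr($blob, NONCE_LEN, TAG_LEN);
    $ciphertext = substr($blob, NONCE_LEN + TAG_LEN);
    // OpenSSL checks the tag internally and returns false on mismatch.
    $plaintext = openssl_decrypt($ciphertext, GCM_CIPHER, $key, OPENSSL_RAW_DATA, $nonce, $tag);
    return $plaintext === false ? null : $plaintext;
}

/** Flip one bit at $offset so both constructions can be shown rejecting a forgery. */
function flipBit(string $blob, int $offset): string
{
    $blob[$offset] = chr(ord($blob[$offset]) ^ 0x01);
    return $blob;
}

function check(bool $ok, string $what): void
{
    if (!$ok) {
        throw new RuntimeException("check failed: $what");
    }
}

// Demo with a constructed message: both constructions round-trip and both reject a flipped ciphertext bit.
$masterKey = random_bytes(32);
$message = 'constructed demo message';

$blob = encryptCtrHmac($masterKey, $message);
check(decryptCtrHmac($masterKey, $blob) === $message, 'CTR+HMAC round trip');
check(decryptCtrHmac($masterKey, flipBit($blob, SALT_LEN + IV_LEN)) === null, 'CTR+HMAC rejects tampering');

$gcmBlob = encryptGcm($masterKey, $message);
check(decryptGcm($masterKey, $gcmBlob) === $message, 'GCM round trip');
check(decryptGcm($masterKey, flipBit($gcmBlob, NONCE_LEN + TAG_LEN)) === null, 'GCM rejects tampering');
echo "both constructions authenticate the ciphertext\n";
```

The CTR + HMAC path is where the "error-prone" remark applies: every one of the choices above (separate keys, MAC over the IV as well as the ciphertext, constant-time tag check, refusing to decrypt before the check passes) is a place where a hand-rolled implementation can go wrong, whereas the GCM path gets the equivalent behaviour from a single OpenSSL call. Note also that with either mode the nonce or IV must never repeat under the same key; both functions draw a fresh one from random_bytes() per message.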