Which PHP mcrypt cipher is safest?

Question

So guys, there's plenty of different ciphers available - but which one is the safest to use nowadays?

List: http://www.php.net/manual/en/mcrypt.ciphers.php

Answer 1

If unsure use AES (also known as "Rijndael") with a 128-bit key. If you have developed some kind of fetish about key size then you could fulfill your irrational qualms by selecting a larger key, e.g. 192 or 256 bits; the extra cost is not high (+40% workload for AES-256, compared to AES-128, and it takes a very very fast network to actually observe that difference).

Beware that, regardless of the key size chosen, the correct mcrypt cipher for AES is always MCRYPT_RIJNDAEL_128. This is because the AES standard refers to the flavor of the Rijndael cipher with a 128-bit block size. If you want AES-256, you need to use MCRYPT_RIJNDAEL_128 with a 256-bit (32 byte) key, not MCRYPT_RIJNDAEL_256.

AES was published in 1998 and adopted by the US government as a federal standard in 2001, and it shows no sign of weakness nowadays. Some mathematical properties were found later on, but they do not impact actual security; mostly, they highlight that we have some relatively precise knowledge on why AES is secure. No other symmetric encryption algorithm has received as much attention (by thousands of talented cryptographers) than AES.

Most security issues come from how the cryptographic algorithm is used, not the algorithm itself. Use a proper chaining mode, add a MAC, manage padding, and most of all handle the keys securely. If you got all of this right (which is much more tricky than what it seems) then it becomes time to worry about choosing Rijndael, Twofish or whatever.

Answer 2

In addition to Thomas Pornin's great answer, you also must consider what you are trying to achieve in terms of "security" (confidentiality/integrity/authenticity/availability).

For every case, you'll need to address a few questions, like... Who does this apply to? Where and why is it being used (what are you protecting)? How long is it meant to last? etc.

For example, there's probably no point in really encrypting session data with a full blown succession of 256 bit operations when the data is really only meant to last for say 20-30 minutes. A secure 128bit algorithm would be near twice as fast or at least use loads less clock cycles and be just as (if not more) secure.

There's also no point in encrypting something that's meant to last a long time (like a confidential document or file, private key etc...) with a weak, short key method. You'd want at times multiple algorithms with some sort of authentication and proper use of padding. I have regularly encrypted and signed content upon request for clients using multiple algorithms (mostly twofish, AES, RSA).

And not to forget either (like Thomas pointed out), you can implement a secure method (or methods) insecurely. With the vast amounts of variants of each formula and the such, it can be tricky to actually implement something that is "secure".

Generally, something is as secure as the key is to unlock it. If I leave my car keys in the car with the car unlocked, the keys aren't secure and it's open for the taking by anyone walking past. Blowfish with a well dispersed 32 character key would be just as secure as anything else today. A 3 character key however could be broken in the blink of an eye.

Answer 3

"The strongest cipher is AES-256"

From details on Bruce Schneier's website, AES-256 might, ironically, be the least secure out of the three key sizes 128, 192, and 256. There are issues with the key generation in the 256-bit variant.

Answer 4

Some algorithms are better than others at different things - not sure what your criteria for "safest" is.

You certainly should not be using any of the DES based algorithms these days (assuming you have a free choice). AES (Rijndael) is the current standard for NIST and other bodies.

In general more bits for a specific algorithm means more secure, but do ensure that you use a initialization vector and do NOT use ECB.

HTH

C.

Answer 5

According to the NIST paper, RJINDAEL had a low security margin compared to MARS, twofish or serpent. If you really need the strongest cipher, choose one of those.

http://csrc.nist.gov/archive/aes/round2/r2report.pdf

To quote: "MARS appears to have a high security margin. A precise characterization of MARS is difficult because of the fact that MARS employs two different kinds of rounds. MARS has received some criticism based on its complexity, which may have hindered its security analysis during the timeframe of the AES development process.

Rijndael appears to have an adequate security margin. The security margin is a bit difficult to measure because the number of rounds changes with the key size. Rijndael has received some criticism on two grounds: that its security margin is on the low side among the finalists, and that its mathematical structure may lead to attacks. However, its structure is fairly simple, which may have facilitated its security analysis during the specified timeframe of the AES development process.

Serpent appears to have a high security margin. Serpent also has a simple structure, which may have facilitated its security analysis during the specified timeframe of the AES development process.

Twofish appears to have a high security margin. Since Twofish uses key-dependent round function, the notion of security margin may have less meaning for this algorithm than for the other finalists. The dependence of the Twofish S-boxes on only k/2 bits of entropy in the k-bit key case has led to a speculation that Twofish may be amenable to a divide-and-conquer attack, although no such attack has been found. Twofish has received some criticism for its complexity, making analysis difficult during the timeframe of the AES development process."

Answer 6

If you want to look at the details, there's an article, mainly by me, on block ciphers at http://en.citizendium.org/wiki/Block_cipher

To comply with current US standards, use AES, formerly Rijndael. Any of the other finalists from the AES competition -- Serpent, MARS, Twofish or RC-6 -- should be fine as well. I think you need a license for RC6, though.

Answer 7

I normally use AES-128 since AES is FIPS approved. The strongest cipher is AES-256 (MCRYPT_RIJNDAEL_256).

mcrypt has a modular design and new cipher can be added easily.