sodium_crypto_box - PHP code example

PHP Function Sodium Crypto Box

php function sodium_crypto_box allows us to use a Cryptographically-secure pseudorandom number generator. The generated random numbers are used to encrypt and decrypt messages. A key is also generated for a message and must be kept secret. A nonce value is also generated for each message to prevent reuse of the same message by an attacker. The function is safe to use, and can be used for example:

It uses libsodium, a modern, portable, lightweight, and opinionated library to do cryptography, which simplifies the decision making for users. It supports a wide range of ciphers (AES, Blowfish, Twofish, GCM), provides authentication support, and much more. It is recommended to use the XChaCha20-Poly1305 – IETF cipher, as it is the most secure and is most likely supported by your CPU.

Aside from symmetric encryption, Sodium offers support for asymmetric encryption as well. With asymmetric encryption, each user has a pair of keys: One public and the other private. The public key can be distributed publicly and anyone can encrypt a message for that user, but the message will only be decrypted by the person who has the private key. To authenticate asymmetric encrypted messages, both parties must exchange their public keys with each other securely, which can be done via a key-exchange protocol or another means.

Sodium is a great alternative to the mcrypt and OpenSSL extensions, with better support for authentication and key lengths. Moreover, it offers a variety of additional functions like generate nonce or random_bytes, that are missing from the other extensions.

sodium_crypto_box example

ParagonIE_Sodium_Core_Util::declareScalarType($keypair, 'string', 3);

        /* Input validation: */
        if (ParagonIE_Sodium_Core_Util::strlen($nonce) !== self::CRYPTO_BOX_NONCEBYTES) {
            throw new SodiumException('Argument 2 must be CRYPTO_BOX_NONCEBYTES long.');
        }
        if (ParagonIE_Sodium_Core_Util::strlen($keypair) !== self::CRYPTO_BOX_KEYPAIRBYTES) {
            throw new SodiumException('Argument 3 must be CRYPTO_BOX_KEYPAIRBYTES long.');
        }

        if (self::useNewSodiumAPI()) {
            return (string) sodium_crypto_box($plaintext, $nonce, $keypair);
        }
        if (self::use_fallback('crypto_box')) {
            return (string) call_user_func('\\Sodium\\crypto_box', $plaintext, $nonce, $keypair);
        }
        if (PHP_INT_SIZE === 4) {
            return ParagonIE_Sodium_Crypto32::box($plaintext, $nonce, $keypair);
        }
        return ParagonIE_Sodium_Crypto::box($plaintext, $nonce, $keypair);
    }

    /** * Anonymous public-key encryption. Only the recipient may decrypt messages. * * Algorithm: X25519-XSalsa20-Poly1305, as with crypto_box. * The sender's X25519 keypair is ephemeral. * Nonce is generated from the BLAKE2b hash of both public keys. * * This provides ciphertext integrity. * * @param string $plaintext Message to be sealed * @param string $publicKey Your recipient's public key * @return string Sealed message that only your recipient can * decrypt * @throws SodiumException * @throws TypeError * @psalm-suppress MixedArgument */