
PHP: mcrypt key?

Please don't mind me asking this, but I'm new to PHP and I need to encrypt and decrypt a password. I want to send the password over a URL, so I heard it's the safest way to use mcrypt.

I don't get the thing with the KEY in the mcrypt function. Shouldn't that be as secret as the password itself? E.g. I'm using this function from the PHP manual:

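    <?php
    // ECB mode ignores the IV; it is generated here only because the call accepts one.
    $iv_size = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_ECB);
    $iv = mcrypt_create_iv($iv_size, MCRYPT_RAND);
    // The symmetric key: anyone who can read this source file can decrypt the data.
    $key = "this is my personal decryption key";
    $text = "Meet me at 11 o'clock behind the monument.";
    echo strlen($text) . "\n";

    // Encrypt, then print the ciphertext length (padded up to the cipher's block size).
    $crypttext = mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $key, $text, MCRYPT_MODE_ECB, $iv);
    echo strlen($crypttext) . "\n";
    ?>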

Can I set the $key to whatever I want? What if someone downloads the source of my document where I set up this $key? He is able to easily decrypt the $text again, isn't he? Or do I get something wrong with this function?

It would probably be simpler and more secure to use TLS (HTTPS). This can use the same technologies (e.g. AES/Rijndael), but handles many of the details, including key distribution, for you. If you use mcrypt, you need to figure out a safe way to exchange both key and IV (initialization vector).

You clearly also need to protect the key and IV. So if it's embedded in your PHP file, you must take care to secure that file. It's important to remember the distinction between server and client side, though. The key won't leak into the generated HTML file unless you have a bug in your script.
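An added example (not part of the question or the answer above): the key is read from outside the script, here a hypothetical `APP_SECRET_KEY` environment variable, and the data is protected with libsodium's authenticated `sodium_crypto_secretbox` (PHP 7.2+) in place of mcrypt in ECB mode. The function names `load_key`, `seal` and `open_sealed` are illustrative, and the key and message in the demo are constructed; this sits alongside HTTPS, not instead of it.

```php
<?php
// Added example. Assumption: APP_SECRET_KEY (hypothetical name) is set by the
// server environment and holds 32 random bytes, base64-encoded.
function load_key(): string
{
    $key = base64_decode((string) getenv('APP_SECRET_KEY'), true);
    if ($key === false || strlen($key) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
        throw new RuntimeException('APP_SECRET_KEY missing or not 32 bytes');
    }
    return $key;
}

// Encrypt and authenticate; returns a URL-safe token of nonce || ciphertext.
function seal(string $plaintext, string $key): string
{
    // A fresh random nonce per message; it is not secret and travels with the token.
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box = sodium_crypto_secretbox($plaintext, $nonce, $key);
    return sodium_bin2base64($nonce . $box, SODIUM_BASE64_VARIANT_URLSAFE_NO_PADDING);
}

// Returns the plaintext, or null if the token is malformed or was modified.
function open_sealed(string $token, string $key): ?string
{
    try {
        $raw = sodium_base642bin($token, SODIUM_BASE64_VARIANT_URLSAFE_NO_PADDING);
    } catch (SodiumException $e) {
        return null;
    }
    $min = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if (strlen($raw) < $min) {
        return null;
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open($box, $nonce, $key);
    return $plain === false ? null : $plain;
}

// Demo with a constructed key; in production the variable is set outside PHP.
putenv('APP_SECRET_KEY=' . base64_encode(sodium_crypto_secretbox_keygen()));
$key = load_key();
$token = seal("Meet me at 11 o'clock behind the monument.", $key);
var_dump(open_sealed($token, $key));

// Changing one character of the token alters the nonce, so authentication fails.
$tampered = ($token[0] === 'A' ? 'B' : 'A') . substr($token, 1);
var_dump(open_sealed($tampered, $key));
```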

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address. Any question please contact: yoyou2525@163.com.

 