Strong cipher algorithms are cryptographic systems resistant to cryptanalysis, they
are not vulnerable to well-known attacks like brute force attacks for example.
A general recommendation is to only use cipher algorithms intensively tested and promoted by the cryptographic community.
More specifically for block cipher, it’s not recommended to use algorithm with a block size inferior than 128 bits.
Noncompliant Code Example
<?php
// mcrypt_encrypt is deprecated since PHP 7.1
$c1 = mcrypt_encrypt(MCRYPT_DES, $key, $plaintext, $mode); // Noncompliant: DES works with 56-bit keys allow attacks via exhaustive search
$c2 = mcrypt_encrypt(MCRYPT_DES_COMPAT, $key, $plaintext, $mode); // Noncompliant: DES works with 56-bit keys allow attacks via exhaustive search
$c3 = mcrypt_encrypt(MCRYPT_TRIPLEDES, $key, $plaintext, $mode) // Noncompliant: Triple DES is vulnerable to meet-in-the-middle attack
$c4 = mcrypt_encrypt(MCRYPT_3DES, $key, $plaintext, $mode); // Noncompliant: Triple DES is vulnerable to meet-in-the-middle attack
$c5 = mcrypt_encrypt(MCRYPT_BLOWFISH, $key, $plaintext, $mode); // Noncompliant: Blowfish use a 64-bit block size makes it vulnerable to birthday attacks
$c6 = mcrypt_encrypt(MCRYPT_RC2, $key, $plaintext, $mode); // Noncompliant: RC2 is vulnerable to a related-key attack
$c7 = mcrypt_encrypt(MCRYPT_RC4, $key, $plaintext, $mode); // Noncompliant: vulnerable to several attacks (see https://en.wikipedia.org/wiki/RC4#Security)
$c8 = openssl_encrypt($plaintext, "bf-ecb", $key, $options=OPENSSL_RAW_DATA, $iv); // Noncompliant: Blowfish use a 64-bit block size makes it vulnerable to birthday attacks
$c9 = openssl_encrypt($plaintext, "des-ede3", $key, $options=OPENSSL_RAW_DATA, $iv); // Noncompliant: Triple DES is vulnerable to meet-in-the-middle attack
$c10 = openssl_encrypt($plaintext, "des-ofb", $key, $options=OPENSSL_RAW_DATA, $iv); // Noncompliant: DES works with 56-bit keys allow attacks via exhaustive search
$c11 = openssl_encrypt($plaintext, "rc2-cbc", $key, $options=OPENSSL_RAW_DATA, $iv); // Noncompliant: RC2 is vulnerable to a related-key attack
$c12 = openssl_encrypt($plaintext, "rc4", $key, $options=OPENSSL_RAW_DATA, $iv); // Noncompliant: vulnerable to several attacks (see https://en.wikipedia.org/wiki/RC4#Security)
Compliant Solution
<?php
$c1= openssl_encrypt($plaintext, "aes-256-gcm", $key, $options=OPENSSL_RAW_DATA, $iv); // Compliant
See
