php[world] 2016 - Tales From the Crypto: A Cryptography Primer
Cryptography in PHP: use cases
-
Upload
enrico-zimuel -
Category
Technology
-
view
16.183 -
download
0
description
Transcript of Cryptography in PHP: use cases
October 2011
Cryptography in PHP:use cases
Enrico ZimuelZend Technologies
October 2011
• Enrico Zimuel (ezimuel)
• Software Engineer since 1996– Assembly x86, C/C++, Java, Perl, PHP
• Enjoying PHP since 1999
• Senior PHP Engineer at Zend
Technologies since 2008
• Author of two italian books about
applied cryptography
• B.Sc. Computer Science and
Economics from University of
Pescara (Italy)
About me
Email: [email protected]
October 2011
Summary
● Cryptography in PHP● Some use cases:
● Safe way to store passwords● Generate pseudo-random numbers● Encrypt/decrypt sensitive data
● Demo: encrypt PHP session data
October 2011
Cryptography in PHP
● crypt()● Mcrypt● Hash● OpenSSL
October 2011
crypt()
● One-way string hashing● Support strong cryptography
● bcrypt, sha-256, sha-512● PHP 5.3.0 – bcrypt support● PHP 5.3.2 – sha-256/512● Note: don't use PHP 5.3.7 (bug #55439)
October 2011
Mcrypt
● Mcrypt is an interface to the mcrypt library
● Supports the following encryption algorithms:
● 3DES, ARCFOUR, BLOWFISH, CAST, DES, ENIGMA, GOST, IDEA (non-free), LOKI97, MARS, PANAMA, RIJNDAEL, RC2, RC4, RC6, SAFER, SERPENT, SKIPJACK, TEAN, TWOFISH, WAKE, XTEA
October 2011
Hash
● Enabled by default from PHP 5.1.2● Hash or HMAC (Hash-based Message
Authentication Code)● Supported hash algorithms: MD4, MD5,
SHA1, SHA256, SHA384, SHA512, RIPEMD, RIPEMD, WHIRLPOOL, GOST, TIGER, HAVAL, etc
October 2011
OpenSSL
● The OpenSSL extension uses the functions of the OpenSSL project for generation and verification of signatures and for sealing (encrypting) and opening (decrypting) data
● Public key cryptography (RSA algorithm)
October 2011
Which algorithm?
● Some suggestions:● Symmetric encryption:
– Blowfish / Twofish– Rijndael (AES, FIST 197 standard
since 2001)● Hash: SHA-256, 384, 512● Public key: RSA
October 2011
Cryptography vs. Security
● Cryptography doesn't mean security● Encryption is not enough● Bruce Schneier quotes:
● “Security is only as strong as the weakest link”
● “Security is a process, not a product”
October 2011
Cryptography vs. Security
October 2011
Use cases
October 2011
Use case 1: store a password
● Scenario:● Web applications with a protect area● Username and password to login
● Problem: how to safely store a password?
October 2011
Hash a password
● Basic ideas, use of hash algorithms:● md5($password) – not secure
– Dictionary attack (pre-built)
● md5($salt . $password) – better but still insecure– Dictionary attacks:
● 700'000'000 passwords a second using CUDA (budget of 2000 $, a week)
● Cloud computing, 500'000'000 passwords a second (about $300/hour)
October 2011
bcrypt
● Better idea, use of bcrypt algorithm:● bcrypt prevent the dictionary attacks
because is slow as hell● Based on a variant of Blowfish● Introduce a work factor, which allows you to
determine how expensive the hash function will be
October 2011
bcrypt in PHP
● Hash the password using bcrypt (PHP 5.3+)
$salt = substr(str_replace('+', '.', base64_encode($salt)), 0, 22);
$hash = crypt($password,'$2a$'.$workload.'$'.$salt);
$salt = substr(str_replace('+', '.', base64_encode($salt)), 0, 22);
$hash = crypt($password,'$2a$'.$workload.'$'.$salt);
● $salt is a random string (it is not a secret!)
● $workload is the bcrypt's workload (from 10 to 31)
October 2011
$workload time in sec
10 0.1
11 0.2
12 0.4
13 0.7
14 1.5
15 3
16 6
17 12
18 24.3
19 48.7
20 97.3
21 194.3
22 388.2
… …
bcrypt workload benchmark
OS: Linux kernel 2.6.38CPU: Intel Core2, 2.1GhzRAM: 2 GB - PHP: 5.3.6
Suggestion:Spend ≈ 1 sec (or more)
October 2011
bcrypt output
● Example of bcrypt's output:
● c2Rmc2Fka2hmamhzYWRmau is the salt
● Workload: 14
● Length of 60 btyes
$2a$14$c2Rmc2Fka2hmamhzYWRmauBpwLLDFKNPTfmCeuMHVnMVaLatNlFZO
October 2011
bcrypt authentication
● How to check if a $userpassword is valid for a $hash value?
if ($hash==crypt($userpassword,$hash)) { echo 'The password is correct';} else { echo 'The password is not correct!';}
if ($hash==crypt($userpassword,$hash)) { echo 'The password is correct';} else { echo 'The password is not correct!';}
October 2011
Use case 2: generate random data in PHP
● Scenario:● Generate random passwords for
– Login systems– API systems
● Problem: how to generate random data in PHP?
October 2011
Random number generators
October 2011
PHP vs. randomness
● How generate a pseudo-random value in PHP?
● Not good for cryptography purpose:
● rand()● mt_rand()
● Good for cryptography (PHP 5.3+):
● openssl_random_pseudo_bytes()
October 2011
rand() is real random?
rand() in PHP on Windows Pseudo-random bits
From random.org website
October 2011
Use case 3: encrypt data
● Scenario:● We want to store some sensitive data
(e.g. credit card numbers)● Problem:
● How to encrypt this data in PHP?
October 2011
Symmetric encryption
● Using Mcrypt extension:● mcrypt_encrypt(string $cipher,string $key, string $data,string $mode[,string $iv])
● mcrypt_decrypt(string $cipher,string $key, string $data,string $mode[,string $iv])
● What are these $mode and $iv parameters?
October 2011
Encryption mode
● Symmetric encryption mode:
● ECB, CBC, CFB, OFB, NOFB or STREAM● We are going to use the CBC that is the most
used and secure
● Cipher-Block Chaining (CBC) mode of operation was invented in 1976 by IBM
October 2011
CBC
...
The Plaintext (input) is divided into blocks
Block 1 Block 2 Block 3
Block 1 Block 2 Block 3
The Ciphertext (output) is the concatenation of the cipher-blocks
October 2011
IV
● Initialization Vector (IV) is a fixed-size input that is typically required to be random or pseudo
● The IV is not a secret, you can send it in plaintext
● Usually IV is stored before the encrypted message
● Must be unique for each encrypted message
October 2011
Encryption is not enough
● We cannot use only encryption to store sensitive data, we need also authentication!
● Encryption doesn't prevent alteration of data
● Padding Oracle Attack (Vaudenay, EuroCrypt 2002)
● We need to authenticate:
● MAC (Message Authentication Code)● HMAC (Hash-based Message Authentication
Code)
October 2011
HMAC
● In PHP we can generate an HMAC using the hash_hmac() function:
hash_hmac ($algo, $msg, $key)
$algo is the hash algorithm to use (e.g. sha256)$msg is the message$key is the key for the HMAC
October 2011
Encryption + authentication
● Three possible ways:● Encrypt-then-authenticate● Authenticate-then-encrypt● Encrypt-and-authenticate
● We will use encrypt-then-authenticate, as suggested by Schneier in [1]
October 2011
Demo: encrypt session data
● Specific PHP session handler to encrypt session data using files
● Use of AES (Rijndael 128) + HMAC (SHA-256)
● Pseudo-random session key
● The encryption and authentication keys are stored in a cookie variable
● Source code: https://github.com/ezimuel/PHP-Secure-Session
October 2011
Conclusion (1)
● Use standard algorithms for cryptography:
● AES (Rijndael 128), SHA-* hash family, RSA● Generate random data using the function:
● openssl_random_pseudo_bytes()● Store passwords using bcrypt:
● crypt($password, '$2a$'.$workload.'$'.$salt)
October 2011
Conclusion (2)
● For symmetric encryption:
● Use CBC mode with a different random IV for each encryption
● Always authenticate the encryption data (using HMAC): encrypt-then-authenticate
● Use HTTPS (SSL/TLS) to protect the communication client/server
October 2011
(1) N. Ferguson, B. Schneier, T. Kohno, “Cryptography Engineering”, Wiley Publishing, 2010
(2) Serge Vaudenay, “Security Flaws Induced by CBC Padding Applications to SSL, IPSEC, WTLS”, EuroCrypt 2002
● Web:● PHP cryptography extensions● How to safely store a password● bcrypt algorithm● SHA-1 challenge● Nvidia CUDA● Random.org
References
October 2011
● Vote this talk:● http://joind.in/3748
● Comments and feedbacks:● [email protected]
Thank you!