Cryptography in PHP: Some Use Cases

Cryptography in PHP:
some use cases

by Enrico Zimuel (enrico@zend.com)

Senior Software Engineer
Zend Framework Core Team
Zend Technologies Ltd

PHPTour Lille 2011 – 25 November
http://afup.org/pages/phptourlille2011/
© All rights reserved. Zend Technologies, Inc.

About me

• Software Engineer since 1996
– Assembly x86, C/C++, Java, Perl, PHP
• Enjoying PHP since 1999
• PHP Engineer at Zend since 2008
• ZF Core Team from April 2011
• Author of two italian books about
Email: enrico@zend.com
Twitter: @ezimuel applied cryptography
• B.Sc. Computer Science and Economics
from University of Pescara (Italy)


Summary

●
Cryptography in PHP
●
Some use cases:
▶ Safe way to store passwords
▶ Generate pseudo-random numbers
▶ Encrypt/decrypt sensitive data
●
Demo: encrypt PHP session data


Cryptography in PHP

● crypt()
● Mcrypt
● Hash
● OpenSSL


crypt()

●
One-way string hashing
●
Support strong cryptography
▶ bcrypt, sha-256, sha-512
● PHP 5.3.0 – bcrypt support
● PHP 5.3.2 – sha-256/512
● Note: don't use PHP 5.3.7 (bug #55439)


Mcrypt extension

● Mcrypt is an interface to the mcrypt library
●
Supports the following encryption algorithms:
▶ 3DES, ARCFOUR, BLOWFISH, CAST, DES,
ENIGMA, GOST, IDEA (non-free), LOKI97,
MARS, PANAMA, RIJNDAEL, RC2, RC4, RC6,
SAFER, SERPENT, SKIPJACK, TEAN,
TWOFISH, WAKE, XTEA


Hash extension

● Enabled by default from PHP 5.1.2
●
Hash or HMAC (Hash-based Message
Authentication Code)
●
Supported hash algorithms: MD4, MD5,
SHA1, SHA256, SHA384, SHA512,
RIPEMD, RIPEMD, WHIRLPOOL, GOST,
TIGER, HAVAL, etc


OpenSSL extension

● The OpenSSL extension uses the functions of the
OpenSSL project for generation and verification of
signatures and for sealing (encrypting) and opening
(decrypting) data
●
Public key cryptography (RSA algorithm)


Which algorithm to use?

● Some suggestions:
▶ Symmetric encryption:
Blowfish / Twofish
●

●
Rijndael (AES, FIST 197 standard
since 2001)
▶ Hash: SHA-256, 384, 512

▶ Public key: RSA


Cryptography vs. Security

●
Cryptography doesn't mean security
● Encryption is not enough
● Bruce Schneier quotes:
▶ “Security is only as strong as the
weakest link”
▶ “Security is a process, not a product”


When cryptography fails...


Use cases


Use case 1: store a password

●
Scenario:
▶ Web applications with a protect area
▶ Username and password to login
●
Problem:
▶ How to safely store a password?


Hash a password

●
md5($password) – not secure
▶ Dictionary attack (pre-built)
●
md5($salt . $password) – better but still insecure
▶ Dictionary attacks:
● 700'000'000 passwords a second using CUDA
(budget of 2000 $, a week)
●
Cloud computing, 500'000'000 passwords a
second (about $300/hour)


bcrypt

●
Better idea, use of bcrypt algorithm:
▶ bcrypt prevent the dictionary attacks because
is slow as hell
▶ Based on a variant of Blowfish
▶ Introduce a work factor, which allows you to
determine how expensive the hash function
will be


bcrypt in PHP

●
Hash the password using bcrypt (PHP 5.3+)

$salt = substr(str_replace('+', '.',
$salt = substr(str_replace('+', '.',
base64_encode($salt)), 0, 22);
base64_encode($salt)), 0, 22);
$hash = crypt($password,'$2a$'.$workload.'$'.$salt);
$hash = crypt($password,'$2a$'.$workload.'$'.$salt);

●
$salt is a random string (it is not a secret!)
●
$workload is the bcrypt's workload (from 10 to 31)


bcrypt workload benchmark

$workload time in sec
10 0.1
11 0.2
12 0.4
13 0.7
14 1.5
Suggestion:
15 3
Spend > 1 sec
16 6
17 12
18 24.3
19 48.7
OS: Linux kernel 2.6.38
CPU: Intel Core2, 2.1Ghz 20 97.3
RAM: 2 GB - PHP: 5.3.6 21 194.3


bcrypt output

●
Example of bcrypt's output:

$2a$14$c2Rmc2Fka2hmamhzYWRmauBpwLLDFKNPTfmCeuMHV
nMVaLatNlFZO

●
$2a$14$, bcrypt with workload 14
●
c2Rmc2Fka2hmamhzYWRmau is the salt
● BpwLLDFKNPTfmCeuMHVnMVaLatNlFZO, is the hash
output (60 btyes)


bcrypt authentication

●
How to check if a $userpassword is valid for
a $hash value?

if ($hash==crypt($userpassword,$hash)) {
if ($hash==crypt($userpassword,$hash)) {
echo 'The password is correct';
echo 'The password is correct';
} else {
} else {
echo 'The password is not correct!';
echo 'The password is not correct!';
}}


Use case 2: generate random data in PHP

●
Scenario:
▶ Generate random passwords for
● Login systems
●
API systems
●
Problem:
▶ How to generate random data in PHP?


Random number generators


PHP vs. randomness

● How generate a pseudo-random value in PHP?
● Not good for cryptography purpose:
▶ rand()
▶ mt_rand()
● Good for cryptography (PHP 5.3+):
▶ openssl_random_pseudo_bytes()
▶


rand() is real random?

Pseudo-random bits rand() in PHP on Windows

From random.org website


Use case 3: encrypt data

●
Scenario:
▶ We want to store some sensitive data
(e.g. credit card numbers)
●
Problem:
▶ How to encrypt this data in PHP?


Symmetric encryption

● Using Mcrypt extension:
▶ mcrypt_encrypt(string $cipher,string $key,
string $data,string $mode[,string $iv])
▶ mcrypt_decrypt(string $cipher,string $key,
string $data,string $mode[,string $iv])
● What are the $mode and $iv parameters?


Encryption mode

●
Symmetric encryption mode:
▶ ECB, CBC, CFB, OFB, NOFB or STREAM
● We are going to use the CBC that is the most used and
secure (as suggested by Schneier in [1])
● Cipher-Block Chaining (CBC) mode of operation was
invented in 1976 by IBM


CBC
The Plaintext (input) is divided into blocks

Block 1 Block 2 Block 3

...

Block 1 Block 2 Block 3

The Ciphertext (output) is the concatenation of the cipher-blocks


IV

●
Initialization Vector (IV) is a fixed-size input that is
typically required to be random or pseudo
●
The IV is not a secret, you can send it in plaintext
●
Usually IV is stored before the encrypted message
● Must be unique for each encrypted message


Encryption is not enough

● We cannot use only encryption to store sensitive
data, we need also authentication!
● Encryption doesn't prevent alteration of data
▶ Padding Oracle Attack (Vaudenay, EuroCrypt 2002)
●
We need to authenticate:
▶ MAC (Message Authentication Code)
▶ HMAC (Hash-based Message Authentication
Code)


HMAC

●
In PHP we can generate an HMAC using the
hash_hmac() function:

hash_hmac ($algo, $msg, $key)

$algo is the hash algorithm to use (e.g. sha256)
$msg is the message
$key is the key for the HMAC


Encryption + authentication

●
Three possible ways:
▶ Encrypt-then-authenticate
▶ Authenticate-then-encrypt
▶ Encrypt-and-authenticate
● We use encrypt-then-authenticate, as
suggested by Schneier in [1]


Demo: encrypt session data

● Specific PHP session handler to encrypt session data
using files
●
Use of AES (Rijndael 128) + HMAC (SHA-256)
●
Pseudo-random session key
● The encryption and authentication keys are stored
in a cookie variable
● Source code:
https://github.com/ezimuel/PHP-Secure-Session


Conclusion (1)

●
Use standard algorithms for cryptography:
▶ AES (Rijndael 128), SHA-* hash family, RSA
● Generate random data using the function:
▶ openssl_random_pseudo_bytes()
● Store passwords using bcrypt:
▶ crypt($password, '$2a$'.$workload.'$'.$salt)


Conclusion (2)

●
For symmetric encryption:
▶ Use CBC mode with a different random IV for
each encryption
▶ Always authenticate the encryption data
(using HMAC): encrypt-then-authenticate
●
Use HTTPS (SSL/TLS) to protect the communication
client/server


References

(1) N. Ferguson, B. Schneier, T. Kohno, “Cryptography Engineering”,
Wiley Publishing, 2010
(2) Serge Vaudenay, “Security Flaws Induced by CBC Padding
Applications to SSL, IPSEC, WTLS”, EuroCrypt 2002
● Web:
▶ PHP cryptography extensions
▶ How to safely store a password
▶ bcrypt algorithm
▶ SHA-1 challenge
▶ Nvidia CUDA
▶ Random.org


Thank you!

●
Comments and feedbacks:
▶ enrico@zend.com


Cryptography in PHP: Some Use Cases

Recomendados

Recomendados

Mais conteúdo relacionado

Mais procurados

Mais procurados (20)

Destaque

Destaque (8)

Semelhante a Cryptography in PHP: Some Use Cases

Semelhante a Cryptography in PHP: Some Use Cases (20)

Mais de Zend by Rogue Wave Software

Mais de Zend by Rogue Wave Software (20)

Último

Último (20)

Cryptography in PHP: Some Use Cases