Mais conteúdo relacionado Semelhante a Cryptography in PHP: Some Use Cases (20) Mais de Zend by Rogue Wave Software (20) Cryptography in PHP: Some Use Cases1. Cryptography in PHP:
some use cases
by Enrico Zimuel (enrico@zend.com)
Senior Software Engineer
Zend Framework Core Team
Zend Technologies Ltd
PHPTour Lille 2011 – 25 November
http://afup.org/pages/phptourlille2011/
© All rights reserved. Zend Technologies, Inc.
2. About me
• Software Engineer since 1996
– Assembly x86, C/C++, Java, Perl, PHP
• Enjoying PHP since 1999
• PHP Engineer at Zend since 2008
• ZF Core Team from April 2011
• Author of two italian books about
Email: enrico@zend.com
Twitter: @ezimuel applied cryptography
• B.Sc. Computer Science and Economics
from University of Pescara (Italy)
© All rights reserved. Zend Technologies, Inc.
3. Summary
●
Cryptography in PHP
●
Some use cases:
▶ Safe way to store passwords
▶ Generate pseudo-random numbers
▶ Encrypt/decrypt sensitive data
●
Demo: encrypt PHP session data
© All rights reserved. Zend Technologies, Inc.
4. Cryptography in PHP
● crypt()
● Mcrypt
● Hash
● OpenSSL
© All rights reserved. Zend Technologies, Inc.
5. crypt()
●
One-way string hashing
●
Support strong cryptography
▶ bcrypt, sha-256, sha-512
● PHP 5.3.0 – bcrypt support
● PHP 5.3.2 – sha-256/512
● Note: don't use PHP 5.3.7 (bug #55439)
© All rights reserved. Zend Technologies, Inc.
6. Mcrypt extension
● Mcrypt is an interface to the mcrypt library
●
Supports the following encryption algorithms:
▶ 3DES, ARCFOUR, BLOWFISH, CAST, DES,
ENIGMA, GOST, IDEA (non-free), LOKI97,
MARS, PANAMA, RIJNDAEL, RC2, RC4, RC6,
SAFER, SERPENT, SKIPJACK, TEAN,
TWOFISH, WAKE, XTEA
© All rights reserved. Zend Technologies, Inc.
7. Hash extension
● Enabled by default from PHP 5.1.2
●
Hash or HMAC (Hash-based Message
Authentication Code)
●
Supported hash algorithms: MD4, MD5,
SHA1, SHA256, SHA384, SHA512,
RIPEMD, RIPEMD, WHIRLPOOL, GOST,
TIGER, HAVAL, etc
© All rights reserved. Zend Technologies, Inc.
8. OpenSSL extension
● The OpenSSL extension uses the functions of the
OpenSSL project for generation and verification of
signatures and for sealing (encrypting) and opening
(decrypting) data
●
Public key cryptography (RSA algorithm)
© All rights reserved. Zend Technologies, Inc.
9. Which algorithm to use?
● Some suggestions:
▶ Symmetric encryption:
Blowfish / Twofish
●
●
Rijndael (AES, FIST 197 standard
since 2001)
▶ Hash: SHA-256, 384, 512
▶ Public key: RSA
© All rights reserved. Zend Technologies, Inc.
10. Cryptography vs. Security
●
Cryptography doesn't mean security
● Encryption is not enough
● Bruce Schneier quotes:
▶ “Security is only as strong as the
weakest link”
▶ “Security is a process, not a product”
© All rights reserved. Zend Technologies, Inc.
12. Use cases
© All rights reserved. Zend Technologies, Inc.
13. Use case 1: store a password
●
Scenario:
▶ Web applications with a protect area
▶ Username and password to login
●
Problem:
▶ How to safely store a password?
© All rights reserved. Zend Technologies, Inc.
14. Hash a password
●
md5($password) – not secure
▶ Dictionary attack (pre-built)
●
md5($salt . $password) – better but still insecure
▶ Dictionary attacks:
● 700'000'000 passwords a second using CUDA
(budget of 2000 $, a week)
●
Cloud computing, 500'000'000 passwords a
second (about $300/hour)
© All rights reserved. Zend Technologies, Inc.
15. bcrypt
●
Better idea, use of bcrypt algorithm:
▶ bcrypt prevent the dictionary attacks because
is slow as hell
▶ Based on a variant of Blowfish
▶ Introduce a work factor, which allows you to
determine how expensive the hash function
will be
© All rights reserved. Zend Technologies, Inc.
16. bcrypt in PHP
●
Hash the password using bcrypt (PHP 5.3+)
$salt = substr(str_replace('+', '.',
$salt = substr(str_replace('+', '.',
base64_encode($salt)), 0, 22);
base64_encode($salt)), 0, 22);
$hash = crypt($password,'$2a$'.$workload.'$'.$salt);
$hash = crypt($password,'$2a$'.$workload.'$'.$salt);
●
$salt is a random string (it is not a secret!)
●
$workload is the bcrypt's workload (from 10 to 31)
© All rights reserved. Zend Technologies, Inc.
17. bcrypt workload benchmark
$workload time in sec
10 0.1
11 0.2
12 0.4
13 0.7
14 1.5
Suggestion:
15 3
Spend > 1 sec
16 6
17 12
18 24.3
19 48.7
OS: Linux kernel 2.6.38
CPU: Intel Core2, 2.1Ghz 20 97.3
RAM: 2 GB - PHP: 5.3.6 21 194.3
© All rights reserved. Zend Technologies, Inc.
18. bcrypt output
●
Example of bcrypt's output:
$2a$14$c2Rmc2Fka2hmamhzYWRmauBpwLLDFKNPTfmCeuMHV
nMVaLatNlFZO
●
$2a$14$, bcrypt with workload 14
●
c2Rmc2Fka2hmamhzYWRmau is the salt
● BpwLLDFKNPTfmCeuMHVnMVaLatNlFZO, is the hash
output (60 btyes)
© All rights reserved. Zend Technologies, Inc.
19. bcrypt authentication
●
How to check if a $userpassword is valid for
a $hash value?
if ($hash==crypt($userpassword,$hash)) {
if ($hash==crypt($userpassword,$hash)) {
echo 'The password is correct';
echo 'The password is correct';
} else {
} else {
echo 'The password is not correct!';
echo 'The password is not correct!';
}}
© All rights reserved. Zend Technologies, Inc.
20. Use case 2: generate random data in PHP
●
Scenario:
▶ Generate random passwords for
● Login systems
●
API systems
●
Problem:
▶ How to generate random data in PHP?
© All rights reserved. Zend Technologies, Inc.
22. PHP vs. randomness
● How generate a pseudo-random value in PHP?
● Not good for cryptography purpose:
▶ rand()
▶ mt_rand()
● Good for cryptography (PHP 5.3+):
▶ openssl_random_pseudo_bytes()
▶
© All rights reserved. Zend Technologies, Inc.
23. rand() is real random?
Pseudo-random bits rand() in PHP on Windows
From random.org website
© All rights reserved. Zend Technologies, Inc.
24. Use case 3: encrypt data
●
Scenario:
▶ We want to store some sensitive data
(e.g. credit card numbers)
●
Problem:
▶ How to encrypt this data in PHP?
© All rights reserved. Zend Technologies, Inc.
25. Symmetric encryption
● Using Mcrypt extension:
▶ mcrypt_encrypt(string $cipher,string $key,
string $data,string $mode[,string $iv])
▶ mcrypt_decrypt(string $cipher,string $key,
string $data,string $mode[,string $iv])
● What are the $mode and $iv parameters?
© All rights reserved. Zend Technologies, Inc.
26. Encryption mode
●
Symmetric encryption mode:
▶ ECB, CBC, CFB, OFB, NOFB or STREAM
● We are going to use the CBC that is the most used and
secure (as suggested by Schneier in [1])
● Cipher-Block Chaining (CBC) mode of operation was
invented in 1976 by IBM
© All rights reserved. Zend Technologies, Inc.
27. CBC
The Plaintext (input) is divided into blocks
Block 1 Block 2 Block 3
...
Block 1 Block 2 Block 3
The Ciphertext (output) is the concatenation of the cipher-blocks
© All rights reserved. Zend Technologies, Inc.
28. IV
●
Initialization Vector (IV) is a fixed-size input that is
typically required to be random or pseudo
●
The IV is not a secret, you can send it in plaintext
●
Usually IV is stored before the encrypted message
● Must be unique for each encrypted message
© All rights reserved. Zend Technologies, Inc.
29. Encryption is not enough
● We cannot use only encryption to store sensitive
data, we need also authentication!
● Encryption doesn't prevent alteration of data
▶ Padding Oracle Attack (Vaudenay, EuroCrypt 2002)
●
We need to authenticate:
▶ MAC (Message Authentication Code)
▶ HMAC (Hash-based Message Authentication
Code)
© All rights reserved. Zend Technologies, Inc.
30. HMAC
●
In PHP we can generate an HMAC using the
hash_hmac() function:
hash_hmac ($algo, $msg, $key)
$algo is the hash algorithm to use (e.g. sha256)
$msg is the message
$key is the key for the HMAC
© All rights reserved. Zend Technologies, Inc.
31. Encryption + authentication
●
Three possible ways:
▶ Encrypt-then-authenticate
▶ Authenticate-then-encrypt
▶ Encrypt-and-authenticate
● We use encrypt-then-authenticate, as
suggested by Schneier in [1]
© All rights reserved. Zend Technologies, Inc.
32. Demo: encrypt session data
● Specific PHP session handler to encrypt session data
using files
●
Use of AES (Rijndael 128) + HMAC (SHA-256)
●
Pseudo-random session key
● The encryption and authentication keys are stored
in a cookie variable
● Source code:
https://github.com/ezimuel/PHP-Secure-Session
© All rights reserved. Zend Technologies, Inc.
33. Conclusion (1)
●
Use standard algorithms for cryptography:
▶ AES (Rijndael 128), SHA-* hash family, RSA
● Generate random data using the function:
▶ openssl_random_pseudo_bytes()
● Store passwords using bcrypt:
▶ crypt($password, '$2a$'.$workload.'$'.$salt)
© All rights reserved. Zend Technologies, Inc.
34. Conclusion (2)
●
For symmetric encryption:
▶ Use CBC mode with a different random IV for
each encryption
▶ Always authenticate the encryption data
(using HMAC): encrypt-then-authenticate
●
Use HTTPS (SSL/TLS) to protect the communication
client/server
© All rights reserved. Zend Technologies, Inc.
35. References
(1) N. Ferguson, B. Schneier, T. Kohno, “Cryptography Engineering”,
Wiley Publishing, 2010
(2) Serge Vaudenay, “Security Flaws Induced by CBC Padding
Applications to SSL, IPSEC, WTLS”, EuroCrypt 2002
● Web:
▶ PHP cryptography extensions
▶ How to safely store a password
▶ bcrypt algorithm
▶ SHA-1 challenge
▶ Nvidia CUDA
▶ Random.org
© All rights reserved. Zend Technologies, Inc.
36. Thank you!
●
Comments and feedbacks:
▶ enrico@zend.com
© All rights reserved. Zend Technologies, Inc.