A brief overview of cryptography, with examples focusing on using strong cryptography to store passwords in PHP. Given at the University of Kansas

1. Cryptography in PHP

2. What is cryptography The practice of studying and hiding information Replacing understandable text (plaintext) with a seemingly random set of characters (ciphertext) Covers encryption (hiding) and decryption (revealing) Modern cryptography involves lots of math & computing power

3. Why use it Because we say so (obviously) “We” here includes ITSO and several state& federal laws Protects user data, and by extension, you, and KU Data breaches can cause national press, and not the good kind The best way to prevent malicious users from getting something is to not store it Confidentiality, Authentication, Authorization, Integrity, Non-repudiation

4. Algorithms For this purpose, a method used to apply cryptography to text Several categories Many exist Many have known flaws

5. Types of algorithms Hashing “Digest” One way (non-reversible) Fast, commonly used to verify expected input Symmetric Slower (but that’s not a bad thing) Can be reversed Requires a key (usually known to both parties) Asymmetric – not covered here. Ex. RSA, PGP Typically used in conjunction w/symmetric

6. Algorithm life-cycle Proposed Rigorously and thoroughly tested in the open for 3+ years Adopted as a standard Broad user base Flaws discovered Declared “broken” and disregarded (but not by all users) Repeat

7. “You can’t hide secrets from the future with math” - MC Frontalot

8. Rainbow Tables Compares hashes to known values Fast to search Fast to generate (now) Fit on thumb drives (very soon)

9. Encryption options in PHP md5() – NO sha1() – there are better ones out there hash() Specify algorithm and key length, sha512 is pretty good crypt() one-way hashing, multiple algorithms Supports bcrypt as of PHP 5.3 mcrypt library OpenSSL library – mostly for asymmetric use

10. Initialization Vectors Used to add randomization to your cipher “seeds” additional randomness into the algorithm Make a new one for each user Use mcrypt_create_iv($size, MCRYPT_DEV_URANDOM) $size should be determined by the algorithm used. mcrypt_get_iv_size($algorithm, MCRYPT_MODE_CBC) IVs can be kept secret but don’t have to be Safe to store them with the encrypted value Not a salt (salting is just for hashes)

11. Best practices, pt 1 Don’t store everything your crypto system needs in one place Use symmetric, one way algorithms for passwords Base64-encode crypto output before storing Keys should be binary, not ASCII Try SHA256 on your key phrase

12. Best practices, pt 2 Use CBC mode instead of EBC Don’t re-run hashing functions Pad out user’s input to cipher’s block size Make sure the input is distinct from your padding Remember to take the padding off when retrieving KEEP IT [your key] SECRET. KEEP IT SAFE

13. Resources http://www.ciphersbyritter.com/GLOSSARY.HTM - terms https://github.com/archwisp/MindFrame2/blob/master/Crypto.php - example encrypt/decrypt object http://thinkdiff.net/mysql/encrypt-mysql-data-using-aes-techniques/ - encryption functions in MySQL http://www.zimuel.it/blog/2011/01/strong-cryptography-in-php/

14. Questions?