This document provides an overview of password and data security best practices for PHP applications. It discusses common password attacks and how to protect against them using techniques like salting, key stretching algorithms and two-factor authentication. It also covers encrypting data using symmetric and asymmetric cryptography algorithms like AES, RSA and digital signatures. The document provides code examples for hashing and validating passwords, encrypting and decrypting messages and data at rest or in transit.
8. Brute Force Attacks!
Calculate all key variations within a given length, then
trying each one until the password is guessed. !
Protect via: Key stretching, CAPTCHA, 2FA!
!
Dictionary Attacks!
Use a list of predetermined words/phrase to guess password.!
Protect via: Salting!
!
Rainbow Tables!
Use precalculated password hashes to break encryption.!
Protect via: Salting !
Protecting Against Password Attacks!
10. //hashing identical messages with no salt!
hash('mechagodzilla') = !
162e0a91026a28f1f2afa11099d1fcbdd9f2e351095ebb196c90e10290ef1227!
hash('mechagodzilla') = !
162e0a91026a28f1f2afa11099d1fcbdd9f2e351095ebb196c90e10290ef1227!
!
//hashing identical messages with random salt!
hash('mechagodzilla' + '458cf2979ef27397db67077775225334') = !
f3499a916612e285612b32702114751f557a70606c32b54b92de55153d40d3b6!
hash('mechagodzilla' + 'ef5b72eff781b09a0784438af742dd6e') = !
7e29c5c48f44755598dec3549155ad66f1af4671091353be4c4d7694d71dc866!
hash('mechagodzilla' + 'cc989b105a1c6a5f0fb460e29dd272f3') = !
6dedd3dbb0639e6e00ca0bf6272c141fb741e24925cb7548491479a1df2c215e!
Hashing with and without salts!
11. Storing Salts!
Store alongside the hash!
!
Salt Reuse!
Salts should be be unique per password!
!
Salt Length!
Same size as hash? 64 bits? 128 bits?!
Considerations when using Salts!
12. bcrypt!
Designed for password security, based on the blowfish
cipher, CPU & RAM intensive.!
!
PBKDF2!
Comes from RSA laboratories, performs the HMAC (hash +
key) over a specific number of iterations.!
!
scrypt!
Designed to make it costly to perform large-scale
hardware attacks by requiring large amounts of memory!
Password Encryption Algorithms!
13. !
//fetch password from user creation request!
$password = $_POST['password'];!
!
//salt option deprecated in PHP 7.0.0+!
$options = [!
'cost' => 12!
];!
!
//create 60 character hash, with default unique salt, and options !
$hash = password_hash($password, PASSWORD_BCRYPT, $options);!
!
//STORE HASH IN USER DATABASE RECORD!
//SALT IS BUILT INTO HASH!
Hashing with bcrypt!
14. //fetch login request information!
$username = $_POST['username'];!
$password = $_POST['password'];!
!
//fetch user record from database!
$user = fetchDBRecord($username);!
!
//verify if login attempt password matches stored user hash!
if (password_verify($password, $user->hash)){!
echo "password matches";!
} else {!
echo "password doesn't match";!
}!
Login Hash Comparison with bcrypt!
15. !
!
//fetch password from user creation request!
$password = $_POST['password'];!
!
//set iterations and random initialization vector!
$iterations = 1000;!
$salt = mcrypt_create_iv(16, MCRYPT_DEV_URANDOM);!
!
//hash password using sha256!
$hash = hash_pbkdf2("sha256", $password, $salt, $iterations, 20);!
!
//STORE HASH AND SALT IN USER DATABASE RECORD!
Hashing with PBKDF2!
16. !
//fetch login request info and set iterations!
$username = $_POST['username'];!
$password = $_POST['password'];!
$iterations = 1000;!
!
//fetch user record from database!
$user = fetchDBRecord($username);!
!
//manually hash the login attempt password!
$loginhash = hash_pbkdf2("sha256", $password, $user->salt, $iterations, 20);!
!
//validate if hashes match!
if (hash_equals ($loginhash, $user->hash)){ !
echo 'password match';!
} else {!
echo 'password mismatch';!
}!
!
Login Hash Comparison with PBKDF2!
30. Encryption (ECB, CBC, OFB, CFB, CTR)!
Data privacy and confidentiality mode. Attacker
cannot obtain info on the plaintext data.!
!
Authentication(CMAC)!
Data authenticity mode. Receiver can validate
whether cleartext came from intended sender.!
!
Authenticated Encryption (CCM, GCM, KW/KWP/TKW)!
Includes both data privacy and authenticity.!
Modes of Operation!
32. //----!
// data sent to server: iv, ciphertext!
// data known by server: key!
//----!
!
//set algorithm and mode!
$mode = 'aes-256-cbc’;!
!
//decrypt provided cipher!
$decrypted = openssl_decrypt($ciphertext, $mode, $key, 0, $iv);!
Decrypting ciphertext!
33. //display block ciphers and modes!
print_r(openssl_get_cipher_methods());!
Getting all available ciphers and modes !
37. //create private key in private.key!
openssl genrsa -out private.key 2048!
!
//create public key in public.pem!
openssl rsa -in private.key -outform PEM -pubout -out public.pem!
Generating Public / Private Keys!
38. //set public key data from files and object to send!
$public_key = openssl_get_publickey(file_get_contents('public.pem'));!
$data = '{"message": "my super secure message"}';!
!
//encrypt object and public keys!
openssl_seal($data, $encrypted, $encpub, array($public_key));!
!
//encrypted data and encrypted public key!
$sealed_data = base64_encode($encrypted);!
$envelope = base64_encode($encpub[0]);!
!
//SEND SEALED DATA AND ENVELOPE TO RECIPIENT!
Preparing Message, Encrypting, and Signing!
39. //OBTAIN SEALED DATA AND ENVELOPE FROM SENDER!
!
//set private key data!
$private_key = openssl_get_privatekey(file_get_contents('private.key'));!
!
//decode data!
$sealed_data = base64_decode($sealed_data);!
$envelope = base64_decode($envelope);!
!
//rypt data using private key!
openssl_open($sealed_data, $plaintext, $envelope, $private_key);!
!
//decrypted message available in $plaintext!
Decrypting and Verifying Message!