Cryptography in PHP: use cases

October 2011Cryptography in PHP:use casesEnrico ZimuelZend Technologies

About me October 2011 • Enrico Zimuel (ezimuel) • Software Engineer since 1996 – Assembly x86, C/C++, Java, Perl, PHP • Enjoying PHP since 1999 • Senior PHP Engineer at Zend Technologies since 2008 • Author of two italian books aboutEmail: enrico@zend.com applied cryptography • B.Sc. Computer Science and Economics from University of Pescara (Italy)

Summary October 2011● Cryptography in PHP● Some use cases: ● Safe way to store passwords ● Generate pseudo-random numbers ● Encrypt/decrypt sensitive data● Demo: encrypt PHP session data

Cryptography in PHP October 2011● crypt()● Mcrypt● Hash● OpenSSL

crypt() October 2011● One-way string hashing● Support strong cryptography ● bcrypt, sha-256, sha-512● PHP 5.3.0 – bcrypt support● PHP 5.3.2 – sha-256/512● Note: dont use PHP 5.3.7 (bug #55439)

Mcrypt October 2011● Mcrypt is an interface to the mcrypt library● Supports the following encryption algorithms: ● 3DES, ARCFOUR, BLOWFISH, CAST, DES, ENIGMA, GOST, IDEA (non-free), LOKI97, MARS, PANAMA, RIJNDAEL, RC2, RC4, RC6, SAFER, SERPENT, SKIPJACK, TEAN, TWOFISH, WAKE, XTEA

Hash October 2011● Enabled by default from PHP 5.1.2● Hash or HMAC (Hash-based Message Authentication Code)● Supported hash algorithms: MD4, MD5, SHA1, SHA256, SHA384, SHA512, RIPEMD, RIPEMD, WHIRLPOOL, GOST, TIGER, HAVAL, etc

OpenSSL October 2011● The OpenSSL extension uses the functions of the OpenSSL project for generation and verification of signatures and for sealing (encrypting) and opening (decrypting) data● Public key cryptography (RSA algorithm)

Which algorithm? October 2011● Some suggestions: ● Symmetric encryption: – Blowfish / Twofish – Rijndael (AES, FIST 197 standard since 2001) ● Hash: SHA-256, 384, 512 ● Public key: RSA

Cryptography vs. Security October 2011● Cryptography doesnt mean security● Encryption is not enough● Bruce Schneier quotes: ● “Security is only as strong as the weakest link” ● “Security is a process, not a product”

Cryptography vs. Security October 2011

October 2011Use cases

Use case 1: store a password October 2011● Scenario: ● Web applications with a protect area ● Username and password to login● Problem: how to safely store a password?

Hash a password October 2011● Basic ideas, use of hash algorithms: ● md5($password) – not secure – Dictionary attack (pre-built) ● md5($salt . $password) – better but still insecure – Dictionary attacks: ● 700000000 passwords a second using CUDA (budget of 2000 $, a week) ● Cloud computing, 500000000 passwords a second (about $300/hour)

bcrypt October 2011● Better idea, use of bcrypt algorithm: ● bcrypt prevent the dictionary attacks because is slow as hell ● Based on a variant of Blowfish ● Introduce a work factor, which allows you to determine how expensive the hash function will be

bcrypt in PHP October 2011 ● Hash the password using bcrypt (PHP 5.3+)$salt = substr(str_replace(+, .,$salt = substr(str_replace(+, ., base64_encode($salt)), 0, 22); base64_encode($salt)), 0, 22);$hash = crypt($password,$2a$.$workload.$.$salt);$hash = crypt($password,$2a$.$workload.$.$salt);● $salt is a random string (it is not a secret!)● $workload is the bcrypts workload (from 10 to 31)

bcrypt workload benchmark $workload time in sec October 2011 10 0.1 11 0.2 12 0.4 13 0.7 14 1.5Suggestion:Spend ≈ 1 sec (or more) 15 3 16 6 17 12 18 24.3 19 48.7 20 97.3 21 194.3 OS: Linux kernel 2.6.38CPU: Intel Core2, 2.1Ghz 22 388.2RAM: 2 GB - PHP: 5.3.6 … …

bcrypt output October 2011 ● Example of bcrypts output:$2a$14$c2Rmc2Fka2hmamhzYWRmauBpwLLDFKNPTfmCeuMHVnMVaLatNlFZO ● c2Rmc2Fka2hmamhzYWRmau is the salt ● Workload: 14 ● Length of 60 btyes

bcrypt authentication October 2011● How to check if a $userpassword is valid for a $hash value?if ($hash==crypt($userpassword,$hash)) { if ($hash==crypt($userpassword,$hash)) { echo The password is correct; echo The password is correct;} else { } else { echo The password is not correct!; echo The password is not correct!;}}

Use case 2: generate random data in PHP October 2011● Scenario: ● Generate random passwords for – Login systems – API systems ● Problem: how to generate random data in PHP?

Random number generators October 2011

PHP vs. randomness October 2011● How generate a pseudo-random value in PHP?● Not good for cryptography purpose: ● rand() ● mt_rand()● Good for cryptography (PHP 5.3+): ● openssl_random_pseudo_bytes()

rand() is real random? October 2011Pseudo-random bits rand() in PHP on Windows From random.org website

Use case 3: encrypt data October 2011● Scenario: ● We want to store some sensitive data (e.g. credit card numbers)● Problem: ● How to encrypt this data in PHP?

Symmetric encryption October 2011● Using Mcrypt extension: ● mcrypt_encrypt(string $cipher,string $key, string $data,string $mode[,string $iv]) ● mcrypt_decrypt(string $cipher,string $key, string $data,string $mode[,string $iv])● What are these $mode and $iv parameters?

Encryption mode October 2011● Symmetric encryption mode: ● ECB, CBC, CFB, OFB, NOFB or STREAM● We are going to use the CBC that is the most used and secure● Cipher-Block Chaining (CBC) mode of operation was invented in 1976 by IBM

CBC October 2011 The Plaintext (input) is divided into blocks Block 1 Block 2 Block 3 ... Block 1 Block 2 Block 3The Ciphertext (output) is the concatenation of the cipher-blocks

IV October 2011● Initialization Vector (IV) is a fixed-size input that is typically required to be random or pseudo● The IV is not a secret, you can send it in plaintext● Usually IV is stored before the encrypted message● Must be unique for each encrypted message

Encryption is not enough October 2011● We cannot use only encryption to store sensitive data, we need also authentication!● Encryption doesnt prevent alteration of data ● Padding Oracle Attack (Vaudenay, EuroCrypt 2002)● We need to authenticate: ● MAC (Message Authentication Code) ● HMAC (Hash-based Message Authentication Code)

HMAC October 2011● In PHP we can generate an HMAC using the hash_hmac() function: hash_hmac ($algo, $msg, $key) $algo is the hash algorithm to use (e.g. sha256) $msg is the message $key is the key for the HMAC

Encryption + authentication October 2011● Three possible ways: ● Encrypt-then-authenticate ● Authenticate-then-encrypt ● Encrypt-and-authenticate● We will use encrypt-then-authenticate, as suggested by Schneier in [1]

Demo: encrypt session data October 2011● Specific PHP session handler to encrypt session data using files● Use of AES (Rijndael 128) + HMAC (SHA-256)● Pseudo-random session key● The encryption and authentication keys are stored in a cookie variable● Source code: https://github.com/ezimuel/PHP-Secure-Session

Conclusion (1) October 2011● Use standard algorithms for cryptography: ● AES (Rijndael 128), SHA-* hash family, RSA● Generate random data using the function: ● openssl_random_pseudo_bytes()● Store passwords using bcrypt: ● crypt($password, $2a$.$workload.$.$salt)

Conclusion (2) October 2011● For symmetric encryption: ● Use CBC mode with a different random IV for each encryption ● Always authenticate the encryption data (using HMAC): encrypt-then-authenticate● Use HTTPS (SSL/TLS) to protect the communication client/server

References October 2011(1) N. Ferguson, B. Schneier, T. Kohno, “Cryptography Engineering”, Wiley Publishing, 2010(2) Serge Vaudenay, “Security Flaws Induced by CBC Padding Applications to SSL, IPSEC, WTLS”, EuroCrypt 2002● Web: ● PHP cryptography extensions ● How to safely store a password ● bcrypt algorithm ● SHA-1 challenge ● Nvidia CUDA ● Random.org

Thank you! October 2011● Vote this talk: ● http://joind.in/3748● Comments and feedbacks: ● enrico@zend.com

http://www.zimuel.it	1453
http://a0.twimg.com	4
http://webcache.googleusercontent.com	1

Cryptography in PHP: use cases

by Enrico Zimuel on Nov 14, 2011

Accessibility

Categories

Tags

Upload Details

Usage Rights

3 Embeds 1,458

Statistics

Cryptography in PHP: use cases — Presentation Transcript