
php[tek] 2108 - Cryptography Advances in PHP 7.2

There were some pretty substantial cryptography advances in PHP 7.2. Most of these changes were made to make advanced cryptography easier to use. That’s a good thing for developers and end users alike. The addition of libsodium is a game changer. It makes symmetric and asymmetric cryptography a no-brainer and adds better hashing than we've ever had. Argon2i for passwords is pretty substantial as well. We’ll go over the changes and have some practical examples of each. Developers need to know about these advances and just how awesome they are.


  1. 1. @adam_englander PHP[TEK] 2018 Wifi: Sheraton Conference Pass: phptek2018 Twitter: #phptek Rate the Talks https://joind.in/event/phptek-2018
  2. 2. @adam_englander Cryptography Advances in PHP 7.2 Adam Englander Software Architect, iovation
  3. 3. @adam_englander Half of the changes identified in the PHP7.2.0 release announcements were related to cryptography.
  4. 4. @adam_englander SSL is Dead! Long live TLS!
  5. 5. @adam_englander Streams ssl:// is now an alias of tls://
  6. 6. @adam_englander Stream Defaults: STREAM_CRYPTO_METHOD_TLS_SERVER, STREAM_CRYPTO_METHOD_TLS_CLIENT, and tls:// default to TLSv1.0 + TLSv1.1 + TLSv1.2 instead of TLSv1.0 only
  7. 7. @adam_englander Goodbye MCrypt!
  8. 8. @adam_englander
  9. 9. @adam_englander Hello NaCl! (Sodium)
  10. 10. @adam_englander Easy, Secure, and Fast
  11. 11. @adam_englander Easy Like Laravel
  12. 12. @adam_englander Opinionated for your pleasure
  13. 13. @adam_englander Simplifies Common Tasks
  14. 14. @adam_englander Does a Lot of Heavy Lifting
  15. 15. @adam_englander Secure Like the Phantom Zone
  16. 16. @adam_englander Strong Authenticated Encryption
  17. 17. @adam_englander Modern Algorithms: Poly1305, XSalsa20, ChaCha20, Argon2i, Blake2
  18. 18. @adam_englander Helpers for Security
  19. 19. @adam_englander Constant-Time Test for Equality "abcdefg" == "hijklmnop" sodium_memcmp("abcdefg", "hijklmnop") "abcdefg" == "abcdefq" sodium_memcmp("abcdefg", "abcdefq")
  20. 20. @adam_englander String Memory Overwrite sodium_memzero($value); $value = "000000"; $value = "secret";
  21. 21. @adam_englander Fast Like the Millennium Falcon
  22. 22. @adam_englander ChaCha20 vs AES https://security.googleblog.com/2014/04/speeding-up-and-strengthening-https.html
  23. 23. @adam_englander BLAKE2 vs Everything https://blake2.net/
  24. 24. @adam_englander Key Derivation a.k.a. password hashing
  25. 25. @adam_englander Argon2i
  26. 26. @adam_englander Best in Class
  27. 27. @adam_englander Blake2 Inside
  28. 28. @adam_englander Time based rather than count based iterations
  29. 29. @adam_englander Parallelism and Memory Requirements
  30. 30. @adam_englander Exposed via Password Function
  31. 31. @adam_englander scrypt without PECL
  32. 32. @adam_englander Hashing Generic hashing
  33. 33. @adam_englander Blake2b for data validation
  34. 34. @adam_englander SipHash-2-4 for short hashes
  35. 35. @adam_englander Symmetric Key Encryption a.k.a secret key encryption
  36. 36. @adam_englander Authenticated encryption via auth tag
  37. 37. @adam_englander Stream based encryption
  38. 38. @adam_englander Encrypted message sets
  39. 39. @adam_englander XSalsa20-Poly1305
  40. 40. @adam_englander AES256-GCM if you like pain
  41. 41. @adam_englander Asymmetric Key Cryptography a.k.a. public key encryption
  42. 42. @adam_englander MAC authenticated encryption
  43. 43. @adam_englander Signatures can be attached or detached
  44. 44. @adam_englander XSalsa20-Poly1305
  45. 45. @adam_englander Example
  46. 46. @adam_englander Ed25519 signatures
  47. 47. @adam_englander Key Exchange Use with care!
  48. 48. @adam_englander Examples
  49. 49. @adam_englander Encryption
  50. 50. @adam_englander Key Generation $keyPair = sodium_crypto_box_keypair();
  51. 51. @adam_englander Getting Public/Private Key Pairs $secretKey = sodium_crypto_box_secretkey( $keyPair); $publicKey = sodium_crypto_box_publickey( $keyPair);
  52. 52. @adam_englander Creating Mixed Key Pairs sodium_crypto_box_keypair_from_secretkey_and_publickey( $mySecretKey, $theirPublicKey );
  53. 53. @adam_englander Encryption $nonce = random_bytes( SODIUM_CRYPTO_BOX_NONCEBYTES); $ciphertext = sodium_crypto_box( "Hello, World!", $nonce, $keyPair);
  54. 54. @adam_englander Decryption $plaintext = sodium_crypto_box_open( $ciphertext, $nonce, $keyPair);
  55. 55. @adam_englander Digital Signatures
  56. 56. @adam_englander Key Generation $keyPair = sodium_crypto_sign_keypair();
  57. 57. @adam_englander Getting Public/Private Key Pairs $secretKey = sodium_crypto_sign_secretkey( $keyPair); $publicKey = sodium_crypto_sign_publickey( $keyPair);
  58. 58. @adam_englander Signing $signedMsg = sodium_crypto_sign( "Hello, World!", $secretKey );
  59. 59. @adam_englander Signature Verification $originalMsg = sodium_crypto_sign_open( $signedMsg, $publicKey ); if ($originalMsg === false) { throw new Exception("Fail!"); }
  60. 60. @adam_englander Hashing
  61. 61. @adam_englander Standard Hash $h = sodium_crypto_generichash("Msg"); print base64_encode($h); URvIHd4RGAg4xWLIK7NfMiP0YGHr3kqVXCez9InPHgM=
  62. 62. @adam_englander Signed Hash $key = random_bytes( SODIUM_CRYPTO_GENERICHASH_KEYBYTES); $h = sodium_crypto_generichash( "Msg", $key); print base64_encode($h); /qV2j5MfGBjJ9g60PQnnQYSt1Y/1csjJzq37C1pE4SE=
  63. 63. @adam_englander Short Hash $key = random_bytes( SODIUM_CRYPTO_SHORTHASH_KEYBYTES); $h = sodium_crypto_shorthash( "Msg", $key); print base64_encode($h); eCTWVTKkkKw=
  64. 64. @adam_englander Key Derivation
  65. 65. @adam_englander Create KDF Hash $hash = sodium_crypto_pwhash_str( 'Password', SODIUM_CRYPTO_PWHASH_OPSLIMIT_INTERACTIVE, SODIUM_CRYPTO_PWHASH_MEMLIMIT_INTERACTIVE ); print base64_encode($hash); $argon2id$v=19$m=65536,t=2,p=1$qCcD3BqZjmbYEFMKxgsUjA$5BzYYNuACwp3Zq p29QnT9upRxVZykU/P8isst91uKYE==
  66. 66. @adam_englander Verify KDF Hash sodium_crypto_pwhash_str_verify( $hash, 'Password' );
  67. 67. @adam_englander Password Extension
  68. 68. @adam_englander Create Password Hash $hash = password_hash( 'Password', PASSWORD_ARGON2I ); $argon2i$v=19$m=1024,t=2,p=2$WW15cG1NLjR0cXZET3Nzeg$ImFwKTaVgDHme95M ROV5S9ssG+e458gdpLz9Cwwiba8
  69. 69. @adam_englander Resources https://download.libsodium.org/doc/ https://paragonie.com/book/pecl-libsodium http://php.net/manual/en/book.sodium.php http://php.net/manual/en/function.password-hash.php
  70. 70. @adam_englander Thanks to Our Sponsors
  71. 71. @adam_englander Rate This Talk https://joind.in/talk/48fbd
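
Slides 52 to 54 pass a `$keyPair` to both `sodium_crypto_box()` and `sodium_crypto_box_open()` without showing whose keys it holds. The two-party sketch below is an added example, not taken from the slides; the helper names `mixedKeyPair`, `sealFor` and `openFrom`, the `$alice`/`$bob` variables and the nonce-prefixed packet layout are assumptions made for illustration.

```php
<?php
// Added example: names and the nonce||ciphertext packet layout are illustrative assumptions.
function mixedKeyPair(string $ownKeyPair, string $peerPublic): string
{
    // Own secret key + the other party's public key (slide 52).
    return sodium_crypto_box_keypair_from_secretkey_and_publickey(
        sodium_crypto_box_secretkey($ownKeyPair),
        $peerPublic
    );
}

function sealFor(string $message, string $senderKeyPair, string $recipientPublic): string
{
    $mixed = mixedKeyPair($senderKeyPair, $recipientPublic);
    // Fresh random nonce per message; it is not secret, so it travels with the ciphertext.
    $nonce = random_bytes(SODIUM_CRYPTO_BOX_NONCEBYTES);
    $packet = $nonce . sodium_crypto_box($message, $nonce, $mixed);
    sodium_memzero($mixed);
    return $packet;
}

function openFrom(string $packet, string $recipientKeyPair, string $senderPublic): string
{
    if (strlen($packet) < SODIUM_CRYPTO_BOX_NONCEBYTES + SODIUM_CRYPTO_BOX_MACBYTES) {
        throw new RuntimeException('Packet too short');
    }
    $mixed = mixedKeyPair($recipientKeyPair, $senderPublic);
    $nonce = substr($packet, 0, SODIUM_CRYPTO_BOX_NONCEBYTES);
    $plaintext = sodium_crypto_box_open(substr($packet, SODIUM_CRYPTO_BOX_NONCEBYTES), $nonce, $mixed);
    sodium_memzero($mixed);
    if ($plaintext === false) {
        // Poly1305 tag mismatch: wrong keys or modified data.
        throw new RuntimeException('Authentication failed');
    }
    return $plaintext;
}

$alice = sodium_crypto_box_keypair();
$bob   = sodium_crypto_box_keypair();
$packet = sealFor('Hello, World!', $alice, sodium_crypto_box_publickey($bob));
var_dump(openFrom($packet, $bob, sodium_crypto_box_publickey($alice)));

// Constructed tamper test: flip one bit in the last byte of the packet.
$last = strlen($packet) - 1;
$packet[$last] = chr(ord($packet[$last]) ^ 1);
try {
    openFrom($packet, $bob, sodium_crypto_box_publickey($alice));
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

The sender and the recipient each build a different mixed key pair, and a successful open tells the recipient that the message came from the holder of the sender's secret key and was not modified in transit.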
