SlideShare a Scribd company logo
1 of 20
Download to read offline
Cryptography in Zend Framework 2



                                    Enrico Zimuel
                                    Senior PHP Engineer
                                    Zend Framework Team
                                    Zend Technologies




Uncon – 9th June, Dutch PHP Conference 2012
ZendCrypt
●
    ZendCrypt is a new component of ZF2
    (>= 2.0.0beta4)
●
    Facilitates the usage of cryptography in PHP
    projects
●
    Supports strong cryptography (standards +
    best practices)
ZendCrypt: main features
●
    Symmetric encryption/decryption +
    authentication
●
    Public key cryptography
●
    Key Derivation Function (PBKDF2, Salted2SK)
●
    Secure password hashing (bcrypt)
●
    Hash
●
    Hash-based Message Authentication Code
    (HMAC)
Supported algorithms
●
    Mcrypt: AES (Rijndael-128), Rijndael-192/256,
    Blowfish, Twofish, DES, 3DES, CAST-128/256,
    Saferplus, Serpent,
●
    OpenSSL: RSA, Diffie Hellman
●
    PBKDF2, Salted2SK
●
    Bcrypt
●
    Hash/HMAC functions provided by PHP: MD5, SHA-
    1/224/256/384/512, RIPEMD, TIGER, AVAL, ...
ZendCrypt components
●
    ZendCryptSymmetricMcrypt
●
    ZendCryptPublicKeyRsa
●
    ZendCryptPublicKeyDiffieHellman
●
    ZendCryptPassword
●
    ZendCryptKeyDerivation
●
    ZendCryptBlockCipher
●
    ZendCryptHash
●
    ZendCryptHmac
Encryption + authentication
●
    ZendCryptBlockCipher
●
    Default:
    –   AES encryption in CBC mode
    –   HMAC authentication (SHA-256)
    –   Random IV for each encryption
    –   PKCS7 padding (RFC 5652)
    –   PBKDF2 for key derivation (encrypt and auth)
    –   Prevent timing attacks
Example: encrypt/decrypt

use ZendCryptBlockCipher;
use ZendCryptBlockCipher;
 
 
$cipher = BlockCipher::factory('mcrypt',
$cipher = BlockCipher::factory('mcrypt',
   array('algorithm' => 'aes')
   array('algorithm' => 'aes')
);
);
$cipher->setKey('this is the encryption key');
$cipher->setKey('this is the encryption key');
$text
$text      = 'This is the message to encrypt';
            = 'This is the message to encrypt';
$encrypted = $cipher->encrypt($text);
$encrypted = $cipher->encrypt($text);
 
 
printf("Encrypted text: %sn", $encrypted);
printf("Encrypted text: %sn", $encrypted);
$text
$text      = $cipher->decrypt($encrypted);
            = $cipher->decrypt($encrypted);
printf("Decrypted text: %sn", $text);
printf("Decrypted text: %sn", $text);
Encryption format
      Encryption = HMAC . IV . ENCRYPT

●
    MSG is the message to encrypt
●
    KEY is the encryption key (by PBKDF2)
●
    AUTH is the authentication key (by PBKDF2)
●
    ENCRYPT = AES(MSG, KEY)
●
    HMAC = HMAC('sha256', AUTH, 'AES' . IV . ENCRYPT)
●
    IV = random
How to store a password?
●
    “More than 6 million LinkedIn passwords
    stolen” 7th July 2012, cnnmoney.com
●
    Don't use only an hash algorithm (dictionary
    attacks)
●
    Even using a salt is insecure (brute force
    attacks)
How to safely store a password
●
    bcrypt is an adaptive cryptographic hash
    function for passwords
●
    It's considered secure because is slow
    (prevent dictionary attacks)
●
    Implemented using crypt() of PHP
●
    It uses a parameter, the workload (or cost)
    that specify the amount of work
●
    More work means more secure hash value
Example: usage of bcrypt

    use ZendCryptPasswordBcrypt;
    use ZendCryptPasswordBcrypt;
     
     
    $bcrypt
    $bcrypt   = new Bcrypt();
              = new Bcrypt();
    $password = $bcrypt->create('password');
    $password = $bcrypt->create('password');
    printf ("Password: %sn", $password);
    printf ("Password: %sn", $password);


●
    The output ($password) is a string of 60 bytes
●
    The default value of the working factor is 14
The bcrypt workload
Check for valid passwords

use ZendCryptPasswordBcrypt;
use ZendCryptPasswordBcrypt;
 
 
$bcrypt
$bcrypt   = new Bcrypt();
           = new Bcrypt();
$password = $_POST['password'];
$password = $_POST['password'];
$hash
$hash     = '…'; // i.e. get from a database
           = '…'; // i.e. get from a database
if ($bcrypt->verify($password, $hash)) {
if ($bcrypt->verify($password, $hash)) {
   echo “The password is valid”;
   echo “The password is valid”;
} else {
} else {
   Echo “The password is not valid”;
   Echo “The password is not valid”;
}
}
Key Derivation Function
●
    NEVER USE user's password as crypto key!
●
    Key Derivation Function generates
    cryptographic keys based on user's
    passwords
●
    PBKDF2 is a KDF (RFC 2898, PKCS #5 v2.0)
PBKDF2
  “PBKDF2 applies a pseudorandom function,
 such as a cryptographic hash, cipher, or HMAC
to the input password or passphrase along with
a salt value and repeats the process many times
  to produce a derived key, which can then be
   used as a cryptographic key in subsequent
   operations. The added computational work
 makes password cracking much more difficult,
   and is known as key stretching” From Wikipedia
Example: Pbkdf2

use ZendCryptKeyDerivationPbkdf2,
use ZendCryptKeyDerivationPbkdf2,
    ZendMathMath;
    ZendMathMath;
 
 
$salt = Math::randBytes(32);
$salt = Math::randBytes(32);
$pass = 'this is the password of the user';
$pass = 'this is the password of the user';
$hash = Pbkdf2::calc('sha256', $pass, $salt, 10000, 32);
$hash = Pbkdf2::calc('sha256', $pass, $salt, 10000, 32);



●
    It generates a crypto key of 32 bytes using
    SHA-256 + random salt with an interation of
    10'000 times
How many iterations we need?
●
    It depends on the CPU power that you use
●
    Suggestion: use at least 1 sec. of computation
●
    Using an Intel Core i5 CPU at 3.3Ghz you need
    at least 100’000 iterations to get about 1 sec.
    of computation
ZF2 random number generator
●
    ZendMathMath::randBytes($length, $strong = false)
●
    ZendMathMath::rand($min, $max, $strong = false)
●
    Fallback strategy:
    1) If OpenSSL: openssl_random_pseudo_bytes()
    2) If Mcrypt: mcrypt_create_iv()
    3) If (!$strong): mt_rand()
    4) else throwing exception “Cannot generate
      strong random numbers”
Some references
●
    Niels Ferguson, Bruce Schneier, and Tadayoshi Kohno “
    Cryptography Engineering” John Wiley & Sons, 2010
●
    Dan Boneh, Cryptography Course, Stanford University,
    Coursera free online courses
●
    Coda Hale, How to safely store a password
●
    Zend Framework 2
●
    Anthony Ferrara, PHP-CryptLib
●
    E.Zimuel “Cryptography in PHP” Web & PHP Magazine, Issue
    2/2012
●
    E.Zimuel “Cryptography made easy with Zend Framework”
Thanks!
●
    Contacts:
     enrico@zend.com
     @ezimuel

More Related Content

What's hot

Zend Framework 2 - Basic Components
Zend Framework 2  - Basic ComponentsZend Framework 2  - Basic Components
Zend Framework 2 - Basic ComponentsMateusz Tymek
 
Zend Framework 2 Components
Zend Framework 2 ComponentsZend Framework 2 Components
Zend Framework 2 ComponentsShawn Stratton
 
Deprecated: Foundations of Zend Framework 2
Deprecated: Foundations of Zend Framework 2Deprecated: Foundations of Zend Framework 2
Deprecated: Foundations of Zend Framework 2Adam Culp
 
ZFConf 2012: Zend Framework 2, a quick start (Enrico Zimuel)
ZFConf 2012: Zend Framework 2, a quick start (Enrico Zimuel)ZFConf 2012: Zend Framework 2, a quick start (Enrico Zimuel)
ZFConf 2012: Zend Framework 2, a quick start (Enrico Zimuel)ZFConf Conference
 
ZFConf 2012: Dependency Management в PHP и Zend Framework 2 (Кирилл Чебунин)
ZFConf 2012: Dependency Management в PHP и Zend Framework 2 (Кирилл Чебунин)ZFConf 2012: Dependency Management в PHP и Zend Framework 2 (Кирилл Чебунин)
ZFConf 2012: Dependency Management в PHP и Zend Framework 2 (Кирилл Чебунин)ZFConf Conference
 
ZFConf 2012: Capistrano для деплоймента PHP-приложений (Роман Лапин)
ZFConf 2012: Capistrano для деплоймента PHP-приложений (Роман Лапин)ZFConf 2012: Capistrano для деплоймента PHP-приложений (Роман Лапин)
ZFConf 2012: Capistrano для деплоймента PHP-приложений (Роман Лапин)ZFConf Conference
 
HTML5 Real-Time and Connectivity
HTML5 Real-Time and ConnectivityHTML5 Real-Time and Connectivity
HTML5 Real-Time and ConnectivityPeter Lubbers
 
Nodejs getting started
Nodejs getting startedNodejs getting started
Nodejs getting startedTriet Ho
 
Advanced Eclipse Workshop (held at IPC2010 -spring edition-)
Advanced Eclipse Workshop (held at IPC2010 -spring edition-)Advanced Eclipse Workshop (held at IPC2010 -spring edition-)
Advanced Eclipse Workshop (held at IPC2010 -spring edition-)Bastian Feder
 
Node.js Tutorial for Beginners | Node.js Web Application Tutorial | Node.js T...
Node.js Tutorial for Beginners | Node.js Web Application Tutorial | Node.js T...Node.js Tutorial for Beginners | Node.js Web Application Tutorial | Node.js T...
Node.js Tutorial for Beginners | Node.js Web Application Tutorial | Node.js T...Edureka!
 
Zend Framework 2 - presentation
Zend Framework 2 - presentationZend Framework 2 - presentation
Zend Framework 2 - presentationyamcsha
 
A Zend Architecture presentation
A Zend Architecture presentationA Zend Architecture presentation
A Zend Architecture presentationtechweb08
 
Node.js Explained
Node.js ExplainedNode.js Explained
Node.js ExplainedJeff Kunkle
 
Tricks and Tips With NIO Using the Grizzly Framework
Tricks and Tips With NIO Using the Grizzly FrameworkTricks and Tips With NIO Using the Grizzly Framework
Tricks and Tips With NIO Using the Grizzly Frameworkelliando dias
 

What's hot (20)

Zend Framework 2
Zend Framework 2Zend Framework 2
Zend Framework 2
 
Zend Framework 2 - Basic Components
Zend Framework 2  - Basic ComponentsZend Framework 2  - Basic Components
Zend Framework 2 - Basic Components
 
Zend Framework 2 Components
Zend Framework 2 ComponentsZend Framework 2 Components
Zend Framework 2 Components
 
Deprecated: Foundations of Zend Framework 2
Deprecated: Foundations of Zend Framework 2Deprecated: Foundations of Zend Framework 2
Deprecated: Foundations of Zend Framework 2
 
ZFConf 2012: Zend Framework 2, a quick start (Enrico Zimuel)
ZFConf 2012: Zend Framework 2, a quick start (Enrico Zimuel)ZFConf 2012: Zend Framework 2, a quick start (Enrico Zimuel)
ZFConf 2012: Zend Framework 2, a quick start (Enrico Zimuel)
 
Introduction to Zend Framework
Introduction to Zend FrameworkIntroduction to Zend Framework
Introduction to Zend Framework
 
ZFConf 2012: Dependency Management в PHP и Zend Framework 2 (Кирилл Чебунин)
ZFConf 2012: Dependency Management в PHP и Zend Framework 2 (Кирилл Чебунин)ZFConf 2012: Dependency Management в PHP и Zend Framework 2 (Кирилл Чебунин)
ZFConf 2012: Dependency Management в PHP и Zend Framework 2 (Кирилл Чебунин)
 
ZFConf 2012: Capistrano для деплоймента PHP-приложений (Роман Лапин)
ZFConf 2012: Capistrano для деплоймента PHP-приложений (Роман Лапин)ZFConf 2012: Capistrano для деплоймента PHP-приложений (Роман Лапин)
ZFConf 2012: Capistrano для деплоймента PHP-приложений (Роман Лапин)
 
HTML5 Real-Time and Connectivity
HTML5 Real-Time and ConnectivityHTML5 Real-Time and Connectivity
HTML5 Real-Time and Connectivity
 
Nodejs getting started
Nodejs getting startedNodejs getting started
Nodejs getting started
 
Advanced Eclipse Workshop (held at IPC2010 -spring edition-)
Advanced Eclipse Workshop (held at IPC2010 -spring edition-)Advanced Eclipse Workshop (held at IPC2010 -spring edition-)
Advanced Eclipse Workshop (held at IPC2010 -spring edition-)
 
Zend Framework 2 Patterns
Zend Framework 2 PatternsZend Framework 2 Patterns
Zend Framework 2 Patterns
 
Node js
Node jsNode js
Node js
 
Node.js Tutorial for Beginners | Node.js Web Application Tutorial | Node.js T...
Node.js Tutorial for Beginners | Node.js Web Application Tutorial | Node.js T...Node.js Tutorial for Beginners | Node.js Web Application Tutorial | Node.js T...
Node.js Tutorial for Beginners | Node.js Web Application Tutorial | Node.js T...
 
Zend Framework 2 - presentation
Zend Framework 2 - presentationZend Framework 2 - presentation
Zend Framework 2 - presentation
 
A Zend Architecture presentation
A Zend Architecture presentationA Zend Architecture presentation
A Zend Architecture presentation
 
Node.js Explained
Node.js ExplainedNode.js Explained
Node.js Explained
 
Nodejs
NodejsNodejs
Nodejs
 
Tricks and Tips With NIO Using the Grizzly Framework
Tricks and Tips With NIO Using the Grizzly FrameworkTricks and Tips With NIO Using the Grizzly Framework
Tricks and Tips With NIO Using the Grizzly Framework
 
Node.js Basics
Node.js Basics Node.js Basics
Node.js Basics
 

Similar to Cryptography with Zend Framework

Strong cryptography in PHP
Strong cryptography in PHPStrong cryptography in PHP
Strong cryptography in PHPEnrico Zimuel
 
Password (in)security
Password (in)securityPassword (in)security
Password (in)securityEnrico Zimuel
 
Information security programming in ruby
Information security programming in rubyInformation security programming in ruby
Information security programming in rubyHiroshi Nakamura
 
Task 4 The key is hardcoded in the provided source DES enc.pdf
Task 4  The key is hardcoded in the provided source DES enc.pdfTask 4  The key is hardcoded in the provided source DES enc.pdf
Task 4 The key is hardcoded in the provided source DES enc.pdfabcfootcare
 
PBKDF2: Storing Sensitive Data Securely in Android Applications
PBKDF2: Storing Sensitive Data Securely in Android ApplicationsPBKDF2: Storing Sensitive Data Securely in Android Applications
PBKDF2: Storing Sensitive Data Securely in Android ApplicationsShiv Sahni
 
Eight simple rules to writing secure PHP programs
Eight simple rules to writing secure PHP programsEight simple rules to writing secure PHP programs
Eight simple rules to writing secure PHP programsAleksandr Yampolskiy
 
VisualWorks Security Reloaded - STIC 2012
VisualWorks Security Reloaded - STIC 2012VisualWorks Security Reloaded - STIC 2012
VisualWorks Security Reloaded - STIC 2012Martin Kobetic
 
Nko workshop - node js crud & deploy
Nko workshop - node js crud & deployNko workshop - node js crud & deploy
Nko workshop - node js crud & deploySimon Su
 
Hadoop Security Now and Future
Hadoop Security Now and FutureHadoop Security Now and Future
Hadoop Security Now and Futuretcloudcomputing-tw
 
Encryption Boot Camp at JavaZone 2010
Encryption Boot Camp at JavaZone 2010Encryption Boot Camp at JavaZone 2010
Encryption Boot Camp at JavaZone 2010Matthew McCullough
 
A tale of application development
A tale of application developmentA tale of application development
A tale of application developmentNicolas Corrarello
 
Let s Enjoy Node.js
Let s Enjoy Node.jsLet s Enjoy Node.js
Let s Enjoy Node.jsFred Chien
 
Cryptography for the mere mortals
Cryptography for the mere mortalsCryptography for the mere mortals
Cryptography for the mere mortalsM A Hossain Tonu
 
Crypto failures every developer should avoid
Crypto failures every developer should avoidCrypto failures every developer should avoid
Crypto failures every developer should avoidOwaspCzech
 
Crypto failures every developer should avoid
Crypto failures every developer should avoidCrypto failures every developer should avoid
Crypto failures every developer should avoidFilip Šebesta
 
X64服务器 lnmp服务器部署标准 new
X64服务器 lnmp服务器部署标准 newX64服务器 lnmp服务器部署标准 new
X64服务器 lnmp服务器部署标准 newYiwei Ma
 
Cryptography for the mere mortals - for phpXperts Seminar 2011 by Hasin and Tonu
Cryptography for the mere mortals - for phpXperts Seminar 2011 by Hasin and TonuCryptography for the mere mortals - for phpXperts Seminar 2011 by Hasin and Tonu
Cryptography for the mere mortals - for phpXperts Seminar 2011 by Hasin and TonuHasin Hayder
 

Similar to Cryptography with Zend Framework (20)

Strong cryptography in PHP
Strong cryptography in PHPStrong cryptography in PHP
Strong cryptography in PHP
 
Password (in)security
Password (in)securityPassword (in)security
Password (in)security
 
Information security programming in ruby
Information security programming in rubyInformation security programming in ruby
Information security programming in ruby
 
Cryptography in PHP: Some Use Cases
Cryptography in PHP: Some Use CasesCryptography in PHP: Some Use Cases
Cryptography in PHP: Some Use Cases
 
Task 4 The key is hardcoded in the provided source DES enc.pdf
Task 4  The key is hardcoded in the provided source DES enc.pdfTask 4  The key is hardcoded in the provided source DES enc.pdf
Task 4 The key is hardcoded in the provided source DES enc.pdf
 
PBKDF2: Storing Sensitive Data Securely in Android Applications
PBKDF2: Storing Sensitive Data Securely in Android ApplicationsPBKDF2: Storing Sensitive Data Securely in Android Applications
PBKDF2: Storing Sensitive Data Securely in Android Applications
 
Django cryptography
Django cryptographyDjango cryptography
Django cryptography
 
Eight simple rules to writing secure PHP programs
Eight simple rules to writing secure PHP programsEight simple rules to writing secure PHP programs
Eight simple rules to writing secure PHP programs
 
VisualWorks Security Reloaded - STIC 2012
VisualWorks Security Reloaded - STIC 2012VisualWorks Security Reloaded - STIC 2012
VisualWorks Security Reloaded - STIC 2012
 
Nko workshop - node js crud & deploy
Nko workshop - node js crud & deployNko workshop - node js crud & deploy
Nko workshop - node js crud & deploy
 
Hadoop Security Now and Future
Hadoop Security Now and FutureHadoop Security Now and Future
Hadoop Security Now and Future
 
Encryption Boot Camp at JavaZone 2010
Encryption Boot Camp at JavaZone 2010Encryption Boot Camp at JavaZone 2010
Encryption Boot Camp at JavaZone 2010
 
A tale of application development
A tale of application developmentA tale of application development
A tale of application development
 
Let s Enjoy Node.js
Let s Enjoy Node.jsLet s Enjoy Node.js
Let s Enjoy Node.js
 
Cryptography 101
Cryptography 101Cryptography 101
Cryptography 101
 
Cryptography for the mere mortals
Cryptography for the mere mortalsCryptography for the mere mortals
Cryptography for the mere mortals
 
Crypto failures every developer should avoid
Crypto failures every developer should avoidCrypto failures every developer should avoid
Crypto failures every developer should avoid
 
Crypto failures every developer should avoid
Crypto failures every developer should avoidCrypto failures every developer should avoid
Crypto failures every developer should avoid
 
X64服务器 lnmp服务器部署标准 new
X64服务器 lnmp服务器部署标准 newX64服务器 lnmp服务器部署标准 new
X64服务器 lnmp服务器部署标准 new
 
Cryptography for the mere mortals - for phpXperts Seminar 2011 by Hasin and Tonu
Cryptography for the mere mortals - for phpXperts Seminar 2011 by Hasin and TonuCryptography for the mere mortals - for phpXperts Seminar 2011 by Hasin and Tonu
Cryptography for the mere mortals - for phpXperts Seminar 2011 by Hasin and Tonu
 

More from Enrico Zimuel

Integrare Zend Framework in Wordpress
Integrare Zend Framework in WordpressIntegrare Zend Framework in Wordpress
Integrare Zend Framework in WordpressEnrico Zimuel
 
Introduzione alla Posta Elettronica Certificata (PEC): le regole tecniche
Introduzione alla Posta Elettronica Certificata (PEC): le regole tecnicheIntroduzione alla Posta Elettronica Certificata (PEC): le regole tecniche
Introduzione alla Posta Elettronica Certificata (PEC): le regole tecnicheEnrico Zimuel
 
Cryptography in PHP: use cases
Cryptography in PHP: use casesCryptography in PHP: use cases
Cryptography in PHP: use casesEnrico Zimuel
 
Framework software e Zend Framework
Framework software e Zend FrameworkFramework software e Zend Framework
Framework software e Zend FrameworkEnrico Zimuel
 
How to scale PHP applications
How to scale PHP applicationsHow to scale PHP applications
How to scale PHP applicationsEnrico Zimuel
 
Velocizzare Joomla! con Zend Server Community Edition
Velocizzare Joomla! con Zend Server Community EditionVelocizzare Joomla! con Zend Server Community Edition
Velocizzare Joomla! con Zend Server Community EditionEnrico Zimuel
 
Zend_Cache: how to improve the performance of PHP applications
Zend_Cache: how to improve the performance of PHP applicationsZend_Cache: how to improve the performance of PHP applications
Zend_Cache: how to improve the performance of PHP applicationsEnrico Zimuel
 
XCheck a benchmark checker for XML query processors
XCheck a benchmark checker for XML query processorsXCheck a benchmark checker for XML query processors
XCheck a benchmark checker for XML query processorsEnrico Zimuel
 
Introduzione alle tabelle hash
Introduzione alle tabelle hashIntroduzione alle tabelle hash
Introduzione alle tabelle hashEnrico Zimuel
 
Crittografia quantistica: fantascienza o realtà?
Crittografia quantistica: fantascienza o realtà?Crittografia quantistica: fantascienza o realtà?
Crittografia quantistica: fantascienza o realtà?Enrico Zimuel
 
Introduzione alla crittografia
Introduzione alla crittografiaIntroduzione alla crittografia
Introduzione alla crittografiaEnrico Zimuel
 
Crittografia è sinonimo di sicurezza?
Crittografia è sinonimo di sicurezza?Crittografia è sinonimo di sicurezza?
Crittografia è sinonimo di sicurezza?Enrico Zimuel
 
Sviluppo di applicazioni sicure
Sviluppo di applicazioni sicureSviluppo di applicazioni sicure
Sviluppo di applicazioni sicureEnrico Zimuel
 
Misure minime di sicurezza informatica
Misure minime di sicurezza informaticaMisure minime di sicurezza informatica
Misure minime di sicurezza informaticaEnrico Zimuel
 
La sicurezza delle applicazioni in PHP
La sicurezza delle applicazioni in PHPLa sicurezza delle applicazioni in PHP
La sicurezza delle applicazioni in PHPEnrico Zimuel
 

More from Enrico Zimuel (19)

Integrare Zend Framework in Wordpress
Integrare Zend Framework in WordpressIntegrare Zend Framework in Wordpress
Integrare Zend Framework in Wordpress
 
Introduzione alla Posta Elettronica Certificata (PEC): le regole tecniche
Introduzione alla Posta Elettronica Certificata (PEC): le regole tecnicheIntroduzione alla Posta Elettronica Certificata (PEC): le regole tecniche
Introduzione alla Posta Elettronica Certificata (PEC): le regole tecniche
 
PHP goes mobile
PHP goes mobilePHP goes mobile
PHP goes mobile
 
Zend Framework 2
Zend Framework 2Zend Framework 2
Zend Framework 2
 
Cryptography in PHP: use cases
Cryptography in PHP: use casesCryptography in PHP: use cases
Cryptography in PHP: use cases
 
Framework software e Zend Framework
Framework software e Zend FrameworkFramework software e Zend Framework
Framework software e Zend Framework
 
How to scale PHP applications
How to scale PHP applicationsHow to scale PHP applications
How to scale PHP applications
 
Velocizzare Joomla! con Zend Server Community Edition
Velocizzare Joomla! con Zend Server Community EditionVelocizzare Joomla! con Zend Server Community Edition
Velocizzare Joomla! con Zend Server Community Edition
 
Zend_Cache: how to improve the performance of PHP applications
Zend_Cache: how to improve the performance of PHP applicationsZend_Cache: how to improve the performance of PHP applications
Zend_Cache: how to improve the performance of PHP applications
 
XCheck a benchmark checker for XML query processors
XCheck a benchmark checker for XML query processorsXCheck a benchmark checker for XML query processors
XCheck a benchmark checker for XML query processors
 
Introduzione alle tabelle hash
Introduzione alle tabelle hashIntroduzione alle tabelle hash
Introduzione alle tabelle hash
 
Crittografia quantistica: fantascienza o realtà?
Crittografia quantistica: fantascienza o realtà?Crittografia quantistica: fantascienza o realtà?
Crittografia quantistica: fantascienza o realtà?
 
Introduzione alla crittografia
Introduzione alla crittografiaIntroduzione alla crittografia
Introduzione alla crittografia
 
Crittografia è sinonimo di sicurezza?
Crittografia è sinonimo di sicurezza?Crittografia è sinonimo di sicurezza?
Crittografia è sinonimo di sicurezza?
 
Sviluppo di applicazioni sicure
Sviluppo di applicazioni sicureSviluppo di applicazioni sicure
Sviluppo di applicazioni sicure
 
Misure minime di sicurezza informatica
Misure minime di sicurezza informaticaMisure minime di sicurezza informatica
Misure minime di sicurezza informatica
 
PHP e crittografia
PHP e crittografiaPHP e crittografia
PHP e crittografia
 
La sicurezza delle applicazioni in PHP
La sicurezza delle applicazioni in PHPLa sicurezza delle applicazioni in PHP
La sicurezza delle applicazioni in PHP
 
Firma digitale
Firma digitaleFirma digitale
Firma digitale
 

Recently uploaded

THE STATE OF STARTUP ECOSYSTEM - INDIA x JAPAN 2023
THE STATE OF STARTUP ECOSYSTEM - INDIA x JAPAN 2023THE STATE OF STARTUP ECOSYSTEM - INDIA x JAPAN 2023
THE STATE OF STARTUP ECOSYSTEM - INDIA x JAPAN 2023Joshua Flannery
 
Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024TopCSSGallery
 
Transport in Open Pits______SM_MI10415MI
Transport in Open Pits______SM_MI10415MITransport in Open Pits______SM_MI10415MI
Transport in Open Pits______SM_MI10415MIRomil Mishra
 
A PowerPoint Presentation on Vikram Lander pptx
A PowerPoint Presentation on Vikram Lander pptxA PowerPoint Presentation on Vikram Lander pptx
A PowerPoint Presentation on Vikram Lander pptxatharvdev2010
 
full stack practical assignment msc cs.pdf
full stack practical assignment msc cs.pdffull stack practical assignment msc cs.pdf
full stack practical assignment msc cs.pdfHulkTheDevil
 
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...Jeffrey Haguewood
 
The Critical Role of Spatial Data in Today's Data Ecosystem
The Critical Role of Spatial Data in Today's Data EcosystemThe Critical Role of Spatial Data in Today's Data Ecosystem
The Critical Role of Spatial Data in Today's Data EcosystemSafe Software
 
Dublin_mulesoft_meetup_API_specifications.pptx
Dublin_mulesoft_meetup_API_specifications.pptxDublin_mulesoft_meetup_API_specifications.pptx
Dublin_mulesoft_meetup_API_specifications.pptxKunal Gupta
 
Infrared simulation and processing on Nvidia platforms
Infrared simulation and processing on Nvidia platformsInfrared simulation and processing on Nvidia platforms
Infrared simulation and processing on Nvidia platformsYoss Cohen
 
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS:  6 Ways to Automate Your Data IntegrationBridging Between CAD & GIS:  6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integrationmarketing932765
 
Tecnogravura, Cylinder Engraving for Rotogravure
Tecnogravura, Cylinder Engraving for RotogravureTecnogravura, Cylinder Engraving for Rotogravure
Tecnogravura, Cylinder Engraving for RotogravureAntonio de Llamas
 
Accelerating Enterprise Software Engineering with Platformless
Accelerating Enterprise Software Engineering with PlatformlessAccelerating Enterprise Software Engineering with Platformless
Accelerating Enterprise Software Engineering with PlatformlessWSO2
 
Tetracrom printing process for packaging with CMYK+
Tetracrom printing process for packaging with CMYK+Tetracrom printing process for packaging with CMYK+
Tetracrom printing process for packaging with CMYK+Antonio de Llamas
 
Efficiencies in RPA with UiPath and CyberArk Technologies - Session 2
Efficiencies in RPA with UiPath and CyberArk Technologies - Session 2Efficiencies in RPA with UiPath and CyberArk Technologies - Session 2
Efficiencies in RPA with UiPath and CyberArk Technologies - Session 2DianaGray10
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Hiroshi SHIBATA
 
Automation Ops Series: Session 3 - Solutions management
Automation Ops Series: Session 3 - Solutions managementAutomation Ops Series: Session 3 - Solutions management
Automation Ops Series: Session 3 - Solutions managementDianaGray10
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Mark Goldstein
 
Laying the Data Foundations for Artificial Intelligence!
Laying the Data Foundations for Artificial Intelligence!Laying the Data Foundations for Artificial Intelligence!
Laying the Data Foundations for Artificial Intelligence!Memoori
 
Transcript: Green paths: Learning from publishers’ sustainability journeys - ...
Transcript: Green paths: Learning from publishers’ sustainability journeys - ...Transcript: Green paths: Learning from publishers’ sustainability journeys - ...
Transcript: Green paths: Learning from publishers’ sustainability journeys - ...BookNet Canada
 

Recently uploaded (20)

THE STATE OF STARTUP ECOSYSTEM - INDIA x JAPAN 2023
THE STATE OF STARTUP ECOSYSTEM - INDIA x JAPAN 2023THE STATE OF STARTUP ECOSYSTEM - INDIA x JAPAN 2023
THE STATE OF STARTUP ECOSYSTEM - INDIA x JAPAN 2023
 
Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024
 
Transport in Open Pits______SM_MI10415MI
Transport in Open Pits______SM_MI10415MITransport in Open Pits______SM_MI10415MI
Transport in Open Pits______SM_MI10415MI
 
A PowerPoint Presentation on Vikram Lander pptx
A PowerPoint Presentation on Vikram Lander pptxA PowerPoint Presentation on Vikram Lander pptx
A PowerPoint Presentation on Vikram Lander pptx
 
full stack practical assignment msc cs.pdf
full stack practical assignment msc cs.pdffull stack practical assignment msc cs.pdf
full stack practical assignment msc cs.pdf
 
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
 
The Critical Role of Spatial Data in Today's Data Ecosystem
The Critical Role of Spatial Data in Today's Data EcosystemThe Critical Role of Spatial Data in Today's Data Ecosystem
The Critical Role of Spatial Data in Today's Data Ecosystem
 
Dublin_mulesoft_meetup_API_specifications.pptx
Dublin_mulesoft_meetup_API_specifications.pptxDublin_mulesoft_meetup_API_specifications.pptx
Dublin_mulesoft_meetup_API_specifications.pptx
 
Infrared simulation and processing on Nvidia platforms
Infrared simulation and processing on Nvidia platformsInfrared simulation and processing on Nvidia platforms
Infrared simulation and processing on Nvidia platforms
 
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS:  6 Ways to Automate Your Data IntegrationBridging Between CAD & GIS:  6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
 
Tecnogravura, Cylinder Engraving for Rotogravure
Tecnogravura, Cylinder Engraving for RotogravureTecnogravura, Cylinder Engraving for Rotogravure
Tecnogravura, Cylinder Engraving for Rotogravure
 
Accelerating Enterprise Software Engineering with Platformless
Accelerating Enterprise Software Engineering with PlatformlessAccelerating Enterprise Software Engineering with Platformless
Accelerating Enterprise Software Engineering with Platformless
 
Tetracrom printing process for packaging with CMYK+
Tetracrom printing process for packaging with CMYK+Tetracrom printing process for packaging with CMYK+
Tetracrom printing process for packaging with CMYK+
 
Efficiencies in RPA with UiPath and CyberArk Technologies - Session 2
Efficiencies in RPA with UiPath and CyberArk Technologies - Session 2Efficiencies in RPA with UiPath and CyberArk Technologies - Session 2
Efficiencies in RPA with UiPath and CyberArk Technologies - Session 2
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024
 
Automation Ops Series: Session 3 - Solutions management
Automation Ops Series: Session 3 - Solutions managementAutomation Ops Series: Session 3 - Solutions management
Automation Ops Series: Session 3 - Solutions management
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
 
BoSEU24 | Bill Thompson | Talk From Another Century
BoSEU24 | Bill Thompson | Talk From Another CenturyBoSEU24 | Bill Thompson | Talk From Another Century
BoSEU24 | Bill Thompson | Talk From Another Century
 
Laying the Data Foundations for Artificial Intelligence!
Laying the Data Foundations for Artificial Intelligence!Laying the Data Foundations for Artificial Intelligence!
Laying the Data Foundations for Artificial Intelligence!
 
Transcript: Green paths: Learning from publishers’ sustainability journeys - ...
Transcript: Green paths: Learning from publishers’ sustainability journeys - ...Transcript: Green paths: Learning from publishers’ sustainability journeys - ...
Transcript: Green paths: Learning from publishers’ sustainability journeys - ...
 

Cryptography with Zend Framework

  • 1. Cryptography in Zend Framework 2 Enrico Zimuel Senior PHP Engineer Zend Framework Team Zend Technologies Uncon – 9th June, Dutch PHP Conference 2012
  • 2. ZendCrypt ● ZendCrypt is a new component of ZF2 (>= 2.0.0beta4) ● Facilitates the usage of cryptography in PHP projects ● Supports strong cryptography (standards + best practices)
  • 3. ZendCrypt: main features ● Symmetric encryption/decryption + authentication ● Public key cryptography ● Key Derivation Function (PBKDF2, Salted2SK) ● Secure password hashing (bcrypt) ● Hash ● Hash-based Message Authentication Code (HMAC)
  • 4. Supported algorithms ● Mcrypt: AES (Rijndael-128), Rijndael-192/256, Blowfish, Twofish, DES, 3DES, CAST-128/256, Saferplus, Serpent, ● OpenSSL: RSA, Diffie Hellman ● PBKDF2, Salted2SK ● Bcrypt ● Hash/HMAC functions provided by PHP: MD5, SHA- 1/224/256/384/512, RIPEMD, TIGER, AVAL, ...
  • 5. ZendCrypt components ● ZendCryptSymmetricMcrypt ● ZendCryptPublicKeyRsa ● ZendCryptPublicKeyDiffieHellman ● ZendCryptPassword ● ZendCryptKeyDerivation ● ZendCryptBlockCipher ● ZendCryptHash ● ZendCryptHmac
  • 6. Encryption + authentication ● ZendCryptBlockCipher ● Default: – AES encryption in CBC mode – HMAC authentication (SHA-256) – Random IV for each encryption – PKCS7 padding (RFC 5652) – PBKDF2 for key derivation (encrypt and auth) – Prevent timing attacks
  • 7. Example: encrypt/decrypt use ZendCryptBlockCipher; use ZendCryptBlockCipher;     $cipher = BlockCipher::factory('mcrypt', $cipher = BlockCipher::factory('mcrypt', array('algorithm' => 'aes') array('algorithm' => 'aes') ); ); $cipher->setKey('this is the encryption key'); $cipher->setKey('this is the encryption key'); $text $text = 'This is the message to encrypt'; = 'This is the message to encrypt'; $encrypted = $cipher->encrypt($text); $encrypted = $cipher->encrypt($text);     printf("Encrypted text: %sn", $encrypted); printf("Encrypted text: %sn", $encrypted); $text $text = $cipher->decrypt($encrypted); = $cipher->decrypt($encrypted); printf("Decrypted text: %sn", $text); printf("Decrypted text: %sn", $text);
  • 8. Encryption format Encryption = HMAC . IV . ENCRYPT ● MSG is the message to encrypt ● KEY is the encryption key (by PBKDF2) ● AUTH is the authentication key (by PBKDF2) ● ENCRYPT = AES(MSG, KEY) ● HMAC = HMAC('sha256', AUTH, 'AES' . IV . ENCRYPT) ● IV = random
  • 9. How to store a password? ● “More than 6 million LinkedIn passwords stolen” 7th July 2012, cnnmoney.com ● Don't use only an hash algorithm (dictionary attacks) ● Even using a salt is insecure (brute force attacks)
  • 10. How to safely store a password ● bcrypt is an adaptive cryptographic hash function for passwords ● It's considered secure because is slow (prevent dictionary attacks) ● Implemented using crypt() of PHP ● It uses a parameter, the workload (or cost) that specify the amount of work ● More work means more secure hash value
  • 11. Example: usage of bcrypt use ZendCryptPasswordBcrypt; use ZendCryptPasswordBcrypt;     $bcrypt $bcrypt = new Bcrypt(); = new Bcrypt(); $password = $bcrypt->create('password'); $password = $bcrypt->create('password'); printf ("Password: %sn", $password); printf ("Password: %sn", $password); ● The output ($password) is a string of 60 bytes ● The default value of the working factor is 14
  • 13. Check for valid passwords use ZendCryptPasswordBcrypt; use ZendCryptPasswordBcrypt;     $bcrypt $bcrypt = new Bcrypt(); = new Bcrypt(); $password = $_POST['password']; $password = $_POST['password']; $hash $hash = '…'; // i.e. get from a database = '…'; // i.e. get from a database if ($bcrypt->verify($password, $hash)) { if ($bcrypt->verify($password, $hash)) { echo “The password is valid”; echo “The password is valid”; } else { } else { Echo “The password is not valid”; Echo “The password is not valid”; } }
  • 14. Key Derivation Function ● NEVER USE user's password as crypto key! ● Key Derivation Function generates cryptographic keys based on user's passwords ● PBKDF2 is a KDF (RFC 2898, PKCS #5 v2.0)
  • 15. PBKDF2 “PBKDF2 applies a pseudorandom function, such as a cryptographic hash, cipher, or HMAC to the input password or passphrase along with a salt value and repeats the process many times to produce a derived key, which can then be used as a cryptographic key in subsequent operations. The added computational work makes password cracking much more difficult, and is known as key stretching” From Wikipedia
  • 16. Example: Pbkdf2 use ZendCryptKeyDerivationPbkdf2, use ZendCryptKeyDerivationPbkdf2, ZendMathMath; ZendMathMath;     $salt = Math::randBytes(32); $salt = Math::randBytes(32); $pass = 'this is the password of the user'; $pass = 'this is the password of the user'; $hash = Pbkdf2::calc('sha256', $pass, $salt, 10000, 32); $hash = Pbkdf2::calc('sha256', $pass, $salt, 10000, 32); ● It generates a crypto key of 32 bytes using SHA-256 + random salt with an interation of 10'000 times
  • 17. How many iterations we need? ● It depends on the CPU power that you use ● Suggestion: use at least 1 sec. of computation ● Using an Intel Core i5 CPU at 3.3Ghz you need at least 100’000 iterations to get about 1 sec. of computation
  • 18. ZF2 random number generator ● ZendMathMath::randBytes($length, $strong = false) ● ZendMathMath::rand($min, $max, $strong = false) ● Fallback strategy: 1) If OpenSSL: openssl_random_pseudo_bytes() 2) If Mcrypt: mcrypt_create_iv() 3) If (!$strong): mt_rand() 4) else throwing exception “Cannot generate strong random numbers”
  • 19. Some references ● Niels Ferguson, Bruce Schneier, and Tadayoshi Kohno “ Cryptography Engineering” John Wiley & Sons, 2010 ● Dan Boneh, Cryptography Course, Stanford University, Coursera free online courses ● Coda Hale, How to safely store a password ● Zend Framework 2 ● Anthony Ferrara, PHP-CryptLib ● E.Zimuel “Cryptography in PHP” Web & PHP Magazine, Issue 2/2012 ● E.Zimuel “Cryptography made easy with Zend Framework”
  • 20. Thanks! ● Contacts: enrico@zend.com @ezimuel