ENCRYPTION
It's For More Than Just Passwords
JOHN CONGDON
• PHP Since 2003
• SDPHP Organizer
• Developer for Networx Online
• PhoneBurner.com
• MeetingBurner.com
• FaxBurner.com
• I am not a cryptographer
TODAY'S TOPICS
Hashing
&
Encryption
The Evolution
Of Password Maintenance
CLEAR TEXT
$username = $_POST['username'];
$password = $_POST['password'];

$user = getUserByUsername($username);

$authenticated = false;
if ($user->password == $password) {
    $authenticated = true;
}
*example only: not meant to be used
MAJOR VULNERABILITY
• A server compromise hands over the complete username and password list in the clear
• SQL injection does too, and it does not even need a shell on the box
HASHING
CRYPTOGRAPHIC HASHING
Wikipedia definition: A cryptographic hash function is a hash function; that is, an algorithm that takes an arbitrary block of data and returns a fixed-size bitstring, the (cryptographic) hash value, such that any (accidental or intentional) change to the data will (with very high probability) change the hash value. The data to be encoded are often called the "message," and the hash value is sometimes called the message digest or simply the digest.

Message  -->  HASH  -->  Digest
unicorn  -->  md5   -->  1abcb33beeb811dca15f0ac3e47b88d9
MD5 EXAMPLE
$username = $_POST['username'];
$password = $_POST['password'];

$user = getUserByUsername($username);

$authenticated = false;
if ($user->password == md5($password)) {
    $authenticated = true;
}
*example only: not meant to be used
AVAILABLE ALGORITHMS
<?php
print_r(hash_algos());
Array
(
[0] => md2
[1] => md4
[2] => md5
[3] => sha1
[4] => sha224
[5] => sha256
[6] => sha384
[7] => sha512
[8] => ripemd128
[9] => ripemd160
[10] => ripemd256
[11] => ripemd320
[12] => whirlpool
[13] => tiger128,3
[14] => tiger160,3
[15] => tiger192,3
[16] => tiger128,4
[17] => tiger160,4
[18] => tiger192,4
[19] => snefru
[20] => snefru256
[21] => gost
[22] => gost-crypto
[23] => adler32
[24] => crc32
[25] => crc32b
[26] => fnv132
[27] => fnv1a32
[28] => fnv164
[29] => fnv1a64
[30] => joaat
[31] => haval128,3
[32] => haval160,3
[33] => haval192,3
[34] => haval224,3
[35] => haval256,3
[36] => haval128,4
[37] => haval160,4
[38] => haval192,4
[39] => haval224,4
[40] => haval256,4
[41] => haval128,5
[42] => haval160,5
[43] => haval192,5
[44] => haval224,5
[45] => haval256,5
)
VULNERABILITIES
• SQL injection still gives you the hashed passwords
• Fast, unsalted digests (md5, sha1, even sha512) are built for speed: a GPU tries billions per second, and rainbow tables hit the common passwords instantly
• Most of hash_algos() is no better for this job: adler32, crc32, fnv and joaat are checksums, not cryptographic hashes, and md2/md4/md5/sha1 are broken for collision resistance
ADDING SALT
In cryptography, a salt is random data that is used as an additional input to a one-way function that hashes a password or passphrase. The primary function of salts is to defend against dictionary attacks versus a list of password hashes and against pre-computed rainbow table attacks.
$hash = md5('RAND_SALT' . $password);
RAND_SALT must come from a cryptographically secure source, be unique per user, and be stored next to the hash (it is not a secret).
Do not use (rand, mt_rand, uniqid)
Do use (/dev/urandom, mcrypt_create_iv, openssl_random_pseudo_bytes; on PHP 7+ simply random_bytes())
A salt stops precomputation, not brute force: md5 is still fast, so each salted hash is cracked one at a time instead of all at once.
$username = $_POST['username'];
$password = $_POST['password'];

$user = getUserByUsername($username);

$authenticated = false;
if ($user->password == md5($user->salt . $password)) {
    $authenticated = true;
}
*example only: not meant to be used
MD5+SALT EXAMPLE
// Variant 1: split the stored salt, first 8 characters before the password, the rest after
function generateUserPassword($salt_string, $password)
{
    $str1 = substr($salt_string, 0, 8);
    $str2 = substr($salt_string, 8);
    return md5($str1 . $password . $str2);
}

// Variant 2: a class method with two salts held on the object
function hashPassword($password)
{
    return sha1($this->Salt1 . $password . $this->Salt2);
}
USE TODAY'S STANDARDS
Currently: BCrypt
• Slower by design
• Configurable to help withstand the test of time
• Should be configured to take 0.25 to 0.50 seconds
• Start with a cost of 10, use higher if possible (each +1 doubles the work)
• Generates and stores its own salt, so you never handle one yourself
• Caveat: bcrypt only looks at the first 72 bytes of the password
https://github.com/johncongdon/bcrypt-cost-finder
PHP 5.5 Password Hashing API
http://www.php.net/manual/en/ref.password.php
PHP 5.5 Password Hashing API
function authenticate($user, $password) {
    $authenticated = false;
    if ($user->password == md5($password)) {
        $authenticated = true;
    }
    return $authenticated;
}
PHP 5.5 Password Hashing API
function authenticate($user, $password) {
    $authenticated = false;
    $hash = $user->password;

    // New-style hashes: password_verify() handles the salt and the cost
    // and compares in constant time.
    if (password_verify($password, $hash)) {
        $authenticated = true;
    }

    // Legacy rows still hold an md5 digest; accept them once so the caller
    // can rehash. Use hash_equals() (PHP 5.6+) rather than ==: loose comparison
    // of two hex strings is timing-dependent and treats "0e..." digests as numbers.
    if (hash_equals($hash, md5($password))) {
        $authenticated = true;
    }

    return $authenticated;
}
PHP 5.5 Password Hashing API
$username = $_POST['username'];
$password = $_POST['password'];

$user = getUserByUsername($username);

if (authenticate($user, $password)) {
    // True for legacy md5 rows (unknown algorithm) and for bcrypt hashes
    // made with a different cost, so users migrate on their next login.
    if (password_needs_rehash($user->password, PASSWORD_DEFAULT)) {
        $user->password = password_hash($password, PASSWORD_DEFAULT);
        $user->save();
    }
}
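The cost slide says to measure, and the API slides show the login; the following is an added example (not the deck's code, and not the linked bcrypt-cost-finder script) that puts the two together: it calibrates the bcrypt cost on the machine it runs on, then uses password_verify / password_needs_rehash / password_hash in a login that also migrates legacy unsalted md5 rows on their first successful use. The User class, the in-memory users table and getUserByUsername() are stand-ins for your own model; PHP 7.1+ is assumed.

```php
<?php
declare(strict_types=1);

// Added example: not from the slides and not the linked bcrypt-cost-finder.
// Calibrates the bcrypt cost for this machine, then wires the PHP 5.5+
// password API into a login that migrates legacy md5 rows on first use.
// Assumptions: a User object with a public $password (stored hash) and a
// save() method, looked up by getUserByUsername(); both are stubbed below.

class User
{
    public $password;   // stored hash: md5 hex on legacy rows, "$2y$..." once migrated
    public function __construct(string $password) { $this->password = $password; }
    public function save(): void { /* persist $this->password; stubbed for the demo */ }
}

/** Constructed in-memory "table"; a real app reads this from its database. */
$users = ['alice' => new User(md5('correct horse battery staple'))];
function getUserByUsername(string $username): ?User
{
    global $users;
    return $users[$username] ?? null;
}

/**
 * Smallest cost whose hashing time reaches $target_ms here (deck: 250-500 ms).
 * Each +1 doubles the work, so re-run this when the hardware changes.
 */
function find_bcrypt_cost(float $target_ms = 250.0, int $start = 10, int $max = 31): int
{
    for ($cost = $start; $cost <= $max; $cost++) {
        $t0 = microtime(true);
        password_hash('calibration-only', PASSWORD_BCRYPT, ['cost' => $cost]);
        if ((microtime(true) - $t0) * 1000 >= $target_ms) {
            return $cost;
        }
    }
    return $max;
}

/**
 * Accept either a bcrypt hash or a legacy unsalted md5 digest.
 * Never compare digests with ==: it stops at the first differing byte and
 * treats two "0e<digits>" hex strings as equal numbers.
 */
function verify_password(string $stored, string $submitted): bool
{
    if (password_verify($submitted, $stored)) {
        return true;
    }
    $looks_like_md5 = strlen($stored) === 32 && ctype_xdigit($stored);
    return $looks_like_md5 && hash_equals($stored, md5($submitted));
}

/** Returns true on success; upgrades the stored hash as a side effect. */
function login(string $username, string $password, int $cost): bool
{
    $user = getUserByUsername($username);
    if ($user === null || !verify_password($user->password, $password)) {
        return false;
    }
    // True for md5 rows (unrecognised algorithm) and for bcrypt hashes made
    // with a different cost, so every user migrates on their next login.
    // PASSWORD_BCRYPT is named explicitly because the cost option applies to it;
    // remember bcrypt ignores everything after the 72nd byte of the password.
    $options = ['cost' => $cost];
    if (password_needs_rehash($user->password, PASSWORD_BCRYPT, $options)) {
        $user->password = password_hash($password, PASSWORD_BCRYPT, $options);
        $user->save();
    }
    return true;
}

$cost = find_bcrypt_cost();
printf("cost %d on this machine\n", $cost);

var_dump(login('alice', 'wrong password', $cost));                 // false, row untouched
var_dump(login('alice', 'correct horse battery staple', $cost));   // true, row is now bcrypt
echo substr($users['alice']->password, 0, 7), "\n";                // "$2y$" prefix plus cost
var_dump(login('alice', 'correct horse battery staple', $cost));   // true, via password_verify
```

Run the calibration once at deploy time and store the result in configuration, not on every request: the loop deliberately burns a quarter second per cost step.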
I Lied: Available in PHP >= 5.3.7
https://github.com/ircmaxell/password_compat
A forward compatible password API implementation that will work until you are ready to upgrade to 5.5. This will work for all versions of PHP that have the $2y fix. Upgrading to 5.5 will not break your current code if you use this library.
Want More? Get Statistics Here
http://blog.ircmaxell.com/2013/01/password-storage-talk-at-php-benelux-13.html
Passwords Are Easy
We don't need to know it,
except for user login
ENCRYPTION
AVOID ENCRYPTION AT ALL COSTS!
Clarification:
Avoid storing any data that you need to encrypt.
Before deciding to collect and store this information, ask yourself why you need it.
Is the risk of potentially leaking this information worth the reward?
Are there any alternative solutions available to you?
Example: Credit card companies usually offer a token solution
SYMMETRIC VS ASYMMETRIC
Symmetric
  Only one shared key
  Same key encrypts and decrypts
  Easiest to understand
Asymmetric
  Two keys (Public and Private)
  Encryption/Decryption: public key encrypts, private key decrypts
  Signing/Verifying: private key signs, public key verifies
SYMMETRIC ENCRYPTION
a.k.a. Shared-Key Encryption
KEYS, CIPHERS, MODES, AND IV OH MY!
Keys should be easy enough (keep it secret, and make it random: a real key is raw bytes from a CSPRNG, not a word like 'MySecretKey')
Ciphers
  Deterministic algorithm (Ex: 3DES, Blowfish, TwoFish; prefer AES today, since 3DES and Blowfish have 64-bit blocks)
Modes
  Determines how a block cipher is applied to messages longer than one block (never mix them)
  Avoid ECB (Electronic Code Book): identical plaintext blocks give identical ciphertext blocks
  Use CBC or CFB (Cipher Block Chaining / Cipher FeedBack)
  Neither detects tampering on its own, which is why the HMAC step later in this deck is not optional
Initialization Vectors
  Similar to SALT in hashing (it's not a secret)
  Must be random per encrypted text
EXAMPLE: ENCRYPT USING MCRYPT
$crypt_key = 'MySecretKey';
$message = "Do not tell my boss, but I did xyz";

$iv_size = mcrypt_get_iv_size(MCRYPT_BLOWFISH, MCRYPT_MODE_CBC);
$iv = mcrypt_create_iv($iv_size, MCRYPT_DEV_URANDOM);

$cipher = mcrypt_encrypt(
    MCRYPT_BLOWFISH,
    $crypt_key,
    $message,
    MCRYPT_MODE_CBC,
    $iv
);
Note: mcrypt was deprecated in PHP 7.1 and removed from core in 7.2, and it pads with NUL bytes rather than PKCS#7, so trailing NULs in the plaintext are lost on decryption. The openssl extension (openssl_encrypt) is the replacement.
HMAC: HASH-BASED MESSAGE AUTHENTICATION CODE
Using a separate key, this gives us a keyed tag over the ciphertext (a MAC, not a public-key signature). We can use it to ensure that the data has not been tampered with.
When encrypting:
  Always encrypt first, and then compute the HMAC over the Cipher Text.
  Include the IV (and anything else the decryptor will trust) in what you HMAC; with CBC an unauthenticated IV lets an attacker flip bits in the first plaintext block.
  Store the HMAC with your IV and Cipher Text.
When decrypting:
  Always verify the HMAC first, in constant time (hash_equals), and then decrypt only if it matches.
  Never decrypt and then check: a padding error reported before the check is a padding oracle.
EXAMPLE: USING HMAC
$crypt_key = 'MySecretKey';
$hmac_key = 'HashingKey';

$hmac = hash_hmac('sha512', $cipher, $hmac_key);

// Store it with your encrypted data
$encoded_data = base64_encode($iv . $cipher . $hmac);
EXAMPLE: DECRYPTING USING HMAC
$decoded_data = base64_decode($encoded_data);

$iv = substr($decoded_data, 0, $iv_size);
$hmac = substr($decoded_data, -128);            // hex sha512 is 128 characters
$cipher = substr($decoded_data, $iv_size, -128);

// Compare in constant time: a plain != returns as soon as the first
// byte differs and leaks how much of the tag was right.
if (!hash_equals(hash_hmac('sha512', $cipher, $hmac_key), $hmac))
{
    throw new Exception('HMAC does not match');
}

$message = mcrypt_decrypt(
    MCRYPT_BLOWFISH,
    $crypt_key,
    $cipher,
    MCRYPT_MODE_CBC,
    $iv
);
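The mcrypt encrypt slide and the two HMAC slides above describe one scheme: encrypt, tag the ciphertext under a second key, verify the tag before decrypting. As an added example (not code from the deck) here is that scheme rebuilt on the openssl extension that replaced mcrypt, with AES-256-CBC instead of Blowfish, a random IV from random_bytes(), the IV included in what is authenticated, and hash_equals() for the comparison. The two keys are generated in-process for the demo; PHP 7.0+ with ext/openssl is assumed.

```php
<?php
declare(strict_types=1);

// Added example (not from the slides): the encrypt-then-MAC scheme of the
// mcrypt/HMAC slides above, rebuilt on the openssl extension that replaced
// mcrypt in PHP 7.2. AES-256-CBC, a fresh IV from random_bytes() for every
// message, HMAC-SHA256 over IV||ciphertext under a second key, constant-time
// verification before any decryption. Needs PHP 7.0+ with ext/openssl.

const CIPHER  = 'aes-256-cbc';
const MAC_ALG = 'sha256';
const MAC_LEN = 32;   // raw SHA-256 tag, in bytes

function encrypt_then_mac(string $plaintext, string $enc_key, string $mac_key): string
{
    $iv_len = openssl_cipher_iv_length(CIPHER);          // 16 for AES-CBC
    $iv     = random_bytes($iv_len);                      // not secret, never reused
    $ct     = openssl_encrypt($plaintext, CIPHER, $enc_key, OPENSSL_RAW_DATA, $iv);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    // Authenticate everything the decryptor will act on. Leaving the IV out
    // (as the slide example does) lets an attacker flip bits in the first
    // plaintext block of CBC without the tag changing.
    $tag = hash_hmac(MAC_ALG, $iv . $ct, $mac_key, true);
    return base64_encode($iv . $ct . $tag);
}

function verify_then_decrypt(string $encoded, string $enc_key, string $mac_key): string
{
    $iv_len = openssl_cipher_iv_length(CIPHER);
    $blob   = base64_decode($encoded, true);
    if ($blob === false || strlen($blob) <= $iv_len + MAC_LEN) {
        throw new RuntimeException('malformed ciphertext');
    }
    $iv  = substr($blob, 0, $iv_len);
    $tag = substr($blob, -MAC_LEN);
    $ct  = substr($blob, $iv_len, -MAC_LEN);

    // hash_equals() takes the same time wherever the strings differ;
    // the slide's != returns at the first mismatching byte.
    if (!hash_equals(hash_hmac(MAC_ALG, $iv . $ct, $mac_key, true), $tag)) {
        throw new RuntimeException('HMAC does not match');
    }
    $pt = openssl_decrypt($ct, CIPHER, $enc_key, OPENSSL_RAW_DATA, $iv);
    if ($pt === false) {
        throw new RuntimeException('decryption failed');   // only if the encryption key is wrong
    }
    return $pt;
}

// Demo keys: two independent 32-byte keys. In production load them from a
// secret store; a literal like 'MySecretKey' is neither random nor 256 bits.
$enc_key = random_bytes(32);
$mac_key = random_bytes(32);
$message = "Do not tell my boss, but I did xyz";

$token = encrypt_then_mac($message, $enc_key, $mac_key);
echo verify_then_decrypt($token, $enc_key, $mac_key) === $message ? "round trip OK\n" : "round trip FAILED\n";

// Flip one bit in the IV: caught by the MAC before any decryption runs.
$raw    = base64_decode($token);
$raw[0] = chr(ord($raw[0]) ^ 0x01);
try {
    verify_then_decrypt(base64_encode($raw), $enc_key, $mac_key);
    echo "tampering NOT detected\n";
} catch (RuntimeException $e) {
    echo "tampering detected: ", $e->getMessage(), "\n";
}
```

Where the installed OpenSSL offers it, aes-256-gcm does the authentication for you (the $tag argument of openssl_encrypt/openssl_decrypt) and removes the separate HMAC key; the structure above is what you fall back to when it does not.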
USE A LIBRARY
http://phpseclib.sourceforge.net
They've done the hard parts, save yourself the
headache and just use it.
It's even PHP4+ compatible, so no excuses.
EXAMPLE: USING PHPSECLIB
$crypt_key = 'MySecretKey';
$hmac_key = 'HashingKey';
$message = "Do not tell my boss, but I did xyz";

require 'Crypt/DES.php';
require 'Crypt/Hash.php';

$des = new Crypt_DES();   // single DES (56-bit key) is shown for illustration; phpseclib also ships Crypt_AES, use that
$des->setKey($crypt_key);
// No setIV() call: phpseclib then uses an all-zero IV, so the same message
// encrypts to the same bytes every time. Call setIV() with random bytes per message.
$cipher = $des->encrypt($message);

$hash = new Crypt_Hash('sha512');
$hash->setKey($hmac_key);
$hmac = bin2hex($hash->hash($cipher));
EXAMPLE: USING PHPSECLIB
require 'Crypt/DES.php';
require 'Crypt/Hash.php';

$hash = new Crypt_Hash('sha512');
$hash->setKey($hmac_key);
$verify_hmac = bin2hex($hash->hash($cipher));

// hash_equals() (PHP 5.6+) instead of ==, which stops at the first differing byte
if (hash_equals($hmac, $verify_hmac)) {
    $des = new Crypt_DES();
    $des->setKey($crypt_key);
    $message = $des->decrypt($cipher);
}
ASYMMETRIC ENCRYPTION
a.k.a. Public-Key Encryption
COMMON ASYMMETRIC USES
SSH Keys
HTTPS / SSL (TLS)
PGP: Pretty Good Privacy
Email
Files
Really any message
EXAMPLE: ASYMMETRIC CODE
http://codereaper.com/blog/2014/asymmetric-encryption-in-php/
openssl req -x509 -newkey rsa:2048 -keyout private.pem -out public.pem -days 365

// Encrypt with the public key (the self-signed certificate is accepted as a public key input)
$key = file_get_contents('public.pem');
$public_key = openssl_get_publickey($key);

$message = "Do not tell my boss, but I did xyz";
$cipher = $e = null;
openssl_seal($message, $cipher, $e, array($public_key));

$sealed_data = base64_encode($cipher);   // message, encrypted under a random symmetric key
$envelope = base64_encode($e[0]);        // that symmetric key, encrypted with the public key

// Decrypt with the private key
$key = file_get_contents('private.pem');
$passphrase = getenv('PRIVATE_KEY_PASSPHRASE');   // assumption: the passphrase typed at the openssl req prompt, supplied via the environment
$priv_key = openssl_get_privatekey($key, $passphrase);
$input = base64_decode($sealed_data);
$einput = base64_decode($envelope);

$message = null;
openssl_open($input, $message, $einput, $priv_key);
Note: with no cipher argument openssl_seal() used RC4 on PHP 7 and earlier, and PHP 8 makes the argument mandatory; pass 'aes-256-cbc' and keep the IV it returns for openssl_open().
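The slide covers the encrypt/decrypt half of the asymmetric story; the symmetric-vs-asymmetric slide also lists signing and verifying. As an added example (not from the deck or the linked blog post), this script does both with the openssl extension: it seals with an explicit AES cipher and IV, opens with the private key, then signs with the private key and verifies with the public one, including a tampered message that must fail. The key pair is generated in-process so the script runs stand-alone; in practice you would load private.pem / public.pem as the slide does. Assumes ext/openssl with a usable openssl.cnf (openssl_pkey_new needs one).

```php
<?php
declare(strict_types=1);

// Added example, not from the slides or the linked blog post: envelope
// encryption with an explicit cipher plus the signing half of the asymmetric
// slide. The key pair is generated here so the script is self-contained;
// in practice load the PEM files the deck generates with `openssl req`.
// Requires ext/openssl; openssl_pkey_new() needs a readable openssl.cnf.

// 1. Key pair (stand-in for the deck's `openssl req -x509 -newkey rsa:2048`).
$keypair = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
if ($keypair === false) {
    throw new RuntimeException('key generation failed: ' . openssl_error_string());
}
openssl_pkey_export($keypair, $private_pem);                 // unencrypted PEM, demo only
$public_pem = openssl_pkey_get_details($keypair)['key'];     // matching public key PEM

// 2. Seal: a random symmetric key encrypts the message, the public key
//    encrypts that key. The cipher is named explicitly: before PHP 8.0 the
//    default was RC4, and from 8.0 the argument is required. CBC needs its
//    IV back at open time, so it travels with the envelope.
function seal_for(string $message, string $public_pem): array
{
    $pub = openssl_pkey_get_public($public_pem);
    $ok  = openssl_seal($message, $sealed, $env_keys, [$pub], 'aes-256-cbc', $iv);
    if ($ok === false) {
        throw new RuntimeException('seal failed: ' . openssl_error_string());
    }
    return [
        'data' => base64_encode($sealed),        // message under the random AES key
        'key'  => base64_encode($env_keys[0]),   // that AES key under the RSA public key
        'iv'   => base64_encode($iv),
    ];
}

function open_with(array $envelope, string $private_pem, string $passphrase = ''): string
{
    $priv = openssl_pkey_get_private($private_pem, $passphrase);
    $ok = openssl_open(
        base64_decode($envelope['data']), $message, base64_decode($envelope['key']),
        $priv, 'aes-256-cbc', base64_decode($envelope['iv'])
    );
    if ($ok === false) {
        throw new RuntimeException('open failed: ' . openssl_error_string());
    }
    return $message;
}

// 3. Sign with the private key, verify with the public key.
function sign_message(string $message, string $private_pem): string
{
    openssl_sign($message, $sig, openssl_pkey_get_private($private_pem), OPENSSL_ALGO_SHA256);
    return base64_encode($sig);
}

function verify_message(string $message, string $sig_b64, string $public_pem): bool
{
    // openssl_verify() returns 1 (valid), 0 (invalid) or -1/false (error): only 1 counts
    return openssl_verify($message, base64_decode($sig_b64), openssl_pkey_get_public($public_pem), OPENSSL_ALGO_SHA256) === 1;
}

$message  = "Do not tell my boss, but I did xyz";
$envelope = seal_for($message, $public_pem);
echo open_with($envelope, $private_pem) === $message ? "opened OK\n" : "open FAILED\n";

$sig = sign_message($message, $private_pem);
echo verify_message($message, $sig, $public_pem) ? "signature valid\n" : "signature invalid\n";
echo verify_message($message . '!', $sig, $public_pem) ? "tamper missed\n" : "tamper detected\n";
```

Sealing gives confidentiality only: anyone with the public key can produce a valid envelope, so when the recipient must know who sent it, sign the message (or the envelope) as well, as the last three lines do.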
ENCRYPTION !== PROTECTION
Data obtained through SQL injection alone (ciphertext, no key) should be relatively secure.
For us to encrypt/decrypt, we must have access to the key. Therefore, any breach that reaches the application itself (code execution, arbitrary file read, a leaked config) discloses the key to the attacker, leaving ALL encryption useless.
Apache environment variables, memory, config files, a password entered during system start, etc. do not keep the key private from someone who owns the box.
AVOID ENCRYPTION AT ALL COSTS!
There is no such thing as 100% secure.
OTHER THINGS TO CONSIDER
• Encrypt / decrypt on a separate server
• More overhead and complexity
• Any breach of a server that is allowed to talk to it can still decrypt data
• With enough thought and monitoring, you can kill the decryption server to limit the damage done
• Think about restricting requests per second, so a compromised web server cannot bulk-decrypt the whole table before anyone notices
Paranoid about password safety? Consider encrypting the hash. Renders SQL injection and rainbow tables/brute force mostly useless without the key.
OTHER THINGS TO CONSIDER
Do you need access to the user's information without them on the system?
If your user must be present, then consider making them partially responsible for the security. Have them use a second password or passphrase that you combine with your key (through a key derivation function, not plain concatenation) to use in the encryption. The trade-off: lose the passphrase and the data is gone, with no reset possible.
FINAL WORDS...
I've learned a ton while preparing this presentation.
Thanks especially to Anthony Ferrara (@ircmaxell)
http://blog.ircmaxell.com
THANK YOU!

 
FizzBuzzではじめるテスト
FizzBuzzではじめるテストFizzBuzzではじめるテスト
FizzBuzzではじめるテスト
Masashi Shinbara
 
Hacking with hhvm
Hacking with hhvmHacking with hhvm
Hacking with hhvm
Elizabeth Smith
 
Cargo Cult Security UJUG Sep2015
Cargo Cult Security UJUG Sep2015Cargo Cult Security UJUG Sep2015
Cargo Cult Security UJUG Sep2015
Derrick Isaacson
 
Web security
Web securityWeb security
Web security
davidahaskins
 
Improving password-based authentication
Improving password-based authenticationImproving password-based authentication
Improving password-based authentication
Frank Denis
 
Introduction To PHP
Introduction To PHPIntroduction To PHP
Introduction To PHP
Shweta A
 
PHP 7 – What changed internally? (Forum PHP 2015)
PHP 7 – What changed internally? (Forum PHP 2015)PHP 7 – What changed internally? (Forum PHP 2015)
PHP 7 – What changed internally? (Forum PHP 2015)
Nikita Popov
 
Get Your Insecure PostgreSQL Passwords to SCRAM
Get Your Insecure PostgreSQL Passwords to SCRAMGet Your Insecure PostgreSQL Passwords to SCRAM
Get Your Insecure PostgreSQL Passwords to SCRAM
Jonathan Katz
 
How does cryptography work? by Jeroen Ooms
How does cryptography work?  by Jeroen OomsHow does cryptography work?  by Jeroen Ooms
How does cryptography work? by Jeroen Ooms
Ajay Ohri
 
Safely Protect PostgreSQL Passwords - Tell Others to SCRAM
Safely Protect PostgreSQL Passwords - Tell Others to SCRAMSafely Protect PostgreSQL Passwords - Tell Others to SCRAM
Safely Protect PostgreSQL Passwords - Tell Others to SCRAM
Jonathan Katz
 
PDX Tech Meetup - The changing landscape of passwords
PDX Tech Meetup - The changing landscape of passwordsPDX Tech Meetup - The changing landscape of passwords
PDX Tech Meetup - The changing landscape of passwords
Ryan Smith
 
The slower the stronger a story of password hash migration
The slower the stronger  a story of password hash migrationThe slower the stronger  a story of password hash migration
The slower the stronger a story of password hash migration
OWASP
 
Static analysis saved my code tonight
Static analysis saved my code tonightStatic analysis saved my code tonight
Static analysis saved my code tonight
Damien Seguy
 
Php basic for vit university
Php basic for vit universityPhp basic for vit university
Php basic for vit university
Mandakini Kumari
 
Secure password storing with saltedpasswords in TYPO3
Secure password storing with saltedpasswords in TYPO3Secure password storing with saltedpasswords in TYPO3
Secure password storing with saltedpasswords in TYPO3
Steffen Gebert
 
Hacking hhvm
Hacking hhvmHacking hhvm
Hacking hhvm
wajrcs
 
Lecture2_IntroductionToPHP_Spring2023.pdf
Lecture2_IntroductionToPHP_Spring2023.pdfLecture2_IntroductionToPHP_Spring2023.pdf
Lecture2_IntroductionToPHP_Spring2023.pdf
ShaimaaMohamedGalal
 

Similar to Encryption: It's For More Than Just Passwords (20)

Two scoops of Django - Security Best Practices
Two scoops of Django - Security Best PracticesTwo scoops of Django - Security Best Practices
Two scoops of Django - Security Best Practices
 
Password (in)security
Password (in)securityPassword (in)security
Password (in)security
 
PHP complete reference with database concepts for beginners
PHP complete reference with database concepts for beginnersPHP complete reference with database concepts for beginners
PHP complete reference with database concepts for beginners
 
FizzBuzzではじめるテスト
FizzBuzzではじめるテストFizzBuzzではじめるテスト
FizzBuzzではじめるテスト
 
Hacking with hhvm
Hacking with hhvmHacking with hhvm
Hacking with hhvm
 
Cargo Cult Security UJUG Sep2015
Cargo Cult Security UJUG Sep2015Cargo Cult Security UJUG Sep2015
Cargo Cult Security UJUG Sep2015
 
Web security
Web securityWeb security
Web security
 
Improving password-based authentication
Improving password-based authenticationImproving password-based authentication
Improving password-based authentication
 
Introduction To PHP
Introduction To PHPIntroduction To PHP
Introduction To PHP
 
PHP 7 – What changed internally? (Forum PHP 2015)
PHP 7 – What changed internally? (Forum PHP 2015)PHP 7 – What changed internally? (Forum PHP 2015)
PHP 7 – What changed internally? (Forum PHP 2015)
 
Get Your Insecure PostgreSQL Passwords to SCRAM
Get Your Insecure PostgreSQL Passwords to SCRAMGet Your Insecure PostgreSQL Passwords to SCRAM
Get Your Insecure PostgreSQL Passwords to SCRAM
 
How does cryptography work? by Jeroen Ooms
How does cryptography work?  by Jeroen OomsHow does cryptography work?  by Jeroen Ooms
How does cryptography work? by Jeroen Ooms
 
Safely Protect PostgreSQL Passwords - Tell Others to SCRAM
Safely Protect PostgreSQL Passwords - Tell Others to SCRAMSafely Protect PostgreSQL Passwords - Tell Others to SCRAM
Safely Protect PostgreSQL Passwords - Tell Others to SCRAM
 
PDX Tech Meetup - The changing landscape of passwords
PDX Tech Meetup - The changing landscape of passwordsPDX Tech Meetup - The changing landscape of passwords
PDX Tech Meetup - The changing landscape of passwords
 
The slower the stronger a story of password hash migration
The slower the stronger  a story of password hash migrationThe slower the stronger  a story of password hash migration
The slower the stronger a story of password hash migration
 
Static analysis saved my code tonight
Static analysis saved my code tonightStatic analysis saved my code tonight
Static analysis saved my code tonight
 
Php basic for vit university
Php basic for vit universityPhp basic for vit university
Php basic for vit university
 
Secure password storing with saltedpasswords in TYPO3
Secure password storing with saltedpasswords in TYPO3Secure password storing with saltedpasswords in TYPO3
Secure password storing with saltedpasswords in TYPO3
 
Hacking hhvm
Hacking hhvmHacking hhvm
Hacking hhvm
 
Lecture2_IntroductionToPHP_Spring2023.pdf
Lecture2_IntroductionToPHP_Spring2023.pdfLecture2_IntroductionToPHP_Spring2023.pdf
Lecture2_IntroductionToPHP_Spring2023.pdf
 

Recently uploaded

Design Thinking NETFLIX using all techniques.pptx
Design Thinking NETFLIX using all techniques.pptxDesign Thinking NETFLIX using all techniques.pptx
Design Thinking NETFLIX using all techniques.pptx
saathvikreddy2003
 
不能毕业如何获得(USYD毕业证)悉尼大学毕业证成绩单一比一原版制作
不能毕业如何获得(USYD毕业证)悉尼大学毕业证成绩单一比一原版制作不能毕业如何获得(USYD毕业证)悉尼大学毕业证成绩单一比一原版制作
不能毕业如何获得(USYD毕业证)悉尼大学毕业证成绩单一比一原版制作
bseovas
 
存档可查的(USC毕业证)南加利福尼亚大学毕业证成绩单制做办理
存档可查的(USC毕业证)南加利福尼亚大学毕业证成绩单制做办理存档可查的(USC毕业证)南加利福尼亚大学毕业证成绩单制做办理
存档可查的(USC毕业证)南加利福尼亚大学毕业证成绩单制做办理
fovkoyb
 
办理毕业证(UPenn毕业证)宾夕法尼亚大学毕业证成绩单快速办理
办理毕业证(UPenn毕业证)宾夕法尼亚大学毕业证成绩单快速办理办理毕业证(UPenn毕业证)宾夕法尼亚大学毕业证成绩单快速办理
办理毕业证(UPenn毕业证)宾夕法尼亚大学毕业证成绩单快速办理
uehowe
 
一比一原版(USYD毕业证)悉尼大学毕业证如何办理
一比一原版(USYD毕业证)悉尼大学毕业证如何办理一比一原版(USYD毕业证)悉尼大学毕业证如何办理
一比一原版(USYD毕业证)悉尼大学毕业证如何办理
k4ncd0z
 
成绩单ps(UST毕业证)圣托马斯大学毕业证成绩单快速办理
成绩单ps(UST毕业证)圣托马斯大学毕业证成绩单快速办理成绩单ps(UST毕业证)圣托马斯大学毕业证成绩单快速办理
成绩单ps(UST毕业证)圣托马斯大学毕业证成绩单快速办理
ysasp1
 
[HUN][hackersuli] Red Teaming alapok 2024
[HUN][hackersuli] Red Teaming alapok 2024[HUN][hackersuli] Red Teaming alapok 2024
[HUN][hackersuli] Red Teaming alapok 2024
hackersuli
 
办理毕业证(NYU毕业证)纽约大学毕业证成绩单官方原版办理
办理毕业证(NYU毕业证)纽约大学毕业证成绩单官方原版办理办理毕业证(NYU毕业证)纽约大学毕业证成绩单官方原版办理
办理毕业证(NYU毕业证)纽约大学毕业证成绩单官方原版办理
uehowe
 
留学挂科(UofM毕业证)明尼苏达大学毕业证成绩单复刻办理
留学挂科(UofM毕业证)明尼苏达大学毕业证成绩单复刻办理留学挂科(UofM毕业证)明尼苏达大学毕业证成绩单复刻办理
留学挂科(UofM毕业证)明尼苏达大学毕业证成绩单复刻办理
uehowe
 
HijackLoader Evolution: Interactive Process Hollowing
HijackLoader Evolution: Interactive Process HollowingHijackLoader Evolution: Interactive Process Hollowing
HijackLoader Evolution: Interactive Process Hollowing
Donato Onofri
 
manuaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaal
manuaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaalmanuaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaal
manuaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaal
wolfsoftcompanyco
 
Gen Z and the marketplaces - let's translate their needs
Gen Z and the marketplaces - let's translate their needsGen Z and the marketplaces - let's translate their needs
Gen Z and the marketplaces - let's translate their needs
Laura Szabó
 
Should Repositories Participate in the Fediverse?
Should Repositories Participate in the Fediverse?Should Repositories Participate in the Fediverse?
Should Repositories Participate in the Fediverse?
Paul Walk
 
Ready to Unlock the Power of Blockchain!
Ready to Unlock the Power of Blockchain!Ready to Unlock the Power of Blockchain!
Ready to Unlock the Power of Blockchain!
Toptal Tech
 
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
3a0sd7z3
 
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
3a0sd7z3
 
Discover the benefits of outsourcing SEO to India
Discover the benefits of outsourcing SEO to IndiaDiscover the benefits of outsourcing SEO to India
Discover the benefits of outsourcing SEO to India
davidjhones387
 
办理新西兰奥克兰大学毕业证学位证书范本原版一模一样
办理新西兰奥克兰大学毕业证学位证书范本原版一模一样办理新西兰奥克兰大学毕业证学位证书范本原版一模一样
办理新西兰奥克兰大学毕业证学位证书范本原版一模一样
xjq03c34
 
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
rtunex8r
 

Recently uploaded (19)

Design Thinking NETFLIX using all techniques.pptx
Design Thinking NETFLIX using all techniques.pptxDesign Thinking NETFLIX using all techniques.pptx
Design Thinking NETFLIX using all techniques.pptx
 
不能毕业如何获得(USYD毕业证)悉尼大学毕业证成绩单一比一原版制作
不能毕业如何获得(USYD毕业证)悉尼大学毕业证成绩单一比一原版制作不能毕业如何获得(USYD毕业证)悉尼大学毕业证成绩单一比一原版制作
不能毕业如何获得(USYD毕业证)悉尼大学毕业证成绩单一比一原版制作
 
存档可查的(USC毕业证)南加利福尼亚大学毕业证成绩单制做办理
存档可查的(USC毕业证)南加利福尼亚大学毕业证成绩单制做办理存档可查的(USC毕业证)南加利福尼亚大学毕业证成绩单制做办理
存档可查的(USC毕业证)南加利福尼亚大学毕业证成绩单制做办理
 
办理毕业证(UPenn毕业证)宾夕法尼亚大学毕业证成绩单快速办理
办理毕业证(UPenn毕业证)宾夕法尼亚大学毕业证成绩单快速办理办理毕业证(UPenn毕业证)宾夕法尼亚大学毕业证成绩单快速办理
办理毕业证(UPenn毕业证)宾夕法尼亚大学毕业证成绩单快速办理
 
一比一原版(USYD毕业证)悉尼大学毕业证如何办理
一比一原版(USYD毕业证)悉尼大学毕业证如何办理一比一原版(USYD毕业证)悉尼大学毕业证如何办理
一比一原版(USYD毕业证)悉尼大学毕业证如何办理
 
成绩单ps(UST毕业证)圣托马斯大学毕业证成绩单快速办理
成绩单ps(UST毕业证)圣托马斯大学毕业证成绩单快速办理成绩单ps(UST毕业证)圣托马斯大学毕业证成绩单快速办理
成绩单ps(UST毕业证)圣托马斯大学毕业证成绩单快速办理
 
[HUN][hackersuli] Red Teaming alapok 2024
[HUN][hackersuli] Red Teaming alapok 2024[HUN][hackersuli] Red Teaming alapok 2024
[HUN][hackersuli] Red Teaming alapok 2024
 
办理毕业证(NYU毕业证)纽约大学毕业证成绩单官方原版办理
办理毕业证(NYU毕业证)纽约大学毕业证成绩单官方原版办理办理毕业证(NYU毕业证)纽约大学毕业证成绩单官方原版办理
办理毕业证(NYU毕业证)纽约大学毕业证成绩单官方原版办理
 
留学挂科(UofM毕业证)明尼苏达大学毕业证成绩单复刻办理
留学挂科(UofM毕业证)明尼苏达大学毕业证成绩单复刻办理留学挂科(UofM毕业证)明尼苏达大学毕业证成绩单复刻办理
留学挂科(UofM毕业证)明尼苏达大学毕业证成绩单复刻办理
 
HijackLoader Evolution: Interactive Process Hollowing
HijackLoader Evolution: Interactive Process HollowingHijackLoader Evolution: Interactive Process Hollowing
HijackLoader Evolution: Interactive Process Hollowing
 
manuaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaal
manuaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaalmanuaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaal
manuaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaal
 
Gen Z and the marketplaces - let's translate their needs
Gen Z and the marketplaces - let's translate their needsGen Z and the marketplaces - let's translate their needs
Gen Z and the marketplaces - let's translate their needs
 
Should Repositories Participate in the Fediverse?
Should Repositories Participate in the Fediverse?Should Repositories Participate in the Fediverse?
Should Repositories Participate in the Fediverse?
 
Ready to Unlock the Power of Blockchain!
Ready to Unlock the Power of Blockchain!Ready to Unlock the Power of Blockchain!
Ready to Unlock the Power of Blockchain!
 
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
 
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
 
Discover the benefits of outsourcing SEO to India
Discover the benefits of outsourcing SEO to IndiaDiscover the benefits of outsourcing SEO to India
Discover the benefits of outsourcing SEO to India
 
办理新西兰奥克兰大学毕业证学位证书范本原版一模一样
办理新西兰奥克兰大学毕业证学位证书范本原版一模一样办理新西兰奥克兰大学毕业证学位证书范本原版一模一样
办理新西兰奥克兰大学毕业证学位证书范本原版一模一样
 
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
 

Encryption: It's For More Than Just Passwords

  • 1. ENCRYPTION It's For More Than Just Password
  • 9. JOHN CONGDON • PHP Since 2003 • SDPHP Organizer • Developer for Networx Online • PhoneBurner.com • MeetingBurner.com • FaxBurner.com • I am not a cryptographer
  • 12. CLEAR TEXT $username = $_POST['username'];
 $password = $_POST['password'];
 
 $user = getUserByUsername($username);
 
 $authenticated = false;
 if ($user->password == $password) {
 $authenticated = true;
 } *example only: not meant to be used
  • 13. MAJOR VULNERABILITY • Server compromise gives the complete username and password list • SQL-Injection does too
  • 22. CRYPTOGRAPHIC HASHING Wikipedia Definition: A cryptographic hash function is a hash function; that is, an algorithm that takes an arbitrary block of data and returns a fixed-size bitstring, the (cryptographic) hash value, such that any (accidental or intentional) change to the data will (with very high probability) change the hash value. The data to be encoded are often called the "message," and the hash value is sometimes called the message digest or simply the digest. Diagram: Message → HASH → Digest, e.g. unicorn → 1abcb33beeb811dca15f0ac3e47b88d9
  • 24. MD5 EXAMPLE $username = $_POST['username'];
 $password = $_POST['password'];
 
 $user = getUserByUsername($username);
 
 $authenticated = false;
 if ($user->password == md5($password)) {
 $authenticated = true;
 }
 *example only: not meant to be used
  • 25. AVAILABLE ALGORITHMS <?php print_r(hash_algos()); Array ( [0] => md2 [1] => md4 [2] => md5 [3] => sha1 [4] => sha224 [5] => sha256 [6] => sha384 [7] => sha512 [8] => ripemd128 [9] => ripemd160 [10] => ripemd256 [11] => ripemd320 [12] => whirlpool [13] => tiger128,3 [14] => tiger160,3 [15] => tiger192,3 [16] => tiger128,4 [17] => tiger160,4 [18] => tiger192,4 [19] => snefru [20] => snefru256 [21] => gost [22] => gost-crypto [23] => adler32 [24] => crc32 [25] => crc32b [26] => fnv132 [27] => fnv1a32 [28] => fnv164 [29] => fnv1a64 [30] => joaat [31] => haval128,3 [32] => haval160,3 [33] => haval192,3 [34] => haval224,3 [35] => haval256,3 [36] => haval128,4 [37] => haval160,4 [38] => haval192,4 [39] => haval224,4 [40] => haval256,4 [41] => haval128,5 [42] => haval160,5 [43] => haval192,5 [44] => haval224,5 [45] => haval256,5 )
  • 34. ADDING SALT In cryptography, a salt is random data that is used as an additional input to a one-way function that hashes a password or passphrase. The primary function of salts is to defend against dictionary attacks versus a list of password hashes and against pre-computed rainbow table attacks. $hash = md5('RAND_SALT' . $password); RAND_SALT must come from a cryptographically secure source. Do not use: rand, mt_rand, uniqid. Do use: /dev/urandom, mcrypt, openssl.
  • 35. MD5+SALT EXAMPLE $username = $_POST['username'];
 $password = $_POST['password'];
 
 $user = getUserByUsername($username);
 
 $authenticated = false;
 if ($user->password == md5($user->salt . $password)) {
 $authenticated = true;
 }
 *example only: not meant to be used
  • 37. function generateUserPassword ($salt_string, $password)
 {
 $str1 = substr($salt_string, 0, 8);
 $str2 = substr($salt_string, 8);
 return md5($str1 . $password . $str2);
 }
  • 40. USE TODAY'S STANDARDS Currently: BCrypt • Slower by design • Configurable to help withstand the test of time • Should be configured to take 0.25 to 0.50 seconds • Start with a cost of 10, use higher if possible https://github.com/johncongdon/bcrypt-cost-finder
  • 41. PHP 5.5 Password Hashing API http://www.php.net/manual/en/ref.password.php
  • 44. PHP 5.5 Password Hashing API $authenticated = false;
 if ($user->password == md5($password)) {
 $authenticated = true;
 }
  • 45. PHP 5.5 Password Hashing API function authenticate($user, $password) {
 $authenticated = false;
 if ($user->password == md5($password)) {
 $authenticated = true;
 }
 return $authenticated;
 }
  • 46. PHP 5.5 Password Hashing API function authenticate($user, $password) {
 $authenticated = false;
 $hash = $user->password;
 // new hashes: checked with password_verify()
 if (password_verify($password, $hash)) {
 $authenticated = true;
 }
 // legacy MD5 hashes: still accepted until they are rehashed on the next login (slide 47)
 if ($user->password == md5($password)) {
 $authenticated = true;
 }
 return $authenticated;
 }
  • 47. PHP 5.5 Password Hashing API $username = $_POST['username'];
 $password = $_POST['password'];
 
 $user = getUserByUsername($username);
 if (authenticate($user, $password)) {
 if (password_needs_rehash
 ($user->password, PASSWORD_DEFAULT))
 {
 $user->password = 
 password_hash($password, PASSWORD_DEFAULT);
 $user->save();
 }
 }
  • 48. I Lied: Available in PHP >= 5.3.7 https://github.com/ircmaxell/password_compat A forward compatible password API implementation that will work until you are ready to upgrade to 5.5. This will work for all versions of PHP that have the $2y fix. Upgrading to 5.5 will not break your current code if you use this library.
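The whole migration described on slides 40 to 48, carried through as one added example. This is not the slides' code and not the bcrypt-cost-finder repository linked above: it calibrates a bcrypt cost against the 0.25 s target the talk recommends, accepts either the legacy md5(salt . password) format from slide 35 or a password_hash() string, and upgrades legacy rows on the next successful login. The DemoUser class is an assumed stand-in for the application's user model; it needs PHP >= 5.6 for hash_equals() and the password_* API (PHP >= 5.5, or password_compat on 5.3.7+).

```php
<?php
// Added example: not the slides' code nor the bcrypt-cost-finder repo.
// Calibrates a bcrypt cost, authenticates against a legacy salted-MD5 hash
// (slide 35 format) or a password_hash() hash, and upgrades legacy rows on
// the next successful login.

// Stand-in for the application's user model (assumed; the slides only show $user->save()).
class DemoUser
{
    public $password;
    public $salt;
    public function save() { /* persist to the database */ }
}

// Time password_hash() at increasing costs and return the first cost that
// takes at least $target_seconds; $max_cost bounds the loop on slow hardware.
function find_bcrypt_cost($target_seconds = 0.25, $max_cost = 31)
{
    for ($cost = 10; $cost <= $max_cost; $cost++) {
        $start = microtime(true);
        password_hash('calibration-password', PASSWORD_BCRYPT, array('cost' => $cost));
        if (microtime(true) - $start >= $target_seconds) {
            return $cost;
        }
    }
    return $max_cost;
}

// Legacy format from the MD5+SALT slide: md5(salt . password). Kept only so
// existing rows can still be checked until they are rehashed.
function legacy_salted_md5($salt, $password)
{
    return md5($salt . $password);
}

function is_legacy_hash($stored)
{
    // 32 hex chars: an MD5 digest. bcrypt strings start with "$2y$" instead.
    return preg_match('/^[0-9a-f]{32}$/i', $stored) === 1;
}

// password_verify() already compares in constant time; hash_equals() keeps
// the legacy branch from leaking timing information through ==.
function authenticate(DemoUser $user, $password)
{
    if (is_legacy_hash($user->password)) {
        return hash_equals($user->password, legacy_salted_md5($user->salt, $password));
    }
    return password_verify($password, $user->password);
}

// Login flow: after a successful check, move legacy hashes, and bcrypt hashes
// made with a lower cost than the current one, to the current parameters.
// password_needs_rehash() returns true for anything that is not a bcrypt
// string with these options, so a legacy MD5 row is upgraded here as well.
function login(DemoUser $user, $password, $cost)
{
    if (!authenticate($user, $password)) {
        return false;
    }
    $options = array('cost' => $cost);
    if (password_needs_rehash($user->password, PASSWORD_BCRYPT, $options)) {
        $user->password = password_hash($password, PASSWORD_BCRYPT, $options);
        $user->salt = null; // bcrypt embeds its own salt in the hash string
        $user->save();
    }
    return true;
}

// Demo with a constructed in-memory user that still carries a legacy hash.
$cost = find_bcrypt_cost(0.25);
$user = new DemoUser();
$user->salt = bin2hex(openssl_random_pseudo_bytes(8)); // CSPRNG, as slide 34 asks
$user->password = legacy_salted_md5($user->salt, 'correct horse battery staple');

var_dump(login($user, 'wrong password', $cost));               // a failed login must leave the row untouched
var_dump(login($user, 'correct horse battery staple', $cost)); // a successful login rehashes the row
var_dump(is_legacy_hash($user->password));                     // the row should now be a bcrypt string
```

The calibration runs once at deployment (or at boot), not per request; store the chosen cost in configuration and raise it when hardware gets faster, and password_needs_rehash() will pull old rows up to the new cost as users log in.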
  • 49. Want More? Get Statistics Here http://blog.ircmaxell.com/2013/01/password-storage-talk-at-php-benelux-13.html
  • 50. Passwords Are Easy We don't need to know it, except for user login
  • 58. AVOID ENCRYPTION AT ALL COSTS! Clarification: Avoid storing any data that you need to encrypt. Before deciding to collect and store this information, ask yourself why you need it. Is the risk of potentially leaking this information worth the reward? Are there any alternative solutions available to you? Example: Credit card companies usually offer a token solution
  • 61. SYMMETRIC VS ASYMMETRIC Symmetric: Only one shared key; Same key encrypts and decrypts; Easiest to understand. Asymmetric: Two keys (Public and Private). Encryption/Decryption: Public key encrypts, Private key decrypts. Signing/Verifying: Private key signs, Public key verifies.
  • 73. KEYS, CIPHERS, MODES, AND IV OH MY! Keys should be easy enough (Keep it secret). Ciphers: Deterministic algorithm (Ex: 3DES, Blowfish, TwoFish). Modes: Determines how the key stream is used (never cross them); Avoid ECB (Electronic Code Book); Use CBC or CFB (Cipher Block Chaining / Cipher FeedBack). Initialization Vectors: Similar to SALT in hashing (It's not a secret); Must be random per encrypted text.
  • 74. EXAMPLE: ENCRYPT USING CRYPT $crypt_key = 'MySecretKey';
 $message = "Do not tell my boss, but I did xyz";
 $iv_size = mcrypt_get_iv_size(
 MCRYPT_BLOWFISH,
 MCRYPT_MODE_CBC
 );
 $iv = mcrypt_create_iv($iv_size, MCRYPT_DEV_URANDOM);
 $cipher = mcrypt_encrypt(
 MCRYPT_BLOWFISH,
 $crypt_key,
 $message,
 MCRYPT_MODE_CBC,
 $iv
 );
  • 81. HMAC: HASH-BASED MESSAGE AUTHENTICATION CODE Using a separate key, this will give us a signature of the encryption. We can use this to ensure that the data has not been tampered with. When encrypting: Always encrypt first, and then get the signature of the Cipher Text. Store the signature with your IV and Cipher Text. When Decrypting: Always verify the signature first, and then decrypt if successful.
  • 82. EXAMPLE: USING HMAC $crypt_key = 'MySecretKey';
 $hmac_key = 'HashingKey';
 
 $hmac = hash_hmac('sha512', $cipher, $hmac_key);
 
 //Store it with your encrypted data
 $encoded_data = base64_encode($iv . $cipher . $hmac);
  • 83. EXAMPLE: DECRYPTING USING HMAC $decoded_data = base64_decode($encoded_data);
 $iv = substr($decoded_data, 0, $iv_size);
 $hmac = substr($decoded_data, -128); // a hex sha512 digest is 128 characters
 $cipher = substr($decoded_data, $iv_size, -128);
 
 // verify before decrypting; hash_equals (PHP >= 5.6) compares in constant time
 if (!hash_equals(hash_hmac('sha512', $cipher, $hmac_key), $hmac))
 {
 throw new Exception('HMAC does not match');
 }
 $message = mcrypt_decrypt(
 MCRYPT_BLOWFISH,
 $crypt_key,
 $cipher,
 MCRYPT_MODE_CBC,
 $iv
 );
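The encrypt-then-MAC flow of slides 74 to 83, as an added example that is not the slides' code. It uses the openssl extension instead of mcrypt (mcrypt was removed in PHP 7.2) with AES-256-CBC, a fresh random IV per message, a separate HMAC key, a MAC that also covers the IV, and hash_equals() for the comparison. The keys and the message are constructed for the demo; in practice the keys come from your key storage. Needs PHP >= 5.6.

```php
<?php
// Added example, not the slides' mcrypt code: the same encrypt-then-MAC
// construction on the openssl extension. Payload layout: iv | ciphertext | mac.

const CIPHER   = 'aes-256-cbc';
const MAC_ALGO = 'sha256';
const MAC_LEN  = 32; // raw SHA-256 output, in bytes

// Encrypt first, then MAC (iv . ciphertext) under a separate key.
function encrypt_then_mac($message, $crypt_key, $hmac_key)
{
    $iv_size = openssl_cipher_iv_length(CIPHER);
    $iv = openssl_random_pseudo_bytes($iv_size); // fresh per message, never reused
    $cipher = openssl_encrypt($message, CIPHER, $crypt_key, OPENSSL_RAW_DATA, $iv);
    if ($cipher === false) {
        throw new RuntimeException('encryption failed');
    }
    // The MAC covers the IV too, so a modified IV is detected as well.
    $mac = hash_hmac(MAC_ALGO, $iv . $cipher, $hmac_key, true);
    return base64_encode($iv . $cipher . $mac);
}

// Verify the MAC first; only decrypt when it matches.
function verify_then_decrypt($encoded, $crypt_key, $hmac_key)
{
    $data = base64_decode($encoded, true);
    $iv_size = openssl_cipher_iv_length(CIPHER);
    if ($data === false || strlen($data) < $iv_size + MAC_LEN) {
        throw new RuntimeException('malformed payload');
    }
    $iv     = substr($data, 0, $iv_size);
    $mac    = substr($data, -MAC_LEN);
    $cipher = substr($data, $iv_size, -MAC_LEN);

    $expected = hash_hmac(MAC_ALGO, $iv . $cipher, $hmac_key, true);
    if (!hash_equals($expected, $mac)) { // constant-time comparison
        throw new RuntimeException('HMAC does not match');
    }
    $message = openssl_decrypt($cipher, CIPHER, $crypt_key, OPENSSL_RAW_DATA, $iv);
    if ($message === false) {
        throw new RuntimeException('decryption failed');
    }
    return $message;
}

// Demo with constructed keys (32 random bytes each; use separate keys for the two jobs).
$crypt_key = openssl_random_pseudo_bytes(32);
$hmac_key  = openssl_random_pseudo_bytes(32);
$message   = "Do not tell my boss, but I did xyz";

$encoded = encrypt_then_mac($message, $crypt_key, $hmac_key);
var_dump(verify_then_decrypt($encoded, $crypt_key, $hmac_key) === $message);

// Flip one bit inside the ciphertext: the MAC check rejects it before any decryption runs.
$tampered = base64_decode($encoded);
$tampered[20] = chr(ord($tampered[20]) ^ 1);
try {
    verify_then_decrypt(base64_encode($tampered), $crypt_key, $hmac_key);
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
}
```

Rejecting before decryption is the point of the ordering the slides prescribe: no padding-oracle or decryption-error behaviour is ever observable for a payload whose MAC does not match.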
  • 84. USE A LIBRARY http://phpseclib.sourceforge.net They've done the hard parts, save yourself the headache and just use it. It's even PHP4+ compatible, so no excuses.
  • 85. EXAMPLE: USING PHPSECLIB $crypt_key = 'MySecretKey';
 $hmac_key = 'HashingKey';
 $message = "Do not tell my boss, but I did xyz";
 
 require 'Crypt/DES.php';
 require 'Crypt/Hash.php';
 
 $des = new Crypt_DES();
 $des->setKey($crypt_key);
 $cipher = $des->encrypt($message);
 
 $hash = new Crypt_Hash('sha512');
 $hash->setKey($hmac_key);
 $hmac = bin2hex($hash->hash($cipher));
  • 86. EXAMPLE: USING PHPSECLIB require 'Crypt/DES.php';
 require 'Crypt/Hash.php';
 
 $hash = new Crypt_Hash('sha512');
 $hash->setKey($hmac_key);
 $verify_hmac = bin2hex($hash->hash($cipher));
 
 // constant-time comparison (hash_equals, PHP >= 5.6) before decrypting
 if (hash_equals($verify_hmac, $hmac)) {
 $des = new Crypt_DES();
 $des->setKey($crypt_key);
 $message = $des->decrypt($cipher);
 }
  • 88. COMMON ASYMMETRIC USES • SSH Keys • HTTPS / SSL • PGP: Pretty Good Privacy (Email, Files, really any message)
  • 90. EXAMPLE: ASYMMETRIC CODE http://codereaper.com/blog/2014/asymmetric-encryption-in-php/ openssl req -x509 -newkey rsa:2048 -keyout private.pem -out public.pem -days 365
 • 91. EXAMPLE: ASYMMETRIC CODE http://codereaper.com/blog/2014/asymmetric-encryption-in-php/
 // public.pem written by the openssl req command above is an X.509 certificate;
 // openssl_get_publickey() extracts the public key from it
 $key = file_get_contents('public.pem');
 $public_key = openssl_get_publickey($key);
 
 $message = "Do not tell my boss, but I did xyz";
 $cipher = $e = null;
 // openssl_seal() encrypts the message with a random symmetric key and encrypts that
 // key to each public key. Without a cipher argument PHP < 8 defaults to RC4;
 // PHP 8 requires the cipher argument (e.g. 'aes-256-cbc', which also needs an $iv argument)
 openssl_seal($message, $cipher, $e, array($public_key));
 
 $sealed_data = base64_encode($cipher);
 $envelope = base64_encode($e[0]);
 • 92. EXAMPLE: ASYMMETRIC CODE http://codereaper.com/blog/2014/asymmetric-encryption-in-php/
 $key = file_get_contents('private.pem');
 // $passphrase is the one entered when openssl req generated private.pem
 $priv_key = openssl_get_privatekey($key, $passphrase);
 $input = base64_decode($sealed_data);
 $einput = base64_decode($envelope);
 
 $message = null;
 // openssl_open() returns false when the envelope key cannot be decrypted with this private key
 openssl_open($input, $message, $einput, $priv_key);
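The seal/open exchange with an explicit cipher and both keys generated in memory, as an added example that is not from the slides or the codereaper.com post; the cipher name and key parameters are assumptions chosen for the example.

```php
<?php
// Added example (not from the slides): hybrid encryption with openssl_seal()/
// openssl_open() using an in-memory RSA key pair and an explicit AES cipher.
// On PHP < 8 openssl_seal() defaulted to RC4 when no cipher was given;
// PHP 8 requires the cipher argument.
$keypair    = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
$public_pem = openssl_pkey_get_details($keypair)['key'];   // what the sender would hold

function seal_message(string $message, string $public_pem): array
{
    $pub = openssl_pkey_get_public($public_pem);
    $sealed = $keys = $iv = null;
    // A random AES key encrypts the message; RSA encrypts that key for each recipient
    if (!openssl_seal($message, $sealed, $keys, [$pub], 'aes-256-cbc', $iv)) {
        throw new RuntimeException('seal failed: ' . openssl_error_string());
    }
    return ['data' => base64_encode($sealed), 'key' => base64_encode($keys[0]), 'iv' => base64_encode($iv)];
}

function open_message(array $envelope, $private_key): string
{
    $message = null;
    $ok = openssl_open(
        base64_decode($envelope['data']),
        $message,
        base64_decode($envelope['key']),
        $private_key,
        'aes-256-cbc',
        base64_decode($envelope['iv'])
    );
    if (!$ok) {
        throw new RuntimeException('open failed: wrong private key or tampered envelope');
    }
    return $message;
}

$envelope = seal_message("Do not tell my boss, but I did xyz", $public_pem);
echo open_message($envelope, $keypair), "\n";

// A different private key cannot recover the session key, so opening fails
$other = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
try {
    open_message($envelope, $other);
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
}
```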
 • 94-96. ENCRYPTION !== PROTECTION
 Data obtained through SQL injection attacks should be relatively secure.
 For us to encrypt/decrypt, we must have access to the key. Therefore, any breach of the system will disclose the key to the attacker, leaving ALL encryption useless.
 Apache environment variables, memory, config files, a password entered during system start, etc. do not keep the key private.
  • 97. AVOID ENCRYPTION AT ALL COSTS! There is no such thing as 100% secure.
 • 98-104. OTHER THINGS TO CONSIDER
 • Encrypt / decrypt on a separate server
 • More overhead and complexity
 • Any server breach can still decrypt data
 • With enough thought and monitoring, you can kill the decryption server to limit the damage done
 • Think about restricting requests per second
 Paranoid about password safety? Consider encrypting the hash. This renders SQL injection and rainbow tables/brute force mostly useless without the key.
 • 105-107. OTHER THINGS TO CONSIDER
 Do you need access to the user's information without them on the system?
 If your user must be present, then consider making them partially responsible for the security. Have them use a second password or passphrase that you can add to your key to use in the encryption.
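One way to fold the user's passphrase into the key, as an added example that is not from the slides: a slow KDF over the passphrase, combined with the server key through HMAC, then AES-256-GCM (an authenticated mode, so the tag takes the place of the separate HMAC from the earlier slides). The KDF parameters and record layout are assumptions; all values are constructed.

```php
<?php
// Added example (not from the slides): combine the server's key with a passphrase
// only the user knows, so neither a stolen server key nor a leaked passphrase alone
// can decrypt the record. hash_pbkdf2() needs PHP 5.5+, GCM needs PHP 7.1+.
$server_key = random_bytes(32);   // constructed; stays on the server (config, KMS, ...)

function derive_record_key(string $server_key, string $user_passphrase, string $salt): string
{
    // Slow KDF over the passphrase so offline guessing is expensive ...
    $user_part = hash_pbkdf2('sha256', $user_passphrase, $salt, 100000, 32, true);
    // ... then bind it to the server key; HMAC-SHA256 acts as the combiner
    return hash_hmac('sha256', $user_part, $server_key, true);
}

function encrypt_record(string $plain, string $key): string
{
    $iv  = random_bytes(12);   // 96-bit nonce, never reused with the same key
    $tag = '';
    // AES-256-GCM is authenticated: the 16-byte tag plays the HMAC's role
    $ct  = openssl_encrypt($plain, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
    return base64_encode($iv . $tag . $ct);
}

function decrypt_record(string $blob, string $key): ?string
{
    $raw = base64_decode($blob, true);
    if ($raw === false || strlen($raw) < 28) {
        return null;
    }
    $plain = openssl_decrypt(substr($raw, 28), 'aes-256-gcm', $key,
                             OPENSSL_RAW_DATA, substr($raw, 0, 12), substr($raw, 12, 16));
    return $plain === false ? null : $plain;   // false = wrong key or tampered record
}

$salt = random_bytes(16);   // store per user, next to the record
$key  = derive_record_key($server_key, 'correct horse battery staple', $salt);
$blob = encrypt_record("Do not tell my boss, but I did xyz", $key);

var_dump(decrypt_record($blob, $key));                                                    // the message
var_dump(decrypt_record($blob, derive_record_key($server_key, 'wrong passphrase', $salt))); // NULL
var_dump(decrypt_record($blob, derive_record_key(random_bytes(32), 'correct horse battery staple', $salt))); // NULL
```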
  • 108. FINAL WORDS... I've learned a ton while preparing this presentation. Thanks especially to Anthony Ferrara (@ircmaxell) http://blog.ircmaxell.com