SlideShare a Scribd company logo

PHP Identity and Data Security

Jonathan LeBlanc
Jonathan LeBlanc

This document provides an overview of password and data security best practices for PHP applications. It discusses common password attacks and how to protect against them using techniques like salting, key stretching algorithms and two-factor authentication. It also covers encrypting data using symmetric and asymmetric cryptography algorithms like AES, RSA and digital signatures. The document provides code examples for hashing and validating passwords, encrypting and decrypting messages and data at rest or in transit.

Technology
1 of 41
Download to read offline
PHP Identity and Data Security! Jonathan LeBlanc ! Twitter: @jcleblanc ! Book: http://bit.ly/iddatasecurity!
Release Date:! July 2016! ! Book Details:! http://bit.ly/iddatasecurity! Identity & Data Security Book!
Security is Hard!
1: 123456 ! 2: password ! 3: 12345678 ! 4: qwerty ! 5: 12345 ! 6: 123456789! 7: football! 8: 1234! 9: 1234567! Top Passwords of 2015! 10: baseball! 11: welcome! 12: 1234567890! 13: abc123! 14: 111111! 15: 1qaz2wsx! 16: dragon! 17: master! 18: monkey! 19: letmein! 20: login! 21: princess! 22: qwertyuiop! 23: solo! 24: passw0rd! 25: starwars!
Protecting Identity!
Password Attack Vectors!
Brute Force Attacks! Calculate all key variations within a given length, then trying each one until the password is guessed. ! Protect via: Key stretching, CAPTCHA, 2FA! ! Dictionary Attacks! Use a list of predetermined words/phrase to guess password.! Protect via: Salting! ! Rainbow Tables! Use precalculated password hashes to break encryption.! Protect via: Salting ! Protecting Against Password Attacks!
Salting and Peppering!
//hashing identical messages with no salt! hash('mechagodzilla') = ! 162e0a91026a28f1f2afa11099d1fcbdd9f2e351095ebb196c90e10290ef1227! hash('mechagodzilla') = ! 162e0a91026a28f1f2afa11099d1fcbdd9f2e351095ebb196c90e10290ef1227! ! //hashing identical messages with random salt! hash('mechagodzilla' + '458cf2979ef27397db67077775225334') = ! f3499a916612e285612b32702114751f557a70606c32b54b92de55153d40d3b6! hash('mechagodzilla' + 'ef5b72eff781b09a0784438af742dd6e') = ! 7e29c5c48f44755598dec3549155ad66f1af4671091353be4c4d7694d71dc866! hash('mechagodzilla' + 'cc989b105a1c6a5f0fb460e29dd272f3') = ! 6dedd3dbb0639e6e00ca0bf6272c141fb741e24925cb7548491479a1df2c215e! Hashing with and without salts!
Storing Salts! Store alongside the hash! ! Salt Reuse! Salts should be be unique per password! ! Salt Length! Same size as hash? 64 bits? 128 bits?! Considerations when using Salts!
bcrypt! Designed for password security, based on the blowfish cipher, CPU & RAM intensive.! ! PBKDF2! Comes from RSA laboratories, performs the HMAC (hash + key) over a specific number of iterations.! ! scrypt! Designed to make it costly to perform large-scale hardware attacks by requiring large amounts of memory! Password Encryption Algorithms!
! //fetch password from user creation request! $password = $_POST['password'];! ! //salt option deprecated in PHP 7.0.0+! $options = [! 'cost' => 12! ];! ! //create 60 character hash, with default unique salt, and options ! $hash = password_hash($password, PASSWORD_BCRYPT, $options);! ! //STORE HASH IN USER DATABASE RECORD! //SALT IS BUILT INTO HASH! Hashing with bcrypt!
//fetch login request information! $username = $_POST['username'];! $password = $_POST['password'];! ! //fetch user record from database! $user = fetchDBRecord($username);! ! //verify if login attempt password matches stored user hash! if (password_verify($password, $user->hash)){! echo "password matches";! } else {! echo "password doesn't match";! }! Login Hash Comparison with bcrypt!
! ! //fetch password from user creation request! $password = $_POST['password'];! ! //set iterations and random initialization vector! $iterations = 1000;! $salt = mcrypt_create_iv(16, MCRYPT_DEV_URANDOM);! ! //hash password using sha256! $hash = hash_pbkdf2("sha256", $password, $salt, $iterations, 20);! ! //STORE HASH AND SALT IN USER DATABASE RECORD! Hashing with PBKDF2!
! //fetch login request info and set iterations! $username = $_POST['username'];! $password = $_POST['password'];! $iterations = 1000;! ! //fetch user record from database! $user = fetchDBRecord($username);! ! //manually hash the login attempt password! $loginhash = hash_pbkdf2("sha256", $password, $user->salt, $iterations, 20);! ! //validate if hashes match! if (hash_equals ($loginhash, $user->hash)){ ! echo 'password match';! } else {! echo 'password mismatch';! }! ! Login Hash Comparison with PBKDF2!
Protecting Data!
Ideal Scenario: SSL/TLS!
Domain Validation (DV)! Certificate authority (CA) validates domain access only! Certificate Types!
Organization Validation (OV)! ! CA validates DV and basic organization information! Certificate Types!
Extended Validation (EV)! CA validates DV, OV, and legal existance of the organization! Certificate Types!
//generate private key and self-signed certificate valid for 1 year! openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout server.key -out server.crt! Generate your self-signed certificate and private key!
//update httpd.conf file to enable SSL (uncomment the following)! #LoadModule ssl_module libexec/apache2/mod_ssl.so! #Include /private/etc/apache2/extra/httpd-ssl.conf! ! //update httpd-ssl.conf file for CRT location! SSLCertificateFile "/private/etc/apache2/server.crt"! ! //copy crt and private key files to above location! cp server.crt server.key /private/etc/apache2/! Configuring SSL capabilities and setting certificates on Apache server!
<VirtualHost *:443>! #general virtual hosts information! DocumentRoot "/Users/jleblanc/localhost/ssltest"! ServerName ssltest! ErrorLog "/private/var/log/apache2/local.example.com-error_log"! CustomLog "/private/var/log/apache2/local.example.com-access_log" common! ! #SSL details! SSLEngine on! SSLCertificateFile "/private/etc/apache2/server.crt”! SSLCertificateKeyFile "/private/etc/apache2/server.key"! ! #SSL engine options! <FilesMatch ".(cgi|shtml|phtml|php)$">! SSLOptions +StdEnvVars! </FilesMatch>! <Directory "/Library/WebServer/CGI-Executables">! SSLOptions +StdEnvVars! </Directory>! </VirtualHost>! Update httpd-vhosts.conf!
Synchronous Cryptography!
Single User Environment!
Encryption (ECB, CBC, OFB, CFB, CTR)! Data privacy and confidentiality mode. Attacker cannot obtain info on the plaintext data.! ! Authentication(CMAC)! Data authenticity mode. Receiver can validate whether cleartext came from intended sender.! ! Authenticated Encryption (CCM, GCM, KW/KWP/TKW)! Includes both data privacy and authenticity.! Modes of Operation!
//set initialization data! $numbytes = 16;! $strongcrypto = true;! $mode = 'aes-256-cbc';! $message = 'my secure message';! ! //creation initialization vector and shared private key! $iv = openssl_random_pseudo_bytes($numbytes, $strongcrypto);! $key = openssl_random_pseudo_bytes($numbytes, $strongcrypto);! ! //create ciphertext with no options! $ciphertext = openssl_encrypt($message, $mode, $key, 0, $iv);! Configuring and encrypting message!
//----! // data sent to server: iv, ciphertext! // data known by server: key! //----! ! //set algorithm and mode! $mode = 'aes-256-cbc’;! ! //decrypt provided cipher! $decrypted = openssl_decrypt($ciphertext, $mode, $key, 0, $iv);! Decrypting ciphertext!
//display block ciphers and modes! print_r(openssl_get_cipher_methods());! Getting all available ciphers and modes !
Asynchronous Cryptography!
Multi-User Environment!
//create private key in private.key! openssl genrsa -out private.key 2048! ! //create public key in public.pem! openssl rsa -in private.key -outform PEM -pubout -out public.pem! Generating Public / Private Keys!
//set public key data from files and object to send! $public_key = openssl_get_publickey(file_get_contents('public.pem'));! $data = '{"message": "my super secure message"}';! ! //encrypt object and public keys! openssl_seal($data, $encrypted, $encpub, array($public_key));! ! //encrypted data and encrypted public key! $sealed_data = base64_encode($encrypted);! $envelope = base64_encode($encpub[0]);! ! //SEND SEALED DATA AND ENVELOPE TO RECIPIENT! Preparing Message, Encrypting, and Signing!
//OBTAIN SEALED DATA AND ENVELOPE FROM SENDER! ! //set private key data! $private_key = openssl_get_privatekey(file_get_contents('private.key'));! ! //decode data! $sealed_data = base64_decode($sealed_data);! $envelope = base64_decode($envelope);! ! //rypt data using private key! openssl_open($sealed_data, $plaintext, $envelope, $private_key);! ! //decrypted message available in $plaintext! Decrypting and Verifying Message!
Security Fundamentals Wrapup!
Thank You!! Jonathan LeBlanc ! Twitter: @jcleblanc ! Book: http://bit.ly/iddatasecurity!

Recommended

Node.js Authentication and Data Security
Node.js Authentication and Data SecurityNode.js Authentication and Data Security
Node.js Authentication and Data Security
Jonathan LeBlanc
 
Secure Payments Over Mixed Communication Media
Secure Payments Over Mixed Communication MediaSecure Payments Over Mixed Communication Media
Secure Payments Over Mixed Communication Media
Jonathan LeBlanc
 
Secure Payments Over Mixed Communication Media
Secure Payments Over Mixed Communication MediaSecure Payments Over Mixed Communication Media
Secure Payments Over Mixed Communication Media
Jonathan LeBlanc
 
Protecting the Future of Mobile Payments
Protecting the Future of Mobile PaymentsProtecting the Future of Mobile Payments
Protecting the Future of Mobile Payments
Jonathan LeBlanc
 
Token Based Authentication Systems
Token Based Authentication SystemsToken Based Authentication Systems
Token Based Authentication SystemsHüseyin BABAL
 
Mac OS X Lion で作る WordPress local 環境
Mac OS X Lion で作る WordPress local 環境Mac OS X Lion で作る WordPress local 環境
Mac OS X Lion で作る WordPress local 環境
Yuriko IKEDA
 
I Don't Care About Security (And Neither Should You)
I Don't Care About Security (And Neither Should You)I Don't Care About Security (And Neither Should You)
I Don't Care About Security (And Neither Should You)
Joel Lord
 
Token Based Authentication Systems with AngularJS & NodeJS
Token Based Authentication Systems with AngularJS & NodeJSToken Based Authentication Systems with AngularJS & NodeJS
Token Based Authentication Systems with AngularJS & NodeJS
Hüseyin BABAL
 

Recommended

Node.js Authentication and Data Security
Node.js Authentication and Data SecurityNode.js Authentication and Data Security
Node.js Authentication and Data Security
Jonathan LeBlanc
 
Secure Payments Over Mixed Communication Media
Secure Payments Over Mixed Communication MediaSecure Payments Over Mixed Communication Media
Secure Payments Over Mixed Communication Media
Jonathan LeBlanc
 
Secure Payments Over Mixed Communication Media
Secure Payments Over Mixed Communication MediaSecure Payments Over Mixed Communication Media
Secure Payments Over Mixed Communication Media
Jonathan LeBlanc
 
Protecting the Future of Mobile Payments
Protecting the Future of Mobile PaymentsProtecting the Future of Mobile Payments
Protecting the Future of Mobile Payments
Jonathan LeBlanc
 
Token Based Authentication Systems
Token Based Authentication SystemsToken Based Authentication Systems
Token Based Authentication SystemsHüseyin BABAL
 
Mac OS X Lion で作る WordPress local 環境
Mac OS X Lion で作る WordPress local 環境Mac OS X Lion で作る WordPress local 環境
Mac OS X Lion で作る WordPress local 環境
Yuriko IKEDA
 
I Don't Care About Security (And Neither Should You)
I Don't Care About Security (And Neither Should You)I Don't Care About Security (And Neither Should You)
I Don't Care About Security (And Neither Should You)
Joel Lord
 
Token Based Authentication Systems with AngularJS & NodeJS
Token Based Authentication Systems with AngularJS & NodeJSToken Based Authentication Systems with AngularJS & NodeJS
Token Based Authentication Systems with AngularJS & NodeJS
Hüseyin BABAL
 
Couchdb w Ruby'm
Couchdb w Ruby'mCouchdb w Ruby'm
Couchdb w Ruby'mStanisław Wasiutyński
 
I Don't Care About Security (And Neither Should You)
I Don't Care About Security (And Neither Should You)I Don't Care About Security (And Neither Should You)
I Don't Care About Security (And Neither Should You)
Joel Lord
 
Redis
RedisRedis
RedisPuneet Kumar
 
Building Secure User Interfaces With JWTs (JSON Web Tokens)
Building Secure User Interfaces With JWTs (JSON Web Tokens)Building Secure User Interfaces With JWTs (JSON Web Tokens)
Building Secure User Interfaces With JWTs (JSON Web Tokens)
Stormpath
 
PHP Experience 2016 - [Palestra] Json Web Token (JWT)
PHP Experience 2016 - [Palestra] Json Web Token (JWT)PHP Experience 2016 - [Palestra] Json Web Token (JWT)
PHP Experience 2016 - [Palestra] Json Web Token (JWT)
iMasters
 
Modern API Security with JSON Web Tokens
Modern API Security with JSON Web TokensModern API Security with JSON Web Tokens
Modern API Security with JSON Web Tokens
Jonathan LeBlanc
 
Automated Testing
Automated TestingAutomated Testing
Automated Testing
Speed FC
 
บท7
บท7บท7
บท7kiddy67
 
CGI.pm - 3ло?!
CGI.pm - 3ло?!CGI.pm - 3ло?!
CGI.pm - 3ло?!Anatoly Sharifulin
 
MongoDB: How it Works
MongoDB: How it WorksMongoDB: How it Works
MongoDB: How it Works
Mike Dirolf
 
Talk NullByteCon 2015
Talk NullByteCon 2015Talk NullByteCon 2015
Talk NullByteCon 2015
Roberto Soares
 
Django cryptography
Django cryptographyDjango cryptography
Django cryptographyErik LaBianca
 
JSOP in 60 seconds
JSOP in 60 secondsJSOP in 60 seconds
JSOP in 60 seconds
David Nuescheler
 
JSON Web Tokens (JWT)
JSON Web Tokens (JWT)JSON Web Tokens (JWT)
JSON Web Tokens (JWT)
Vladimir Dzhuvinov
 
F2e security
F2e securityF2e security
F2e securityjay li
 
Cookies
CookiesCookies
Cookies
amuthadeepa
 
Riak at The NYC Cloud Computing Meetup Group
Riak at The NYC Cloud Computing Meetup GroupRiak at The NYC Cloud Computing Meetup Group
Riak at The NYC Cloud Computing Meetup Group
siculars
 
Password Storage And Attacking In PHP - PHP Argentina
Password Storage And Attacking In PHP - PHP ArgentinaPassword Storage And Attacking In PHP - PHP Argentina
Password Storage And Attacking In PHP - PHP Argentina
Anthony Ferrara
 
Biting into the forbidden fruit. Lessons from trusting Javascript crypto.
Biting into the forbidden fruit. Lessons from trusting Javascript crypto.Biting into the forbidden fruit. Lessons from trusting Javascript crypto.
Biting into the forbidden fruit. Lessons from trusting Javascript crypto.
Krzysztof Kotowicz
 
Cargo Cult Security at OpenWest
Cargo Cult Security at OpenWestCargo Cult Security at OpenWest
Cargo Cult Security at OpenWest
Derrick Isaacson
 
Web security
Web securityWeb security
Web securitydavidahaskins
 
CIS14: I Left My JWT in San JOSE
CIS14: I Left My JWT in San JOSECIS14: I Left My JWT in San JOSE
CIS14: I Left My JWT in San JOSE
CloudIDSummit
 

More Related Content

What's hot

I Don't Care About Security (And Neither Should You)
I Don't Care About Security (And Neither Should You)I Don't Care About Security (And Neither Should You)
I Don't Care About Security (And Neither Should You)
Joel Lord
 
Building Secure User Interfaces With JWTs (JSON Web Tokens)
Building Secure User Interfaces With JWTs (JSON Web Tokens)Building Secure User Interfaces With JWTs (JSON Web Tokens)
Building Secure User Interfaces With JWTs (JSON Web Tokens)
Stormpath
 
PHP Experience 2016 - [Palestra] Json Web Token (JWT)
PHP Experience 2016 - [Palestra] Json Web Token (JWT)PHP Experience 2016 - [Palestra] Json Web Token (JWT)
PHP Experience 2016 - [Palestra] Json Web Token (JWT)
iMasters
 
Modern API Security with JSON Web Tokens
Modern API Security with JSON Web TokensModern API Security with JSON Web Tokens
Modern API Security with JSON Web Tokens
Jonathan LeBlanc
 
Automated Testing
Automated TestingAutomated Testing
Automated Testing
Speed FC
 
MongoDB: How it Works
MongoDB: How it WorksMongoDB: How it Works
MongoDB: How it Works
Mike Dirolf
 
Talk NullByteCon 2015
Talk NullByteCon 2015Talk NullByteCon 2015
Talk NullByteCon 2015
Roberto Soares
 
JSOP in 60 seconds
JSOP in 60 secondsJSOP in 60 seconds
JSOP in 60 seconds
David Nuescheler
 
JSON Web Tokens (JWT)
JSON Web Tokens (JWT)JSON Web Tokens (JWT)
JSON Web Tokens (JWT)
Vladimir Dzhuvinov
 
F2e security
F2e securityF2e security
F2e securityjay li
 
Cookies
CookiesCookies
Cookies
amuthadeepa
 
Riak at The NYC Cloud Computing Meetup Group
Riak at The NYC Cloud Computing Meetup GroupRiak at The NYC Cloud Computing Meetup Group
Riak at The NYC Cloud Computing Meetup Group
siculars
 
Password Storage And Attacking In PHP - PHP Argentina
Password Storage And Attacking In PHP - PHP ArgentinaPassword Storage And Attacking In PHP - PHP Argentina
Password Storage And Attacking In PHP - PHP Argentina
Anthony Ferrara
 

What's hot (18)

Couchdb w Ruby'm
Couchdb w Ruby'mCouchdb w Ruby'm
Couchdb w Ruby'm
 
I Don't Care About Security (And Neither Should You)
I Don't Care About Security (And Neither Should You)I Don't Care About Security (And Neither Should You)
I Don't Care About Security (And Neither Should You)
 
Redis
RedisRedis
Redis
 
Building Secure User Interfaces With JWTs (JSON Web Tokens)
Building Secure User Interfaces With JWTs (JSON Web Tokens)Building Secure User Interfaces With JWTs (JSON Web Tokens)
Building Secure User Interfaces With JWTs (JSON Web Tokens)
 
PHP Experience 2016 - [Palestra] Json Web Token (JWT)
PHP Experience 2016 - [Palestra] Json Web Token (JWT)PHP Experience 2016 - [Palestra] Json Web Token (JWT)
PHP Experience 2016 - [Palestra] Json Web Token (JWT)
 
Modern API Security with JSON Web Tokens
Modern API Security with JSON Web TokensModern API Security with JSON Web Tokens
Modern API Security with JSON Web Tokens
 
Automated Testing
Automated TestingAutomated Testing
Automated Testing
 
บท7
บท7บท7
บท7
 
CGI.pm - 3ло?!
CGI.pm - 3ло?!CGI.pm - 3ло?!
CGI.pm - 3ло?!
 
MongoDB: How it Works
MongoDB: How it WorksMongoDB: How it Works
MongoDB: How it Works
 
Talk NullByteCon 2015
Talk NullByteCon 2015Talk NullByteCon 2015
Talk NullByteCon 2015
 
Django cryptography
Django cryptographyDjango cryptography
Django cryptography
 
JSOP in 60 seconds
JSOP in 60 secondsJSOP in 60 seconds
JSOP in 60 seconds
 
JSON Web Tokens (JWT)
JSON Web Tokens (JWT)JSON Web Tokens (JWT)
JSON Web Tokens (JWT)
 
F2e security
F2e securityF2e security
F2e security
 
Cookies
CookiesCookies
Cookies
 
Riak at The NYC Cloud Computing Meetup Group
Riak at The NYC Cloud Computing Meetup GroupRiak at The NYC Cloud Computing Meetup Group
Riak at The NYC Cloud Computing Meetup Group
 
Password Storage And Attacking In PHP - PHP Argentina
Password Storage And Attacking In PHP - PHP ArgentinaPassword Storage And Attacking In PHP - PHP Argentina
Password Storage And Attacking In PHP - PHP Argentina
 

Similar to PHP Identity and Data Security

Biting into the forbidden fruit. Lessons from trusting Javascript crypto.
Biting into the forbidden fruit. Lessons from trusting Javascript crypto.Biting into the forbidden fruit. Lessons from trusting Javascript crypto.
Biting into the forbidden fruit. Lessons from trusting Javascript crypto.
Krzysztof Kotowicz
 
Cargo Cult Security at OpenWest
Cargo Cult Security at OpenWestCargo Cult Security at OpenWest
Cargo Cult Security at OpenWest
Derrick Isaacson
 
CIS14: I Left My JWT in San JOSE
CIS14: I Left My JWT in San JOSECIS14: I Left My JWT in San JOSE
CIS14: I Left My JWT in San JOSE
CloudIDSummit
 
Maximize your Cache for No Cash
Maximize your Cache for No CashMaximize your Cache for No Cash
Maximize your Cache for No Cash
Yorick Phoenix
 
Building Secure User Interfaces With JWTs
Building Secure User Interfaces With JWTsBuilding Secure User Interfaces With JWTs
Building Secure User Interfaces With JWTs
robertjd
 
Cargo Cult Security UJUG Sep2015
Cargo Cult Security UJUG Sep2015Cargo Cult Security UJUG Sep2015
Cargo Cult Security UJUG Sep2015
Derrick Isaacson
 
Two scoops of Django - Security Best Practices
Two scoops of Django - Security Best PracticesTwo scoops of Django - Security Best Practices
Two scoops of Django - Security Best Practices
Spin Lai
 
Breaking Vaults - Stealing Lastpass Protected Secrets by Martin Vigo
Breaking Vaults - Stealing Lastpass Protected Secrets by Martin VigoBreaking Vaults - Stealing Lastpass Protected Secrets by Martin Vigo
Breaking Vaults - Stealing Lastpass Protected Secrets by Martin Vigo
Shakacon
 
Breaking vaults: Stealing Lastpass protected secrets
Breaking vaults: Stealing Lastpass protected secretsBreaking vaults: Stealing Lastpass protected secrets
Breaking vaults: Stealing Lastpass protected secrets
Martin Vigo
 
Web application security
Web application securityWeb application security
Web application security
Ravi Raj
 
User Credential handling in Web Applications done right
User Credential handling in Web Applications done rightUser Credential handling in Web Applications done right
User Credential handling in Web Applications done right
tladesignz
 
Roberto Bicchierai - Defending web applications from attacks
Roberto Bicchierai - Defending web applications from attacksRoberto Bicchierai - Defending web applications from attacks
Roberto Bicchierai - Defending web applications from attacks
Pietro Polsinelli
 
Cargo Cult Security 2014_01_18
Cargo Cult Security 2014_01_18Cargo Cult Security 2014_01_18
Cargo Cult Security 2014_01_18
Derrick Isaacson
 
Third Party Auth in WebObjects
Third Party Auth in WebObjectsThird Party Auth in WebObjects
Third Party Auth in WebObjectsWO Community
 
FrontInBahia 2014: 10 dicas de desempenho para apps mobile híbridas
FrontInBahia 2014: 10 dicas de desempenho para apps mobile híbridasFrontInBahia 2014: 10 dicas de desempenho para apps mobile híbridas
FrontInBahia 2014: 10 dicas de desempenho para apps mobile híbridas
Loiane Groner
 
CODE BLUE 2014 : マイクロソフトの脆弱性調査 : ベンダーでありながら発見者となるために by デイヴィッド・シードマン David Se...
CODE BLUE 2014 : マイクロソフトの脆弱性調査 : ベンダーでありながら発見者となるために by デイヴィッド・シードマン David Se...CODE BLUE 2014 : マイクロソフトの脆弱性調査 : ベンダーでありながら発見者となるために by デイヴィッド・シードマン David Se...
CODE BLUE 2014 : マイクロソフトの脆弱性調査 : ベンダーでありながら発見者となるために by デイヴィッド・シードマン David Se...
CODE BLUE
 
Application Security around OWASP Top 10
Application Security around OWASP Top 10Application Security around OWASP Top 10
Application Security around OWASP Top 10
Sastry Tumuluri
 
H4x0rs gonna hack
H4x0rs gonna hackH4x0rs gonna hack
H4x0rs gonna hack
Xchym Hiệp
 
Evolution Of Web Security
Evolution Of Web SecurityEvolution Of Web Security
Evolution Of Web Security
Chris Shiflett
 

Similar to PHP Identity and Data Security (20)

Biting into the forbidden fruit. Lessons from trusting Javascript crypto.
Biting into the forbidden fruit. Lessons from trusting Javascript crypto.Biting into the forbidden fruit. Lessons from trusting Javascript crypto.
Biting into the forbidden fruit. Lessons from trusting Javascript crypto.
 
Cargo Cult Security at OpenWest
Cargo Cult Security at OpenWestCargo Cult Security at OpenWest
Cargo Cult Security at OpenWest
 
Web security
Web securityWeb security
Web security
 
CIS14: I Left My JWT in San JOSE
CIS14: I Left My JWT in San JOSECIS14: I Left My JWT in San JOSE
CIS14: I Left My JWT in San JOSE
 
Maximize your Cache for No Cash
Maximize your Cache for No CashMaximize your Cache for No Cash
Maximize your Cache for No Cash
 
Building Secure User Interfaces With JWTs
Building Secure User Interfaces With JWTsBuilding Secure User Interfaces With JWTs
Building Secure User Interfaces With JWTs
 
Cargo Cult Security UJUG Sep2015
Cargo Cult Security UJUG Sep2015Cargo Cult Security UJUG Sep2015
Cargo Cult Security UJUG Sep2015
 
Two scoops of Django - Security Best Practices
Two scoops of Django - Security Best PracticesTwo scoops of Django - Security Best Practices
Two scoops of Django - Security Best Practices
 
Breaking Vaults - Stealing Lastpass Protected Secrets by Martin Vigo
Breaking Vaults - Stealing Lastpass Protected Secrets by Martin VigoBreaking Vaults - Stealing Lastpass Protected Secrets by Martin Vigo
Breaking Vaults - Stealing Lastpass Protected Secrets by Martin Vigo
 
Breaking vaults: Stealing Lastpass protected secrets
Breaking vaults: Stealing Lastpass protected secretsBreaking vaults: Stealing Lastpass protected secrets
Breaking vaults: Stealing Lastpass protected secrets
 
Web application security
Web application securityWeb application security
Web application security
 
User Credential handling in Web Applications done right
User Credential handling in Web Applications done rightUser Credential handling in Web Applications done right
User Credential handling in Web Applications done right
 
Roberto Bicchierai - Defending web applications from attacks
Roberto Bicchierai - Defending web applications from attacksRoberto Bicchierai - Defending web applications from attacks
Roberto Bicchierai - Defending web applications from attacks
 
Cargo Cult Security 2014_01_18
Cargo Cult Security 2014_01_18Cargo Cult Security 2014_01_18
Cargo Cult Security 2014_01_18
 
Third Party Auth in WebObjects
Third Party Auth in WebObjectsThird Party Auth in WebObjects
Third Party Auth in WebObjects
 
FrontInBahia 2014: 10 dicas de desempenho para apps mobile híbridas
FrontInBahia 2014: 10 dicas de desempenho para apps mobile híbridasFrontInBahia 2014: 10 dicas de desempenho para apps mobile híbridas
FrontInBahia 2014: 10 dicas de desempenho para apps mobile híbridas
 
CODE BLUE 2014 : マイクロソフトの脆弱性調査 : ベンダーでありながら発見者となるために by デイヴィッド・シードマン David Se...
CODE BLUE 2014 : マイクロソフトの脆弱性調査 : ベンダーでありながら発見者となるために by デイヴィッド・シードマン David Se...CODE BLUE 2014 : マイクロソフトの脆弱性調査 : ベンダーでありながら発見者となるために by デイヴィッド・シードマン David Se...
CODE BLUE 2014 : マイクロソフトの脆弱性調査 : ベンダーでありながら発見者となるために by デイヴィッド・シードマン David Se...
 
Application Security around OWASP Top 10
Application Security around OWASP Top 10Application Security around OWASP Top 10
Application Security around OWASP Top 10
 
H4x0rs gonna hack
H4x0rs gonna hackH4x0rs gonna hack
H4x0rs gonna hack
 
Evolution Of Web Security
Evolution Of Web SecurityEvolution Of Web Security
Evolution Of Web Security
 

More from Jonathan LeBlanc

JavaScript App Security: Auth and Identity on the Client
JavaScript App Security: Auth and Identity on the ClientJavaScript App Security: Auth and Identity on the Client
JavaScript App Security: Auth and Identity on the Client
Jonathan LeBlanc
 
Improving Developer Onboarding Through Intelligent Data Insights
Improving Developer Onboarding Through Intelligent Data InsightsImproving Developer Onboarding Through Intelligent Data Insights
Improving Developer Onboarding Through Intelligent Data Insights
Jonathan LeBlanc
 
Better Data with Machine Learning and Serverless
Better Data with Machine Learning and ServerlessBetter Data with Machine Learning and Serverless
Better Data with Machine Learning and Serverless
Jonathan LeBlanc
 
Best Practices for Application Development with Box
Best Practices for Application Development with BoxBest Practices for Application Development with Box
Best Practices for Application Development with Box
Jonathan LeBlanc
 
Box Platform Overview
Box Platform OverviewBox Platform Overview
Box Platform Overview
Jonathan LeBlanc
 
Box Platform Developer Workshop
Box Platform Developer WorkshopBox Platform Developer Workshop
Box Platform Developer Workshop
Jonathan LeBlanc
 
Modern Cloud Data Security Practices
Modern Cloud Data Security PracticesModern Cloud Data Security Practices
Modern Cloud Data Security Practices
Jonathan LeBlanc
 
Box Authentication Types
Box Authentication TypesBox Authentication Types
Box Authentication Types
Jonathan LeBlanc
 
Understanding Box UI Elements
Understanding Box UI ElementsUnderstanding Box UI Elements
Understanding Box UI Elements
Jonathan LeBlanc
 
Understanding Box applications, tokens, and scoping
Understanding Box applications, tokens, and scopingUnderstanding Box applications, tokens, and scoping
Understanding Box applications, tokens, and scoping
Jonathan LeBlanc
 
The Future of Online Money: Creating Secure Payments Globally
The Future of Online Money: Creating Secure Payments GloballyThe Future of Online Money: Creating Secure Payments Globally
The Future of Online Money: Creating Secure Payments Globally
Jonathan LeBlanc
 
Creating an In-Aisle Purchasing System from Scratch
Creating an In-Aisle Purchasing System from ScratchCreating an In-Aisle Purchasing System from Scratch
Creating an In-Aisle Purchasing System from Scratch
Jonathan LeBlanc
 
Protecting the Future of Mobile Payments
Protecting the Future of Mobile PaymentsProtecting the Future of Mobile Payments
Protecting the Future of Mobile Payments
Jonathan LeBlanc
 
Future of Identity, Data, and Wearable Security
Future of Identity, Data, and Wearable SecurityFuture of Identity, Data, and Wearable Security
Future of Identity, Data, and Wearable Security
Jonathan LeBlanc
 
Kill All Passwords
Kill All PasswordsKill All Passwords
Kill All Passwords
Jonathan LeBlanc
 
BattleHack Los Angeles
BattleHack Los Angeles BattleHack Los Angeles
BattleHack Los Angeles
Jonathan LeBlanc
 
Building a Mobile Location Aware System with Beacons
Building a Mobile Location Aware System with BeaconsBuilding a Mobile Location Aware System with Beacons
Building a Mobile Location Aware System with Beacons
Jonathan LeBlanc
 
Identity in the Future of Embeddables & Wearables
Identity in the Future of Embeddables & WearablesIdentity in the Future of Embeddables & Wearables
Identity in the Future of Embeddables & Wearables
Jonathan LeBlanc
 
Internet Security and Trends
Internet Security and TrendsInternet Security and Trends
Internet Security and Trends
Jonathan LeBlanc
 
Rebuilding Commerce
Rebuilding CommerceRebuilding Commerce
Rebuilding Commerce
Jonathan LeBlanc
 

More from Jonathan LeBlanc (20)

JavaScript App Security: Auth and Identity on the Client
JavaScript App Security: Auth and Identity on the ClientJavaScript App Security: Auth and Identity on the Client
JavaScript App Security: Auth and Identity on the Client
 
Improving Developer Onboarding Through Intelligent Data Insights
Improving Developer Onboarding Through Intelligent Data InsightsImproving Developer Onboarding Through Intelligent Data Insights
Improving Developer Onboarding Through Intelligent Data Insights
 
Better Data with Machine Learning and Serverless
Better Data with Machine Learning and ServerlessBetter Data with Machine Learning and Serverless
Better Data with Machine Learning and Serverless
 
Best Practices for Application Development with Box
Best Practices for Application Development with BoxBest Practices for Application Development with Box
Best Practices for Application Development with Box
 
Box Platform Overview
Box Platform OverviewBox Platform Overview
Box Platform Overview
 
Box Platform Developer Workshop
Box Platform Developer WorkshopBox Platform Developer Workshop
Box Platform Developer Workshop
 
Modern Cloud Data Security Practices
Modern Cloud Data Security PracticesModern Cloud Data Security Practices
Modern Cloud Data Security Practices
 
Box Authentication Types
Box Authentication TypesBox Authentication Types
Box Authentication Types
 
Understanding Box UI Elements
Understanding Box UI ElementsUnderstanding Box UI Elements
Understanding Box UI Elements
 
Understanding Box applications, tokens, and scoping
Understanding Box applications, tokens, and scopingUnderstanding Box applications, tokens, and scoping
Understanding Box applications, tokens, and scoping
 
The Future of Online Money: Creating Secure Payments Globally
The Future of Online Money: Creating Secure Payments GloballyThe Future of Online Money: Creating Secure Payments Globally
The Future of Online Money: Creating Secure Payments Globally
 
Creating an In-Aisle Purchasing System from Scratch
Creating an In-Aisle Purchasing System from ScratchCreating an In-Aisle Purchasing System from Scratch
Creating an In-Aisle Purchasing System from Scratch
 
Protecting the Future of Mobile Payments
Protecting the Future of Mobile PaymentsProtecting the Future of Mobile Payments
Protecting the Future of Mobile Payments
 
Future of Identity, Data, and Wearable Security
Future of Identity, Data, and Wearable SecurityFuture of Identity, Data, and Wearable Security
Future of Identity, Data, and Wearable Security
 
Kill All Passwords
Kill All PasswordsKill All Passwords
Kill All Passwords
 
BattleHack Los Angeles
BattleHack Los Angeles BattleHack Los Angeles
BattleHack Los Angeles
 
Building a Mobile Location Aware System with Beacons
Building a Mobile Location Aware System with BeaconsBuilding a Mobile Location Aware System with Beacons
Building a Mobile Location Aware System with Beacons
 
Identity in the Future of Embeddables & Wearables
Identity in the Future of Embeddables & WearablesIdentity in the Future of Embeddables & Wearables
Identity in the Future of Embeddables & Wearables
 
Internet Security and Trends
Internet Security and TrendsInternet Security and Trends
Internet Security and Trends
 
Rebuilding Commerce
Rebuilding CommerceRebuilding Commerce
Rebuilding Commerce
 

Recently uploaded

Artificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopmentArtificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopment
Octavian Nadolu
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
James Anderson
 
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptxSecstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
nkrafacyberclub
 
Introduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - CybersecurityIntroduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - Cybersecurity
mikeeftimakis1
 
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
James Anderson
 
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
SOFTTECHHUB
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Albert Hoitingh
 
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AI
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AIEnchancing adoption of Open Source Libraries. A case study on Albumentations.AI
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AI
Vladimir Iglovikov, Ph.D.
 
Video Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the FutureVideo Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the Future
Alpen-Adria-Universität
 
Free Complete Python - A step towards Data Science
Free Complete Python - A step towards Data ScienceFree Complete Python - A step towards Data Science
Free Complete Python - A step towards Data Science
RinaMondal9
 
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdfUni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems S.M.S.A.
 
Essentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FMEEssentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FME
Safe Software
 
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
SOFTTECHHUB
 
UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6
DianaGray10
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
Laura Byrne
 
Mind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AIMind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AI
Kumud Singh
 
20240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 202420240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 2024
Matthew Sinclair
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
ControlCase
 
Microsoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdfMicrosoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdf
Uni Systems S.M.S.A.
 
20240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 202420240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 2024
Matthew Sinclair
 

Recently uploaded (20)

Artificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopmentArtificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopment
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
 
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptxSecstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
 
Introduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - CybersecurityIntroduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - Cybersecurity
 
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
 
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
 
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AI
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AIEnchancing adoption of Open Source Libraries. A case study on Albumentations.AI
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AI
 
Video Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the FutureVideo Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the Future
 
Free Complete Python - A step towards Data Science
Free Complete Python - A step towards Data ScienceFree Complete Python - A step towards Data Science
Free Complete Python - A step towards Data Science
 
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdfUni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdf
 
Essentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FMEEssentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FME
 
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
 
UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
 
Mind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AIMind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AI
 
20240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 202420240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 2024
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
 
Microsoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdfMicrosoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdf
 
20240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 202420240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 2024
 

PHP Identity and Data Security

  • 1. PHP Identity and Data Security! Jonathan LeBlanc ! Twitter: @jcleblanc ! Book: http://bit.ly/iddatasecurity!
  • 2. Release Date:! July 2016! ! Book Details:! http://bit.ly/iddatasecurity! Identity & Data Security Book!
  • 4. 1: 123456 ! 2: password ! 3: 12345678 ! 4: qwerty ! 5: 12345 ! 6: 123456789! 7: football! 8: 1234! 9: 1234567! Top Passwords of 2015! 10: baseball! 11: welcome! 12: 1234567890! 13: abc123! 14: 111111! 15: 1qaz2wsx! 16: dragon! 17: master! 18: monkey! 19: letmein! 20: login! 21: princess! 22: qwertyuiop! 23: solo! 24: passw0rd! 25: starwars!
  • 5.
  • 8. Brute Force Attacks! Calculate all key variations within a given length, then trying each one until the password is guessed. ! Protect via: Key stretching, CAPTCHA, 2FA! ! Dictionary Attacks! Use a list of predetermined words/phrase to guess password.! Protect via: Salting! ! Rainbow Tables! Use precalculated password hashes to break encryption.! Protect via: Salting ! Protecting Against Password Attacks!
  • 10. //hashing identical messages with no salt! hash('mechagodzilla') = ! 162e0a91026a28f1f2afa11099d1fcbdd9f2e351095ebb196c90e10290ef1227! hash('mechagodzilla') = ! 162e0a91026a28f1f2afa11099d1fcbdd9f2e351095ebb196c90e10290ef1227! ! //hashing identical messages with random salt! hash('mechagodzilla' + '458cf2979ef27397db67077775225334') = ! f3499a916612e285612b32702114751f557a70606c32b54b92de55153d40d3b6! hash('mechagodzilla' + 'ef5b72eff781b09a0784438af742dd6e') = ! 7e29c5c48f44755598dec3549155ad66f1af4671091353be4c4d7694d71dc866! hash('mechagodzilla' + 'cc989b105a1c6a5f0fb460e29dd272f3') = ! 6dedd3dbb0639e6e00ca0bf6272c141fb741e24925cb7548491479a1df2c215e! Hashing with and without salts!
  • 11. Storing Salts! Store alongside the hash! ! Salt Reuse! Salts should be be unique per password! ! Salt Length! Same size as hash? 64 bits? 128 bits?! Considerations when using Salts!
  • 12. bcrypt! Designed for password security, based on the blowfish cipher, CPU & RAM intensive.! ! PBKDF2! Comes from RSA laboratories, performs the HMAC (hash + key) over a specific number of iterations.! ! scrypt! Designed to make it costly to perform large-scale hardware attacks by requiring large amounts of memory! Password Encryption Algorithms!
  • 13. ! //fetch password from user creation request! $password = $_POST['password'];! ! //salt option deprecated in PHP 7.0.0+! $options = [! 'cost' => 12! ];! ! //create 60 character hash, with default unique salt, and options ! $hash = password_hash($password, PASSWORD_BCRYPT, $options);! ! //STORE HASH IN USER DATABASE RECORD! //SALT IS BUILT INTO HASH! Hashing with bcrypt!
  • 14. //fetch login request information! $username = $_POST['username'];! $password = $_POST['password'];! ! //fetch user record from database! $user = fetchDBRecord($username);! ! //verify if login attempt password matches stored user hash! if (password_verify($password, $user->hash)){! echo "password matches";! } else {! echo "password doesn't match";! }! Login Hash Comparison with bcrypt!
  • 15. ! ! //fetch password from user creation request! $password = $_POST['password'];! ! //set iterations and random initialization vector! $iterations = 1000;! $salt = mcrypt_create_iv(16, MCRYPT_DEV_URANDOM);! ! //hash password using sha256! $hash = hash_pbkdf2("sha256", $password, $salt, $iterations, 20);! ! //STORE HASH AND SALT IN USER DATABASE RECORD! Hashing with PBKDF2!
  • 16. ! //fetch login request info and set iterations! $username = $_POST['username'];! $password = $_POST['password'];! $iterations = 1000;! ! //fetch user record from database! $user = fetchDBRecord($username);! ! //manually hash the login attempt password! $loginhash = hash_pbkdf2("sha256", $password, $user->salt, $iterations, 20);! ! //validate if hashes match! if (hash_equals ($loginhash, $user->hash)){ ! echo 'password match';! } else {! echo 'password mismatch';! }! ! Login Hash Comparison with PBKDF2!
  • 19. Domain Validation (DV)! Certificate authority (CA) validates domain access only! Certificate Types!
  • 20. Organization Validation (OV)! ! CA validates DV and basic organization information! Certificate Types!
  • 21. Extended Validation (EV)! CA validates DV, OV, and legal existance of the organization! Certificate Types!
  • 22.
  • 23. //generate private key and self-signed certificate valid for 1 year! openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout server.key -out server.crt! Generate your self-signed certificate and private key!
  • 24. //update httpd.conf file to enable SSL (uncomment the following)! #LoadModule ssl_module libexec/apache2/mod_ssl.so! #Include /private/etc/apache2/extra/httpd-ssl.conf! ! //update httpd-ssl.conf file for CRT location! SSLCertificateFile "/private/etc/apache2/server.crt"! ! //copy crt and private key files to above location! cp server.crt server.key /private/etc/apache2/! Configuring SSL capabilities and setting certificates on Apache server!
  • 25. <VirtualHost *:443>! #general virtual hosts information! DocumentRoot "/Users/jleblanc/localhost/ssltest"! ServerName ssltest! ErrorLog "/private/var/log/apache2/local.example.com-error_log"! CustomLog "/private/var/log/apache2/local.example.com-access_log" common! ! #SSL details! SSLEngine on! SSLCertificateFile "/private/etc/apache2/server.crt”! SSLCertificateKeyFile "/private/etc/apache2/server.key"! ! #SSL engine options! <FilesMatch ".(cgi|shtml|phtml|php)$">! SSLOptions +StdEnvVars! </FilesMatch>! <Directory "/Library/WebServer/CGI-Executables">! SSLOptions +StdEnvVars! </Directory>! </VirtualHost>! Update httpd-vhosts.conf!
  • 26.
  • 28.
  • 30. Encryption (ECB, CBC, OFB, CFB, CTR)! Data privacy and confidentiality mode. Attacker cannot obtain info on the plaintext data.! ! Authentication(CMAC)! Data authenticity mode. Receiver can validate whether cleartext came from intended sender.! ! Authenticated Encryption (CCM, GCM, KW/KWP/TKW)! Includes both data privacy and authenticity.! Modes of Operation!
  • 31. //set initialization data! $numbytes = 16;! $strongcrypto = true;! $mode = 'aes-256-cbc';! $message = 'my secure message';! ! //creation initialization vector and shared private key! $iv = openssl_random_pseudo_bytes($numbytes, $strongcrypto);! $key = openssl_random_pseudo_bytes($numbytes, $strongcrypto);! ! //create ciphertext with no options! $ciphertext = openssl_encrypt($message, $mode, $key, 0, $iv);! Configuring and encrypting message!
  • 32. //----! // data sent to server: iv, ciphertext! // data known by server: key! //----! ! //set algorithm and mode! $mode = 'aes-256-cbc’;! ! //decrypt provided cipher! $decrypted = openssl_decrypt($ciphertext, $mode, $key, 0, $iv);! Decrypting ciphertext!
  • 33. //display block ciphers and modes! print_r(openssl_get_cipher_methods());! Getting all available ciphers and modes !
  • 35.
  • 37. //create private key in private.key! openssl genrsa -out private.key 2048! ! //create public key in public.pem! openssl rsa -in private.key -outform PEM -pubout -out public.pem! Generating Public / Private Keys!
  • 38. //set public key data from files and object to send! $public_key = openssl_get_publickey(file_get_contents('public.pem'));! $data = '{"message": "my super secure message"}';! ! //encrypt object and public keys! openssl_seal($data, $encrypted, $encpub, array($public_key));! ! //encrypted data and encrypted public key! $sealed_data = base64_encode($encrypted);! $envelope = base64_encode($encpub[0]);! ! //SEND SEALED DATA AND ENVELOPE TO RECIPIENT! Preparing Message, Encrypting, and Signing!
  • 39. //OBTAIN SEALED DATA AND ENVELOPE FROM SENDER! ! //set private key data! $private_key = openssl_get_privatekey(file_get_contents('private.key'));! ! //decode data! $sealed_data = base64_decode($sealed_data);! $envelope = base64_decode($envelope);! ! //rypt data using private key! openssl_open($sealed_data, $plaintext, $envelope, $private_key);! ! //decrypted message available in $plaintext! Decrypting and Verifying Message!
  • 41. Thank You!! Jonathan LeBlanc ! Twitter: @jcleblanc ! Book: http://bit.ly/iddatasecurity!

Editor's Notes

  1. Where to store the salt Salt Reuse Salt Length
  2. Password attack vectors
  3. Where to store the salt Salt Reuse Salt Length
  4. Examples of not using a salt vs using a salt
  5. Moore’s law – computing power doubles every 2 years
  6. Examples of not using a salt vs using a salt
  7. Examples of not using a salt vs using a salt
  8. Examples of not using a salt vs using a salt
  9. Examples of not using a salt vs using a salt