PHP Identity and Data Security
Jonathan LeBlanc
Twitter: @jcleblanc
Book: http://bit.ly/iddatasecurity

Release Date: July 2016
Book Details: http://bit.ly/iddatasecurity
Identity & Data Security Book
Security is Hard

Top Passwords of 2015
1: 123456
2: password
3: 12345678
4: qwerty
5: 12345
6: 123456789
7: football
8: 1234
9: 1234567
10: baseball
11: welcome
12: 1234567890
13: abc123
14: 111111
15: 1qaz2wsx
16: dragon
17: master
18: monkey
19: letmein
20: login
21: princess
22: qwertyuiop
23: solo
24: passw0rd
25: starwars
Protecting Identity
Password Attack Vectors

Brute Force Attacks
Calculate all key variations within a given length, then try each one until the password is guessed.
Protect via: Key stretching, CAPTCHA, 2FA

Dictionary Attacks
Use a list of predetermined words/phrases to guess the password.
Protect via: Salting

Rainbow Tables
Use precalculated password hashes to break encryption.
Protect via: Salting
Protecting Against Password Attacks
Salting and Peppering

//hashing identical messages with no salt
hash('mechagodzilla') =
    162e0a91026a28f1f2afa11099d1fcbdd9f2e351095ebb196c90e10290ef1227
hash('mechagodzilla') =
    162e0a91026a28f1f2afa11099d1fcbdd9f2e351095ebb196c90e10290ef1227

//hashing identical messages with random salt
hash('mechagodzilla' + '458cf2979ef27397db67077775225334') =
    f3499a916612e285612b32702114751f557a70606c32b54b92de55153d40d3b6
hash('mechagodzilla' + 'ef5b72eff781b09a0784438af742dd6e') =
    7e29c5c48f44755598dec3549155ad66f1af4671091353be4c4d7694d71dc866
hash('mechagodzilla' + 'cc989b105a1c6a5f0fb460e29dd272f3') =
    6dedd3dbb0639e6e00ca0bf6272c141fb741e24925cb7548491479a1df2c215e
Hashing with and without salts

Storing Salts
Store alongside the hash

Salt Reuse
Salts should be unique per password

Salt Length
Same size as hash? 64 bits? 128 bits?
Considerations when using Salts

bcrypt
Designed for password security, based on the blowfish cipher, CPU & RAM intensive.

PBKDF2
Comes from RSA laboratories, performs the HMAC (hash + key) over a specific number of iterations.

scrypt
Designed to make it costly to perform large-scale hardware attacks by requiring large amounts of memory
Password Encryption Algorithms

//fetch password from user creation request
$password = $_POST['password'];

//salt option deprecated in PHP 7.0.0+
$options = [
    'cost' => 12
];

//create 60 character hash, with default unique salt, and options
$hash = password_hash($password, PASSWORD_BCRYPT, $options);

//STORE HASH IN USER DATABASE RECORD
//SALT IS BUILT INTO HASH
Hashing with bcrypt

//fetch login request information
$username = $_POST['username'];
$password = $_POST['password'];

//fetch user record from database
$user = fetchDBRecord($username);

//verify if login attempt password matches stored user hash
if (password_verify($password, $user->hash)){
    echo "password matches";
} else {
    echo "password doesn't match";
}
Login Hash Comparison with bcrypt
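
The login check above, extended as an added example that is not part of the original slides: it does the same bcrypt work for unknown usernames and re-hashes a stored password when the configured cost has been raised. The `$users` array, the `login()` function and the sample account are constructed for illustration and stand in for the database lookup; PHP 7.4 or later is assumed.

```php
<?php
// Added example, not from the slides. $users is a constructed in-memory
// stand-in for the user table (username => stored hash).

const BCRYPT_OPTIONS = ['cost' => 12];

function login(array &$users, string $username, string $password): bool
{
    // Throwaway hash checked when the username is unknown, so a miss costs
    // the same bcrypt work as a hit and does not reveal which names exist.
    // bin2hex keeps NUL bytes out of the bcrypt input.
    static $dummy = null;
    $dummy ??= password_hash(bin2hex(random_bytes(16)), PASSWORD_BCRYPT, BCRYPT_OPTIONS);

    $known = isset($users[$username]);
    $hash = $known ? $users[$username] : $dummy;

    // password_verify reads the cost and salt from the hash string itself
    $ok = password_verify($password, $hash) && $known;

    // Hash was made with an older cost: replace it while the plaintext is
    // still in memory, so raising 'cost' later needs no password resets.
    if ($ok && password_needs_rehash($hash, PASSWORD_BCRYPT, BCRYPT_OPTIONS)) {
        $users[$username] = password_hash($password, PASSWORD_BCRYPT, BCRYPT_OPTIONS);
    }
    return $ok;
}

// Constructed record: created earlier with cost 10
$users = ['mothra' => password_hash('correct horse', PASSWORD_BCRYPT, ['cost' => 10])];

var_dump(login($users, 'mothra', 'correct horse'));  // right password
var_dump(login($users, 'mothra', 'wrong guess'));    // wrong password
var_dump(login($users, 'nobody', 'correct horse'));  // unknown user

// cost recorded in the stored hash after the successful login
var_dump(password_get_info($users['mothra'])['options']['cost']);
```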

//fetch password from user creation request
$password = $_POST['password'];

//set iterations and random salt
//(1000 is the slide's value; use the highest count your login latency allows)
$iterations = 1000;
//random_bytes replaces mcrypt_create_iv, which was removed in PHP 7.2
$salt = random_bytes(16);

//hash password using sha256 (20 hex characters of output)
$hash = hash_pbkdf2("sha256", $password, $salt, $iterations, 20);

//STORE HASH AND SALT IN USER DATABASE RECORD
Hashing with PBKDF2

//fetch login request info and set iterations
$username = $_POST['username'];
$password = $_POST['password'];
$iterations = 1000;

//fetch user record from database
$user = fetchDBRecord($username);

//manually hash the login attempt password
$loginhash = hash_pbkdf2("sha256", $password, $user->salt, $iterations, 20);

//validate if hashes match in constant time (stored hash goes first)
if (hash_equals($user->hash, $loginhash)){
    echo 'password match';
} else {
    echo 'password mismatch';
}

Login Hash Comparison with PBKDF2
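
One way to apply the "store alongside the hash" and "unique per password" points from the salt considerations to PBKDF2, as an added example that is not part of the original slides: the algorithm label, iteration count, salt and hash are kept in one string, so the iteration count can be raised later without breaking older records. The record layout, the function names and the default iteration count are assumptions made for this example.

```php
<?php
// Added example, not from the slides. Record layout (an assumption):
//   pbkdf2-sha256$<iterations>$<base64 salt>$<base64 hash>

function pbkdf2Create(string $password, int $iterations = 600000): string
{
    $salt = random_bytes(16);   // fresh 128-bit salt for every password
    $hash = hash_pbkdf2('sha256', $password, $salt, $iterations, 32, true);
    return implode('$', [
        'pbkdf2-sha256', $iterations, base64_encode($salt), base64_encode($hash),
    ]);
}

function pbkdf2Verify(string $password, string $record): bool
{
    $parts = explode('$', $record);
    if (count($parts) !== 4 || $parts[0] !== 'pbkdf2-sha256') {
        return false;
    }
    // parameters come from the record, not from a constant in the code
    $iterations = ctype_digit($parts[1]) ? (int) $parts[1] : 0;
    $salt = base64_decode($parts[2], true);
    $expected = base64_decode($parts[3], true);
    if ($iterations < 1 || !is_string($salt) || !is_string($expected) || $expected === '') {
        return false;
    }
    $actual = hash_pbkdf2('sha256', $password, $salt, $iterations, strlen($expected), true);
    return hash_equals($expected, $actual);   // constant-time comparison
}

// Constructed demo: the same password stored twice yields different records
$a = pbkdf2Create('mechagodzilla');
$b = pbkdf2Create('mechagodzilla');
var_dump($a === $b);                              // records differ because salts differ
var_dump(pbkdf2Verify('mechagodzilla', $a));      // correct password
var_dump(pbkdf2Verify('mechagodzilla', $b));      // correct password, other record
var_dump(pbkdf2Verify('godzilla', $a));           // wrong password

// A record written earlier with a lower count still verifies
$old = pbkdf2Create('mechagodzilla', 1000);
var_dump(pbkdf2Verify('mechagodzilla', $old));
```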

Protecting Data
Ideal Scenario: SSL/TLS

Domain Validation (DV)
Certificate authority (CA) validates domain access only

Organization Validation (OV)
CA validates DV and basic organization information

Extended Validation (EV)
CA validates DV, OV, and legal existence of the organization
Certificate Types

#generate private key and self-signed certificate valid for 1 year
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout server.key -out server.crt
Generate your self-signed certificate and private key

//update httpd.conf file to enable SSL (uncomment the following)
#LoadModule ssl_module libexec/apache2/mod_ssl.so
#Include /private/etc/apache2/extra/httpd-ssl.conf

//update httpd-ssl.conf file for CRT location
SSLCertificateFile "/private/etc/apache2/server.crt"

//copy crt and private key files to above location
cp server.crt server.key /private/etc/apache2/
Configuring SSL capabilities and setting certificates on Apache server

<VirtualHost *:443>
    #general virtual hosts information
    DocumentRoot "/Users/jleblanc/localhost/ssltest"
    ServerName ssltest
    ErrorLog "/private/var/log/apache2/local.example.com-error_log"
    CustomLog "/private/var/log/apache2/local.example.com-access_log" common

    #SSL details
    SSLEngine on
    SSLCertificateFile "/private/etc/apache2/server.crt"
    SSLCertificateKeyFile "/private/etc/apache2/server.key"

    #SSL engine options
    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory "/Library/WebServer/CGI-Executables">
        SSLOptions +StdEnvVars
    </Directory>
</VirtualHost>
Update httpd-vhosts.conf

Synchronous Cryptography
Single User Environment

Encryption (ECB, CBC, OFB, CFB, CTR)
Data privacy and confidentiality mode. Attacker cannot obtain info on the plaintext data.

Authentication (CMAC)
Data authenticity mode. Receiver can validate whether cleartext came from intended sender.

Authenticated Encryption (CCM, GCM, KW/KWP/TKW)
Includes both data privacy and authenticity.
Modes of Operation

//set initialization data
$strongcrypto = true;
$mode = 'aes-256-cbc';
$ivbytes = openssl_cipher_iv_length($mode); //16 for AES in CBC mode
$keybytes = 32; //aes-256 needs a 256-bit key; a shorter key is silently zero-padded
$message = 'my secure message';

//create initialization vector and shared private key
$iv = openssl_random_pseudo_bytes($ivbytes, $strongcrypto);
$key = openssl_random_pseudo_bytes($keybytes, $strongcrypto);

//create ciphertext with no options (output is base64 encoded)
$ciphertext = openssl_encrypt($message, $mode, $key, 0, $iv);
Configuring and encrypting message

//----
// data sent to server: iv, ciphertext
// data known by server: key
//----

//set algorithm and mode
$mode = 'aes-256-cbc';

//decrypt provided cipher
$decrypted = openssl_decrypt($ciphertext, $mode, $key, 0, $iv);
Decrypting ciphertext
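
The CBC example above gives confidentiality only. The following added example, which is not part of the original slides, uses the GCM authenticated-encryption mode listed under Modes of Operation and shows decryption refusing a ciphertext that was altered in transit. The function names, the packed layout (IV, tag, ciphertext) and the sample message handling are assumptions made for this example; PHP 8 is assumed.

```php
<?php
// Added example, not from the slides. Packed layout (an assumption):
//   base64( iv | 16-byte tag | ciphertext )

const GCM_CIPHER = 'aes-256-gcm';
const GCM_TAG_BYTES = 16;

function encryptMessage(string $message, string $key): string
{
    // 12-byte IV for GCM; it must never repeat under the same key
    $iv = random_bytes(openssl_cipher_iv_length(GCM_CIPHER));
    $tag = '';
    $ciphertext = openssl_encrypt($message, GCM_CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($ciphertext === false) {
        throw new RuntimeException('encryption failed');
    }
    return base64_encode($iv . $tag . $ciphertext);
}

function decryptMessage(string $packed, string $key): ?string
{
    $raw = base64_decode($packed, true);
    $ivlen = openssl_cipher_iv_length(GCM_CIPHER);
    if ($raw === false || strlen($raw) < $ivlen + GCM_TAG_BYTES) {
        return null;    // malformed input
    }
    $iv = substr($raw, 0, $ivlen);
    $tag = substr($raw, $ivlen, GCM_TAG_BYTES);
    $ciphertext = substr($raw, $ivlen + GCM_TAG_BYTES);

    // returns false when the tag does not match the key, IV and ciphertext
    $plaintext = openssl_decrypt($ciphertext, GCM_CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag);
    return $plaintext === false ? null : $plaintext;
}

$key = random_bytes(32);    // 256-bit shared key
$packed = encryptMessage('my secure message', $key);
var_dump(decryptMessage($packed, $key));    // original message

// Constructed tampering: flip one bit in the last ciphertext byte
$raw = base64_decode($packed);
$last = strlen($raw) - 1;
$raw[$last] = chr(ord($raw[$last]) ^ 1);
var_dump(decryptMessage(base64_encode($raw), $key));    // rejected

// A different key is rejected the same way
var_dump(decryptMessage($packed, random_bytes(32)));
```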

//display block ciphers and modes
print_r(openssl_get_cipher_methods());
Getting all available ciphers and modes

Asynchronous Cryptography
Multi-User Environment

#create private key in private.key
openssl genrsa -out private.key 2048

#create public key in public.pem
openssl rsa -in private.key -outform PEM -pubout -out public.pem
Generating Public / Private Keys

//set public key data from files and object to send
$public_key = openssl_get_publickey(file_get_contents('public.pem'));
$data = '{"message": "my super secure message"}';

//encrypt object with a random key, then encrypt that key with the public key
//(the cipher must be named on PHP 8+; openssl_seal fills in $iv)
$cipher = 'aes-256-cbc';
openssl_seal($data, $encrypted, $encpub, array($public_key), $cipher, $iv);

//encrypted data, encrypted envelope key and initialization vector
$sealed_data = base64_encode($encrypted);
$envelope = base64_encode($encpub[0]);
$iv = base64_encode($iv);

//SEND SEALED DATA, ENVELOPE AND IV TO RECIPIENT
Preparing Message, Encrypting, and Signing

//OBTAIN SEALED DATA, ENVELOPE AND IV FROM SENDER

//set private key data
$private_key = openssl_get_privatekey(file_get_contents('private.key'));

//decode data
$sealed_data = base64_decode($sealed_data);
$envelope = base64_decode($envelope);
$iv = base64_decode($iv);

//decrypt data using private key (same cipher the sender used)
openssl_open($sealed_data, $plaintext, $envelope, $private_key, 'aes-256-cbc', $iv);

//decrypted message available in $plaintext
Decrypting and Verifying Message

Security Fundamentals Wrapup

Thank You!
Jonathan LeBlanc
Twitter: @jcleblanc
Book: http://bit.ly/iddatasecurity

Editor's Notes

  • #4 Where to store the salt Salt Reuse Salt Length
  • #7 Password attack vectors
  • #8 Where to store the salt Salt Reuse Salt Length
  • #10 Examples of not using a salt vs using a salt
  • #11 Moore’s law – computing power doubles every 2 years
  • #13 Examples of not using a salt vs using a salt
  • #14 Examples of not using a salt vs using a salt
  • #15 Examples of not using a salt vs using a salt
  • #16 Examples of not using a salt vs using a salt