The document summarizes advances in cryptography introduced in PHP 7.2, highlighting significant changes such as the deprecation of SSL in favor of TLS and the introduction of the sodium library for secure cryptographic operations. It discusses new features like strong authentication methods, modern encryption algorithms, and simple interfaces for implementing security practices. Additionally, it provides examples of key generation, encryption, and hashing functions using the sodium library.

1. @adam_englander
PHP[TEK] 2018
Wifi:
Sheraton Conference
Pass: phptek2018
Twitter:
#phptek
Rate the Talks
https://joind.in/event/phptek-2018

2. @adam_englander
Cryptography Advances
in PHP 7.2
Adam Englander
Software Architect, iovation

3. @adam_englander
Half of the changes identified in the
PHP7.2.0 release announcements
were related to cryptography.

4. @adam_englander
SSL is Dead!
Long live TLS!

5. @adam_englander
Streams
ssl:// is now an alias of tls://

6. @adam_englander
Steam Defaults
STREAM_CRYPTO_METHOD_TLS_SERVER,
STREAM_CRYPTO_METHOD_TLS_CLIENT,
and tls:// default to
TLSv1.0 + TLSv1.1 + TLSv1.2
Instead of TLSv1.0 only

7. @adam_englander
Goodbye MCrypt!

8. @adam_englander

9. @adam_englander
Hello NaCl!
(Sodium)

10. @adam_englander
Easy, Secure, and Fast

11. @adam_englander
Easy Like Laravel

12. @adam_englander
Opinionated for your pleasure

13. @adam_englander
Simplifies Common Tasks

14. @adam_englander
Does a Lot of Heavy Lifting

15. @adam_englander
Secure Like the Phantom Zone

16. @adam_englander
Strong Authenticated Encryption

17. @adam_englander
Modern Algorithms
Poly1305
XSalsa20ChaCha20
Argon2i
Blake2

18. @adam_englander
Helpers for Security

19. @adam_englander
Constant-Time Test for Equality
"abcdefg" == "hijklmnop"
sodium_memcmp("abcdefg", "hijklmnop")
"abcdefg" == "abcdefq"
sodium_memcmp("abcdefg", "abcdefq")

20. @adam_englander
String Memory Overwrite
sodium_memzero($value);
$value = "000000";
$value = "secret";

21. @adam_englander
Fast Like the Millennium Falcon

22. @adam_englander
ChaCha20 vs AES
https://security.googleblog.com/2014/04/speeding-up-and-strengthening-https.html

23. @adam_englander
BLAKE2 vs Everything
https://blake2.net/

24. @adam_englander
Key Derivation
a.k.a. password hashing

25. @adam_englander
Argon2i

26. @adam_englander
Best in Class

27. @adam_englander
Blake2 Inside

28. @adam_englander
Time based rather count based
iterations

29. @adam_englander
Parallelism and Memory
Requirements

30. @adam_englander
Exposed via Password Function

31. @adam_englander
scrypt without PECL

32. @adam_englander
Hashing
Generic hashing

33. @adam_englander
Blake2b for data validation

34. @adam_englander
SipHash-2-4 for short hashes

35. @adam_englander
Symmetric Key Encryption
a.k.a secret key encryption

36. @adam_englander
Authenticated encryption via
auth tag

37. @adam_englander
Stream based encryption

38. @adam_englander
Encrypted message sets

39. @adam_englander
XSalsa20-Poly1305

40. @adam_englander
AES256-GCM if you like pain

41. @adam_englander
Asymmetric Key Cryptography
a.k.a. public key encryption

42. @adam_englander
MAC authenticated encryption

43. @adam_englander
Signatures can be attached or
detached

44. @adam_englander
XSalsa20-Poly1305

45. @adam_englander
Example

46. @adam_englander
Ed25519 signatures

47. @adam_englander
Key Exchange
Use with care!

48. @adam_englander
Examples

49. @adam_englander
Encryption

50. @adam_englander
Key Generation
$keyPair = sodium_crypto_box_keypair();

51. @adam_englander
Getting Public/Private Key Pairs
$secretKey = sodium_crypto_box_secretkey(
$keyPair);
$publicKey = sodium_crypto_box_publickey(
$keyPair);

52. @adam_englander
Creating Mixed Key Pairs
sodium_crypto_box_keypair_from_secretkey_and_publickey(
$mySecretKey, $theirPublicKey
);

53. @adam_englander
Encryption
$nonce = random_bytes(
SODIUM_CRYPTO_BOX_NONCEBYTES);
$ciphertext = sodium_crypto_box(
"Hello ,World!",
$nonce,
$keyPair);

54. @adam_englander
Decryption
$plaintext = sodium_crypto_box_open(
$ciphertext, $nonce, $keyPair);

55. @adam_englander
Digital Signatures

56. @adam_englander
Key Generation
$keyPair = sodium_crypto_sign_keypair();

57. @adam_englander
Getting Public/Private Key Pairs
$secretKey = sodium_crypto_sign_secretkey(
$keyPair);
$publicKey = sodium_crypto_sign_publickey(
$keyPair);

58. @adam_englander
Signing
$signedMsg = sodium_crypto_sign(
"Hello, World!",
$secretKey
);

59. @adam_englander
Signature Verification
$originalMsg = sodium_crypto_sign_open(
$signedMsg,
$publicKey
);
if ($originalMsg === false) {
throw new Exception("Fail!");
}

60. @adam_englander
Hashing

61. @adam_englander
Standard Hash
$h = sodium_crypto_generichash("Msg");
print base64_encode($h);
URvIHd4RGAg4xWLIK7NfMiP0YGHr3kqVXCez9InPHgM=

62. @adam_englander
Signed Hash
$key = random_bytes(
SODIUM_CRYPTO_GENERICHASH_KEYBYTES);
$h = sodium_crypto_generichash(
"Msg", $key);
print base64_encode($h);
/qV2j5MfGBjJ9g60PQnnQYSt1Y/1csjJzq37C1pE4SE=

63. @adam_englander
Short Hash
$key = random_bytes(
SODIUM_CRYPTO_SHORTHASH_KEYBYTES);
$h = sodium_crypto_shorthash(
"Msg", $key);
print base64_encode($h);
eCTWVTKkkKw=

64. @adam_englander
Key Derivation

65. @adam_englander
Create KDF Hash
$hash = sodium_crypto_pwhash_str(
'Password',
SODIUM_CRYPTO_PWHASH_OPSLIMIT_INTERACTIVE,
SODIUM_CRYPTO_PWHASH_MEMLIMIT_INTERACTIVE
);
print base64_encode($hash);
$argon2id$v=19$m=65536,t=2,p=1$qCcD3BqZjmbYEFMKxgsUjA$5BzYYNuACwp3Zq
p29QnT9upRxVZykU/P8isst91uKYE==

66. @adam_englander
Verify KDF Hash
sodium_crypto_pwhash_str_verify(
$hash,
'Password'
);

67. @adam_englander
Password Extension

68. @adam_englander
Create Password Hash
$hash = password_hash(
'Password',
PASSWORD_ARGON2I
);
$argon2i$v=19$m=1024,t=2,p=2$WW15cG1NLjR0cXZET3Nzeg$ImFwKTaVgDHme95M
ROV5S9ssG+e458gdpLz9Cwwiba8

69. @adam_englander
Resources
https://download.libsodium.org/doc/
https://paragonie.com/book/pecl-libsodium
http://php.net/manual/en/book.sodium.php
http://php.net/manual/en/function.password-hash.php

70. @adam_englander
Thanks to
Our Sponsors

71. @adam_englander
Rate This Talk
https://joind.in/talk/48fbd