Intro to PHP Encryption

46093583d8895095adb1b0071c505af2?s=47 Eric Mann
November 13, 2018
41

Intro to PHP Encryption

Modern PHP supports modern encryption: Sodium. This new interface provides a set of opinionated cryptographic primitives that help prevent you from making a costly mistake. Sodium allows symmetric encryption, public/private encryption, and data signing just like you’re used to in other languages. It’s also native to PHP as of version 7.2.

Learn about the new encryption layer provided by PHP and put your new knowledge into action with a hands-on workshop. Attendees will work with an existing application to add a layer of encryption, protecting its data both at rest and in transit.

46093583d8895095adb1b0071c505af2?s=128

Eric Mann

November 13, 2018
Tweet

Transcript

  1. 2.

    Why Crypto? • Your customers’ privacy • Your business’ privacy

    • Regulatory compliance • The right thing to do • It’s easy and fun
  2. 3.

    PHP 7.2 Enter Libsodium • Fork of NaCl • Many

    implementations • Originally Pecl • Core PHP extension • MODERN CRYPTO
  3. 6.

    Symmetric Encryption // Generating your encryption key $key = random_bytes(SODIUM_CRYPTO_SECRETBOX_KEYBYTES);

    // Using your key to encrypt information $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES); $ciphertext = sodium_crypto_secretbox($plaintext, $nonce, $key); // Encode $encoded = sodium_bin2hex($ciphertext);
  4. 7.

    Symmetric Encryption // Load the same secret key $key =

    ''; // Decode and split $decoded = sodium_hex2bin($encoded); $nonce = substr($encoded, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES); $ciphertext = substr($encoded, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES); // Using your key to decrypt information $plaintext = sodium_crypto_secretbox_open($ciphertext, $nonce, $key); // Check for errors if ($plaintext === false) throw new Exception('Bad ciphertext');
  5. 10.

    Asymmetric Encryption // On Alice's computer: $alice_kp = sodium_crypto_box_keypair(); //

    Split the key into public/private components $alice_secretkey = sodium_crypto_box_secretkey($alice_kp); $alice_publickey = sodium_crypto_box_publickey($alice_kp); // On Bob's computer: $bob_kp = sodium_crypto_box_keypair(); $bob_secretkey = sodium_crypto_box_secretkey($bob_kp); $bob_publickey = sodium_crypto_box_publickey($bob_kp);
  6. 11.

    Asymmetric Encryption // From Alice to Bob $alice_to_bob_kp = sodium_crypto_box_keypair_from_secretkey_and_publickey(

    $alice_secretkey, $bob_publickey ); $message_nonce = random_bytes(SODIUM_CRYPTO_BOX_NONCEBYTES); $ciphertext = sodium_crypto_box( $message, $nonce, $alice_to_bob_kp );
  7. 12.

    Asymmetric Encryption // Encoding - From Alice to Bob $encoded

    = sodium_bin2hex($nonce . $ciphertext); // Decoding - From Bob to Alice $decoded = sodium_hex2bin($encoded); $nonce = substr($decoded, 0, SODIUM_CRYPTO_BOX_NONCEBYTES); $ciphertext = substr($decoded, SODIUM_CRYPTO_BOX_NONCEBYTES);
  8. 13.

    Asymmetric Encryption // On Bob's end $bob_to_alice_kp = sodium_crypto_box_keypair_from_secretkey_and_publickey( $bob_secretkey,

    $alice_publickey ); $plaintext = sodium_crypto_box_open( $ciphertext, $nonce, $bob_to_alice_kp ); if ($plaintext === false) throw new Exception('Bad message or MAC');
  9. 16.

    Cryptographic Signatures $message = 'php[world] is the best community event

    of the year!'; // Generate a keypair $sign_kp = sodium_crypto_sign_keypair(); $sign_secretkey = sodium_crypto_sign_secretkey($sign_kp); $sign_publickey = sodium_crypto_sign_publickey($sign_kp); // Sign the message $signed_msg = sodium_crypto_sign( $message, $alice_sign_secretkey );
  10. 17.

    Cryptographic Signatures - Verification $original_msg = sodium_crypto_sign_open( $signed_msg, $sign_publickey );

    // Verify the message if ($original_msg === false) { throw new Exception('Invalid signature'); } else { echo $original_msg; // Displays the original message. }
  11. 22.

    Key Derivation // Create a high-entropy master key $master_key =

    sodium_crypto_kdf_keygen(); // Derive any number of sub-keys $s1 = sodium_crypto_kdf_derive_from_key(32, 1, 'one', $master_key); $s2 = sodium_crypto_kdf_derive_from_key(32, 2, 'two', $master_key); $sN = sodium_crypto_kdf_derive_from_key(32, 999, 'N', $master_key);
  12. 23.

    Key Derivation • The Libsodium API can derive up to

    2^64 subkeys • 18,446,744,000,000,000,000 possible subkeys • Subkeys can have an arbitrary length ◦ Between 128 (16 bytes) and 512 bits (64 bytes).