Intro to PHP Encryption

Eric Mann
November 13, 2018


Modern PHP supports modern encryption: Sodium. This new interface provides a set of opinionated cryptographic primitives that help prevent you from making a costly mistake. Sodium allows symmetric encryption, public/private encryption, and data signing just like you’re used to in other languages. It’s also native to PHP as of version 7.2.

Learn about the new encryption layer provided by PHP and put your new knowledge into action with a hands-on workshop. Attendees will work with an existing application to add a layer of encryption, protecting its data both at rest and in transit.


Transcript

  1. Intro to PHP Encryption (php[world] 2018)

  2. Why Crypto?

     • Your customers’ privacy
     • Your business’ privacy
     • Regulatory compliance
     • The right thing to do
     • It’s easy and fun

  3. PHP 7.2: Enter Libsodium

     • Fork of NaCl
     • Many implementations
     • Originally PECL
     • Core PHP extension
     • MODERN CRYPTO

  4. Symmetric Encryption

  5. Symmetric Encryption Image by SSL2BUY

  6. Symmetric Encryption

     // Generating your encryption key
     $key = random_bytes(SODIUM_CRYPTO_SECRETBOX_KEYBYTES);

     // Using your key to encrypt information
     $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
     $ciphertext = sodium_crypto_secretbox($plaintext, $nonce, $key);

     // Encode the nonce in front of the ciphertext so the receiver can split them again
     $encoded = sodium_bin2hex($nonce . $ciphertext);

  7. Symmetric Encryption

     // Load the same secret key (placeholder: the SODIUM_CRYPTO_SECRETBOX_KEYBYTES-byte key generated earlier)
     $key = '';

     // Decode and split the nonce from the ciphertext
     $decoded = sodium_hex2bin($encoded);
     $nonce = substr($decoded, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
     $ciphertext = substr($decoded, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);

     // Using your key to decrypt information
     $plaintext = sodium_crypto_secretbox_open($ciphertext, $nonce, $key);

     // Check for errors (a failed MAC check returns false rather than garbage)
     if ($plaintext === false) {
         throw new Exception('Bad ciphertext');
     }

  8. Asymmetric Encryption

  9. Asymmetric Encryption Image by SSL2BUY

  10. Asymmetric Encryption

     // On Alice's computer:
     $alice_kp = sodium_crypto_box_keypair();

     // Split the key into public/private components
     $alice_secretkey = sodium_crypto_box_secretkey($alice_kp);
     $alice_publickey = sodium_crypto_box_publickey($alice_kp);

     // On Bob's computer:
     $bob_kp = sodium_crypto_box_keypair();
     $bob_secretkey = sodium_crypto_box_secretkey($bob_kp);
     $bob_publickey = sodium_crypto_box_publickey($bob_kp);

  11. Asymmetric Encryption

     // From Alice to Bob: combine Alice's secret key with Bob's public key
     $alice_to_bob_kp = sodium_crypto_box_keypair_from_secretkey_and_publickey(
         $alice_secretkey,
         $bob_publickey
     );

     // A fresh nonce for every message
     $nonce = random_bytes(SODIUM_CRYPTO_BOX_NONCEBYTES);
     $ciphertext = sodium_crypto_box($message, $nonce, $alice_to_bob_kp);

  12. Asymmetric Encryption

     // Encoding - on Alice's end, nonce first
     $encoded = sodium_bin2hex($nonce . $ciphertext);

     // Decoding - on Bob's end, split the nonce back off
     $decoded = sodium_hex2bin($encoded);
     $nonce = substr($decoded, 0, SODIUM_CRYPTO_BOX_NONCEBYTES);
     $ciphertext = substr($decoded, SODIUM_CRYPTO_BOX_NONCEBYTES);

  13. Asymmetric Encryption

     // On Bob's end: combine Bob's secret key with Alice's public key
     $bob_to_alice_kp = sodium_crypto_box_keypair_from_secretkey_and_publickey(
         $bob_secretkey,
         $alice_publickey
     );

     $plaintext = sodium_crypto_box_open($ciphertext, $nonce, $bob_to_alice_kp);
     if ($plaintext === false) {
         throw new Exception('Bad message or MAC');
     }

  14. Cryptographic Signatures

  15. Cryptographic Signatures Image from Crypto StackExchange

  16. Cryptographic Signatures

     $message = 'php[world] is the best community event of the year!';

     // Generate a keypair
     $sign_kp = sodium_crypto_sign_keypair();
     $sign_secretkey = sodium_crypto_sign_secretkey($sign_kp);
     $sign_publickey = sodium_crypto_sign_publickey($sign_kp);

     // Sign the message (the result carries the signature and the message)
     $signed_msg = sodium_crypto_sign($message, $sign_secretkey);

  17. Cryptographic Signatures - Verification

     $original_msg = sodium_crypto_sign_open($signed_msg, $sign_publickey);

     // Verify the message
     if ($original_msg === false) {
         throw new Exception('Invalid signature');
     } else {
         echo $original_msg; // Displays the original message.
     }

  18. Password Hashing

  19. Password Hashing

     • MD5
     • SHA
     • Blowfish
     • Blake2

  20. Password Hashing
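
Slides 18 to 20 name the algorithms but show no code. As an added example (not from the slides), this is how a PHP 7.2+ application hashes and verifies passwords with Sodium's Argon2id string functions and detects when a stored hash should be upgraded; the demo passwords are constructed.

```php
<?php
declare(strict_types=1);

// Hash a password for storage with sodium_crypto_pwhash_str (Argon2id, salted,
// self-describing string). The INTERACTIVE limits suit login-time checks.
function hash_password(string $password): string
{
    $hash = sodium_crypto_pwhash_str(
        $password,
        SODIUM_CRYPTO_PWHASH_OPSLIMIT_INTERACTIVE,
        SODIUM_CRYPTO_PWHASH_MEMLIMIT_INTERACTIVE
    );
    // Wipe the plaintext password from this variable once it is no longer needed.
    sodium_memzero($password);
    return $hash;
}

// Verify a login attempt against the stored hash. Returns [verified, needs_rehash]:
// needs_rehash is true when the stored hash was made with weaker cost parameters
// than the ones currently configured, so the caller can re-hash after a success.
function verify_password(string $password, string $stored_hash): array
{
    $ok = sodium_crypto_pwhash_str_verify($stored_hash, $password);
    $needs_rehash = $ok && sodium_crypto_pwhash_str_needs_rehash(
        $stored_hash,
        SODIUM_CRYPTO_PWHASH_OPSLIMIT_INTERACTIVE,
        SODIUM_CRYPTO_PWHASH_MEMLIMIT_INTERACTIVE
    );
    sodium_memzero($password);
    return [$ok, $needs_rehash];
}

// Constructed demo: register once, then check a correct and a wrong attempt.
$stored = hash_password('correct horse battery staple');
[$ok, $rehash] = verify_password('correct horse battery staple', $stored);
var_dump($ok, $rehash);
[$ok, $rehash] = verify_password('wrong password', $stored);
var_dump($ok);
```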

  21. Key Derivation

  22. Key Derivation

     // Create a high-entropy master key
     $master_key = sodium_crypto_kdf_keygen();

     // Derive any number of sub-keys. The context must be exactly
     // SODIUM_CRYPTO_KDF_CONTEXTBYTES (8) bytes; the id tells the subkeys apart.
     $s1 = sodium_crypto_kdf_derive_from_key(32, 1, 'Examples', $master_key);
     $s2 = sodium_crypto_kdf_derive_from_key(32, 2, 'Examples', $master_key);
     $sN = sodium_crypto_kdf_derive_from_key(32, 999, 'Examples', $master_key);

  23. Key Derivation

     • The Libsodium API can derive up to 2^64 subkeys
     • 18,446,744,000,000,000,000 possible subkeys
     • Subkeys can have an arbitrary length
       ◦ Between 128 bits (16 bytes) and 512 bits (64 bytes)
  24. Secure Remote Passwords

  25. Secure Remote Passwords

  26. Secure Remote Passwords

  27. Cryptography at Rest
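
Putting slides 22 and 27 together, this added example (not code from the talk) protects a database field at rest: a per-column subkey is derived from one master key with sodium_crypto_kdf_derive_from_key and used with secretbox, and the subkey id is stored beside the ciphertext so keys can be rotated without re-deriving old rows; the context string 'dbcolumn', the storage format and the sample value are assumptions.

```php
<?php
declare(strict_types=1);

// Derive a purpose-specific subkey from the master key. The 8-byte context
// separates key domains; the id lets you rotate without a new master key.
function column_key(string $master_key, int $key_id): string
{
    return sodium_crypto_kdf_derive_from_key(
        SODIUM_CRYPTO_SECRETBOX_KEYBYTES, $key_id, 'dbcolumn', $master_key
    );
}

// Encrypt a field for storage as "<key id>:<hex(nonce . ciphertext)>" (assumed format).
function seal_field(string $master_key, int $key_id, string $value): string
{
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $key   = column_key($master_key, $key_id);
    $box   = sodium_crypto_secretbox($value, $nonce, $key);
    sodium_memzero($key);
    return $key_id . ':' . sodium_bin2hex($nonce . $box);
}

// Decrypt a stored field, re-deriving whichever subkey id it was sealed under.
function open_field(string $master_key, string $stored): string
{
    [$key_id, $hex] = explode(':', $stored, 2);
    $raw   = sodium_hex2bin($hex);
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box   = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $key   = column_key($master_key, (int) $key_id);
    $value = sodium_crypto_secretbox_open($box, $nonce, $key);
    sodium_memzero($key);
    if ($value === false) {
        // Tampered ciphertext or wrong key: the MAC check failed.
        throw new Exception('Bad ciphertext or wrong key');
    }
    return $value;
}

// Constructed demo: the master key would normally live outside the database
// (a secrets manager or environment), never in the same table as the data.
$master = sodium_crypto_kdf_keygen();
$stored = seal_field($master, 1, 'alice@example.com');
echo open_field($master, $stored), PHP_EOL;
```

Rotating to key id 2 only changes the id written by seal_field; rows sealed under id 1 still open because their id travels with the ciphertext.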

  28. Cryptography in Transit

  29. Questions?

  30. Thank You! https://joind.in/talk/95173