Intro to PHP Encryption

Eric Mann
November 13, 2018

Modern PHP supports modern encryption: Sodium. This new interface provides a set of opinionated cryptographic primitives that help prevent you from making a costly mistake. Sodium allows symmetric encryption, public/private encryption, and data signing just like you’re used to in other languages. It’s also native to PHP as of version 7.2.

Learn about the new encryption layer provided by PHP and put your new knowledge into action with a hands-on workshop. Attendees will work with an existing application to add a layer of encryption, protecting its data both at rest and in transit.

Transcript

  1. Intro to PHP Encryption
    php[world] 2018

  2. Why Crypto?
    ● Your customers’ privacy
    ● Your business’ privacy
    ● Regulatory compliance
    ● The right thing to do
    ● It’s easy and fun

  3. PHP 7.2
    Enter Libsodium
    ● Fork of NaCl
    ● Many implementations
    ● Originally Pecl
    ● Core PHP extension
    ● MODERN CRYPTO

  4. Symmetric Encryption

  5. Symmetric Encryption
    Image by SSL2BUY

  6. Symmetric Encryption
    // Generating your encryption key
    $key = random_bytes(SODIUM_CRYPTO_SECRETBOX_KEYBYTES);
    // Using your key to encrypt information
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $ciphertext = sodium_crypto_secretbox($plaintext, $nonce, $key);
    // Encode the nonce together with the ciphertext so the receiver can split them
    $encoded = sodium_bin2hex($nonce . $ciphertext);

  7. Symmetric Encryption
    // Load the same secret key (placeholder: use the key generated at encryption time)
    $key = '';
    // Decode and split
    $decoded = sodium_hex2bin($encoded);
    $nonce = substr($decoded, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $ciphertext = substr($decoded, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    // Using your key to decrypt information
    $plaintext = sodium_crypto_secretbox_open($ciphertext, $nonce, $key);
    // Check for errors
    if ($plaintext === false) throw new Exception('Bad ciphertext');
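
The two slides above, combined into one round trip with the failure cases handled. This is an added example, not code from the slides; `seal_message()` and `open_message()` are illustrative names and the sample plaintext is constructed.

```php
<?php
// Added example (not from the slides): envelope = hex(nonce || ciphertext).
// seal_message() and open_message() are illustrative names, not Sodium functions.

function seal_message(string $plaintext, string $key): string
{
    // A fresh random nonce per message; never reuse a nonce with the same key.
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $ciphertext = sodium_crypto_secretbox($plaintext, $nonce, $key);
    return sodium_bin2hex($nonce . $ciphertext);
}

function open_message(string $encoded, string $key): string
{
    try {
        $decoded = sodium_hex2bin($encoded);
    } catch (SodiumException $e) {
        throw new RuntimeException('Envelope is not valid hex');
    }
    // The envelope must hold at least a nonce plus the authentication tag.
    $min = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if (strlen($decoded) < $min) {
        throw new RuntimeException('Envelope too short');
    }
    $nonce = substr($decoded, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $ciphertext = substr($decoded, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plaintext = sodium_crypto_secretbox_open($ciphertext, $nonce, $key);
    if ($plaintext === false) {
        throw new RuntimeException('Bad ciphertext');
    }
    return $plaintext;
}

$key = sodium_crypto_secretbox_keygen();
$envelope = seal_message('patient record #17', $key); // constructed sample data
echo open_message($envelope, $key), PHP_EOL;

// Change the last hex digit: the authentication tag no longer verifies.
$tampered = substr($envelope, 0, -1) . ($envelope[-1] === '0' ? '1' : '0');
try {
    open_message($tampered, $key);
} catch (RuntimeException $e) {
    echo 'Rejected: ', $e->getMessage(), PHP_EOL;
}
sodium_memzero($key); // wipe the key from memory when done
```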

  8. Asymmetric Encryption

  9. Asymmetric Encryption
    Image by SSL2BUY

  10. Asymmetric Encryption
    // On Alice's computer:
    $alice_kp = sodium_crypto_box_keypair();
    // Split the key into public/private components
    $alice_secretkey = sodium_crypto_box_secretkey($alice_kp);
    $alice_publickey = sodium_crypto_box_publickey($alice_kp);
    // On Bob's computer:
    $bob_kp = sodium_crypto_box_keypair();
    $bob_secretkey = sodium_crypto_box_secretkey($bob_kp);
    $bob_publickey = sodium_crypto_box_publickey($bob_kp);

  11. Asymmetric Encryption
    // From Alice to Bob
    $alice_to_bob_kp =
        sodium_crypto_box_keypair_from_secretkey_and_publickey(
            $alice_secretkey, $bob_publickey
        );
    // A fresh nonce for every message
    $nonce = random_bytes(SODIUM_CRYPTO_BOX_NONCEBYTES);
    $ciphertext = sodium_crypto_box(
        $message,
        $nonce,
        $alice_to_bob_kp
    );

  12. Asymmetric Encryption
    // Encoding - From Alice to Bob
    $encoded = sodium_bin2hex($nonce . $ciphertext);
    // Decoding - From Bob to Alice
    $decoded = sodium_hex2bin($encoded);
    $nonce = substr($decoded, 0, SODIUM_CRYPTO_BOX_NONCEBYTES);
    $ciphertext = substr($decoded, SODIUM_CRYPTO_BOX_NONCEBYTES);

  13. Asymmetric Encryption
    // On Bob's end
    $bob_to_alice_kp =
        sodium_crypto_box_keypair_from_secretkey_and_publickey(
            $bob_secretkey, $alice_publickey
        );
    $plaintext = sodium_crypto_box_open(
        $ciphertext,
        $nonce,
        $bob_to_alice_kp
    );
    if ($plaintext === false) throw new Exception('Bad message or MAC');

  14. Cryptographic Signatures

  15. Cryptographic Signatures
    Image from Crypto StackExchange

  16. Cryptographic Signatures
    $message = 'php[world] is the best community event of the year!';
    // Generate a keypair
    $sign_kp = sodium_crypto_sign_keypair();
    $sign_secretkey = sodium_crypto_sign_secretkey($sign_kp);
    $sign_publickey = sodium_crypto_sign_publickey($sign_kp);
    // Sign the message with the secret half of the keypair
    $signed_msg = sodium_crypto_sign(
        $message,
        $sign_secretkey
    );

  17. Cryptographic Signatures - Verification
    $original_msg = sodium_crypto_sign_open(
        $signed_msg,
        $sign_publickey
    );
    // Verify the message
    if ($original_msg === false) {
        throw new Exception('Invalid signature');
    } else {
        echo $original_msg; // Displays the original message.
    }

  18. Password Hashing

  19. Password Hashing
    ● MD5
    ● SHA
    ● Blowfish
    ● Blake2

  20. Password Hashing

  21. Key Derivation

  22. Key Derivation
    // Create a high-entropy master key
    $master_key = sodium_crypto_kdf_keygen();
    // Derive any number of sub-keys
    // (the context must be exactly SODIUM_CRYPTO_KDF_CONTEXTBYTES = 8 bytes long)
    $s1 = sodium_crypto_kdf_derive_from_key(32, 1, 'subkey_1', $master_key);
    $s2 = sodium_crypto_kdf_derive_from_key(32, 2, 'subkey_2', $master_key);
    $sN = sodium_crypto_kdf_derive_from_key(32, 999, 'subkey_N', $master_key);

  23. Key Derivation
    ● The Libsodium API can derive up to 2^64 subkeys
    ● 18,446,744,000,000,000,000 possible subkeys
    ● Subkeys can have an arbitrary length
        ○ Between 128 bits (16 bytes) and 512 bits (64 bytes).
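
One way to put sub-keys to work for data at rest: each stored record gets its own key derived from a single master key. This is an added example, not code from the slides; `record_key()`, the `'records_'` context and the sample value are assumptions made for illustration.

```php
<?php
// Added example (not from the slides): one sub-key per stored record.
// record_key() and the 'records_' context are illustrative names.

function record_key(string $masterKey, int $recordId): string
{
    // The context must be exactly SODIUM_CRYPTO_KDF_CONTEXTBYTES (8) bytes.
    return sodium_crypto_kdf_derive_from_key(
        SODIUM_CRYPTO_SECRETBOX_KEYBYTES, $recordId, 'records_', $masterKey
    );
}

$master = sodium_crypto_kdf_keygen();

// Derivation is deterministic, so only the master key has to be stored.
var_dump(hash_equals(record_key($master, 1), record_key($master, 1)));
// A different sub-key id gives an unrelated key.
var_dump(hash_equals(record_key($master, 1), record_key($master, 2)));

// Encrypt record 1 under its own sub-key (constructed sample data).
$nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
$box = sodium_crypto_secretbox('alice@example.com', $nonce, record_key($master, 1));

// The sub-key for record 2 fails authentication on record 1's ciphertext;
// the sub-key for record 1 recovers the plaintext.
var_dump(sodium_crypto_secretbox_open($box, $nonce, record_key($master, 2)));
var_dump(sodium_crypto_secretbox_open($box, $nonce, record_key($master, 1)));

// Sub-key lengths outside 16..64 bytes are refused with a SodiumException.
try {
    sodium_crypto_kdf_derive_from_key(8, 1, 'records_', $master);
} catch (SodiumException $e) {
    echo 'Refused: ', $e->getMessage(), PHP_EOL;
}
sodium_memzero($master); // wipe the master key from memory when done
```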

  24. Secure Remote Passwords

  25. Secure Remote Passwords

  26. Secure Remote Passwords

  27. Cryptography at Rest

  28. Cryptography in Transit

  29. Questions?

  30. Thank You!
    https://joind.in/talk/95173
