Information Security in PHP: the CIA Triad Approach

The CIA triad (confidentiality, integrity and availability) is one of the core principles of information security. After a brief introduction to the basics of CIA, we will show how to apply this principle in PHP to create secure and robust web applications. We will present some practical examples using Zend Framework 2, showing how this framework can simplify the life of developers instead of managing everything from scratch in PHP. This talk was presented at ZendCon 2014 in Santa Clara (California).

Enrico Zimuel

October 29, 2014

Transcript

  1. Confidential - © All rights reserved. Zend Technologies, Inc .

    1 Information Security in PHP: the CIA triad approach
    Enrico Zimuel – enrico@zend.com
    Senior Software Engineer, Zend Technologies Inc.

    2 Information Security
    “Information Security, sometimes shortened to InfoSec, is the practice of defending information from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction” (Wikipedia)

    3 Application security
    • Is application security only about code?
    • No, it also relates to servers, networks and data sources, basically anything that touches the application
    • Code is only part of the equation: to really get a good sense of application security, you have to view the system as a whole
    • We can use the CIA (Confidentiality, Integrity and Availability) approach to design security

    4 CIA approach

    5 OWASP Top 10 vulnerabilities in 2013
    1. Injection
    2. Broken authentication and session management
    3. Cross-site Scripting (XSS)
    4. Insecure direct object references
    5. Security misconfiguration
    6. Sensitive data exposure
    7. Missing function level access control
    8. Cross-site request forgery (CSRF)
    9. Using components with known vulnerabilities
    10. Unvalidated redirects and forwards
    Source: http://www.owasp.org

    6 CONFIDENTIALITY

    7 Confidentiality
    “Confidentiality is a set of rules or a promise that limits access or places restrictions on certain types of information” (Wikipedia)

    8 Cryptography
    • Cryptography is hard, and implementing it is even harder!
    • PHP offers cryptographic primitives, but you need to know how to use them (this is not straightforward)
    • This can be a barrier that discourages PHP developers

    9 Cryptography in ZF2
    • Zend\Crypt helps PHP developers use cryptography in their projects
    • In PHP we have built-in functions and extensions for cryptographic purposes:
      – crypt()
      – Mcrypt
      – OpenSSL
      – Hash (built in by default since PHP 5.1.2)
      – Mhash (emulated by Hash from PHP 5.3)

    10 Zend\Crypt
    • Zend\Crypt components:
      – Zend\Crypt\Password
      – Zend\Crypt\Key\Derivation
      – Zend\Crypt\Symmetric
      – Zend\Crypt\PublicKey
      – Zend\Crypt\Hash
      – Zend\Crypt\Hmac
      – Zend\Crypt\BlockCipher

    11 Encrypt and authenticate
    • Zend\Crypt\BlockCipher can be used to encrypt/decrypt sensitive data (symmetric encryption)
    • Provides encryption + authentication (HMAC)
    • Simplified API:
      – setKey($key)
      – encrypt($data)
      – decrypt($data)
    • It uses the Mcrypt adapter

    12 Default standards
    • Default values used by BlockCipher:
      – AES algorithm (key of 256 bits)
      – CBC mode + HMAC (SHA-256)
      – PKCS7 padding mode (RFC 5652)
      – PBKDF2 to generate the encryption key + the authentication key for HMAC
      – Random IV for each encryption

    13 Example: AES encryption
    The encrypted text is encoded in Base64; you can switch to binary output using setBinaryOutput(true)

    14 Example: encryption output
    Zend\Crypt\BlockCipher::encrypt applied to “This is the message to encrypt” with the key “this is the encryption key” produces:
    064b05b885342dc91e7915e492715acf0f896620dbf9d1e00dd0798b15e72e8cZg+hO34C3f3eb8TeJM9xWQRVex1y5zeLrBsNv+dYeVy3SBJa+pXZbUQYNZw0xS9s
    Legend: HMAC, IV, ciphertext (in that order)

    15 Example: decrypt
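The encrypt/decrypt round trip of slides 13 to 15, written out as an added example (not the code shown on the slides). It assumes ZF2 is installed via Composer (vendor/autoload.php) and that the mcrypt extension required by the Mcrypt adapter is available; the key and message are constructed samples.

```php
<?php
// Added example: encrypt + authenticate with Zend\Crypt\BlockCipher.
// Assumes ZF2 via Composer and the mcrypt extension (Mcrypt adapter).
require 'vendor/autoload.php';

use Zend\Crypt\BlockCipher;

// AES through the Mcrypt adapter; CBC mode, PKCS7 padding, PBKDF2 key
// derivation and an HMAC-SHA256 tag are the component's defaults (slide 12).
$blockCipher = BlockCipher::factory('mcrypt', array('algo' => 'aes'));
$blockCipher->setKey('this is the encryption key');   // constructed sample key

$plaintext = 'This is the message to encrypt';
$encrypted = $blockCipher->encrypt($plaintext);
// Output layout (Base64 by default, slide 14): hex HMAC . base64(IV . ciphertext).
// setBinaryOutput(true) would return the raw bytes instead.
echo "Encrypted: $encrypted\n";

// A random IV is drawn for every call, so the same plaintext never
// encrypts to the same output twice.
if ($encrypted === $blockCipher->encrypt($plaintext)) {
    throw new RuntimeException('IV was reused');
}

// decrypt() recomputes the HMAC before touching the ciphertext and returns
// false on a mismatch instead of handing back garbage.
if ($blockCipher->decrypt($encrypted) !== $plaintext) {
    throw new RuntimeException('round trip failed');
}

// Flip one character of the ciphertext part: the authentication check
// must now fail, which is the "encrypt + authenticate" property of slide 11.
$tampered = $encrypted;
$last = strlen($tampered) - 1;
$tampered[$last] = ($tampered[$last] === 'A') ? 'B' : 'A';
if ($blockCipher->decrypt($tampered) !== false) {
    throw new RuntimeException('tampering was not detected');
}
echo "Round trip ok, tampering detected\n";
```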

    16 How to safely store a password?
    • Insecure methods:
      – MD5/SHA1(password)
      – MD5/SHA1(password . salt) where salt is a random string
    • Secure methods:
      – bcrypt
      – scrypt

    17 bcrypt
    • bcrypt uses the Blowfish cipher + iterations to generate secure hash values
    • bcrypt is secure against brute force attacks because it is slow, very slow (which means attacks need a huge amount of time to complete)
    • The algorithm needs a salt value and a work factor parameter (cost), which lets you determine how expensive the bcrypt function will be (default is 10)

    18 Example: bcrypt
    The output of bcrypt ($hash) is a string of 60 bytes
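An added example (not the slide's own code) of the bcrypt usage described on slides 17 and 18, using Zend\Crypt\Password\Bcrypt. It assumes ZF2 via Composer; the password is a constructed sample, and the bcryptCost() helper is ours, not part of the component.

```php
<?php
// Added example: storing and verifying passwords with Zend\Crypt\Password\Bcrypt.
require 'vendor/autoload.php';

use Zend\Crypt\Password\Bcrypt;

$bcrypt = new Bcrypt();
// Work factor (cost): each +1 doubles the hashing time. Default is 10.
$bcrypt->setCost(12);

$password = 'correct horse battery staple';   // constructed sample, not a real credential

// create() draws a random salt for you. The result is the 60-byte string
// "$2y$<cost>$<22-char salt><31-char hash>"; store only this value.
$hash = $bcrypt->create($password);
printf("hash (%d bytes): %s\n", strlen($hash), $hash);

// verify() re-hashes the candidate with the salt and cost embedded in the
// stored string, so no salt column and no cost setting have to be kept aside.
if (!$bcrypt->verify($password, $hash)) {
    throw new RuntimeException('correct password rejected');
}
if ($bcrypt->verify('wrong password', $hash)) {
    throw new RuntimeException('wrong password accepted');
}

// Our helper (not part of Zend\Crypt): read the cost out of a stored hash.
function bcryptCost($hash)
{
    return (int) substr($hash, 4, 2);
}

// When the cost is raised later, old hashes stay valid; upgrade them at the
// next successful login rather than forcing a password reset.
$bcrypt->setCost(13);
if ($bcrypt->verify($password, $hash) && bcryptCost($hash) < $bcrypt->getCost()) {
    $hash = $bcrypt->create($password);
    echo "rehashed with cost " . bcryptCost($hash) . "\n";
}
```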

    19 Access control
    • Authentication
      – Authentication is the process of determining whether someone or something is, in fact, who or what it is declared to be.
    • Authorization
      – Authorization is the function of specifying access rights to resources, related to information security and computer security in general and to access control in particular.

    20 Zend\Authentication
    • Zend\Authentication provides an API for authentication and includes concrete authentication adapters for common use case scenarios
    • Adapters:
      – Database Table
      – Digest
      – HTTP
      – LDAP
      – Your own adapter

    21 Example: authentication

    22 Zend\Permissions\Acl
    • The component provides a lightweight and flexible Access Control List (ACL) implementation for privilege management
    • Terminology:
      – a resource is an object to which access is controlled
      – a role is an object that may request access to a resource

    23 Example: ACL
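An added example (not the slide's own code) of the ACL described on slides 22 and 23: roles and resources with inheritance, the deny-by-default rule, and the lookup order that makes a deny on a specific resource propagate through the role hierarchy. The role and resource names are constructed; it assumes ZF2 via Composer.

```php
<?php
// Added example: roles, resources and rules with Zend\Permissions\Acl.
require 'vendor/autoload.php';

use Zend\Permissions\Acl\Acl;
use Zend\Permissions\Acl\Role\GenericRole as Role;
use Zend\Permissions\Acl\Resource\GenericResource as Resource;

$acl = new Acl();

// Roles form a hierarchy: a child role inherits the rules of its parents.
$acl->addRole(new Role('guest'));
$acl->addRole(new Role('member'), 'guest');
$acl->addRole(new Role('admin'), 'member');

// Resources can inherit too: rules on 'article' also cover 'article:draft'.
$acl->addResource(new Resource('article'));
$acl->addResource(new Resource('article:draft'), 'article');

// Everything not explicitly allowed is denied (the Acl's built-in default rule).
$acl->allow('guest', 'article', 'view');
$acl->allow('member', 'article', 'comment');   // plus 'view', inherited from guest
$acl->allow('admin', 'article');               // every privilege on article and its children

// Drafts are not public. Lookup order matters: rules on the specific resource
// are searched through the whole role hierarchy before the general 'article'
// rules are consulted, so member and admin would inherit this deny too
// unless they get a rule of their own on 'article:draft'.
$acl->deny('guest', 'article:draft');
$acl->allow('admin', 'article:draft');

// Role, resource and privilege may be passed as objects or as their string ids.
function report(Acl $acl, $role, $resource, $privilege)
{
    printf("%-6s %-14s %-8s %s\n", $role, $resource, $privilege,
        $acl->isAllowed($role, $resource, $privilege) ? 'allowed' : 'denied');
}

report($acl, 'guest',  'article',       'view');
report($acl, 'guest',  'article',       'comment');
report($acl, 'member', 'article',       'view');
report($acl, 'member', 'article',       'comment');
report($acl, 'member', 'article:draft', 'view');
report($acl, 'admin',  'article:draft', 'view');
report($acl, 'admin',  'article',       'delete');
```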

    24 INTEGRITY

    25 Integrity Integrity, in a security context, is more formally defined not only as the assurance that the data the application is providing is correct but also that it is protected from modification or corruption

    26 Input validation
    • Filter input, escape output
    • Never trust user input ($_GET, $_POST)
    • In ZF2 we can use:
      – Zend\Filter
      – Zend\InputFilter
      – Zend\Validator
      – Zend\Escaper

    27 Zend\Filter
    Example:
        $htmlEntities = new Zend\Filter\HtmlEntities();
        echo $htmlEntities->filter('&'); // &amp;
        echo $htmlEntities->filter('"'); // &quot;
    Example (static usage, same filter looked up by name):
        use Zend\Filter\StaticFilter;
        echo StaticFilter::execute('&', 'HtmlEntities'); // &amp;

    28 Zend\Filter
    Example (register a custom filter under a name, then use it through StaticFilter):
        use Zend\Filter\StaticFilter;
        $pluginManager = StaticFilter::getPluginManager()->setInvokableClass(
            'myNewFilter',
            'MyCustom\Filter\MyNewFilter'
        );
        // alternatively, replace the whole plugin manager with your own subclass
        StaticFilter::setPluginManager(new MyFilterPluginManager());
        echo StaticFilter::execute('&', 'myNewFilter');

    29 Zend\InputFilter

    30 Zend\Validator

    31 Zend\Validator

    32 Zend\Escaper
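The "filter input, escape output" rule of slides 26 to 32 as one added example (not the slides' own code): Zend\InputFilter normalises and validates a request, and Zend\Escaper escapes the clean values for each output context. The field names and request data are constructed; it assumes ZF2 via Composer.

```php
<?php
// Added example: Zend\InputFilter + Zend\Validator on the way in,
// Zend\Escaper on the way out.
require 'vendor/autoload.php';

use Zend\InputFilter\InputFilter;
use Zend\InputFilter\Input;
use Zend\Validator\EmailAddress;
use Zend\Validator\StringLength;
use Zend\Escaper\Escaper;

// Filters normalise the raw value first; validators then judge the result.
$inputFilter = new InputFilter();

$name = new Input('name');
$name->getFilterChain()->attachByName('StringTrim')->attachByName('StripTags');
$name->getValidatorChain()->attach(new StringLength(array('min' => 1, 'max' => 50)));
$inputFilter->add($name);

$email = new Input('email');
$email->getFilterChain()->attachByName('StringTrim');
$email->getValidatorChain()->attach(new EmailAddress());
$inputFilter->add($email);

// Constructed sample request data standing in for $_POST.
$inputFilter->setData(array(
    'name'  => '  <b>Enrico</b> ',
    'email' => 'not-an-email',
));

if (!$inputFilter->isValid()) {
    // getMessages() maps each failed input name to its validator messages;
    // the email above fails, the name passes once trimmed and tag-stripped.
    foreach ($inputFilter->getMessages() as $field => $messages) {
        echo "$field: " . implode('; ', $messages) . "\n";
    }
}
// getValues() returns the filtered values, not the raw request.
$clean = $inputFilter->getValues();

// Escaping is context-specific: HTML body, HTML attribute and JavaScript
// string each need a different encoder, so pick the one for the sink.
$escaper = new Escaper('utf-8');
echo '<p>' . $escaper->escapeHtml($clean['name']) . "</p>\n";
echo '<input value="' . $escaper->escapeHtmlAttr($clean['name']) . "\">\n";
echo '<script>var n = "' . $escaper->escapeJs($clean['name']) . "\";</script>\n";
```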

    33 Protect against modification
    • Use a Hash-based Message Authentication Code (HMAC) to protect data integrity
    • In PHP:
      – hash_hmac('sha256', $msg, $key)
    • In ZF2:
      – Zend\Crypt\Hmac::compute($key, 'sha256', $msg);
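An added example (not from the slides) of the HMAC protection above: the sender appends a tag computed with Zend\Crypt\Hmac, the receiver recomputes it and compares in constant time before trusting the message. The key, message and the sign()/verify() helpers are ours; it assumes ZF2 via Composer.

```php
<?php
// Added example: message integrity with Zend\Crypt\Hmac and a
// constant-time tag comparison.
require 'vendor/autoload.php';

use Zend\Crypt\Hmac;
use Zend\Crypt\Utils;

// Constructed sample key: in practice it comes from configuration, never from the request.
$key = 'a-secret-key-shared-by-both-sides';

// Sender side (our helper): tag = HMAC-SHA256(key, message), appended to the message.
function sign($key, $message)
{
    $tag = Hmac::compute($key, 'sha256', $message);   // hex string by default
    return $message . '|' . $tag;
}

// Receiver side (our helper): recompute the tag and compare it in constant
// time, so the comparison does not leak how many leading characters matched.
// Returns the message on success, false otherwise.
function verify($key, $signed)
{
    $pos = strrpos($signed, '|');
    if ($pos === false) {
        return false;
    }
    $message  = substr($signed, 0, $pos);
    $tag      = substr($signed, $pos + 1);
    $expected = Hmac::compute($key, 'sha256', $message);
    // Utils::compareStrings() is the ZF2 counterpart of PHP 5.6's hash_equals().
    return Utils::compareStrings($expected, $tag) ? $message : false;
}

$signed = sign($key, 'amount=100;to=alice');
echo "signed:     $signed\n";

if (verify($key, $signed) !== 'amount=100;to=alice') {
    throw new RuntimeException('genuine message rejected');
}
if (verify($key, str_replace('100', '999', $signed)) !== false) {
    throw new RuntimeException('modified message accepted');
}
if (verify('some other key', $signed) !== false) {
    throw new RuntimeException('tag accepted under the wrong key');
}
echo "integrity checks ok\n";
```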

    34 AVAILABILITY

    35 Availability
    • Availability means the probability that a system is operational at a given time, i.e. the amount of time a device is actually operating as a percentage of the total time it should be operating
    • From the application security point of view:
      – Health of the application server itself
      – Status of any data sources (like databases)
      – Network infrastructure and its saturation

    36 Configuration over hard-coding
    • One of the easiest things you can do to help make your application more flexible and easier to scale (or fix when it’s broken) is to allow it to be configured without requiring a code change
    • In ZF2 we use configuration files for the application and the modules:
      – config/application.config.php
      – config/autoload/*.global.php
      – config/autoload/*.local.php (excluded in .gitignore)
      – module/xxx/config/module.config.php

    37 Plan for failure
    • PHP is configured to give the most information possible when something goes wrong
    • Disable error visualization in production
    • In php.ini:
        display_errors = 'off'
        log_errors = 'on'
    • In ZF2 config:
        'view_manager' => array(
            'display_not_found_reason' => false,
            'display_exceptions'       => false,
        )

    38 Disable error reporting? No, please. We need the error log!!!

    39 Custom error handler
    • Use set_error_handler(), in ZF2:
        set_error_handler(array('Application\Module', 'handlePhpErrors'));

        // in Application\Module: turn every reported PHP error into an exception,
        // so it goes through the normal exception handling and logging path
        public static function handlePhpErrors($type, $message, $file, $line)
        {
            if (!($type & error_reporting())) {
                return; // not covered by the current error_reporting level (or silenced with @)
            }
            throw new \Exception(sprintf(
                'Error %s in file %s at line %s',
                $message, $file, $line
            ));
        }

    40 Some resources
    • Chris Cornutt, Securing PHP: Core Concepts, http://leanpub.com/securingphp-coreconcepts
    • Steve Maraspin, Error reporting in ZF2, ZFDay 2014, http://www.slideshare.net/maraspin/error-handling-in-zf2-form-messages-custom-error-pages-logging
    • Enrico Zimuel, Encryption, authentication and data integrity in PHP, Dutch PHP Conference 2014, http://www.zimuel.it/slides/dpc2014.html
    • Chris Shiflett, Essential PHP Security, O'Reilly Media, http://shop.oreilly.com/product/9780596006563.do
    • PHP Security Consortium, http://phpsec.org

    41 THANKS!
    Zend Framework 2: http://framework.zend.com
    Please rate this talk: https://joind.in/12076