Information Security in PHP: the CIA Triad Approach

Confidential - © All rights reserved. Zend Technologies, Inc
.
1
.
Information Security in
PHP: the CIA triad approach
Enrico Zimuel – [email protected]
Senior Software Engineer
Zend Technologies Inc.

View Slide

.
2
Information Security
“Information Security, sometimes shortened to InfoSec,
is the practice of defending information from
unauthorized access, use, disclosure, disruption,
modification, perusal, inspection, recording or
destruction” Wikipedia

View Slide

.
3
Application security
●
Application security is only about code?
●
No, it also relates to servers, networks and data
sources as well, basically anything that touches the
application
●
Code is only part of the equation, to really get a good
sense of application security, you have to view the
system as a whole
●
We can use the CIA (Confidentiality, Integrity and
Availability) approach to design security

View Slide

.
4
CIA approach

View Slide

.
5
OWASP Top 10 vulnerability in 2013
1. Injection
2. Broken authentication and session management
3. Cross-site Scripting (XSS)
4. Insecure direct object references
5. Security misconfiguration
6. Sensitive data exposure
7. Missing function level access control
8. Cross-site request forgery (CSRF)
9. Using Components with Known Vulnerabilities
10. Unvalidated Redirects and Forwards
Source: http://www.owasp.org

View Slide

.
6
CONFIDENTIALITY

View Slide

.
7
Confidentiality
“Confidentiality is a set of rules or a promise that
limits access or places restrictions on certain types
of information” Wikipedia

View Slide

.
8
Cryptography
●
Cryptography is hard, and implement it is
even more hard!
●
PHP offers cryptographic primitives but you
need to know how to use it (this is not
straightforward)
●
This can be a barrier that discouraged PHP
developers

View Slide

.
9
Cryptography in ZF2
●
Zend\Crypt help PHP developers to use
cryptography in their projects
●
In PHP we have built-in functions and
extensions for cryptography scopes:
– crypt()
– Mcrypt
– OpenSSL
– Hash, (by default in PHP 5.1.2)
– Mhash (emulated by Hash from PHP 5.3)

View Slide

.
10
Zend\Crypt
●
Zend\Crypt components:
– Zend\Crypt\Password
– Zend\Crypt\Key\Derivation
– Zend\Crypt\Symmetic
– Zend\Crypt\PublicKey
– Zend\Crypt\Hash
– Zend\Crypt\Hmac
– Zend\Crypt\BlockCipher

View Slide

.
11
Encrypt and authenticate
●
Zend\Crypt\BlockCipher can be used to
encrypt/decrypt sensitive data (symmetric
encryption)
●
Provides encryption + authentication (HMAC)
●
Simplified API:
– setKey($key)
– encrypt($data)
– decrypt($data)
●
It uses the Mcrypt adapter

View Slide

.
12
Default standards
●
Default values used by BlockCipher:
– AES algorithm (key of 256 bits)
– CBC mode + HMAC (SHA-256)
– PKCS7 padding mode (RFC 5652)
– PBKDF2 to generate encryption key +
authentication key for HMAC
– Random IV for each encryption

View Slide

.
13
Example: AES encryption
The encrypted text is encoded in Base64, you can
switch to binary output using setBinaryOutput(true)

View Slide

.
14
Example: encryption output
064b05b885342dc91e7915e492715acf0f89
6620dbf9d1e00dd0798b15e72e8cZg+hO3
4C3f3eb8TeJM9xWQRVex1y5zeLrBsNv+d
YeVy3SBJa+pXZbUQYNZw0xS9s
Zend\Crypt\BlockCipher::encrypt
“This is the message to encrypt”
“this is the
encryption key”
Legend: HMAC, IV, ciphertext

View Slide

.
15
Example: decrypt

View Slide

.
16
How to safely store a password?
●
Insecure methods:
– MD5/SHA1(password)
– MD5/SHA1(password . salt)
where salt is a random string
●
Secure methods:
– bcrypt
– scrypt

View Slide

.
17
bcrypt
●
bcrypt uses Blowfish cipher + iterations to
generate secure hash values
●
bcrypt is secure against brute force attacks
because is slow, very slow (that means
attacks need huge amount of time to be
completed)
●
The algorithm needs a salt value and a work
factor parameter (cost), which allows you to
determine how expensive the bcrypt
function will be (default is 10)

View Slide

.
18
Example: bcrypt
The output of bcrypt ($hash) is a string of 60 bytes

View Slide

.
19
Access control
●
Authentication
– Authentication is the process of determining
whether someone or something is, in fact, who or
what it is declared to be.
●
Authorization
– Authorization is the function of specifying access
rights to resources related to information security
and computer security in general and to access
control in particular.

View Slide

.
20
Zend\Authentication
●
Zend\Authentication provides API for
authentication and includes concrete
authentication adapters for common use case
scenarios
●
Adapters:
– Database Table
– Digest
– HTTP
– LDAP
– Your adapter

View Slide

.
21
Example: authentication

View Slide

.
22
Zend\Permission\Acl
●
The component provides a lightweight and
flexible Access Control List (ACL)
implementation for privileges
management
●
Terminology:
– a resource is an object to which access
is controlled
– a role is an object that may request
access to a resource

View Slide

.
23
Example: ACL

View Slide

.
24
INTEGRITY

View Slide

.
25
Integrity
Integrity, in a security context, is more formally defined
not only as the assurance that the data the application is
providing is correct but also that it is protected from
modification or corruption

View Slide

.
26
Input validation
●
Filter input, escape output
●
Never trust in user's input ($_GET, $_POST)
●
In ZF2 we can use:
– Zend\Filter
– Zend\InputFilter
– Zend\Validator
– Zend\Escaper

View Slide

.
27
Zend\Filter
Example:
$htmlEntities = new Zend\Filter\HtmlEntities();
echo $htmlEntities->filter('&'); // &
echo $htmlEntities->filter('"'); // "
Example:
echo StaticFilter::execute('&', 'HtmlEntities'); // &

View Slide

.
28
Zend\Filter
Example:
$pluginManager = StaticFilter::getPluginManager()
->setInvokableClass(
'myNewFilter', 'MyCustom\Filter\MyNewFilter'
);
StaticFilter::setPluginManager(new
MyFilterPluginManager());
echo StaticFilter::execute('&', 'myNewFilter');

View Slide

.
29
Zend\InputFilter

View Slide

.
30
Zend\Validator

View Slide

.
31
Zend\Validator

View Slide

.
32
Zend\Escaper

View Slide

.
33
Protect against modification
●
Use Hash-based message authentication
code (HMAC) to protect data integrity
●
In PHP:
– hash_hmac('sha256', $msg, $key)
●
In ZF2:
– Zend\Crypt\Hmac::compute($key, 'sha256',
$msg);

View Slide

.
34
AVAILABILITY

View Slide

.
35
Availability
●
Availability means the probability that a system is
operational at a given time, i.e. the amount of time a
device is actually operating as the percentage of total
time it should be operating
●
From the application security point of view:
– Heath of the application server itself
– Status of any data sources (like databases)
– Network infrastructure and its saturation

View Slide

.
36
Configuration over hard-coding
●
One of the easiest things you can do to help make
your application more flexible and easier to scale
(or fix when it’s broken) is to allow it to be configured
without requiring a code change
●
In ZF2 we use configuration files for the application
and the modules
– config/application.config.php
– config/autoload/*.global.php
– config/autoload/*.local.php (excluded in .gitignore)
– module/xxx/config/module.config.php

View Slide

.
37
Plan for failure
●
PHP is configured to give the most information
possible when something goes wrong
●
Disable error visualization in production
●
In php.ini:
– display_errors = 'off'
log_errors = 'on'
●
In ZF2 config:
– 'view_manager' => array(
'display_not_found_reason' => false,
'display_exceptions' => false,
)

View Slide

.
38
Disable error reporting?
No, please. We need error log!!!

View Slide

.
39
Custom error handler
●
Use set_error_handler(), in ZF2:
– set_error_handler(array(
'Application\Module',
'handlePhpErrors'
));
public static function handlePhpErrors($type, $message, $file,
$line) {
if (!($type & error_reporting())) { return; }
throw new Exception(sprintf(
'Error %s in file %s at line %s',
$message,
$file,
$line
));
}

View Slide

.
40
Some resources
●
Chris Cornutt, Securing PHP: Core Concepts,
http://leanpub.com/securingphp-coreconcepts
●
Steve Maraspin, Error reporting in ZF2, ZFDay 2014
http://www.slideshare.net/maraspin/error-handling-in-z
f2-form-messages-custom-error-pages-logging
●
Enrico Zimuel, Encryption, authentication and data
integrity in PHP, Dutch PHP Conference 2014
http://www.zimuel.it/slides/dpc2014.html
●
Chris Shiflett, Essential PHP Security, O'Reilly Media
http://shop.oreilly.com/product/9780596006563.do
●
PHP Security Consortium, http://phpsec.org

View Slide

.
41
THANKS!
Zend Framework 2:
http://framework.zend.com
Please rate this talk: https://joind.in/12076

View Slide

Information Security in PHP: the CIA Triad Approach

Information Security in PHP: the CIA Triad Approach

Enrico Zimuel

More Decks by Enrico Zimuel

Other Decks in Programming

Featured

Transcript