Presentation about basic cryptography in PHP given to the KU Web Developer community. Focuses on password hashing. Theory is still good but implementation is out of date. Use the PHP 5.5 password hashing tools instead (or backports)
hiding information ! Replacing understandable text (plaintext) with a seemingly random set of characters (ciphertext) ! Covers encryption (hiding) and decryption (revealing) ! Modern cryptography involves lots of math & computing power
! “We” here includes ITSO and several state & federal laws ! Protects user data, and by extension, you, and KU ! Data breaches can cause national press, and not the good kind ! The best way to prevent malicious users from getting something is to not store it ! Confidentiality, Authentication, Authorization, Integrity, Non-repudiation
One way (non-reversible) ! Fast, commonly used to verify expected input ! Symmetric ! Slower (but that’s not a bad thing) ! Can be reversed ! Requires a key (usually known to both parties) ! Asymmetric – not covered here. Ex. RSA, PGP ! Typically used in conjunction w/symmetric
tested in the open for 3+ years ! Adopted as a standard ! Broad user base ! Flaws discovered ! Declared “broken” and disregarded (but not by all users) ! Repeat
sha1() – there are better ones out there ! hash() ! Specify algorithm and key length, sha512 is pretty good ! crypt() ! one-way hashing, multiple algorithms ! Supports bcrypt as of PHP 5.3 ! mcrypt library ! OpenSSL library – mostly for asymmetric use
cipher ! “seeds” additional randomness into the algorithm ! Make a new one for each user ! Use mcrypt_create_iv($size, MCRYPT_DEV_URANDOM) ! $size should be determined by the algorithm used. ! mcrypt_get_iv_size($algorithm, MCRYPT_MODE_CBC) ! IVs can be kept secret but don’t have to be ! Safe to store them with the encrypted value ! Not a salt (salting is just for hashes)
crypto system needs in one place ! Use symmetric, one way algorithms for passwords ! Base64-encode crypto output before storing ! Keys should be binary, not ASCII ! Try SHA256 on your key phrase
of EBC ! Don’t re-run hashing functions ! Pad out user’s input to cipher’s block size ! Make sure the input is distinct from your padding ! Remember to take the padding off when retrieving ! KEEP IT [your key] SECRET. KEEP IT SAFE