PHP Cryptography

Transcript

1. Cryptography in PHP

2. What is cryptography !   The practice of studying and

   hiding information !   Replacing understandable text (plaintext) with a seemingly random set of characters (ciphertext) !   Covers encryption (hiding) and decryption (revealing) !   Modern cryptography involves lots of math & computing power

3. Why use it !   Because we say so (obviously)

   !   “We” here includes ITSO and several state & federal laws !   Protects user data, and by extension, you, and KU !   Data breaches can cause national press, and not the good kind !   The best way to prevent malicious users from getting something is to not store it !   Confidentiality, Authentication, Authorization, Integrity, Non-repudiation

4. Algorithms !   For this purpose, a method used to

   apply cryptography to text !   Several categories !   Many exist !   Many have known flaws

5. Types of algorithms !   Hashing !   “Digest” !

     One way (non-reversible) !   Fast, commonly used to verify expected input !   Symmetric !   Slower (but that’s not a bad thing) !   Can be reversed !   Requires a key (usually known to both parties) !   Asymmetric – not covered here. Ex. RSA, PGP !   Typically used in conjunction w/symmetric

6. Algorithm life-cycle !   Proposed !   Rigorously and thoroughly

   tested in the open for 3+ years !   Adopted as a standard !   Broad user base !   Flaws discovered !   Declared “broken” and disregarded (but not by all users) !   Repeat

7. “You can’t hide secrets from the future with math” -

   MC Frontalot

8. Rainbow Tables !   Compares hashes to known values !

     Fast to search !   Fast to generate (now) !   Fit on thumb drives (very soon)

9. Encryption options in PHP !   md5() – NO !

     sha1() – there are better ones out there !   hash() !   Specify algorithm and key length, sha512 is pretty good !   crypt() !   one-way hashing, multiple algorithms !   Supports bcrypt as of PHP 5.3 ! mcrypt library ! OpenSSL library – mostly for asymmetric use

10. Initialization Vectors !   Used to add randomization to your

    cipher !   “seeds” additional randomness into the algorithm !   Make a new one for each user !   Use mcrypt_create_iv($size, MCRYPT_DEV_URANDOM) !   $size should be determined by the algorithm used. ! mcrypt_get_iv_size($algorithm, MCRYPT_MODE_CBC) !   IVs can be kept secret but don’t have to be !   Safe to store them with the encrypted value !   Not a salt (salting is just for hashes)

11. Best practices, pt 1 !   Don’t store everything your

    crypto system needs in one place !   Use symmetric, one way algorithms for passwords !   Base64-encode crypto output before storing !   Keys should be binary, not ASCII !   Try SHA256 on your key phrase

12. Best practices, pt 2 !   Use CBC mode instead

    of EBC !   Don’t re-run hashing functions !   Pad out user’s input to cipher’s block size !   Make sure the input is distinct from your padding !   Remember to take the padding off when retrieving !   KEEP IT [your key] SECRET. KEEP IT SAFE

13. Resources ! http://www.ciphersbyritter.com/GLOSSARY.HTM - terms ! https://github.com/archwisp/MindFrame2/blob/master/ Crypto.php - example

    encrypt/decrypt object ! http://thinkdiff.net/mysql/encrypt-mysql-data-using-aes- techniques/ - encryption functions in MySQL ! http://www.zimuel.it/blog/2011/01/strong-cryptography- in-php/

14. Questions?