Upgrade to Pro — share decks privately, control downloads, hide ads and more …

PHP Identity and Data Security

PHP Identity and Data Security

There is an assumption in the industry, amongst companies large and small alike, that if they store sensitive user data (and sometimes do some mild encryption) in their database, it's locked in and secured from potential attacks. People rely too heavily on their false assumptions of security, and it usually ends up costing them extensively when that is proven wrong.

In this session, Jonathan will build a foundation for identity and data security that everyone dealing with sensitive data should understand. We'll break down concepts of identity security, common attack vectors and how to protect yourself, and how to harden your web application.

Jonathan LeBlanc

February 05, 2016
Tweet

More Decks by Jonathan LeBlanc

Other Decks in Technology

Transcript

  1. 1: 123456 ! 2: password ! 3: 12345678 ! 4:

    qwerty ! 5: 12345 ! 6: 123456789! 7: football! 8: 1234! 9: 1234567! Top Passwords of 2015! 10: baseball! 11: welcome! 12: 1234567890! 13: abc123! 14: 111111! 15: 1qaz2wsx! 16: dragon! 17: master! 18: monkey! 19: letmein! 20: login! 21: princess! 22: qwertyuiop! 23: solo! 24: passw0rd! 25: starwars!
  2. Brute Force Attacks! Calculate all key variations within a given

    length, then trying each one until the password is guessed. ! Protect via: Key stretching, CAPTCHA, 2FA! ! Dictionary Attacks! Use a list of predetermined words/phrase to guess password.! Protect via: Salting! ! Rainbow Tables! Use precalculated password hashes to break encryption.! Protect via: Salting ! Protecting Against Password Attacks!
  3. //hashing identical messages with no salt! hash('mechagodzilla') = ! 162e0a91026a28f1f2afa11099d1fcbdd9f2e351095ebb196c90e10290ef1227!

    hash('mechagodzilla') = ! 162e0a91026a28f1f2afa11099d1fcbdd9f2e351095ebb196c90e10290ef1227! ! //hashing identical messages with random salt! hash('mechagodzilla' + '458cf2979ef27397db67077775225334') = ! f3499a916612e285612b32702114751f557a70606c32b54b92de55153d40d3b6! hash('mechagodzilla' + 'ef5b72eff781b09a0784438af742dd6e') = ! 7e29c5c48f44755598dec3549155ad66f1af4671091353be4c4d7694d71dc866! hash('mechagodzilla' + 'cc989b105a1c6a5f0fb460e29dd272f3') = ! 6dedd3dbb0639e6e00ca0bf6272c141fb741e24925cb7548491479a1df2c215e! Hashing with and without salts!
  4. Storing Salts! Store alongside the hash! ! Salt Reuse! Salts

    should be be unique per password! ! Salt Length! Same size as hash? 64 bits? 128 bits?! Considerations when using Salts!
  5. bcrypt! key derivation function designed for passwords, and is based

    on the blowfish cipher! ! scrypt! designed to make it costly to perform large-scale hardware attacks by requiring large amounts of memory! ! PBKDF2! key derivation function that has an academic background, coming from RSA laboratories! Password Encryption Algorithms!
  6. ! //fetch password from user creation request! $password = $_POST['password'];!

    ! //salt option deprecated in PHP 7.0.0+! $options = [! 'cost' => 12! ];! ! //create 60 character hash, with default unique salt, and options ! $hash = password_hash($password, PASSWORD_BCRYPT, $options);! ! //STORE HASH IN USER DATABASE RECORD! //SALT IS BUILT INTO HASH! Hashing with bcrypt!
  7. //fetch login request information! $username = $_POST['username'];! $password = $_POST['password'];!

    ! //fetch user record from database! $user = fetchDBRecord($username);! ! //verify if login attempt password matches stored user hash! if (password_verify($password, $user->hash)){! echo "password matches";! } else {! echo "password doesn't match";! }! Login Hash Comparison with bcrypt!
  8. ! ! //fetch password from user creation request! $password =

    $_POST['password'];! ! //set iterations and random initialization vector! $iterations = 1000;! $salt = mcrypt_create_iv(16, MCRYPT_DEV_URANDOM);! ! //hash password using sha256! $hash = hash_pbkdf2("sha256", $password, $salt, $iterations, 20);! ! //STORE HASH AND SALT IN USER DATABASE RECORD! Hashing with PBKDF2!
  9. ! //fetch login request info and set iterations! $username =

    $_POST['username'];! $password = $_POST['password'];! $iterations = 1000;! ! //fetch user record from database! $user = fetchDBRecord($username);! ! //manually hash the login attempt password! $loginhash = hash_pbkdf2("sha256", $password, $user->salt, $iterations, 20);! ! //validate if hashes match! if (hash_equals ($loginhash, $user->hash)){ ! echo 'password match';! } else {! echo 'password mismatch';! }! ! Login Hash Comparison with PBKDF2!
  10. //generate private key and self-signed certificate valid for 1 year!

    openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout server.key -out server.crt! Generate your self-signed certificate and private key!
  11. //update httpd.conf file to enable SSL (uncomment the following)! #LoadModule

    ssl_module libexec/apache2/mod_ssl.so! #Include /private/etc/apache2/extra/httpd-ssl.conf! ! //update httpd-ssl.conf file for CRT location! SSLCertificateFile "/private/etc/apache2/server.crt"! ! //copy crt and private key files to above location! cp server.crt server.key /private/etc/apache2/! Configuring SSL capabilities and setting certificates on Apache server!
  12. <VirtualHost *:443>! #general virtual hosts information! DocumentRoot "/Users/jleblanc/localhost/ssltest"! ServerName ssltest!

    ErrorLog "/private/var/log/apache2/local.example.com-error_log"! CustomLog "/private/var/log/apache2/local.example.com-access_log" common! ! #SSL details! SSLEngine on! SSLCertificateFile "/private/etc/apache2/server.crt”! SSLCertificateKeyFile "/private/etc/apache2/server.key"! ! #SSL engine options! <FilesMatch "\.(cgi|shtml|phtml|php)$">! SSLOptions +StdEnvVars! </FilesMatch>! <Directory "/Library/WebServer/CGI-Executables">! SSLOptions +StdEnvVars! </Directory>! </VirtualHost>! Update httpd-vhosts.conf!
  13. Encryption (ECB, CBC, OFB, CFB, CTR)! Data privacy and confidentiality

    mode. Attacker cannot obtain info on the plaintext data.! ! Authentication(CMAC)! Data authenticity mode. Receiver can validate whether cleartext came from intended sender.! ! Authenticated Encryption (CCM, GCM, KW/KWP/TKW)! Includes both data privacy and authenticity.! Modes of Operation!
  14. //set initialization data! $numbytes = 16;! $strongcrypto = true;! $mode

    = 'aes-256-cbc';! $message = 'my secure message';! ! //creation initialization vector and shared private key! $iv = openssl_random_pseudo_bytes($numbytes, $strongcrypto);! $key = openssl_random_pseudo_bytes($numbytes, $strongcrypto);! ! //create ciphertext with no options! $ciphertext = openssl_encrypt($message, $mode, $key, 0, $iv);! Configuring and encrypting message!
  15. //----! // data sent to server: iv, ciphertext! // data

    known by server: key! //----! ! //set algorithm and mode! $mode = 'aes-256-cbc’;! ! //decrypt provided cipher! $decrypted = openssl_decrypt($ciphertext, $mode, $key, 0, $iv);! Decrypting ciphertext!
  16. //create private key in private.key! openssl genrsa -out private.key 2048!

    ! //create public key in public.pem! openssl rsa -in private.key -outform PEM -pubout -out public.pem! Generating Public / Private Keys!
  17. //set public key data from files and object to send!

    $public_key = openssl_get_publickey(file_get_contents('public.pem'));! $data = '{"message": "my super secure message"}';! ! //encrypt object and public keys! openssl_seal($data, $encrypted, $encpub, array($public_key));! ! //encrypted data and encrypted public key! $sealed_data = base64_encode($encrypted);! $envelope = base64_encode($encpub[0]);! ! //SEND SEALED DATA AND ENVELOPE TO RECIPIENT! Preparing Message, Encrypting, and Signing!
  18. //OBTAIN SEALED DATA AND ENVELOPE FROM SENDER! ! //set private

    key data! $private_key = openssl_get_privatekey(file_get_contents('private.key'));! ! //decode data! $sealed_data = base64_decode($sealed_data);! $envelope = base64_decode($envelope);! ! //rypt data using private key! openssl_open($sealed_data, $plaintext, $envelope, $private_key);! ! //decrypted message available in $plaintext! Decrypting and Verifying Message!