PHP Identity and Data Security! Jonathan LeBlanc ! Twitter: @jcleblanc ! Book: http://bit.ly/iddatasecurity! 

Security is Hard! 

1: 123456 ! 2: password ! 3: 12345678 ! 4: qwerty ! 5: 12345 ! 6: 123456789! 7: football! 8: 1234! 9: 1234567! Top Passwords of 2015! 10: baseball! 11: welcome! 12: 1234567890! 13: abc123! 14: 111111! 15: 1qaz2wsx! 16: dragon! 17: master! 18: monkey! 19: letmein! 20: login! 21: princess! 22: qwertyuiop! 23: solo! 24: passw0rd! 25: starwars! 

No content

Protecting Identity! 

Password Attack Vectors! 

Brute Force Attacks! Calculate all key variations within a given length, then trying each one until the password is guessed. ! Protect via: Key stretching, CAPTCHA, 2FA! ! Dictionary Attacks! Use a list of predetermined words/phrase to guess password.! Protect via: Salting! ! Rainbow Tables! Use precalculated password hashes to break encryption.! Protect via: Salting ! Protecting Against Password Attacks! 

Salting and Peppering! 

//hashing identical messages with no salt! hash('mechagodzilla') = ! 162e0a91026a28f1f2afa11099d1fcbdd9f2e351095ebb196c90e10290ef1227! hash('mechagodzilla') = ! 162e0a91026a28f1f2afa11099d1fcbdd9f2e351095ebb196c90e10290ef1227! ! //hashing identical messages with random salt! hash('mechagodzilla' + '458cf2979ef27397db67077775225334') = ! f3499a916612e285612b32702114751f557a70606c32b54b92de55153d40d3b6! hash('mechagodzilla' + 'ef5b72eff781b09a0784438af742dd6e') = ! 7e29c5c48f44755598dec3549155ad66f1af4671091353be4c4d7694d71dc866! hash('mechagodzilla' + 'cc989b105a1c6a5f0fb460e29dd272f3') = ! 6dedd3dbb0639e6e00ca0bf6272c141fb741e24925cb7548491479a1df2c215e! Hashing with and without salts! 

Storing Salts! Store alongside the hash! ! Salt Reuse! Salts should be be unique per password! ! Salt Length! Same size as hash? 64 bits? 128 bits?! Considerations when using Salts! 

bcrypt! key derivation function designed for passwords, and is based on the blowfish cipher! ! scrypt! designed to make it costly to perform large-scale hardware attacks by requiring large amounts of memory! ! PBKDF2! key derivation function that has an academic background, coming from RSA laboratories! Password Encryption Algorithms! 

! //fetch password from user creation request! $password = $_POST['password'];! ! //salt option deprecated in PHP 7.0.0+! $options = [! 'cost' => 12! ];! ! //create 60 character hash, with default unique salt, and options ! $hash = password_hash($password, PASSWORD_BCRYPT, $options);! ! //STORE HASH IN USER DATABASE RECORD! //SALT IS BUILT INTO HASH! Hashing with bcrypt! 

//fetch login request information! $username = $_POST['username'];! $password = $_POST['password'];! ! //fetch user record from database! $user = fetchDBRecord($username);! ! //verify if login attempt password matches stored user hash! if (password_verify($password, $user->hash)){! echo "password matches";! } else {! echo "password doesn't match";! }! Login Hash Comparison with bcrypt! 

! ! //fetch password from user creation request! $password = $_POST['password'];! ! //set iterations and random initialization vector! $iterations = 1000;! $salt = mcrypt_create_iv(16, MCRYPT_DEV_URANDOM);! ! //hash password using sha256! $hash = hash_pbkdf2("sha256", $password, $salt, $iterations, 20);! ! //STORE HASH AND SALT IN USER DATABASE RECORD! Hashing with PBKDF2! 

! //fetch login request info and set iterations! $username = $_POST['username'];! $password = $_POST['password'];! $iterations = 1000;! ! //fetch user record from database! $user = fetchDBRecord($username);! ! //manually hash the login attempt password! $loginhash = hash_pbkdf2("sha256", $password, $user->salt, $iterations, 20);! ! //validate if hashes match! if (hash_equals ($loginhash, $user->hash)){ ! echo 'password match';! } else {! echo 'password mismatch';! }! ! Login Hash Comparison with PBKDF2! 

Protecting Data! 

Ideal Scenario: SSL/TLS! 

Domain Validation (DV)! Certificate authority (CA) validates domain access only! Certificate Types! 

Organization Validation (OV)! ! CA validates DV and basic organization information! Certificate Types! 

Extended Validation (EV)! CA validates DV, OV, and legal existance of the organization! Certificate Types! 

No content

//generate private key and self-signed certificate valid for 1 year! openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout server.key -out server.crt! Generate your self-signed certificate and private key! 

//update httpd.conf file to enable SSL (uncomment the following)! #LoadModule ssl_module libexec/apache2/mod_ssl.so! #Include /private/etc/apache2/extra/httpd-ssl.conf! ! //update httpd-ssl.conf file for CRT location! SSLCertificateFile "/private/etc/apache2/server.crt"! ! //copy crt and private key files to above location! cp server.crt server.key /private/etc/apache2/! Configuring SSL capabilities and setting certificates on Apache server! 

! #general virtual hosts information! DocumentRoot "/Users/jleblanc/localhost/ssltest"! ServerName ssltest! ErrorLog "/private/var/log/apache2/local.example.com-error_log"! CustomLog "/private/var/log/apache2/local.example.com-access_log" common! ! #SSL details! SSLEngine on! SSLCertificateFile "/private/etc/apache2/server.crt”! SSLCertificateKeyFile "/private/etc/apache2/server.key"! ! #SSL engine options! ! SSLOptions +StdEnvVars! ! ! SSLOptions +StdEnvVars! ! ! Update httpd-vhosts.conf! 

No content

Synchronous Cryptography! 

No content

Single User Environment! 

Encryption (ECB, CBC, OFB, CFB, CTR)! Data privacy and confidentiality mode. Attacker cannot obtain info on the plaintext data.! ! Authentication(CMAC)! Data authenticity mode. Receiver can validate whether cleartext came from intended sender.! ! Authenticated Encryption (CCM, GCM, KW/KWP/TKW)! Includes both data privacy and authenticity.! Modes of Operation! 

//set initialization data! $numbytes = 16;! $strongcrypto = true;! $mode = 'aes-256-cbc';! $message = 'my secure message';! ! //creation initialization vector and shared private key! $iv = openssl_random_pseudo_bytes($numbytes, $strongcrypto);! $key = openssl_random_pseudo_bytes($numbytes, $strongcrypto);! ! //create ciphertext with no options! $ciphertext = openssl_encrypt($message, $mode, $key, 0, $iv);! Configuring and encrypting message! 

//----! // data sent to server: iv, ciphertext! // data known by server: key! //----! ! //set algorithm and mode! $mode = 'aes-256-cbc’;! ! //decrypt provided cipher! $decrypted = openssl_decrypt($ciphertext, $mode, $key, 0, $iv);! Decrypting ciphertext! 

//display block ciphers and modes! print_r(openssl_get_cipher_methods());! Getting all available ciphers and modes ! 

Asynchronous Cryptography! 

No content

Multi-User Environment! 

//create private key in private.key! openssl genrsa -out private.key 2048! ! //create public key in public.pem! openssl rsa -in private.key -outform PEM -pubout -out public.pem! Generating Public / Private Keys! 

//set public key data from files and object to send! $public_key = openssl_get_publickey(file_get_contents('public.pem'));! $data = '{"message": "my super secure message"}';! ! //encrypt object and public keys! openssl_seal($data, $encrypted, $encpub, array($public_key));! ! //encrypted data and encrypted public key! $sealed_data = base64_encode($encrypted);! $envelope = base64_encode($encpub[0]);! ! //SEND SEALED DATA AND ENVELOPE TO RECIPIENT! Preparing Message, Encrypting, and Signing! 

//OBTAIN SEALED DATA AND ENVELOPE FROM SENDER! ! //set private key data! $private_key = openssl_get_privatekey(file_get_contents('private.key'));! ! //decode data! $sealed_data = base64_decode($sealed_data);! $envelope = base64_decode($envelope);! ! //rypt data using private key! openssl_open($sealed_data, $plaintext, $envelope, $private_key);! ! //decrypted message available in $plaintext! Decrypting and Verifying Message! 

Security Fundamentals Wrapup! 

Thank You!! Jonathan LeBlanc ! Twitter: @jcleblanc ! Book: http://bit.ly/iddatasecurity!