CC Attribution-ShareAlike 3.0 Unported License by Er Galvão Abbott - 11/8/14 - 1 / 34 Implementing Security Routines with Zend Framework 2 www.galvao.eti.br Implementing Security Routines with Zend Framework 2 by Er Galvão Abbott Authentication Brute-Force Filter & Validation Password Recovery Cryptography Authorization

Er Galvão Abbott is the President of ABRAPHP – Brazilian Association of PHP Professionals and Director of PHP Conference Brasil. Works for 20 years developing web interfaced systems and applications, being 15 of those with PHP and 7 with Zend Framework. Have worked with several companies, both local and off-shore. Talks at events, teaches both on-site and on-line courses and is the founder and leader of the PHPBR UG, a national User Group that counts with more than 1.200 registered users. Site: http://www.galvao.eti.br/ Twitter: @galvao Slides and Documents: http://slideshare.net/ergalvao https://speakerdeck.com/galvao Github: http://github.com/galvao Who?! CC Attribution-ShareAlike 3.0 Unported License by Er Galvão Abbott - 11/8/14 - 2 / 34 Implementing Security Routines with Zend Framework 2 www.galvao.eti.br

Goal Discuss in both conceptual and technical detail about how to implement Security Routines with Zend Framework 2. I'll present the following topics: → Authentication → Brute-force protection → Password recovery → Cryptography → Authorization → Data Filtering and Validation CC Attribution-ShareAlike 3.0 Unported License by Er Galvão Abbott - 11/8/14 - 3 / 34 Implementing Security Routines with Zend Framework 2 www.galvao.eti.br

Security != a piece of cake* Why? Because, for an example, I'm required to tell you this: CC Attribution-ShareAlike 3.0 Unported License by Er Galvão Abbott - 11/8/14 - 4 / 34 Implementing Security Routines with Zend Framework 2 www.galvao.eti.br * Not the framework (Hilarious!) Before we begin

Security != a piece of cake* Why? Because, for an example, I'm required to tell you this: CC Attribution-ShareAlike 3.0 Unported License by Er Galvão Abbott - 11/8/14 - 5 / 34 Implementing Security Routines with Zend Framework 2 www.galvao.eti.br Disclaimer (or the “Not my fault” part) $this is... !Fool proof !Perfect|Complete !The only|right way * Not the framework (Hilarious!) Found out an example why? Let me know! Before we begin

CC Attribution-ShareAlike 3.0 Unported License by Er Galvão Abbott - 11/8/14 - 6 / 34 Implementing Security Routines with Zend Framework 2 www.galvao.eti.br Authentication

CC Attribution-ShareAlike 3.0 Unported License by Er Galvão Abbott - 11/8/14 - 7 / 34 Implementing Security Routines with Zend Framework 2 www.galvao.eti.br Authentication ZfcUser, right?!

CC Attribution-ShareAlike 3.0 Unported License by Er Galvão Abbott - 11/8/14 - 8 / 34 Implementing Security Routines with Zend Framework 2 www.galvao.eti.br Authentication ZfcUser, right?! YES! Well...

CC Attribution-ShareAlike 3.0 Unported License by Er Galvão Abbott - 11/8/14 - 9 / 34 Implementing Security Routines with Zend Framework 2 www.galvao.eti.br Let's talk about wheels... If you don't [want to]know much about security... http://modules.zendframework.com/ZF-Commons/ZfcUser Authentication

CC Attribution-ShareAlike 3.0 Unported License by Er Galvão Abbott - 11/8/14 - 10 / 34 Implementing Security Routines with Zend Framework 2 www.galvao.eti.br Let's talk about wheels... If you don't [want to]know much about security... http://modules.zendframework.com/ZF-Commons/ZfcUser if you do... Authentication Crypt Filter Form Authentication

CC Attribution-ShareAlike 3.0 Unported License by Er Galvão Abbott - 11/8/14 - 11 / 34 Implementing Security Routines with Zend Framework 2 www.galvao.eti.br Now that we've put that aside... Authentication → Service* Cryptography → (Can also be a) Service* Authentication attempts → Event Authentication * Yes, yes, it could be done as a Module, Plugin, etc... -.-”

CC Attribution-ShareAlike 3.0 Unported License by Er Galvão Abbott - 11/8/14 - 12 / 34 Implementing Security Routines with Zend Framework 2 www.galvao.eti.br Authentication Show me the code!

code Authentication & Cryptography << CC Attribution-ShareAlike 3.0 Unported License by Er Galvão Abbott - 11/8/14 - 13 / 34 Implementing Security Routines with Zend Framework 2 www.galvao.eti.br

code Cryptography << CC Attribution-ShareAlike 3.0 Unported License by Er Galvão Abbott - 11/8/14 - 14 / 34 Implementing Security Routines with Zend Framework 2 www.galvao.eti.br

code Authentication << CC Attribution-ShareAlike 3.0 Unported License by Er Galvão Abbott - 11/8/14 - 15 / 34 Implementing Security Routines with Zend Framework 2 www.galvao.eti.br

code Authentication << CC Attribution-ShareAlike 3.0 Unported License by Er Galvão Abbott - 11/8/14 - 16 / 34 Implementing Security Routines with Zend Framework 2 www.galvao.eti.br

CC Attribution-ShareAlike 3.0 Unported License by Er Galvão Abbott - 11/8/14 - 17 / 34 Implementing Security Routines with Zend Framework 2 www.galvao.eti.br Password Recovery

CC Attribution-ShareAlike 3.0 Unported License by Er Galvão Abbott - 11/8/14 - 18 / 34 Implementing Security Routines with Zend Framework 2 www.galvao.eti.br Checklist 1. User doesn't “need to change pwd” already; 2. User is “active”; 3. Randomize a temporary pwd; 4. Randomize a temporary, short-life, token; 5. Send a tokenized link for the user to change his pwd; 6. He must correctly enter the temp pwd; 7. Until he does, don't allow him to login; 8. If the new pwd and/or token expires, inactivate, make him contact support; 9. Else, change the pwd, mark the user as “OK”. 10. If any step fails, see step 8! Password Recovery For your randomization needs: https://github.com/galvao/PHPToolkit* * Shameless advertising detected!

CC Attribution-ShareAlike 3.0 Unported License by Er Galvão Abbott - 11/8/14 - 19 / 34 Implementing Security Routines with Zend Framework 2 www.galvao.eti.br Password Recovery Key points Know what to do and what to avoid Lazyness and “user-comfortcentrism” are your enemies

CC Attribution-ShareAlike 3.0 Unported License by Er Galvão Abbott - 11/8/14 - 20 / 34 Implementing Security Routines with Zend Framework 2 www.galvao.eti.br Brute Force

CC Attribution-ShareAlike 3.0 Unported License by Er Galvão Abbott - 11/8/14 - 21 / 34 Implementing Security Routines with Zend Framework 2 www.galvao.eti.br It's all about TIME 1. Generate a timestamp; 2. Log the attempt; 3. Get previous attempt timestamp; 4. Interval = current - previous 5. If the interval is suspicious, lock the user out; 6. If x unsucessful attempts, lock the user out; Brute Force

CC Attribution-ShareAlike 3.0 Unported License by Er Galvão Abbott - 11/8/14 - 22 / 34 Implementing Security Routines with Zend Framework 2 www.galvao.eti.br Brute Force Show me the code!

code Brute Force << CC Attribution-ShareAlike 3.0 Unported License by Er Galvão Abbott - 11/8/14 - 23 / 34 Implementing Security Routines with Zend Framework 2 www.galvao.eti.br

CC Attribution-ShareAlike 3.0 Unported License by Er Galvão Abbott - 11/8/14 - 24 / 34 Implementing Security Routines with Zend Framework 2 www.galvao.eti.br Authorization

CC Attribution-ShareAlike 3.0 Unported License by Er Galvão Abbott - 11/8/14 - 25 / 34 Implementing Security Routines with Zend Framework 2 www.galvao.eti.br It's all about CAN & CAN'T 1. Everyone has a role; 2. Static storage > Dynamic storage; 3. Ideally, role of the current user should be fetched dynamically... 4. … and a user's role should be “immutable”. Authorization The relation between roles and resources. Roles can inherit from other roles. Resources may be available to multiple roles. A few not-so-obvious-things to consider:

CC Attribution-ShareAlike 3.0 Unported License by Er Galvão Abbott - 11/8/14 - 26 / 34 Implementing Security Routines with Zend Framework 2 www.galvao.eti.br Authorization Zend\Permission\Acl

CC Attribution-ShareAlike 3.0 Unported License by Er Galvão Abbott - 11/8/14 - 27 / 34 Implementing Security Routines with Zend Framework 2 www.galvao.eti.br Filter / Validation

CC Attribution-ShareAlike 3.0 Unported License by Er Galvão Abbott - 11/8/14 - 28 / 34 Implementing Security Routines with Zend Framework 2 www.galvao.eti.br 1. Filter first, then Validate; 2. Filtering changes data, backup raw data; 3. White List whenever possible (Ideally? ALWAYS) 4. K.I.S.S. Filter / Validation A few not-so-obvious-things to consider:

CC Attribution-ShareAlike 3.0 Unported License by Er Galvão Abbott - 11/8/14 - 29 / 34 Implementing Security Routines with Zend Framework 2 www.galvao.eti.br 1. Filter first, then Validate; 2. Filtering changes data, backup raw data; 3. White List whenever possible (Ideally? ALWAYS) 4. K.I.S.S. (Keep It Simple, Stupid...) Filter / Validation A few not-so-obvious-things to consider:

CC Attribution-ShareAlike 3.0 Unported License by Er Galvão Abbott - 11/8/14 - 30 / 34 Implementing Security Routines with Zend Framework 2 www.galvao.eti.br 1. Filter first, then Validate; 2. Filtering changes data, backup raw data; 3. White List whenever possible (Ideally? ALWAYS) 4. K.I.S.S. (Keep It Simple, Stupid...ly beautiful people!) Filter / Validation A few not-so-obvious-things to consider:

CC Attribution-ShareAlike 3.0 Unported License by Er Galvão Abbott - 11/8/14 - 31 / 34 Implementing Security Routines with Zend Framework 2 www.galvao.eti.br Filter & Validation In the model In the form Separated Filter / Validation Flexibility in ZF2

CC Attribution-ShareAlike 3.0 Unported License by Er Galvão Abbott - 11/8/14 - 32 / 34 Implementing Security Routines with Zend Framework 2 www.galvao.eti.br Filter / Validation Show me the code!

code Filter & Validation << CC Attribution-ShareAlike 3.0 Unported License by Er Galvão Abbott - 11/8/14 - 33 / 34 Implementing Security Routines with Zend Framework 2 www.galvao.eti.br

Muchas gracias! ? Questions? ↓ Criticism? ↑ Complements?! CC Attribution-ShareAlike 3.0 Unported License by Er Galvão Abbott - 11/8/14 - 34 / 34 Implementing Security Routines with Zend Framework 2 www.galvao.eti.br