Slide 1

Confidential - © All rights reserved. Zend Technologies, Inc.

Information Security in PHP: the CIA triad approach

Enrico Zimuel – enrico@zend.com
Senior Software Engineer, Zend Technologies Inc.

Slide 2

Information Security

“Information Security, sometimes shortened to InfoSec, is the practice of defending information from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction” (Wikipedia)

Slide 3

Application security

● Is application security only about code?
● No: it also covers servers, networks and data sources, basically anything that touches the application
● Code is only part of the equation; to really get a good sense of application security, you have to view the system as a whole
● We can use the CIA (Confidentiality, Integrity and Availability) approach to design security

Slide 4

CIA approach

Slide 5

OWASP Top 10 vulnerabilities in 2013

1. Injection
2. Broken authentication and session management
3. Cross-site scripting (XSS)
4. Insecure direct object references
5. Security misconfiguration
6. Sensitive data exposure
7. Missing function level access control
8. Cross-site request forgery (CSRF)
9. Using components with known vulnerabilities
10. Unvalidated redirects and forwards

Source: http://www.owasp.org

Slide 6

CONFIDENTIALITY

Slide 7

Confidentiality

“Confidentiality is a set of rules or a promise that limits access or places restrictions on certain types of information” (Wikipedia)

Slide 8

Cryptography

● Cryptography is hard, and implementing it is even harder!
● PHP offers cryptographic primitives, but you need to know how to use them (this is not straightforward)
● This can be a barrier that discourages PHP developers

Slide 9

Cryptography in ZF2

● Zend\Crypt helps PHP developers use cryptography in their projects
● In PHP we have built-in functions and extensions for cryptography:
  – crypt()
  – Mcrypt
  – OpenSSL
  – Hash (built in by default since PHP 5.1.2)
  – Mhash (emulated by Hash from PHP 5.3)

Slide 10

Zend\Crypt

● Zend\Crypt components:
  – Zend\Crypt\Password
  – Zend\Crypt\Key\Derivation
  – Zend\Crypt\Symmetric
  – Zend\Crypt\PublicKey
  – Zend\Crypt\Hash
  – Zend\Crypt\Hmac
  – Zend\Crypt\BlockCipher

Slide 11

Encrypt and authenticate

● Zend\Crypt\BlockCipher can be used to encrypt/decrypt sensitive data (symmetric encryption)
● Provides encryption + authentication (HMAC)
● Simplified API:
  – setKey($key)
  – encrypt($data)
  – decrypt($data)
● It uses the Mcrypt adapter

Slide 12

Default standards

● Default values used by BlockCipher:
  – AES algorithm (key of 256 bits)
  – CBC mode + HMAC (SHA-256)
  – PKCS7 padding mode (RFC 5652)
  – PBKDF2 to generate the encryption key + the authentication key for the HMAC
  – Random IV for each encryption

Slide 13

Example: AES encryption

The encrypted text is encoded in Base64; you can switch to binary output using setBinaryOutput(true)

Slide 14

Example: encryption output

Zend\Crypt\BlockCipher::encrypt applied to “This is the message to encrypt” with the key “this is the encryption key” produces:

    064b05b885342dc91e7915e492715acf0f896620dbf9d1e00dd0798b15e72e8cZg+hO34C3f3eb8TeJM9xWQRVex1y5zeLrBsNv+dYeVy3SBJa+pXZbUQYNZw0xS9s

Legend (in order): HMAC, IV, ciphertext

Slide 15

Example: decrypt
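The following is an added example, not the deck's own code, exercising the BlockCipher API described on slides 11 to 15 with the message and key from slide 14; it assumes Zend Framework 2 is installed via Composer (`vendor/autoload.php`) and the Mcrypt extension is available.

```php
<?php
// Added example, not from the slides: encrypt/decrypt with Zend\Crypt\BlockCipher.
// Assumes ZF2 installed via Composer; message and key are those shown on slide 14.
require 'vendor/autoload.php';

use Zend\Crypt\BlockCipher;

$message = 'This is the message to encrypt';
$key     = 'this is the encryption key';

// The factory selects the Mcrypt adapter. Defaults (slide 12): AES with a 256-bit
// key, CBC mode, PKCS7 padding, SHA-256 HMAC, PBKDF2-derived keys, random IV per call.
$blockCipher = BlockCipher::factory('mcrypt', array('algo' => 'aes'));
$blockCipher->setKey($key);

// Base64 output by default: HMAC, then IV and ciphertext (slide 14).
$encrypted = $blockCipher->encrypt($message);
echo "Encrypted: $encrypted\n";

// decrypt() recomputes the HMAC over IV + ciphertext and compares it (constant
// time) before decrypting; on a mismatch it returns false rather than garbage.
if ($blockCipher->decrypt($encrypted) !== $message) {
    throw new RuntimeException('round trip failed');
}

// Tampering: change one character of the Base64 body and decryption is refused.
$tampered = $encrypted;
$pos = strlen($tampered) - 5;
$tampered[$pos] = ($tampered[$pos] === 'A') ? 'B' : 'A';
if ($blockCipher->decrypt($tampered) !== false) {
    throw new RuntimeException('tampered ciphertext was accepted');
}

// Wrong key: both the encryption key and the HMAC key are derived from it with
// PBKDF2, so the authentication check fails before any decryption happens.
$blockCipher->setKey('a different key');
if ($blockCipher->decrypt($encrypted) !== false) {
    throw new RuntimeException('wrong key was accepted');
}

// Binary output (slide 13): same layout, but IV + ciphertext are not Base64-encoded.
$blockCipher->setKey($key);
$blockCipher->setBinaryOutput(true);
$binary = $blockCipher->encrypt($message);
if ($blockCipher->decrypt($binary) !== $message) {
    throw new RuntimeException('binary round trip failed');
}
echo "All BlockCipher checks passed\n";
```

Because the IV is random on every call, the printed ciphertext differs from the one on slide 14 on each run while still decrypting to the same message.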

Slide 16

How to safely store a password?

● Insecure methods:
  – MD5/SHA1(password)
  – MD5/SHA1(password . salt) where salt is a random string
● Secure methods:
  – bcrypt
  – scrypt

Slide 17

bcrypt

● bcrypt uses the Blowfish cipher + iterations to generate secure hash values
● bcrypt is secure against brute force attacks because it is slow, very slow (meaning attacks need a huge amount of time to complete)
● The algorithm needs a salt value and a work factor parameter (cost), which lets you decide how expensive the bcrypt function will be (default is 10)

Slide 18

Example: bcrypt

The output of bcrypt ($hash) is a string of 60 bytes
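An added example (not the deck's own code) of Zend\Crypt\Password\Bcrypt as described on slides 16 to 18: create and verify a hash, check the 60-byte output, and time the cost parameter; the password is a constructed sample and ZF2 is assumed to be installed via Composer.

```php
<?php
// Added example, not from the slides: hashing and verifying a password with Zend\Crypt\Password\Bcrypt.
// The sample password is constructed.
require 'vendor/autoload.php';

use Zend\Crypt\Password\Bcrypt;

$password = 'correct horse battery staple';

$bcrypt = new Bcrypt();
$bcrypt->setCost(12); // work factor (slide 17): default 10, each +1 roughly doubles the time

// create() draws a random salt and returns the 60-byte string "$2y$12$<22-char salt><31-char hash>"
// (on PHP >= 5.3.7); store the whole string, salt and cost are embedded in it.
$hash = $bcrypt->create($password);
if (strlen($hash) !== 60) {
    throw new RuntimeException('unexpected bcrypt output length');
}

// verify() re-hashes the candidate with the salt and cost taken from $hash
// and compares the result in constant time.
if (!$bcrypt->verify($password, $hash)) {
    throw new RuntimeException('valid password rejected');
}
if ($bcrypt->verify('Correct horse battery staple', $hash)) {
    throw new RuntimeException('wrong password accepted');
}

// The same password hashed twice yields different strings (fresh salt each time),
// so two users with the same password cannot be linked through their hashes.
if ($bcrypt->create($password) === $hash) {
    throw new RuntimeException('salt was reused');
}

// Measure the cost on the deployment hardware: choose the highest value whose
// latency the login path can afford.
function measureCost($cost, $password)
{
    $b = new Bcrypt(array('cost' => $cost));
    $start = microtime(true);
    $b->create($password);
    return microtime(true) - $start;
}
foreach (array(10, 11, 12) as $cost) {
    printf("cost %2d: %.3f s per hash\n", $cost, measureCost($cost, $password));
}
```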

Slide 19

Access control

● Authentication
  – Authentication is the process of determining whether someone or something is, in fact, who or what it is declared to be.
● Authorization
  – Authorization is the function of specifying access rights to resources, related to information security and computer security in general and to access control in particular.

Slide 20

Zend\Authentication

● Zend\Authentication provides an API for authentication and includes concrete authentication adapters for common use case scenarios
● Adapters:
  – Database Table
  – Digest
  – HTTP
  – LDAP
  – Your adapter

Slide 21

Example: authentication
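An added example (not the deck's own code) of the "Your adapter" option from slide 20: a custom Zend\Authentication adapter that checks credentials against bcrypt hashes and is driven through AuthenticationService. The ArrayAdapter class, user list and passwords are constructed for the demo; ZF2 via Composer is assumed.

```php
<?php
// Added example, not from the slides: a custom Zend\Authentication adapter (the "Your adapter"
// item on slide 20) checking credentials against bcrypt hashes. Users and passwords are constructed.
require 'vendor/autoload.php';

use Zend\Authentication\Adapter\AdapterInterface;
use Zend\Authentication\AuthenticationService;
use Zend\Authentication\Result;
use Zend\Crypt\Password\Bcrypt;

class ArrayAdapter implements AdapterInterface
{
    private $users;   // username => bcrypt hash (would normally come from a database)
    private $username, $password;

    public function __construct(array $users) { $this->users = $users; }

    public function setCredentials($username, $password)
    {
        $this->username = $username;
        $this->password = $password;
        return $this;
    }

    public function authenticate()
    {
        // Distinct result codes for logging, but the same generic message for the
        // user, so the login form does not reveal which usernames exist.
        if (!isset($this->users[$this->username])) {
            return new Result(Result::FAILURE_IDENTITY_NOT_FOUND, null, array('Invalid credentials'));
        }
        $bcrypt = new Bcrypt();
        if (!$bcrypt->verify($this->password, $this->users[$this->username])) {
            return new Result(Result::FAILURE_CREDENTIAL_INVALID, null, array('Invalid credentials'));
        }
        return new Result(Result::SUCCESS, $this->username);
    }
}

$bcrypt  = new Bcrypt();
$adapter = new ArrayAdapter(array('alice' => $bcrypt->create('demo-password-only')));

// AuthenticationService runs the adapter and keeps the identity in session storage on success.
$auth   = new AuthenticationService();
$result = $auth->authenticate($adapter->setCredentials('alice', 'demo-password-only'));
if (!$result->isValid() || $auth->getIdentity() !== 'alice') { throw new RuntimeException('login should succeed'); }

$auth->clearIdentity();
$result = $auth->authenticate($adapter->setCredentials('alice', 'wrong password'));
if ($result->isValid() || $auth->hasIdentity()) { throw new RuntimeException('login should fail'); }
```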

Slide 22

Zend\Permissions\Acl

● The component provides a lightweight and flexible Access Control List (ACL) implementation for privilege management
● Terminology:
  – a resource is an object to which access is controlled
  – a role is an object that may request access to a resource

Slide 23

Example: ACL
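An added example (not the deck's own code) of the roles, resources and rules described on slide 22, including role inheritance and a specific deny overriding a broad allow; role and resource names are constructed and ZF2 via Composer is assumed.

```php
<?php
// Added example, not from the slides: roles, resources and rules with Zend\Permissions\Acl.
// Role and resource names are constructed for the demo.
require 'vendor/autoload.php';

use Zend\Permissions\Acl\Acl;
use Zend\Permissions\Acl\Role\GenericRole as Role;
use Zend\Permissions\Acl\Resource\GenericResource as Resource;

function buildAcl()
{
    $acl = new Acl();
    // Roles form an inheritance chain: member extends guest, editor extends member, ...
    $acl->addRole(new Role('guest'))
        ->addRole(new Role('member'), 'guest')
        ->addRole(new Role('editor'), 'member')
        ->addRole(new Role('admin'),  'editor');

    // Resources are the objects access is controlled to (slide 22).
    $acl->addResource(new Resource('post'))
        ->addResource(new Resource('comment'));

    // Everything not explicitly allowed is denied (default deny = least privilege).
    $acl->allow('guest',  'post',    'view');
    $acl->allow('member', 'comment', array('view', 'add'));
    $acl->allow('editor', 'post',    array('add', 'edit'));
    $acl->allow('admin');                      // admin: everything on every resource ...
    $acl->deny('admin', 'comment', 'delete');  // ... except this; the more specific deny wins

    return $acl;
}

$acl = buildAcl();

$checks = array( // role, resource, privilege, expected decision
    array('guest',  'post',    'view',   true),
    array('guest',  'post',    'edit',   false),
    array('member', 'post',    'view',   true),   // inherited from guest
    array('member', 'comment', 'add',    true),
    array('editor', 'comment', 'delete', false),  // never granted below admin
    array('admin',  'post',    'delete', true),   // from the allow-all rule
    array('admin',  'comment', 'delete', false),  // explicit deny
);
foreach ($checks as $c) {
    list($role, $resource, $privilege, $expected) = $c;
    if ($acl->isAllowed($role, $resource, $privilege) !== $expected) {
        throw new RuntimeException("unexpected ACL decision for $role/$resource/$privilege");
    }
}
echo "all ACL decisions match expectations\n";
```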

Slide 24

INTEGRITY

Slide 25

Integrity

Integrity, in a security context, is more formally defined not only as the assurance that the data the application is providing is correct, but also that it is protected from modification or corruption

Slide 26

Input validation

● Filter input, escape output
● Never trust user input ($_GET, $_POST)
● In ZF2 we can use:
  – Zend\Filter
  – Zend\InputFilter
  – Zend\Validator
  – Zend\Escaper

Slide 27

Zend\Filter

Example:

    $htmlEntities = new Zend\Filter\HtmlEntities();
    echo $htmlEntities->filter('&'); // &amp;
    echo $htmlEntities->filter('"'); // &quot;

Example (static usage):

    echo StaticFilter::execute('&', 'HtmlEntities'); // &amp;

Slide 28

Zend\Filter

Example: making a custom filter available to StaticFilter

    // Either register the class on the default plugin manager ...
    $pluginManager = StaticFilter::getPluginManager()->setInvokableClass(
        'myNewFilter', 'MyCustom\Filter\MyNewFilter'
    );

    // ... or install your own plugin manager
    StaticFilter::setPluginManager(new MyFilterPluginManager());

    echo StaticFilter::execute('&', 'myNewFilter');

Slide 29

Zend\InputFilter

Slide 30

Zend\Validator

Slide 31

Zend\Validator

Slide 32

Zend\Escaper
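An added example (not the deck's own code) putting the "filter input, escape output" rule of slide 26 into practice with the four components named there, Zend\InputFilter, Zend\Validator, Zend\Filter and Zend\Escaper (slides 29 to 32); the submitted data stands in for $_POST and is constructed, and ZF2 via Composer is assumed.

```php
<?php
// Added example, not from the slides: "filter input, escape output" (slide 26) with
// Zend\InputFilter, Zend\Validator and Zend\Escaper. The submitted data is constructed.
require 'vendor/autoload.php';

use Zend\InputFilter\Input;
use Zend\InputFilter\InputFilter;
use Zend\Escaper\Escaper;

// Filters run first (normalise), validators second (accept/reject the normalised value).
function buildCommentFilter()
{
    $email = new Input('email');
    $email->getFilterChain()->attachByName('StringTrim')->attachByName('StringToLower');
    $email->getValidatorChain()->attachByName('EmailAddress');

    $body = new Input('body');
    $body->getFilterChain()->attachByName('StripTags')->attachByName('StringTrim');
    $body->getValidatorChain()->attachByName('StringLength', array('min' => 1, 'max' => 500));

    $filter = new InputFilter();
    return $filter->add($email)->add($body);
}

// Constructed stand-in for $_POST; treat it as hostile (slide 26).
$post = array(
    'email' => '  Alice@Example.COM ',
    'body'  => '<em>Great</em> talk! <script>/* unwanted */</script> Tom & Jerry',
);

$filter = buildCommentFilter();
$filter->setData($post);
if (!$filter->isValid()) {
    print_r($filter->getMessages()); // field name => validator messages
    exit(1);
}
$clean = $filter->getValues(); // filtered and validated values only

// Escaping is context-specific: use the escaper for the context the value lands in.
$escaper = new Escaper('utf-8');
echo sprintf(
    '<p data-author="%s">%s</p>',
    $escaper->escapeHtmlAttr($clean['email']),
    $escaper->escapeHtml($clean['body'])
), "\n";
echo 'var body = "', $escaper->escapeJs($clean['body']), '";', "\n";
```

StripTags removes the markup but keeps the text between the tags, which is why the output escaping is still needed for the HTML, attribute and JavaScript contexts separately.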

Slide 33

Protect against modification

● Use a Hash-based Message Authentication Code (HMAC) to protect data integrity
● In PHP:
  – hash_hmac('sha256', $msg, $key)
● In ZF2:
  – Zend\Crypt\Hmac::compute($key, 'sha256', $msg);
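An added example (not the deck's own code) of the two HMAC calls from slide 33 used to detect modification of a value that leaves the server and comes back, with a constant-time comparison on verification; the key, the `sign`/`verify` helpers and the `msg.tag` token format are constructed, and ZF2 via Composer is assumed.

```php
<?php
// Added example, not from the slides: protecting a value handed to the client against
// modification with an HMAC, using the two calls from slide 33. Key and token format are constructed.
require 'vendor/autoload.php';

use Zend\Crypt\Hmac;
use Zend\Crypt\Utils;

$key = 'demo-key: replace with 32 random bytes from a CSPRNG'; // server-side only

// Append the tag to the value we give out (e.g. in a cookie or hidden form field).
function sign($key, $msg)
{
    // Same result as hash_hmac('sha256', $msg, $key) in core PHP.
    return $msg . '.' . Hmac::compute($key, 'sha256', $msg);
}

// On the way back in: recompute the tag and compare it in constant time.
// Returns the verified message, or false if the tag is missing or does not match.
function verify($key, $token)
{
    $dot = strrpos($token, '.');
    if ($dot === false) {
        return false;
    }
    $msg = substr($token, 0, $dot);
    $tag = substr($token, $dot + 1);
    $expected = Hmac::compute($key, 'sha256', $msg);
    // Utils::compareStrings does not stop at the first differing byte, so the
    // comparison time does not leak how much of the tag was right.
    return Utils::compareStrings($expected, $tag) ? $msg : false;
}

$token = sign($key, 'user=42&plan=basic');
if (verify($key, $token) !== 'user=42&plan=basic') {
    throw new RuntimeException('valid token rejected');
}

// The value is readable by whoever holds it (HMAC gives integrity, not confidentiality),
// but any change to it, or to the tag, makes verification fail.
$modified = str_replace('plan=basic', 'plan=pro', $token);
if (verify($key, $modified) !== false) {
    throw new RuntimeException('modified token accepted');
}

// Cross-check against the core PHP call from slide 33.
if (hash_hmac('sha256', 'user=42&plan=basic', $key) !== Hmac::compute($key, 'sha256', 'user=42&plan=basic')) {
    throw new RuntimeException('hash_hmac and Hmac::compute disagree');
}
```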

Slide 34

AVAILABILITY

Slide 35

Availability

● Availability is the probability that a system is operational at a given time, i.e. the amount of time a device is actually operating as a percentage of the total time it should be operating
● From the application security point of view:
  – Health of the application server itself
  – Status of any data sources (like databases)
  – Network infrastructure and its saturation

Slide 36

Configuration over hard-coding

● One of the easiest things you can do to make your application more flexible and easier to scale (or to fix when it's broken) is to allow it to be configured without requiring a code change
● In ZF2 we use configuration files for the application and the modules:
  – config/application.config.php
  – config/autoload/*.global.php
  – config/autoload/*.local.php (excluded via .gitignore)
  – module/xxx/config/module.config.php

Slide 37

Plan for failure

● PHP is configured to give as much information as possible when something goes wrong
● Disable error display in production
● In php.ini:

    display_errors = Off
    log_errors = On

● In ZF2 config:

    'view_manager' => array(
        'display_not_found_reason' => false,
        'display_exceptions'       => false,
    ),

Slide 38

Disable error reporting? No, please: we need the error log!

Slide 39

Custom error handler

● Use set_error_handler(); in ZF2:

    set_error_handler(array('Application\Module', 'handlePhpErrors'));

    // in Application\Module
    public static function handlePhpErrors($type, $message, $file, $line)
    {
        // Skip errors excluded by the current error_reporting() level
        if (!($type & error_reporting())) {
            return;
        }
        // Turn the PHP error into an exception so it can be caught and logged
        throw new Exception(sprintf('Error %s in file %s at line %s', $message, $file, $line));
    }

Slide 40

Some resources

● Chris Cornutt, Securing PHP: Core Concepts, http://leanpub.com/securingphp-coreconcepts
● Steve Maraspin, Error reporting in ZF2, ZFDay 2014, http://www.slideshare.net/maraspin/error-handling-in-zf2-form-messages-custom-error-pages-logging
● Enrico Zimuel, Encryption, authentication and data integrity in PHP, Dutch PHP Conference 2014, http://www.zimuel.it/slides/dpc2014.html
● Chris Shiflett, Essential PHP Security, O'Reilly Media, http://shop.oreilly.com/product/9780596006563.do
● PHP Security Consortium, http://phpsec.org

Slide 41

THANKS!

Zend Framework 2: http://framework.zend.com

Please rate this talk: https://joind.in/12076