Cryptography in PHP

A brief overview of cryptography, with examples focusing on using strong cryptography to store passwords in PHP. Given at the University of Kansas.

Page 1: Cryptography in PHP

Cryptography in PHP

Page 2: Cryptography in PHP

What is cryptography

The practice of studying and hiding information

Replacing understandable text (plaintext) with a seemingly random set of characters (ciphertext)

Covers encryption (hiding) and decryption (revealing)

Modern cryptography involves lots of math & computing power

Page 3: Cryptography in PHP

Why use it

Because we say so (obviously)

“We” here includes ITSO and several state & federal laws

Protects user data, and by extension, you, and KU

Data breaches can cause national press, and not the good kind

The best way to prevent malicious users from getting something is to not store it

Confidentiality, Authentication, Authorization, Integrity, Non-repudiation

Page 4: Cryptography in PHP

Algorithms

For this purpose, a method used to apply cryptography to text

Several categories

Many exist

Many have known flaws

Page 5: Cryptography in PHP

Types of algorithms

Hashing

“Digest”

One way (non-reversible)

Fast, commonly used to verify expected input

Symmetric

Slower (but that’s not a bad thing)

Can be reversed

Requires a key (usually known to both parties)

Asymmetric – not covered here. Ex. RSA, PGP

Typically used in conjunction w/symmetric

Page 6: Cryptography in PHP

Algorithm life-cycle

Proposed

Rigorously and thoroughly tested in the open for 3+ years

Adopted as a standard

Broad user base

Flaws discovered

Declared “broken” and disregarded (but not by all users)

Repeat

Page 7: Cryptography in PHP

“You can’t hide secrets from the future with math”

- MC Frontalot

Page 8: Cryptography in PHP

Rainbow Tables

Compares hashes to known values

Fast to search

Fast to generate (now)

Fit on thumb drives (very soon)

Page 9: Cryptography in PHP

Encryption options in PHP

md5() – NO

sha1() – there are better ones out there

hash()

Specify algorithm and key length, sha512 is pretty good

crypt()

one-way hashing, multiple algorithms

Supports bcrypt as of PHP 5.3

mcrypt library

OpenSSL library – mostly for asymmetric use
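
The crypt() and bcrypt bullets above, together with the rainbow-table slide, worked through as an added example (not from the original slides). It assumes PHP 7 or later for random_bytes(); hash_password() and verify_password() are hypothetical names, and the passwords are constructed sample values.

```php
<?php
// Added example, not from the original slides. Function names are hypothetical.

// Hash a new password with bcrypt through crypt(). A fresh random salt per
// user means one precomputed (rainbow) table cannot cover the whole user table.
function hash_password(string $password, int $cost = 12): string
{
    if ($cost < 4 || $cost > 31) {
        throw new InvalidArgumentException('bcrypt cost must be between 4 and 31');
    }
    // bcrypt expects 22 salt characters from the alphabet ./A-Za-z0-9.
    // Base64 output differs only in using '+', so map it to '.'.
    $salt = substr(strtr(base64_encode(random_bytes(16)), '+', '.'), 0, 22);
    $hash = crypt($password, sprintf('$2y$%02d$%s', $cost, $salt));
    // On failure crypt() returns a short marker such as "*0", not a hash.
    if (strlen($hash) !== 60) {
        throw new RuntimeException('bcrypt hashing failed');
    }
    return $hash;
}

// Check a login attempt against the stored 60-character bcrypt string.
function verify_password(string $candidate, string $stored): bool
{
    // Refuse anything that is not a bcrypt hash, so a corrupted or legacy
    // column value can never be matched by accident.
    if (strlen($stored) !== 60 || strncmp($stored, '$2y$', 4) !== 0) {
        return false;
    }
    // Passing the stored hash as the salt makes crypt() reuse its cost and salt.
    $check = crypt($candidate, $stored);
    // hash_equals() compares in constant time, unlike == or ===.
    return hash_equals($stored, $check);
}

// Constructed sample values.
$stored = hash_password('correct horse battery staple');
echo "stored hash:       ", $stored, "\n";
echo "right password:    ";
var_dump(verify_password('correct horse battery staple', $stored));
echo "wrong password:    ";
var_dump(verify_password('Tr0ub4dor&3', $stored));
// Same password hashed twice: the per-user salt makes the stored values differ.
echo "two hashes equal:  ";
var_dump(hash_password('same password') === hash_password('same password'));
```

The salt and cost travel inside the stored string, so only that one value needs to be kept per user. bcrypt reads at most the first 72 bytes of the password.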

Page 10: Cryptography in PHP

Initialization Vectors

Used to add randomization to your cipher

“seeds” additional randomness into the algorithm

Make a new one for each user

Use mcrypt_create_iv($size, MCRYPT_DEV_URANDOM)

$size should be determined by the algorithm used.

mcrypt_get_iv_size($algorithm, MCRYPT_MODE_CBC)

IVs can be kept secret but don’t have to be

Safe to store them with the encrypted value

Not a salt (salting is just for hashes)

Page 11: Cryptography in PHP

Best practices, pt 1

Don’t store everything your crypto system needs in one place

Use symmetric, one way algorithms for passwords

Base64-encode crypto output before storing

Keys should be binary, not ASCII

Try SHA256 on your key phrase

Page 12: Cryptography in PHP

Best practices, pt 2

Use CBC mode instead of ECB

Don’t re-run hashing functions

Pad out user’s input to cipher’s block size

Make sure the input is distinct from your padding

Remember to take the padding off when retrieving

KEEP IT [your key] SECRET. KEEP IT SAFE

Page 14: Cryptography in PHP

Questions?