brian-fenton
A brief overview of cryptography, with examples focusing on using strong cryptography to store passwords in PHP. Given at the University of Kansas.
Cryptography in PHP
What is cryptography
The practice of studying and hiding information
Replacing understandable text (plaintext) with a seemingly random set of characters (ciphertext)
Covers encryption (hiding) and decryption (revealing)
Modern cryptography involves lots of math & computing power
Why use it
Because we say so (obviously)
“We” here includes ITSO and several state & federal laws
Protects user data, and by extension, you, and KU
Data breaches can cause national press, and not the good kind
The best way to prevent malicious users from getting something is to not store it
Confidentiality, Authentication, Authorization, Integrity, Non-repudiation
Algorithms
For this purpose, a method used to apply cryptography to text
Several categories
Many exist
Many have known flaws
Types of algorithms
Hashing
“Digest”
One way (non-reversible)
Fast, commonly used to verify expected input
Symmetric
Slower (but that’s not a bad thing)
Can be reversed
Requires a key (usually known to both parties)
Asymmetric – not covered here. Ex. RSA, PGP
Typically used in conjunction w/symmetric
Algorithm life-cycle
Proposed
Rigorously and thoroughly tested in the open for 3+ years
Adopted as a standard
Broad user base
Flaws discovered
Declared “broken” and disregarded (but not by all users)
Repeat
“You can’t hide secrets from the future with math”
- MC Frontalot
Rainbow Tables
Compares hashes to known values
Fast to search
Fast to generate (now)
Fit on thumb drives (very soon)
Encryption options in PHP
md5() – NO
sha1() – there are better ones out there
hash()
Specify algorithm and key length, sha512 is pretty good
crypt()
one-way hashing, multiple algorithms
Supports bcrypt as of PHP 5.3
mcrypt library
OpenSSL library – mostly for asymmetric use
Initialization Vectors
Used to add randomization to your cipher
“seeds” additional randomness into the algorithm
Make a new one for each user
Use mcrypt_create_iv($size, MCRYPT_DEV_URANDOM)
$size should be determined by the algorithm used.
mcrypt_get_iv_size($algorithm, MCRYPT_MODE_CBC)
IVs can be kept secret but don’t have to be
Safe to store them with the encrypted value
Not a salt (salting is just for hashes)
Best practices, pt 1
Don’t store everything your crypto system needs in one place
Use symmetric, one way algorithms for passwords
Base64-encode crypto output before storing
Keys should be binary, not ASCII
Try SHA256 on your key phrase
Best practices, pt 2
Use CBC mode instead of ECB
Don’t re-run hashing functions
Pad out user’s input to cipher’s block size
Make sure the input is distinct from your padding
Remember to take the padding off when retrieving
KEEP IT [your key] SECRET. KEEP IT SAFE
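The IV and best-practice slides above, put together as an added example (not code from the original deck): it swaps the mcrypt calls for PHP's OpenSSL extension, since mcrypt was removed from PHP core in 7.2, and adds an HMAC so tampering is detected before decryption. The function names, the sub-key derivation and the sample strings are assumptions made for this example.

```php
<?php
// Added example (not from the slides). Uses ext/openssl; needs PHP 7+ for random_bytes().
const CIPHER = 'aes-256-cbc';

// Binary keys from a key phrase: SHA-256 as the slides suggest, then separate
// encryption and MAC sub-keys (the split is an addition in this example).
function derive_keys(string $phrase): array
{
    $master = hash('sha256', $phrase, true);   // 32 raw bytes, not hex text
    return [hash_hmac('sha256', 'enc', $master, true),
            hash_hmac('sha256', 'mac', $master, true)];
}

function encrypt_field(string $plaintext, string $phrase): string
{
    list($encKey, $macKey) = derive_keys($phrase);
    $iv = random_bytes(openssl_cipher_iv_length(CIPHER));  // new IV for every value
    // OPENSSL_RAW_DATA returns raw bytes; PKCS#7 padding is applied automatically.
    $ct = openssl_encrypt($plaintext, CIPHER, $encKey, OPENSSL_RAW_DATA, $iv);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    $mac = hash_hmac('sha256', $iv . $ct, $macKey, true);  // encrypt-then-MAC
    return base64_encode($iv . $mac . $ct);                // IV travels with the value
}

function decrypt_field(string $stored, string $phrase): string
{
    list($encKey, $macKey) = derive_keys($phrase);
    $ivLen = openssl_cipher_iv_length(CIPHER);
    $raw = base64_decode($stored, true);
    if ($raw === false || strlen($raw) < $ivLen + 32 + 16) {
        throw new RuntimeException('malformed value');
    }
    $iv  = substr($raw, 0, $ivLen);
    $mac = substr($raw, $ivLen, 32);
    $ct  = substr($raw, $ivLen + 32);
    // Check the MAC first so tampered data never reaches the cipher.
    if (!hash_equals(hash_hmac('sha256', $iv . $ct, $macKey, true), $mac)) {
        throw new RuntimeException('integrity check failed');
    }
    $pt = openssl_decrypt($ct, CIPHER, $encKey, OPENSSL_RAW_DATA, $iv);
    if ($pt === false) {
        throw new RuntimeException('decryption failed');
    }
    return $pt;   // padding already stripped by OpenSSL
}
$stored = encrypt_field('constructed sample value', 'constructed key phrase');
var_dump(decrypt_field($stored, 'constructed key phrase'));
```

Encrypting the same value twice yields different stored strings because each call draws a new IV; the key phrase itself belongs outside the database, per the first best-practice slide.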
Resources
http://www.ciphersbyritter.com/GLOSSARY.HTM - terms
https://github.com/archwisp/MindFrame2/blob/master/Crypto.php - example encrypt/decrypt object
http://thinkdiff.net/mysql/encrypt-mysql-data-using-aes-techniques/ - encryption functions in MySQL
http://www.zimuel.it/blog/2011/01/strong-cryptography-in-php/
Questions?