2. Cryptography
● Keeping Data Secure
○ Safe From Viewing
○ Safe From Tampering
○ Safe From Forgery
● Not A Silver Bullet
○ XSS
○ SQLI
○ Social Engineering
● Very Hard To Do
○ Any bug will cause problems
6. Random!
The Foundation of Cryptography
● Classified Under Three Types:
○ Weak
■ For non-cryptographic usages
○ Strong
■ For cryptographic usages where security does not depend on the strength of randomness
○ Cryptographically Secure
■ For cryptographic usages where security does depend on the strength of randomness
7. Vulnerabilities of Randomness
● Bias
○ Certain values tend to occur more often, making it easier to predict future numbers
● Predictability
○ Knowing past numbers helps predict future numbers
● Poisoning
○ Ability to alter future random number generation
8. Weak Random in PHP
Not to be used for cryptographic usages!!!
● rand()
● mt_rand()
● uniqid()
● lcg_value()
9. Strong Random in PHP
● mcrypt_create_iv()
○ MCRYPT_DEV_URANDOM
● openssl_random_pseudo_bytes()
● /dev/urandom
○ For *nix systems only
10. Cryptographically Secure
● mcrypt_create_iv()
○ MCRYPT_DEV_RANDOM
● openssl_random_pseudo_bytes()
○ Maybe
● /dev/random
○ For *nix systems only
14. Encryption vs Hashing
● Encryption
○ Encoding
○ 2 Way / Reversible
○ Putting a lock on a box
● Hashing
○ Signing
○ 1 Way / Non-Reversible
○ Taking a person's finger-print
17. Terms
● Key
○ Secure string of data
● Plain-Text
○ The text you want to keep secret
● Cipher-Text
○ The encrypted output
18. Two Basic Types
● Symmetric Encryption
○ Like a Pad-Lock with a shared key
○ The only secret is the key
○ Both sides must have the same key
● Asymmetric Encryption
○ Like a pair of Pad-Locks
■ The "lock" is the public key
○ The only secret is the private key
○ Both sides have their own key
21. Secret Numbers
● We just invented the Caesar Cipher
○ Commonly known as "ROT13"
● But There Are Problems:
○ Vulnerable To Statistical Attacks
○ Vulnerable To Brute Forcing
■ Only 100 possible secret numbers!
23. How It Works
We can generate the pads in two ways
● Randomly
○ If we only use once, perfect security
■ Known as a one-time-pad
○ If we use multiple times, same as Caesar cipher
● With A Function
○ Give one or two inputs
■ A key, and an "input"
○ Generates a "stream" of pseudo-random numbers
24. Ciphers
● Take 2 inputs
○ A secret key
○ An "input"
● Produces Pseudo-Random Output
○ Looks random (statistically)
○ Is deterministic
■ Reproducible given same inputs
25. Modes
● Multiple ways to use the keystream
● Each way is known as a "Mode"
● Some are secure
○ Others are not
28. CBC
Cipher Block Chaining
● Uses an "Initialization Vector"
○ Helps "randomize" the plain-text
○ Ensures no non-unique blocks
○ Does NOT need to be secret
● Chains each block together
○ Propagating the generated "randomness"
● Plain-Text Must Be Padded
○ To a multiple of block-size
● Secure!
30. CFB
Cipher FeedBack
● Uses an "Initialization Vector"
● Plain-Text never enters cipher
○ Does not need to be padded
● "Decrypt" Is Never Used
● Secure!
32. Ciphers
● AES 128 & 256
○ Standard
■ NIST Approved
○ Also Known As RIJNDAEL-128
■ 128 here refers to "block size"
○ Very Strong
○ Note, the number after AES is *key size*
● Blowfish
● TwoFish
● Serpent
33. Authentication
How do you know it wasn't tampered with / came from your friend?
● HMAC
○ Hash-based Message Authentication Code
● USE A SEPARATE KEY!
● Encrypt-Then-MAC
○ Always MAC after encryption
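The Encrypt-Then-MAC bullets above, worked through in PHP as an added example (not the code from the original slides): AES-128 in CBC mode with a random IV, then an HMAC-SHA256 tag made with a separate key and checked before anything is decrypted. The names encryptThenMac() and verifyThenDecrypt() are hypothetical, and the OpenSSL extension plus PHP 7's random_bytes() are assumed in place of the mcrypt functions the slides list.

```php
<?php
// Added example, not from the original slides. Assumes ext-openssl and PHP 7+.
// encryptThenMac() / verifyThenDecrypt() are hypothetical names.
const CIPHER = 'aes-128-cbc';
const TAG_LEN = 32; // raw HMAC-SHA256 output

function encryptThenMac($plainText, $encKey, $macKey) {
    // Fresh random IV per message; it is not secret and travels with the message.
    $iv = random_bytes(openssl_cipher_iv_length(CIPHER));
    // OpenSSL pads the plain-text to the block size (PKCS#7) itself.
    $cipherText = openssl_encrypt($plainText, CIPHER, $encKey, OPENSSL_RAW_DATA, $iv);
    if ($cipherText === false) {
        throw new RuntimeException('encryption failed');
    }
    // MAC after encryption, over IV + cipher-text, with the separate key.
    $tag = hash_hmac('sha256', $iv . $cipherText, $macKey, true);
    return base64_encode($tag . $iv . $cipherText);
}

function verifyThenDecrypt($message, $encKey, $macKey) {
    $ivLen = openssl_cipher_iv_length(CIPHER); // equals the AES block size
    $raw = base64_decode($message, true);
    if ($raw === false || strlen($raw) < TAG_LEN + 2 * $ivLen) {
        return false; // too short to hold tag + IV + one block
    }
    $tag = substr($raw, 0, TAG_LEN);
    $iv = substr($raw, TAG_LEN, $ivLen);
    $cipherText = substr($raw, TAG_LEN + $ivLen);
    $expected = hash_hmac('sha256', $iv . $cipherText, $macKey, true);
    // Constant-time comparison; reject before any decryption or padding check runs.
    if (!hash_equals($expected, $tag)) {
        return false;
    }
    return openssl_decrypt($cipherText, CIPHER, $encKey, OPENSSL_RAW_DATA, $iv);
}

// Constructed demo keys: two independent random keys, one per purpose.
$encKey = random_bytes(16); // AES-128 key
$macKey = random_bytes(32); // HMAC key
$sealed = encryptThenMac('constructed sample message', $encKey, $macKey);
var_dump(verifyThenDecrypt($sealed, $encKey, $macKey));

// Constructed tampering: flip one bit inside the IV, then try to open it again.
$raw = base64_decode($sealed);
$raw[40] = chr(ord($raw[40]) ^ 1);
var_dump(verifyThenDecrypt(base64_encode($raw), $encKey, $macKey));
```

The tampered message is rejected at the tag check, before openssl_decrypt() is ever called.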
37. Please Don't Do It!
● Notice How Much Code It Took
○ Without error checking
● Notice How Complex It Is
○ Without flexibility
● Notice How Easy To Screw Up
○ Without Key Storage
● Notice How Many Decisions To Make
39. Common Encryption Needs
● Between Client / Server
○ Use SSL
○ Really, just use SSL
○ I'm not kidding, just use SSL
● Storage
○ Use disk encryption
○ Use database encryption
41. Encryption Resources
● Zend Framework Encryption
○ Very good and complete lib
○ ZF2
■ Zend\Crypt\BlockCipher
● PHP Sec Lib
○ phpseclib.sourceforge.net
○ Pure PHP
● Not Many Others
○ Beware of online tutorials!!!
44. Password Hashes
● Use A Salt
○ Defeats Rainbow Tables
○ Makes Each Hash a "Proof Of Work"
○ Should be random!
■ Strong Randomness
● Should Be SLOW!
○ Salt is not enough
○ Salted SHA256: 11 BILLION per second
○ bcrypt: 3200 per second
46. Cost Parameter
● Target: 0.25 - 0.5 Seconds
○ As slow as you can afford
● Depends on hardware
○ Test it!
● Good Defaults:
○ BCrypt: 10
○ PBKDF2: 10,000
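One way to act on "Test it!", as an added example that is not from the original slides: time bcrypt on the machine that will do the hashing and pick the cost that lands in the 0.25 - 0.5 second window, never going below the default of 10. The names timeBcrypt() and calibrateBcryptCost() are hypothetical; password_hash() and password_needs_rehash() are the PHP 5.5 password API.

```php
<?php
// Added example, not from the original slides.
// timeBcrypt() and calibrateBcryptCost() are hypothetical names.

function timeBcrypt($cost, $runs = 3) {
    $best = INF;
    for ($i = 0; $i < $runs; $i++) {
        $start = microtime(true);
        password_hash('constructed-benchmark-password', PASSWORD_BCRYPT, ['cost' => $cost]);
        // Keep the fastest run: it is the least disturbed by other load on the box.
        $best = min($best, microtime(true) - $start);
    }
    return $best;
}

function calibrateBcryptCost($minSeconds = 0.25, $maxSeconds = 0.5, $floor = 10) {
    // Each +1 in cost doubles the work, so the first cost that reaches
    // $minSeconds normally lands inside the target window.
    for ($cost = $floor; $cost <= 31; $cost++) {
        $elapsed = timeBcrypt($cost);
        if ($elapsed >= $minSeconds) {
            // Over budget: step back one, but never below the floor.
            return ($elapsed > $maxSeconds && $cost > $floor) ? $cost - 1 : $cost;
        }
    }
    return 31; // bcrypt's maximum cost
}

$cost = calibrateBcryptCost();
$options = ['cost' => $cost];
echo "Chosen bcrypt cost: $cost\n";

// A hash stored earlier at the default cost (constructed here for the demo).
$oldHash = password_hash('constructed-demo-password', PASSWORD_BCRYPT, ['cost' => 10]);
// password_needs_rehash() compares the cost stored in the hash with $options,
// so raising the cost later flags old hashes for upgrade at the next login.
var_dump(password_needs_rehash($oldHash, PASSWORD_BCRYPT, $options));
```

Run it on production-class hardware and under realistic load, since the result depends on both.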
48. New API for 5.5
● string password_hash($pass, $algo, array $options = array())
○ Generates Salt, hashes password
● bool password_verify($pass, $hash)
○ Verifies Hash with Password
● bool password_needs_rehash($hash, $algo, array $options = array())
○ Determines if the hash is the same as specified by algo and options
● array password_get_info($hash)
○ Returns information about the hash
49. Example
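// Methods of the application's own user class, which provides
// store(), fetchHash() and startSession().
function register($user, $password) {
    // password_hash() generates the salt and embeds it in the returned hash
    $hash = password_hash($password, PASSWORD_BCRYPT);
    $this->store($user, $hash);
}
function login($user, $password) {
    $hash = $this->fetchHash($user);
    if (password_verify($password, $hash)) {
        // Re-hash while the plain-text password is available if the stored
        // hash no longer matches the current algorithm and options
        if (password_needs_rehash($hash, PASSWORD_BCRYPT)) {
            $hash = password_hash($password, PASSWORD_BCRYPT);
            $this->store($user, $hash);
        }
        $this->startSession();
        return true;
    }
    return false;
}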