SlideShare a Scribd company logo

Cryptography For The Average Developer - Sunshine PHP

Anthony Ferrara
Anthony Ferrara

Slides for a talk I gave on 2/9/13 at Sunshine PHP in Miami.

Technology
1 of 64
Download to read offline
Cryptography In PHP For The Average Developer
Cryptography ● Keeping Data Secure ○ Safe From Viewing ○ Safe From Tampering ○ Safe From Forgery ● Not A Silver Bullet ○ XSS ○ SQLI ○ Social Engineering ● Very Hard To Do ○ Any bug will cause problems
The First Rule of Cryptography
Don't Do It!
Leave It For Experts
Random! The Foundation of Cryptography ● Classified Under Three Types: ○ Weak ■ For non-cryptographic usages ○ Strong ■ For cryptographic usages where security does not depend on the strength of randomness ○ Cryptographically Secure ■ For cryptographic usage when security does depend on the strength of randomness
Vulnerabilities of Randomness ● Bias ○ Certain values tend to occur more often making it easier to predict future numbers ● Predictability ○ Knowing past numbers helps predict future numbers ● Poisoning ○ Ability to alter future random number generation
Weak Random in PHP Not to be used for cryptographic usages!!! ● rand() ● mt_rand() ● uniqid() ● lcg_value()
Strong Random in PHP ● mcrypt_create_iv() ○ MCRYPT_DEV_URANDOM ● openssl_random_pseudo_bytes() ● /dev/urandom ○ For *nix systems only
Cryptographically Secure ● mcrypt_create_iv() ○ MCRYPT_DEV_RANDOM ● openssl_random_pseudo_bytes() ○ Maybe ● /dev/random ○ For *nix systems only
NEVER Use Weak For Security
NEVER Use CS When Not Needed
If In Doubt Use Strong Randomness
Encryption vs Hashing ● Encryption ○ Encoding ○ 2 Way / Reversible ○ Putting a lock on a box
Encryption vs Hashing ● Encryption ○ Encoding ○ 2 Way / Reversible ○ Putting a lock on a box ● Hashing ○ Signing ○ 1 Way / Non-Reversible ○ Taking a person's finger-print
Encryption
Seriously, Don't Do It!
Terms ● Key ○ Secure string of data ● Plain-Text ○ The text you want to keep secret ● Cipher-Text ○ The encrypted output
Two Basic Types ● Symmetric Encryption ○ Like a Pad-Lock with a shared key ○ The only secret is the key ○ Both sides must have the same key
Two Basic Types ● Symmetric Encryption ○ Like a Pad-Lock with a shared key ○ The only secret is the key ○ Both sides must have the same key ● Asymmetric Encryption ○ Like a pair of Pad-Locks ■ The "lock" is the public key ○ The only secret is the private key ○ Both sides have their own key
Symmetric Encryption 101 ● Number: 01 Scratch That ● Numbers: 01 04 01 54 95 42 64 12
Symmetric Encryption 101 Let's Add A "Secret" Number! 01 04 01 54 95 42 64 12 +10 11 14 11 64 05 52 74 22
Secret Numbers ● We just invented the Caesar Cipher ○ Commonly known as "ROT13" ● But There Are Problems: ○ Vulnerable To Statistical Attacks ○ Vulnerable To Brute Forcing ■ Only 100 possible secret numbers!
Symmetric Encryption 101 I Know: Let's Add A Different Number! 01 04 01 54 95 42 64 12 +10 43 21 95 42 67 31 83 11 47 22 49 37 09 95 95
How It Works We can generate the pads in two ways ● Randomly ○ If we only use once, perfect security ■ Known as a one-time-pad ○ If we use multiple times, same as caesar cipher ● With A Function ○ Give one or two inputs ■ A key, and an "input" ○ Generates a "stream" of pseudo random numbers
Ciphers ● Take 2 inputs ○ A secret key ○ An "input" ● Produces Pseudo-Random Output ○ Looks random (statistically) ○ Is deterministic ■ Reproducible given same inputs
Modes ● Multiple ways to use the keystream ● Each way is known as a "Mode" ● Some are secure ○ Others are not
ECB Electronic Code Book ● Uses plain-text as "input" ● Uses output as cipher-text ● VERY BROKEN!!!
ECB
CBC Cipher Block Chaining ● Uses an "Initialization Vector" ○ Helps "randomize" the plain-text ○ Ensures no non-unique blocks ○ Does NOT need to be secret ● Chains each block together ○ Propagating the generated "randomness" ● Plain-Text Must Be Padded ○ To a multiple of block-size ● Secure!
CBC
CFB Cipher FeedBack ● Uses an "Initialization Vector" ● Plain-Text never enters cipher ○ Does not need to be padded ● "Decrypt" Is Never Used ● Secure!
CFB
Ciphers ● AES 128 & 256 ○ Standard ■ NIST Approved ○ Also Known As RIJNDAEL-128 ■ 128 here refers to "block size" ○ Very Strong ○ Note, the number after AES is *key size* ● Blowfish ● TwoFish ● Serpent
Authentication How do you know it wasn't tampered with / came from your friend? ● HMAC ○ Hash-based Message Authentication Code ● USE A SEPARATE KEY! ● Encrypt-Then-MAC ○ Always MAC after encryption
All Together Now!
Encrypt $key = 'xxxxxxxxxxxxxxxx'; $authKey = 'XXXXXXXXXXXXXX'; $plain = 'This is plain text that I am going to encrypt'; $size = mcrypt_get_iv_size( MCRYPT_RIJNDAEL_128, MCRYPT_MODE_CFB ); $iv = mcrypt_create_iv( $size, MCRYPT_DEV_URANDOM ); $cipherText = mcrypt_encrypt( MCRYPT_RIJNDAEL_128, $key, $plain, MCRYPT_MODE_CFB, $iv ); $auth = hash_hmac('sha512', $cipherText, $authKey, true); $encrypted = base64_encode($iv . $cipherText . $auth);
Decrypt $key = 'xxxxxxxxxxxxxxxx'; $authKey = 'XXXXXXXXXXXXXX'; $size = mcrypt_get_iv_size( MCRYPT_RIJNDAEL_128, MCRYPT_MODE_CFB ); $encrypted = base64_decode($encrypted); $iv = substr($encrypted, 0, $size); $auth = substr($encrypted, -64); $cipherText = substr($encrypted, $size, -64); if ($auth != hash_hmac('sha512', $cipherText, $authKey, true)) { // Auth Failed!!! return false; } $plainText = mcrypt_decrypt( MCRYPT_RIJNDAEL_128, $key, $cipherText, MCRYPT_MODE_CFB, $iv );
Please Don't Do It! ● Notice How Much Code It Took ○ Without error checking ● Notice How Complex It Is ○ Without flexibility ● Notice How Easy To Screw Up ○ Without Key Storage ● Notice How Many Decisions To Make
If you MUST, Use a Library
Common Encryption Needs ● Between Client / Server ○ Use SSL ○ Really, just use SSL ○ I'm not kidding, just use SSL ● Storage ○ Use disk encryption ○ Use database encryption
Really, Don't Do It!
Encryption Resources ● Zend Framework Encryption ○ Very good and complete lib ○ ZF2 ■ ZendCryptBlockCipher ● PHP Sec Lib ○ phpseclib.sourceforge.net ○ Pure PHP ● Not Many Others ○ Beware of online tutorials!!!
Learn More ● Coursera <-- FREE!!! ○ Cryptography 1 ○ Cryptography 2
Password Storage
Passwords Should Be HASHED! Not Encrypted!
Password Hashes ● Use A Salt ○ Defeats Rainbow Tables ○ Makes Each Hash a "Proof Of Work" ○ Should be random! ■ Strong Randomness ● Should Be SLOW! ○ Salt is not enough
Brute Forcing 25 GPU Cluster - md5: 180 Billion per second - < $50,000 6 char passwords: 4 seconds 7 char passwords: 6 minutes 8 char passwords: 10 hours Entire English Language: microseconds "LEET" Permutations: 0.7 seconds
Good Algorithms crypt($password, $salt); pbkdf2($password, $salt, $i); password_hash( $password, PASSWORD_BCRYPT ); $passLib->hash($password); $phpass->hashPassword($pass);
Cost Parameter ● Target: 0.25 - 0.5 Seconds ○ As slow as you can afford ● Depends on hardware ○ Test it! ● Good Defaults: ○ BCrypt: 10 ○ PBKDF2: 10,000
Simplified Password Hashing
New API for 5.5 ● string password_hash($pass, $algo, array $options = array() ) ○ Generates Salt, hashes password ● bool password_verify($pass, $hash) ○ Verifies Hash with Password ● bool password_needs_rehash($hash, $algo, array $options = array()) ○ Determines if the hash is the same as specified by algo and options ● array password_get_info($hash) ○ Returns information about the hash
Example function register($user, $password) { $hash = password_hash($password, PASSWORD_BCRYPT); $this->store($user, $hash); } function login($user, $password) { $hash = $this->fetchHash($user); if (password_verify($password, $hash)) { if (password_needs_rehahs($hash, PASSWORD_BCRYPT)) { $hash = password_hash($password, PASSWORD_BCRYPT); $this->store($user, $hash); } $this->startSession(); return true; } return false; }
Hashing Resources ● PHP 5.5 API ○ wiki.php.net/rfc/password_hash ○ php.net/password ● Password Compat ○ PHP 5.5 Compatibility ○ github/ircmaxell/password_compat ● PasswordLib ○ 5.3+, Multiple Algorithms, Portable ○ github/ircmaxell/PHP-PasswordLib ● PHPASS ○ PHP 4+ ○ openwall.com/phpass
Seriously, Hire an Expert!
You Have Been Warned
Anthony Ferrara joind.in/8027 @ircmaxell blog.ircmaxell.com me@ircmaxell.com youtube.com/ircmaxell

Recommended

Cryptography in PHP: use cases
Cryptography in PHP: use casesCryptography in PHP: use cases
Cryptography in PHP: use casesEnrico Zimuel
 
Cryptography For The Average Developer
Cryptography For The Average DeveloperCryptography For The Average Developer
Cryptography For The Average DeveloperAnthony Ferrara
 
Strong cryptography in PHP
Strong cryptography in PHPStrong cryptography in PHP
Strong cryptography in PHPEnrico Zimuel
 
9 password security
9 password security9 password security
9 password securitydrewz lin
 
Password Security
Password SecurityPassword Security
Password SecurityAlex Hyer
 
Password Security
Password SecurityPassword Security
Password SecurityCSCJournals
 
Secure password - CYBER SECURITY
Secure password - CYBER SECURITYSecure password - CYBER SECURITY
Secure password - CYBER SECURITYSupanShah2
 
How does cryptography work? by Jeroen Ooms
How does cryptography work? by Jeroen OomsHow does cryptography work? by Jeroen Ooms
How does cryptography work? by Jeroen OomsAjay Ohri
 

Recommended

Cryptography in PHP: use cases
Cryptography in PHP: use casesCryptography in PHP: use cases
Cryptography in PHP: use casesEnrico Zimuel
 
Cryptography For The Average Developer
Cryptography For The Average DeveloperCryptography For The Average Developer
Cryptography For The Average DeveloperAnthony Ferrara
 
Strong cryptography in PHP
Strong cryptography in PHPStrong cryptography in PHP
Strong cryptography in PHPEnrico Zimuel
 
9 password security
9 password security9 password security
9 password securitydrewz lin
 
Password Security
Password SecurityPassword Security
Password SecurityAlex Hyer
 
Password Security
Password SecurityPassword Security
Password SecurityCSCJournals
 
Secure password - CYBER SECURITY
Secure password - CYBER SECURITYSecure password - CYBER SECURITY
Secure password - CYBER SECURITYSupanShah2
 
How does cryptography work? by Jeroen Ooms
How does cryptography work? by Jeroen OomsHow does cryptography work? by Jeroen Ooms
How does cryptography work? by Jeroen OomsAjay Ohri
 
Cryptography in PHP: Some Use Cases
Cryptography in PHP: Some Use CasesCryptography in PHP: Some Use Cases
Cryptography in PHP: Some Use CasesZend by Rogue Wave Software
 
Encryption Boot Camp on the JVM
Encryption Boot Camp on the JVMEncryption Boot Camp on the JVM
Encryption Boot Camp on the JVMMatthew McCullough
 
Cryptography for Absolute Beginners (May 2019)
Cryptography for Absolute Beginners (May 2019)Cryptography for Absolute Beginners (May 2019)
Cryptography for Absolute Beginners (May 2019)Svetlin Nakov
 
DEFCON 23 - Eijah - crypto for hackers
DEFCON 23 - Eijah - crypto for hackersDEFCON 23 - Eijah - crypto for hackers
DEFCON 23 - Eijah - crypto for hackersFelipe Prado
 
Blockchain Cryptography for Developers (Nakov @ BlockWorld 2018, San Jose)
Blockchain Cryptography for Developers (Nakov @ BlockWorld 2018, San Jose)Blockchain Cryptography for Developers (Nakov @ BlockWorld 2018, San Jose)
Blockchain Cryptography for Developers (Nakov @ BlockWorld 2018, San Jose)Svetlin Nakov
 
Blockchain Cryptography for Developers (Nakov @ BGWebSummit 2018)
Blockchain Cryptography for Developers (Nakov @ BGWebSummit 2018)Blockchain Cryptography for Developers (Nakov @ BGWebSummit 2018)
Blockchain Cryptography for Developers (Nakov @ BGWebSummit 2018)Svetlin Nakov
 
Cryptography for Java Developers: Nakov jProfessionals (Jan 2019)
Cryptography for Java Developers: Nakov jProfessionals (Jan 2019)Cryptography for Java Developers: Nakov jProfessionals (Jan 2019)
Cryptography for Java Developers: Nakov jProfessionals (Jan 2019)Svetlin Nakov
 
Cryptography with PHP (Workshop)
Cryptography with PHP (Workshop)Cryptography with PHP (Workshop)
Cryptography with PHP (Workshop)Mark Niebergall
 
Python Cryptography & Security
Python Cryptography & SecurityPython Cryptography & Security
Python Cryptography & SecurityJose Manuel Ortega Candel
 
Cargo Cult Security 2014_01_18
Cargo Cult Security 2014_01_18Cargo Cult Security 2014_01_18
Cargo Cult Security 2014_01_18Derrick Isaacson
 
Wtf is happening_inside_my_android_phone_public
Wtf is happening_inside_my_android_phone_publicWtf is happening_inside_my_android_phone_public
Wtf is happening_inside_my_android_phone_publicJaime Blasco
 
Если нашлась одна ошибка — есть и другие. Один способ выявить «наследуемые» у...
Если нашлась одна ошибка — есть и другие. Один способ выявить «наследуемые» у...Если нашлась одна ошибка — есть и другие. Один способ выявить «наследуемые» у...
Если нашлась одна ошибка — есть и другие. Один способ выявить «наследуемые» у...Positive Hack Days
 
Угадываем пароль за минуту
Угадываем пароль за минутуУгадываем пароль за минуту
Угадываем пароль за минутуPositive Hack Days
 
Applying Security Algorithms Using openSSL crypto library
Applying Security Algorithms Using openSSL crypto libraryApplying Security Algorithms Using openSSL crypto library
Applying Security Algorithms Using openSSL crypto libraryPriyank Kapadia
 
Da APK al Golden Ticket
Da APK al Golden TicketDa APK al Golden Ticket
Da APK al Golden TicketGiuseppe Trotta
 
VisualWorks Security Reloaded - STIC 2012
VisualWorks Security Reloaded - STIC 2012VisualWorks Security Reloaded - STIC 2012
VisualWorks Security Reloaded - STIC 2012Martin Kobetic
 
AREA41 - Anatomy of attacks aimed at financial sector by the Lazarus group
AREA41 - Anatomy of attacks aimed at financial sector by the Lazarus groupAREA41 - Anatomy of attacks aimed at financial sector by the Lazarus group
AREA41 - Anatomy of attacks aimed at financial sector by the Lazarus groupSeongsuPark8
 
How-to crack 43kk passwords while drinking your juice/smoozie in the Hood
How-to crack 43kk passwords while drinking your juice/smoozie in the HoodHow-to crack 43kk passwords while drinking your juice/smoozie in the Hood
How-to crack 43kk passwords while drinking your juice/smoozie in the HoodYurii Bilyk
 
Concept of BlockChain & Decentralized Application
Concept of BlockChain & Decentralized ApplicationConcept of BlockChain & Decentralized Application
Concept of BlockChain & Decentralized ApplicationSeiji Takahashi
 
A XSSmas carol
A XSSmas carolA XSSmas carol
A XSSmas carolcgvwzq
 
Cryptography 101
Cryptography 101Cryptography 101
Cryptography 101Aditya Kamat
 
Securing your Bitcoin wallet
Securing your Bitcoin walletSecuring your Bitcoin wallet
Securing your Bitcoin walletRon Reiter
 

More Related Content

What's hot

Encryption Boot Camp on the JVM
Encryption Boot Camp on the JVMEncryption Boot Camp on the JVM
Encryption Boot Camp on the JVMMatthew McCullough
 
Cryptography for Absolute Beginners (May 2019)
Cryptography for Absolute Beginners (May 2019)Cryptography for Absolute Beginners (May 2019)
Cryptography for Absolute Beginners (May 2019)Svetlin Nakov
 
DEFCON 23 - Eijah - crypto for hackers
DEFCON 23 - Eijah - crypto for hackersDEFCON 23 - Eijah - crypto for hackers
DEFCON 23 - Eijah - crypto for hackersFelipe Prado
 
Blockchain Cryptography for Developers (Nakov @ BlockWorld 2018, San Jose)
Blockchain Cryptography for Developers (Nakov @ BlockWorld 2018, San Jose)Blockchain Cryptography for Developers (Nakov @ BlockWorld 2018, San Jose)
Blockchain Cryptography for Developers (Nakov @ BlockWorld 2018, San Jose)Svetlin Nakov
 
Blockchain Cryptography for Developers (Nakov @ BGWebSummit 2018)
Blockchain Cryptography for Developers (Nakov @ BGWebSummit 2018)Blockchain Cryptography for Developers (Nakov @ BGWebSummit 2018)
Blockchain Cryptography for Developers (Nakov @ BGWebSummit 2018)Svetlin Nakov
 
Cryptography for Java Developers: Nakov jProfessionals (Jan 2019)
Cryptography for Java Developers: Nakov jProfessionals (Jan 2019)Cryptography for Java Developers: Nakov jProfessionals (Jan 2019)
Cryptography for Java Developers: Nakov jProfessionals (Jan 2019)Svetlin Nakov
 
Cryptography with PHP (Workshop)
Cryptography with PHP (Workshop)Cryptography with PHP (Workshop)
Cryptography with PHP (Workshop)Mark Niebergall
 
Cargo Cult Security 2014_01_18
Cargo Cult Security 2014_01_18Cargo Cult Security 2014_01_18
Cargo Cult Security 2014_01_18Derrick Isaacson
 
Wtf is happening_inside_my_android_phone_public
Wtf is happening_inside_my_android_phone_publicWtf is happening_inside_my_android_phone_public
Wtf is happening_inside_my_android_phone_publicJaime Blasco
 
Если нашлась одна ошибка — есть и другие. Один способ выявить «наследуемые» у...
Если нашлась одна ошибка — есть и другие. Один способ выявить «наследуемые» у...Если нашлась одна ошибка — есть и другие. Один способ выявить «наследуемые» у...
Если нашлась одна ошибка — есть и другие. Один способ выявить «наследуемые» у...Positive Hack Days
 
Угадываем пароль за минуту
Угадываем пароль за минутуУгадываем пароль за минуту
Угадываем пароль за минутуPositive Hack Days
 
Applying Security Algorithms Using openSSL crypto library
Applying Security Algorithms Using openSSL crypto libraryApplying Security Algorithms Using openSSL crypto library
Applying Security Algorithms Using openSSL crypto libraryPriyank Kapadia
 
VisualWorks Security Reloaded - STIC 2012
VisualWorks Security Reloaded - STIC 2012VisualWorks Security Reloaded - STIC 2012
VisualWorks Security Reloaded - STIC 2012Martin Kobetic
 
AREA41 - Anatomy of attacks aimed at financial sector by the Lazarus group
AREA41 - Anatomy of attacks aimed at financial sector by the Lazarus groupAREA41 - Anatomy of attacks aimed at financial sector by the Lazarus group
AREA41 - Anatomy of attacks aimed at financial sector by the Lazarus groupSeongsuPark8
 
How-to crack 43kk passwords while drinking your juice/smoozie in the Hood
How-to crack 43kk passwords while drinking your juice/smoozie in the HoodHow-to crack 43kk passwords while drinking your juice/smoozie in the Hood
How-to crack 43kk passwords while drinking your juice/smoozie in the HoodYurii Bilyk
 
Concept of BlockChain & Decentralized Application
Concept of BlockChain & Decentralized ApplicationConcept of BlockChain & Decentralized Application
Concept of BlockChain & Decentralized ApplicationSeiji Takahashi
 
A XSSmas carol
A XSSmas carolA XSSmas carol
A XSSmas carolcgvwzq
 

What's hot (20)

Cryptography in PHP: Some Use Cases
Cryptography in PHP: Some Use CasesCryptography in PHP: Some Use Cases
Cryptography in PHP: Some Use Cases
 
Encryption Boot Camp on the JVM
Encryption Boot Camp on the JVMEncryption Boot Camp on the JVM
Encryption Boot Camp on the JVM
 
Cryptography for Absolute Beginners (May 2019)
Cryptography for Absolute Beginners (May 2019)Cryptography for Absolute Beginners (May 2019)
Cryptography for Absolute Beginners (May 2019)
 
DEFCON 23 - Eijah - crypto for hackers
DEFCON 23 - Eijah - crypto for hackersDEFCON 23 - Eijah - crypto for hackers
DEFCON 23 - Eijah - crypto for hackers
 
Blockchain Cryptography for Developers (Nakov @ BlockWorld 2018, San Jose)
Blockchain Cryptography for Developers (Nakov @ BlockWorld 2018, San Jose)Blockchain Cryptography for Developers (Nakov @ BlockWorld 2018, San Jose)
Blockchain Cryptography for Developers (Nakov @ BlockWorld 2018, San Jose)
 
Blockchain Cryptography for Developers (Nakov @ BGWebSummit 2018)
Blockchain Cryptography for Developers (Nakov @ BGWebSummit 2018)Blockchain Cryptography for Developers (Nakov @ BGWebSummit 2018)
Blockchain Cryptography for Developers (Nakov @ BGWebSummit 2018)
 
Cryptography for Java Developers: Nakov jProfessionals (Jan 2019)
Cryptography for Java Developers: Nakov jProfessionals (Jan 2019)Cryptography for Java Developers: Nakov jProfessionals (Jan 2019)
Cryptography for Java Developers: Nakov jProfessionals (Jan 2019)
 
Cryptography with PHP (Workshop)
Cryptography with PHP (Workshop)Cryptography with PHP (Workshop)
Cryptography with PHP (Workshop)
 
Python Cryptography & Security
Python Cryptography & SecurityPython Cryptography & Security
Python Cryptography & Security
 
Cargo Cult Security 2014_01_18
Cargo Cult Security 2014_01_18Cargo Cult Security 2014_01_18
Cargo Cult Security 2014_01_18
 
Wtf is happening_inside_my_android_phone_public
Wtf is happening_inside_my_android_phone_publicWtf is happening_inside_my_android_phone_public
Wtf is happening_inside_my_android_phone_public
 
Если нашлась одна ошибка — есть и другие. Один способ выявить «наследуемые» у...
Если нашлась одна ошибка — есть и другие. Один способ выявить «наследуемые» у...Если нашлась одна ошибка — есть и другие. Один способ выявить «наследуемые» у...
Если нашлась одна ошибка — есть и другие. Один способ выявить «наследуемые» у...
 
Угадываем пароль за минуту
Угадываем пароль за минутуУгадываем пароль за минуту
Угадываем пароль за минуту
 
Applying Security Algorithms Using openSSL crypto library
Applying Security Algorithms Using openSSL crypto libraryApplying Security Algorithms Using openSSL crypto library
Applying Security Algorithms Using openSSL crypto library
 
Da APK al Golden Ticket
Da APK al Golden TicketDa APK al Golden Ticket
Da APK al Golden Ticket
 
VisualWorks Security Reloaded - STIC 2012
VisualWorks Security Reloaded - STIC 2012VisualWorks Security Reloaded - STIC 2012
VisualWorks Security Reloaded - STIC 2012
 
AREA41 - Anatomy of attacks aimed at financial sector by the Lazarus group
AREA41 - Anatomy of attacks aimed at financial sector by the Lazarus groupAREA41 - Anatomy of attacks aimed at financial sector by the Lazarus group
AREA41 - Anatomy of attacks aimed at financial sector by the Lazarus group
 
How-to crack 43kk passwords while drinking your juice/smoozie in the Hood
How-to crack 43kk passwords while drinking your juice/smoozie in the HoodHow-to crack 43kk passwords while drinking your juice/smoozie in the Hood
How-to crack 43kk passwords while drinking your juice/smoozie in the Hood
 
Concept of BlockChain & Decentralized Application
Concept of BlockChain & Decentralized ApplicationConcept of BlockChain & Decentralized Application
Concept of BlockChain & Decentralized Application
 
A XSSmas carol
A XSSmas carolA XSSmas carol
A XSSmas carol
 

Similar to Cryptography For The Average Developer - Sunshine PHP

Securing your Bitcoin wallet
Securing your Bitcoin walletSecuring your Bitcoin wallet
Securing your Bitcoin walletRon Reiter
 
Even the LastPass Will be Stolen Deal with It!
Even the LastPass Will be Stolen Deal with It!Even the LastPass Will be Stolen Deal with It!
Even the LastPass Will be Stolen Deal with It!Martin Vigo
 
AES-GCM common pitfalls and how to work around them.pptx
AES-GCM common pitfalls and how to work around them.pptxAES-GCM common pitfalls and how to work around them.pptx
AES-GCM common pitfalls and how to work around them.pptxskantos
 
Bitcoin Keys, Addresses & Wallets
Bitcoin Keys, Addresses & WalletsBitcoin Keys, Addresses & Wallets
Bitcoin Keys, Addresses & WalletsChristopher Allen
 
Password (in)security
Password (in)securityPassword (in)security
Password (in)securityEnrico Zimuel
 
Thwarting The Surveillance in Online Communication by Adhokshaj Mishra
Thwarting The Surveillance in Online Communication by Adhokshaj MishraThwarting The Surveillance in Online Communication by Adhokshaj Mishra
Thwarting The Surveillance in Online Communication by Adhokshaj MishraOWASP Delhi
 
Cryptography with Zend Framework
Cryptography with Zend FrameworkCryptography with Zend Framework
Cryptography with Zend FrameworkEnrico Zimuel
 
Crypto & Crpyocurrencies Intro
Crypto & Crpyocurrencies IntroCrypto & Crpyocurrencies Intro
Crypto & Crpyocurrencies IntroTal Shmueli
 
Cargo Cult Security at OpenWest
Cargo Cult Security at OpenWestCargo Cult Security at OpenWest
Cargo Cult Security at OpenWestDerrick Isaacson
 
Airbitz crypto
Airbitz cryptoAirbitz crypto
Airbitz cryptoswansontec
 
Cool Crypto Concepts CodeOne SFO
Cool Crypto Concepts CodeOne SFOCool Crypto Concepts CodeOne SFO
Cool Crypto Concepts CodeOne SFORoy Wasse
 
Encryption Deep Dive
Encryption Deep DiveEncryption Deep Dive
Encryption Deep DiveDiego Pacheco
 
All Your Password Are Belong To Us
All Your Password Are Belong To UsAll Your Password Are Belong To Us
All Your Password Are Belong To UsCharles Southerland
 
Crypto OpSec - How to Securely Store Bitcoin and Other Crypto Assets
Crypto OpSec - How to Securely Store Bitcoin and Other Crypto AssetsCrypto OpSec - How to Securely Store Bitcoin and Other Crypto Assets
Crypto OpSec - How to Securely Store Bitcoin and Other Crypto AssetsThatCrypto
 
ContainerDays Boston 2016: "Hiding in Plain Sight: Managing Secrets in a Cont...
ContainerDays Boston 2016: "Hiding in Plain Sight: Managing Secrets in a Cont...ContainerDays Boston 2016: "Hiding in Plain Sight: Managing Secrets in a Cont...
ContainerDays Boston 2016: "Hiding in Plain Sight: Managing Secrets in a Cont...DynamicInfraDays
 
Using Cryptography Properly in Applications
Using Cryptography Properly in ApplicationsUsing Cryptography Properly in Applications
Using Cryptography Properly in ApplicationsGreat Wide Open
 

Similar to Cryptography For The Average Developer - Sunshine PHP (20)

Cryptography 101
Cryptography 101Cryptography 101
Cryptography 101
 
Securing your Bitcoin wallet
Securing your Bitcoin walletSecuring your Bitcoin wallet
Securing your Bitcoin wallet
 
Even the LastPass Will be Stolen Deal with It!
Even the LastPass Will be Stolen Deal with It!Even the LastPass Will be Stolen Deal with It!
Even the LastPass Will be Stolen Deal with It!
 
AES-GCM common pitfalls and how to work around them.pptx
AES-GCM common pitfalls and how to work around them.pptxAES-GCM common pitfalls and how to work around them.pptx
AES-GCM common pitfalls and how to work around them.pptx
 
Bitcoin Keys, Addresses & Wallets
Bitcoin Keys, Addresses & WalletsBitcoin Keys, Addresses & Wallets
Bitcoin Keys, Addresses & Wallets
 
Password (in)security
Password (in)securityPassword (in)security
Password (in)security
 
Cryptography 202
Cryptography 202Cryptography 202
Cryptography 202
 
Thwarting The Surveillance in Online Communication by Adhokshaj Mishra
Thwarting The Surveillance in Online Communication by Adhokshaj MishraThwarting The Surveillance in Online Communication by Adhokshaj Mishra
Thwarting The Surveillance in Online Communication by Adhokshaj Mishra
 
Passwords
PasswordsPasswords
Passwords
 
Cryptography with Zend Framework
Cryptography with Zend FrameworkCryptography with Zend Framework
Cryptography with Zend Framework
 
Crypto & Crpyocurrencies Intro
Crypto & Crpyocurrencies IntroCrypto & Crpyocurrencies Intro
Crypto & Crpyocurrencies Intro
 
Cargo Cult Security at OpenWest
Cargo Cult Security at OpenWestCargo Cult Security at OpenWest
Cargo Cult Security at OpenWest
 
Airbitz crypto
Airbitz cryptoAirbitz crypto
Airbitz crypto
 
Cool Crypto Concepts CodeOne SFO
Cool Crypto Concepts CodeOne SFOCool Crypto Concepts CodeOne SFO
Cool Crypto Concepts CodeOne SFO
 
Passwords
PasswordsPasswords
Passwords
 
Encryption Deep Dive
Encryption Deep DiveEncryption Deep Dive
Encryption Deep Dive
 
All Your Password Are Belong To Us
All Your Password Are Belong To UsAll Your Password Are Belong To Us
All Your Password Are Belong To Us
 
Crypto OpSec - How to Securely Store Bitcoin and Other Crypto Assets
Crypto OpSec - How to Securely Store Bitcoin and Other Crypto AssetsCrypto OpSec - How to Securely Store Bitcoin and Other Crypto Assets
Crypto OpSec - How to Securely Store Bitcoin and Other Crypto Assets
 
ContainerDays Boston 2016: "Hiding in Plain Sight: Managing Secrets in a Cont...
ContainerDays Boston 2016: "Hiding in Plain Sight: Managing Secrets in a Cont...ContainerDays Boston 2016: "Hiding in Plain Sight: Managing Secrets in a Cont...
ContainerDays Boston 2016: "Hiding in Plain Sight: Managing Secrets in a Cont...
 
Using Cryptography Properly in Applications
Using Cryptography Properly in ApplicationsUsing Cryptography Properly in Applications
Using Cryptography Properly in Applications
 

More from Anthony Ferrara

Password Storage And Attacking In PHP - PHP Argentina
Password Storage And Attacking In PHP - PHP ArgentinaPassword Storage And Attacking In PHP - PHP Argentina
Password Storage And Attacking In PHP - PHP ArgentinaAnthony Ferrara
 
Beyond design patterns phpnw14
Beyond design patterns phpnw14Beyond design patterns phpnw14
Beyond design patterns phpnw14Anthony Ferrara
 
Don't Be STUPID, Grasp SOLID - ConFoo Edition
Don't Be STUPID, Grasp SOLID - ConFoo EditionDon't Be STUPID, Grasp SOLID - ConFoo Edition
Don't Be STUPID, Grasp SOLID - ConFoo EditionAnthony Ferrara
 
Development By The Numbers - ConFoo Edition
Development By The Numbers - ConFoo EditionDevelopment By The Numbers - ConFoo Edition
Development By The Numbers - ConFoo EditionAnthony Ferrara
 
Don't Be STUPID, Grasp SOLID - DrupalCon Prague
Don't Be STUPID, Grasp SOLID - DrupalCon PragueDon't Be STUPID, Grasp SOLID - DrupalCon Prague
Don't Be STUPID, Grasp SOLID - DrupalCon PragueAnthony Ferrara
 
Don't be STUPID, Grasp SOLID - North East PHP
Don't be STUPID, Grasp SOLID - North East PHPDon't be STUPID, Grasp SOLID - North East PHP
Don't be STUPID, Grasp SOLID - North East PHPAnthony Ferrara
 
PHP, Under The Hood - DPC
PHP, Under The Hood - DPCPHP, Under The Hood - DPC
PHP, Under The Hood - DPCAnthony Ferrara
 
Development by the numbers
Development by the numbersDevelopment by the numbers
Development by the numbersAnthony Ferrara
 
Don't Be Stupid, Grasp Solid - MidWestPHP
Don't Be Stupid, Grasp Solid - MidWestPHPDon't Be Stupid, Grasp Solid - MidWestPHP
Don't Be Stupid, Grasp Solid - MidWestPHPAnthony Ferrara
 
Password Storage and Attacking in PHP
Password Storage and Attacking in PHPPassword Storage and Attacking in PHP
Password Storage and Attacking in PHPAnthony Ferrara
 

More from Anthony Ferrara (10)

Password Storage And Attacking In PHP - PHP Argentina
Password Storage And Attacking In PHP - PHP ArgentinaPassword Storage And Attacking In PHP - PHP Argentina
Password Storage And Attacking In PHP - PHP Argentina
 
Beyond design patterns phpnw14
Beyond design patterns phpnw14Beyond design patterns phpnw14
Beyond design patterns phpnw14
 
Don't Be STUPID, Grasp SOLID - ConFoo Edition
Don't Be STUPID, Grasp SOLID - ConFoo EditionDon't Be STUPID, Grasp SOLID - ConFoo Edition
Don't Be STUPID, Grasp SOLID - ConFoo Edition
 
Development By The Numbers - ConFoo Edition
Development By The Numbers - ConFoo EditionDevelopment By The Numbers - ConFoo Edition
Development By The Numbers - ConFoo Edition
 
Don't Be STUPID, Grasp SOLID - DrupalCon Prague
Don't Be STUPID, Grasp SOLID - DrupalCon PragueDon't Be STUPID, Grasp SOLID - DrupalCon Prague
Don't Be STUPID, Grasp SOLID - DrupalCon Prague
 
Don't be STUPID, Grasp SOLID - North East PHP
Don't be STUPID, Grasp SOLID - North East PHPDon't be STUPID, Grasp SOLID - North East PHP
Don't be STUPID, Grasp SOLID - North East PHP
 
PHP, Under The Hood - DPC
PHP, Under The Hood - DPCPHP, Under The Hood - DPC
PHP, Under The Hood - DPC
 
Development by the numbers
Development by the numbersDevelopment by the numbers
Development by the numbers
 
Don't Be Stupid, Grasp Solid - MidWestPHP
Don't Be Stupid, Grasp Solid - MidWestPHPDon't Be Stupid, Grasp Solid - MidWestPHP
Don't Be Stupid, Grasp Solid - MidWestPHP
 
Password Storage and Attacking in PHP
Password Storage and Attacking in PHPPassword Storage and Attacking in PHP
Password Storage and Attacking in PHP
 

Recently uploaded

A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsNathaniel Shimoni
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
What is Artificial Intelligence?????????
What is Artificial Intelligence?????????What is Artificial Intelligence?????????
What is Artificial Intelligence?????????blackmambaettijean
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embeddingZilliz
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfMounikaPolabathina
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESmohitsingh558521
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 

Recently uploaded (20)

A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directions
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
What is Artificial Intelligence?????????
What is Artificial Intelligence?????????What is Artificial Intelligence?????????
What is Artificial Intelligence?????????
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embedding
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 

Cryptography For The Average Developer - Sunshine PHP

  • 1. Cryptography In PHP For The Average Developer
  • 2. Cryptography ● Keeping Data Secure ○ Safe From Viewing ○ Safe From Tampering ○ Safe From Forgery ● Not A Silver Bullet ○ XSS ○ SQLI ○ Social Engineering ● Very Hard To Do ○ Any bug will cause problems
  • 3. The First Rule of Cryptography
  • 5. Leave It For Experts
  • 6. Random! The Foundation of Cryptography ● Classified Under Three Types: ○ Weak ■ For non-cryptographic usages ○ Strong ■ For cryptographic usages where security does not depend on the strength of randomness ○ Cryptographically Secure ■ For cryptographic usage when security does depend on the strength of randomness
  • 7. Vulnerabilities of Randomness ● Bias ○ Certain values tend to occur more often making it easier to predict future numbers ● Predictability ○ Knowing past numbers helps predict future numbers ● Poisoning ○ Ability to alter future random number generation
  • 8. Weak Random in PHP Not to be used for cryptographic usages!!! ● rand() ● mt_rand() ● uniqid() ● lcg_value()
  • 9. Strong Random in PHP ● mcrypt_create_iv() ○ MCRYPT_DEV_URANDOM ● openssl_random_pseudo_bytes() ● /dev/urandom ○ For *nix systems only
  • 10. Cryptographically Secure ● mcrypt_create_iv() ○ MCRYPT_DEV_RANDOM ● openssl_random_pseudo_bytes() ○ Maybe ● /dev/random ○ For *nix systems only
  • 11. NEVER Use Weak For Security
  • 12. NEVER Use CS When Not Needed
  • 13. If In Doubt Use Strong Randomness
  • 14. Encryption vs Hashing ● Encryption ○ Encoding ○ 2 Way / Reversible ○ Putting a lock on a box
  • 15.
  • 16. Encryption vs Hashing ● Encryption ○ Encoding ○ 2 Way / Reversible ○ Putting a lock on a box ● Hashing ○ Signing ○ 1 Way / Non-Reversible ○ Taking a person's finger-print
  • 17.
  • 20. Terms ● Key ○ Secure string of data ● Plain-Text ○ The text you want to keep secret ● Cipher-Text ○ The encrypted output
  • 21. Two Basic Types ● Symmetric Encryption ○ Like a Pad-Lock with a shared key ○ The only secret is the key ○ Both sides must have the same key
  • 22.
  • 23. Two Basic Types ● Symmetric Encryption ○ Like a Pad-Lock with a shared key ○ The only secret is the key ○ Both sides must have the same key ● Asymmetric Encryption ○ Like a pair of Pad-Locks ■ The "lock" is the public key ○ The only secret is the private key ○ Both sides have their own key
  • 24.
  • 25. Symmetric Encryption 101 ● Number: 01 Scratch That ● Numbers: 01 04 01 54 95 42 64 12
  • 26. Symmetric Encryption 101 Let's Add A "Secret" Number! 01 04 01 54 95 42 64 12 +10 11 14 11 64 05 52 74 22
  • 27.
  • 28. Secret Numbers ● We just invented the Caesar Cipher ○ Commonly known as "ROT13" ● But There Are Problems: ○ Vulnerable To Statistical Attacks ○ Vulnerable To Brute Forcing ■ Only 100 possible secret numbers!
  • 29. Symmetric Encryption 101 I Know: Let's Add A Different Number! 01 04 01 54 95 42 64 12 +10 43 21 95 42 67 31 83 11 47 22 49 37 09 95 95
  • 30. How It Works We can generate the pads in two ways ● Randomly ○ If we only use once, perfect security ■ Known as a one-time-pad ○ If we use multiple times, same as caesar cipher ● With A Function ○ Give one or two inputs ■ A key, and an "input" ○ Generates a "stream" of pseudo random numbers
  • 31. Ciphers ● Take 2 inputs ○ A secret key ○ An "input" ● Produces Pseudo-Random Output ○ Looks random (statistically) ○ Is deterministic ■ Reproducible given same inputs
  • 32. Modes ● Multiple ways to use the keystream ● Each way is known as a "Mode" ● Some are secure ○ Others are not
  • 33. ECB Electronic Code Book ● Uses plain-text as "input" ● Uses output as cipher-text ● VERY BROKEN!!!
  • 34. ECB
  • 35. CBC Cipher Block Chaining ● Uses an "Initialization Vector" ○ Helps "randomize" the plain-text ○ Ensures no non-unique blocks ○ Does NOT need to be secret ● Chains each block together ○ Propagating the generated "randomness" ● Plain-Text Must Be Padded ○ To a multiple of block-size ● Secure!
  • 36. CBC
  • 37. CFB Cipher FeedBack ● Uses an "Initialization Vector" ● Plain-Text never enters cipher ○ Does not need to be padded ● "Decrypt" Is Never Used ● Secure!
  • 38. CFB
  • 39. Ciphers ● AES 128 & 256 ○ Standard ■ NIST Approved ○ Also Known As RIJNDAEL-128 ■ 128 here refers to "block size" ○ Very Strong ○ Note, the number after AES is *key size* ● Blowfish ● TwoFish ● Serpent
  • 40. Authentication How do you know it wasn't tampered with / came from your friend? ● HMAC ○ Hash-based Message Authentication Code ● USE A SEPARATE KEY! ● Encrypt-Then-MAC ○ Always MAC after encryption
  • 41. All Together Now!
  • 42. Encrypt $key = 'xxxxxxxxxxxxxxxx'; $authKey = 'XXXXXXXXXXXXXX'; $plain = 'This is plain text that I am going to encrypt'; $size = mcrypt_get_iv_size( MCRYPT_RIJNDAEL_128, MCRYPT_MODE_CFB ); $iv = mcrypt_create_iv( $size, MCRYPT_DEV_URANDOM ); $cipherText = mcrypt_encrypt( MCRYPT_RIJNDAEL_128, $key, $plain, MCRYPT_MODE_CFB, $iv ); $auth = hash_hmac('sha512', $cipherText, $authKey, true); $encrypted = base64_encode($iv . $cipherText . $auth);
  • 43. Decrypt $key = 'xxxxxxxxxxxxxxxx'; $authKey = 'XXXXXXXXXXXXXX'; $size = mcrypt_get_iv_size( MCRYPT_RIJNDAEL_128, MCRYPT_MODE_CFB ); $encrypted = base64_decode($encrypted); $iv = substr($encrypted, 0, $size); $auth = substr($encrypted, -64); $cipherText = substr($encrypted, $size, -64); if ($auth != hash_hmac('sha512', $cipherText, $authKey, true)) { // Auth Failed!!! return false; } $plainText = mcrypt_decrypt( MCRYPT_RIJNDAEL_128, $key, $cipherText, MCRYPT_MODE_CFB, $iv );
  • 44. Please Don't Do It! ● Notice How Much Code It Took ○ Without error checking ● Notice How Complex It Is ○ Without flexibility ● Notice How Easy To Screw Up ○ Without Key Storage ● Notice How Many Decisions To Make
  • 45. If you MUST, Use a Library
  • 46. Common Encryption Needs ● Between Client / Server ○ Use SSL ○ Really, just use SSL ○ I'm not kidding, just use SSL ● Storage ○ Use disk encryption ○ Use database encryption
  • 48. Encryption Resources ● Zend Framework Encryption ○ Very good and complete lib ○ ZF2 ■ ZendCryptBlockCipher ● PHP Sec Lib ○ phpseclib.sourceforge.net ○ Pure PHP ● Not Many Others ○ Beware of online tutorials!!!
  • 49. Learn More ● Coursera <-- FREE!!! ○ Cryptography 1 ○ Cryptography 2
  • 51. Passwords Should Be HASHED! Not Encrypted!
  • 52. Password Hashes ● Use A Salt ○ Defeats Rainbow Tables ○ Makes Each Hash a "Proof Of Work" ○ Should be random! ■ Strong Randomness ● Should Be SLOW! ○ Salt is not enough
  • 53.
  • 54.
  • 55. Brute Forcing 25 GPU Cluster - md5: 180 Billion per second - < $50,000 6 char passwords: 4 seconds 7 char passwords: 6 minutes 8 char passwords: 10 hours Entire English Language: microseconds "LEET" Permutations: 0.7 seconds
  • 56. Good Algorithms crypt($password, $salt); pbkdf2($password, $salt, $i); password_hash( $password, PASSWORD_BCRYPT ); $passLib->hash($password); $phpass->hashPassword($pass);
  • 57. Cost Parameter ● Target: 0.25 - 0.5 Seconds ○ As slow as you can afford ● Depends on hardware ○ Test it! ● Good Defaults: ○ BCrypt: 10 ○ PBKDF2: 10,000
  • 59. New API for 5.5 ● string password_hash($pass, $algo, array $options = array() ) ○ Generates Salt, hashes password ● bool password_verify($pass, $hash) ○ Verifies Hash with Password ● bool password_needs_rehash($hash, $algo, array $options = array()) ○ Determines if the hash is the same as specified by algo and options ● array password_get_info($hash) ○ Returns information about the hash
  • 60. Example function register($user, $password) { $hash = password_hash($password, PASSWORD_BCRYPT); $this->store($user, $hash); } function login($user, $password) { $hash = $this->fetchHash($user); if (password_verify($password, $hash)) { if (password_needs_rehahs($hash, PASSWORD_BCRYPT)) { $hash = password_hash($password, PASSWORD_BCRYPT); $this->store($user, $hash); } $this->startSession(); return true; } return false; }
  • 61. Hashing Resources ● PHP 5.5 API ○ wiki.php.net/rfc/password_hash ○ php.net/password ● Password Compat ○ PHP 5.5 Compatibility ○ github/ircmaxell/password_compat ● PasswordLib ○ 5.3+, Multiple Algorithms, Portable ○ github/ircmaxell/PHP-PasswordLib ● PHPASS ○ PHP 4+ ○ openwall.com/phpass
  • 63. You Have Been Warned
  • 64. Anthony Ferrara joind.in/8027 @ircmaxell blog.ircmaxell.com me@ircmaxell.com youtube.com/ircmaxell