cryptography in php: some use cases

© All rights reserved. Zend Technologies, Inc.

Cryptography in PHP:some use cases

by Enrico Zimuel ([email protected])

Senior Software EngineerZend Framework Core TeamZend Technologies Ltd

PHPTour Lille 2011 – 25 Novemberhttp://afup.org/pages/phptourlille2011/

mailto:[email protected]

http://afup.org/pages/phptourlille2011/


• Software Engineer since 1996– Assembly x86, C/C++, Java, Perl, PHP

• Enjoying PHP since 1999

• PHP Engineer at Zend since 2008

• ZF Core Team from April 2011

• Author of two italian books about

applied cryptography

• B.Sc. Computer Science and Economics

from University of Pescara (Italy)

About me

Email: [email protected]: @ezimuel



Summary

● Cryptography in PHP● Some use cases:

▶ Safe way to store passwords▶ Generate pseudo-random numbers▶ Encrypt/decrypt sensitive data

● Demo: encrypt PHP session data


Cryptography in PHP

● crypt()● Mcrypt● Hash● OpenSSL


crypt()

● One-way string hashing● Support strong cryptography

▶ bcrypt, sha-256, sha-512● PHP 5.3.0 – bcrypt support● PHP 5.3.2 – sha-256/512● Note: don't use PHP 5.3.7 (bug #55439)

https://bugs.php.net/bug.php?id=55439


Mcrypt extension

● Mcrypt is an interface to the mcrypt library● Supports the following encryption algorithms:

▶ 3DES, ARCFOUR, BLOWFISH, CAST, DES, ENIGMA, GOST, IDEA (non-free), LOKI97, MARS, PANAMA, RIJNDAEL, RC2, RC4, RC6, SAFER, SERPENT, SKIPJACK, TEAN, TWOFISH, WAKE, XTEA

http://mcrypt.sourceforge.net/


Hash extension

● Enabled by default from PHP 5.1.2● Hash or HMAC (Hash-based Message

Authentication Code)● Supported hash algorithms: MD4, MD5,

SHA1, SHA256, SHA384, SHA512, RIPEMD, RIPEMD, WHIRLPOOL, GOST, TIGER, HAVAL, etc


OpenSSL extension

● The OpenSSL extension uses the functions of the OpenSSL project for generation and verification of signatures and for sealing (encrypting) and opening (decrypting) data

● Public key cryptography (RSA algorithm)

http://www.openssl.org/


Which algorithm to use?

● Some suggestions:▶ Symmetric encryption:

● Blowfish / Twofish● Rijndael (AES, FIST 197 standard

since 2001)▶ Hash: SHA-256, 384, 512▶ Public key: RSA


Cryptography vs. Security

● Cryptography doesn't mean security● Encryption is not enough● Bruce Schneier quotes:

▶ “Security is only as strong as the weakest link”

▶ “Security is a process, not a product”


When cryptography fails...


Use cases


Use case 1: store a password

● Scenario:▶ Web applications with a protect area▶ Username and password to login

● Problem: ▶ How to safely store a password?


Hash a password

● md5($password) – not secure

▶ Dictionary attack (pre-built)

● md5($salt . $password) – better but still insecure

▶ Dictionary attacks:● 700'000'000 passwords a second using CUDA

(budget of 2000 $, a week)● Cloud computing, 500'000'000 passwords a

second (about $300/hour)


bcrypt

● Better idea, use of bcrypt algorithm:▶ bcrypt prevent the dictionary attacks because

is slow as hell▶ Based on a variant of Blowfish▶ Introduce a work factor, which allows you to

determine how expensive the hash function will be


bcrypt in PHP

● Hash the password using bcrypt (PHP 5.3+)

$salt = substr(str_replace('+', '.', base64_encode($salt)), 0, 22);

$hash = crypt($password,'$2a$'.$workload.'$'.$salt);

$salt = substr(str_replace('+', '.', base64_encode($salt)), 0, 22);

$hash = crypt($password,'$2a$'.$workload.'$'.$salt);

● $salt is a random string (it is not a secret!)

● $workload is the bcrypt's workload (from 10 to 31)


$workload time in sec

10 0.1

11 0.2

12 0.4

13 0.7

14 1.5

15 3

16 6

17 12

18 24.3

19 48.7

20 97.3

21 194.3

bcrypt workload benchmark

OS: Linux kernel 2.6.38CPU: Intel Core2, 2.1GhzRAM: 2 GB - PHP: 5.3.6

Suggestion:Spend > 1 sec


bcrypt output

● Example of bcrypt's output:

● $2a$14$, bcrypt with workload 14● c2Rmc2Fka2hmamhzYWRmau is the salt● BpwLLDFKNPTfmCeuMHVnMVaLatNlFZO, is the hash

output (60 btyes)

$2a$14$c2Rmc2Fka2hmamhzYWRmauBpwLLDFKNPTfmCeuMHVnMVaLatNlFZO


bcrypt authentication

● How to check if a $userpassword is valid for a $hash value?

if ($hash==crypt($userpassword,$hash)) { echo 'The password is correct';} else { echo 'The password is not correct!';}

if ($hash==crypt($userpassword,$hash)) { echo 'The password is correct';} else { echo 'The password is not correct!';}


Use case 2: generate random data in PHP

● Scenario:▶ Generate random passwords for

● Login systems● API systems

● Problem:▶ How to generate random data in PHP?


Random number generators


PHP vs. randomness

● How generate a pseudo-random value in PHP?● Not good for cryptography purpose:

▶ rand()▶ mt_rand()

● Good for cryptography (PHP 5.3+):

▶ openssl_random_pseudo_bytes()▶


rand() is real random?

rand() in PHP on Windows Pseudo-random bits

From random.org website


Use case 3: encrypt data

● Scenario:▶ We want to store some sensitive data

(e.g. credit card numbers)● Problem:

▶ How to encrypt this data in PHP?


Symmetric encryption

● Using Mcrypt extension:▶ mcrypt_encrypt(string $cipher,string $key,

string $data,string $mode[,string $iv])▶ mcrypt_decrypt(string $cipher,string $key,

string $data,string $mode[,string $iv])● What are the $mode and $iv parameters?


Encryption mode

● Symmetric encryption mode:

▶ ECB, CBC, CFB, OFB, NOFB or STREAM● We are going to use the CBC that is the most used and

secure (as suggested by Schneier in [1])● Cipher-Block Chaining (CBC) mode of operation was

invented in 1976 by IBM


CBC

...

The Plaintext (input) is divided into blocks

Block 1 Block 2 Block 3

Block 1 Block 2 Block 3

The Ciphertext (output) is the concatenation of the cipher-blocks


IV

● Initialization Vector (IV) is a fixed-size input that is typically required to be random or pseudo

● The IV is not a secret, you can send it in plaintext● Usually IV is stored before the encrypted message● Must be unique for each encrypted message


Encryption is not enough

● We cannot use only encryption to store sensitive data, we need also authentication!

● Encryption doesn't prevent alteration of data

▶ Padding Oracle Attack (Vaudenay, EuroCrypt 2002)

● We need to authenticate:

▶ MAC (Message Authentication Code)▶ HMAC (Hash-based Message Authentication

Code)


HMAC

● In PHP we can generate an HMAC using the hash_hmac() function:

hash_hmac ($algo, $msg, $key)

$algo is the hash algorithm to use (e.g. sha256)$msg is the message$key is the key for the HMAC


Encryption + authentication

● Three possible ways:▶ Encrypt-then-authenticate▶ Authenticate-then-encrypt▶ Encrypt-and-authenticate

● We use encrypt-then-authenticate, as suggested by Schneier in [1]


Demo: encrypt session data

● Specific PHP session handler to encrypt session data using files

● Use of AES (Rijndael 128) + HMAC (SHA-256)● Pseudo-random session key● The encryption and authentication keys are stored

in a cookie variable● Source code:

https://github.com/ezimuel/PHP-Secure-Session

https://github.com/ezimuel/PHP-Secure-Session


Conclusion (1)

● Use standard algorithms for cryptography:

▶ AES (Rijndael 128), SHA-* hash family, RSA● Generate random data using the function:

▶ openssl_random_pseudo_bytes()● Store passwords using bcrypt:

▶ crypt($password, '$2a$'.$workload.'$'.$salt)


Conclusion (2)

● For symmetric encryption:

▶ Use CBC mode with a different random IV for each encryption

▶ Always authenticate the encryption data (using HMAC): encrypt-then-authenticate

● Use HTTPS (SSL/TLS) to protect the communication client/server


(1) N. Ferguson, B. Schneier, T. Kohno, “Cryptography Engineering”, Wiley Publishing, 2010

(2) Serge Vaudenay, “Security Flaws Induced by CBC Padding Applications to SSL, IPSEC, WTLS”, EuroCrypt 2002

● Web:▶ PHP cryptography extensions▶ How to safely store a password▶ bcrypt algorithm▶ SHA-1 challenge▶ Nvidia CUDA▶ Random.org

References

http://codahale.com/how-to-safely-store-a-password/

http://bcrypt.sourceforge.net/

http://www.win.tue.nl/cccc/sha-1-challenge.html

http://www.random.org/


● Comments and feedbacks:▶ [email protected]

Thank you!


cryptography in php: some use cases

Technology