PHP Identity and Data Security
Jonathan LeBlanc
Twitter: @jcleblanc
Book: http://bit.ly/iddatasecurity

Release Date: July 2016
Book Details: http://bit.ly/iddatasecurity
Identity & Data Security Book

Security is Hard

1: 123456
2: password
3: 12345678
4: qwerty
5: 12345
6: 123456789
7: football
8: 1234
9: 1234567
10: baseball
11: welcome
12: 1234567890
13: abc123
14: 111111
15: 1qaz2wsx
16: dragon
17: master
18: monkey
19: letmein
20: login
21: princess
22: qwertyuiop
23: solo
24: passw0rd
25: starwars
Top Passwords of 2015

Protecting Identity

Password Attack Vectors

Brute Force Attacks
Calculate all key variations within a given length, then try each one until the password is guessed.
Protect via: Key stretching, CAPTCHA, 2FA

Dictionary Attacks
Use a list of predetermined words/phrases to guess the password.
Protect via: Salting

Rainbow Tables
Use precalculated password hashes to break encryption.
Protect via: Salting
Protecting Against Password Attacks

Salting and Peppering

//hashing identical messages with no salt
hash('mechagodzilla') =
    162e0a91026a28f1f2afa11099d1fcbdd9f2e351095ebb196c90e10290ef1227
hash('mechagodzilla') =
    162e0a91026a28f1f2afa11099d1fcbdd9f2e351095ebb196c90e10290ef1227

//hashing identical messages with random salt
hash('mechagodzilla' + '458cf2979ef27397db67077775225334') =
    f3499a916612e285612b32702114751f557a70606c32b54b92de55153d40d3b6
hash('mechagodzilla' + 'ef5b72eff781b09a0784438af742dd6e') =
    7e29c5c48f44755598dec3549155ad66f1af4671091353be4c4d7694d71dc866
hash('mechagodzilla' + 'cc989b105a1c6a5f0fb460e29dd272f3') =
    6dedd3dbb0639e6e00ca0bf6272c141fb741e24925cb7548491479a1df2c215e
Hashing with and without salts

Storing Salts
Store alongside the hash

Salt Reuse
Salts should be unique per password

Salt Length
Same size as hash? 64 bits? 128 bits?
Considerations when using Salts

bcrypt
Designed for password security, based on the Blowfish cipher, CPU & RAM intensive.

PBKDF2
Comes from RSA Laboratories, performs the HMAC (hash + key) over a specific number of iterations.

scrypt
Designed to make it costly to perform large-scale hardware attacks by requiring large amounts of memory.
Password Encryption Algorithms

//fetch password from user creation request
$password = $_POST['password'];

//salt option deprecated in PHP 7.0.0+
$options = [
    'cost' => 12
];

//create 60 character hash, with default unique salt, and options
$hash = password_hash($password, PASSWORD_BCRYPT, $options);

//STORE HASH IN USER DATABASE RECORD
//SALT IS BUILT INTO HASH
Hashing with bcrypt

//fetch login request information
$username = $_POST['username'];
$password = $_POST['password'];

//fetch user record from database
$user = fetchDBRecord($username);

//verify if login attempt password matches stored user hash
if (password_verify($password, $user->hash)){
    echo "password matches";
} else {
    echo "password doesn't match";
}
Login Hash Comparison with bcrypt
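
An added example (not from the original slides) extending the bcrypt login check: it rehashes on a successful login when the stored cost is below the current policy, and verifies against a dummy hash for unknown usernames so that both paths run one bcrypt verification. The in-memory $users array, the BCRYPT_OPTIONS constant and the login() helper are hypothetical stand-ins for the database layer.

```php
<?php
// Added example: bcrypt login with transparent cost upgrade.
// $users stands in for the user table (constructed sample data).
const BCRYPT_OPTIONS = ['cost' => 12];

$users = [
    // record created earlier under an older, lower cost factor
    'alice' => ['hash' => password_hash('correct horse', PASSWORD_BCRYPT, ['cost' => 10])],
];

function login(array &$users, string $username, string $password): bool
{
    // Hash checked when the username does not exist, so an unknown user
    // still costs one bcrypt verification instead of returning instantly.
    static $dummy = null;
    if ($dummy === null) {
        $dummy = password_hash(bin2hex(random_bytes(16)), PASSWORD_BCRYPT, BCRYPT_OPTIONS);
    }

    $known  = isset($users[$username]);
    $stored = $known ? $users[$username]['hash'] : $dummy;

    // password_verify() is evaluated first, so it always runs
    if (!password_verify($password, $stored) || !$known) {
        return false;
    }

    // Password is correct: upgrade the stored hash if it was created with
    // an older algorithm or a lower cost than the current policy.
    if (password_needs_rehash($stored, PASSWORD_BCRYPT, BCRYPT_OPTIONS)) {
        $users[$username]['hash'] = password_hash($password, PASSWORD_BCRYPT, BCRYPT_OPTIONS);
    }
    return true;
}

var_dump(login($users, 'alice', 'wrong password'));  // known user, wrong password
var_dump(login($users, 'mallory', 'correct horse')); // unknown user
var_dump(login($users, 'alice', 'correct horse'));   // valid login, triggers the rehash

// cost recorded in the stored hash after the successful login
var_dump(password_get_info($users['alice']['hash'])['options']['cost']);
```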

//fetch password from user creation request
$password = $_POST['password'];

//set iterations and random salt
//(random_bytes replaces mcrypt_create_iv, which was removed in PHP 7.2)
$iterations = 1000;
$salt = random_bytes(16);

//hash password using sha256
$hash = hash_pbkdf2("sha256", $password, $salt, $iterations, 20);

//STORE HASH AND SALT IN USER DATABASE RECORD
Hashing with PBKDF2

//fetch login request info and set iterations
$username = $_POST['username'];
$password = $_POST['password'];
$iterations = 1000;

//fetch user record from database
$user = fetchDBRecord($username);

//manually hash the login attempt password
$loginhash = hash_pbkdf2("sha256", $password, $user->salt, $iterations, 20);

//validate if hashes match (known stored hash first, user-supplied value second)
if (hash_equals($user->hash, $loginhash)){
    echo 'password match';
} else {
    echo 'password mismatch';
}
Login Hash Comparison with PBKDF2

Protecting Data

Ideal Scenario: SSL/TLS

Domain Validation (DV)
Certificate authority (CA) validates domain access only

Organization Validation (OV)
CA validates DV and basic organization information

Extended Validation (EV)
CA validates DV, OV, and legal existence of the organization
Certificate Types

#generate private key and self-signed certificate valid for 1 year
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout server.key -out server.crt
Generate your self-signed certificate and private key

//update httpd.conf file to enable SSL (uncomment the following)
#LoadModule ssl_module libexec/apache2/mod_ssl.so
#Include /private/etc/apache2/extra/httpd-ssl.conf

//update httpd-ssl.conf file for CRT location
SSLCertificateFile "/private/etc/apache2/server.crt"

//copy crt and private key files to above location
cp server.crt server.key /private/etc/apache2/
Configuring SSL capabilities and setting certificates on Apache server

<VirtualHost *:443>
    #general virtual hosts information
    DocumentRoot "/Users/jleblanc/localhost/ssltest"
    ServerName ssltest
    ErrorLog "/private/var/log/apache2/local.example.com-error_log"
    CustomLog "/private/var/log/apache2/local.example.com-access_log" common

    #SSL details
    SSLEngine on
    SSLCertificateFile "/private/etc/apache2/server.crt"
    SSLCertificateKeyFile "/private/etc/apache2/server.key"

    #SSL engine options
    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory "/Library/WebServer/CGI-Executables">
        SSLOptions +StdEnvVars
    </Directory>
</VirtualHost>
Update httpd-vhosts.conf

Synchronous Cryptography

Single User Environment

Encryption (ECB, CBC, OFB, CFB, CTR)
Data privacy and confidentiality mode. Attacker cannot obtain info on the plaintext data.

Authentication (CMAC)
Data authenticity mode. Receiver can validate whether cleartext came from intended sender.

Authenticated Encryption (CCM, GCM, KW/KWP/TKW)
Includes both data privacy and authenticity.
Modes of Operation

//set initialization data
$mode = 'aes-256-cbc';
$message = 'my secure message';
$ivbytes = openssl_cipher_iv_length($mode); //16 for AES in CBC mode
$keybytes = 32; //aes-256 needs a 256-bit key; a shorter key is silently zero-padded

//create initialization vector and shared private key
//($strongcrypto is an output flag set by OpenSSL, not an input)
$iv = openssl_random_pseudo_bytes($ivbytes, $strongcrypto);
$key = openssl_random_pseudo_bytes($keybytes, $strongcrypto);

//create ciphertext with no options
$ciphertext = openssl_encrypt($message, $mode, $key, 0, $iv);
Configuring and encrypting message

//----
// data sent to server: iv, ciphertext
// data known by server: key
//----

//set algorithm and mode
$mode = 'aes-256-cbc';

//decrypt provided cipher
$decrypted = openssl_decrypt($ciphertext, $mode, $key, 0, $iv);
Decrypting ciphertext
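
The modes-of-operation slide lists authenticated encryption (GCM), while the encrypt and decrypt slides use CBC, which gives confidentiality only. The following added example (not from the original slides) shows AES-256-GCM with PHP's OpenSSL extension (PHP 7.1+) and how a modified ciphertext or mismatched associated data is rejected. The helper names encryptMessage()/decryptMessage(), the `iv || tag || ciphertext` layout and the sample values are assumptions of this example.

```php
<?php
// Added example: AES-256-GCM, an authenticated encryption mode.
// encryptMessage()/decryptMessage() are hypothetical helper names.

function encryptMessage(string $plaintext, string $key, string $aad = ''): string
{
    $cipher = 'aes-256-gcm';
    // 12-byte nonce; must never repeat under the same key
    $iv = random_bytes(openssl_cipher_iv_length($cipher));
    $tag = '';
    $ciphertext = openssl_encrypt($plaintext, $cipher, $key, OPENSSL_RAW_DATA, $iv, $tag, $aad, 16);
    if ($ciphertext === false) {
        throw new RuntimeException('encryption failed');
    }
    // Wire format (an assumption of this example): iv || tag || ciphertext
    return base64_encode($iv . $tag . $ciphertext);
}

function decryptMessage(string $encoded, string $key, string $aad = ''): ?string
{
    $cipher = 'aes-256-gcm';
    $ivlen = openssl_cipher_iv_length($cipher);
    $raw = base64_decode($encoded, true);
    if ($raw === false || strlen($raw) < $ivlen + 16) {
        return null; // malformed or truncated input
    }
    $iv = substr($raw, 0, $ivlen);
    $tag = substr($raw, $ivlen, 16);
    $ciphertext = substr($raw, $ivlen + 16);
    // openssl_decrypt() returns false when the tag does not match,
    // i.e. the ciphertext, IV, tag or associated data was altered
    $plaintext = openssl_decrypt($ciphertext, $cipher, $key, OPENSSL_RAW_DATA, $iv, $tag, $aad);
    return $plaintext === false ? null : $plaintext;
}

$key = random_bytes(32); // 256-bit shared key
$sealed = encryptMessage('my secure message', $key, 'user:42');
var_dump(decryptMessage($sealed, $key, 'user:42')); // untouched message

// Flip one bit of the ciphertext: decryption is refused rather than returning garbage
$raw = base64_decode($sealed);
$last = strlen($raw) - 1;
$raw[$last] = chr(ord($raw[$last]) ^ 1);
var_dump(decryptMessage(base64_encode($raw), $key, 'user:42'));

// Same ciphertext, different associated data: also rejected
var_dump(decryptMessage($sealed, $key, 'user:43'));
```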

//display block ciphers and modes
print_r(openssl_get_cipher_methods());
Getting all available ciphers and modes

Asynchronous Cryptography

Multi-User Environment

#create private key in private.key
openssl genrsa -out private.key 2048

#create public key in public.pem
openssl rsa -in private.key -outform PEM -pubout -out public.pem
Generating Public / Private Keys

//set public key data from files and object to send
$public_key = openssl_get_publickey(file_get_contents('public.pem'));
$data = '{"message": "my super secure message"}';

//encrypt object and envelope key
//(the cipher argument is required as of PHP 8; older versions defaulted to RC4)
$cipher = 'aes-256-cbc';
openssl_seal($data, $encrypted, $encpub, array($public_key), $cipher, $iv);

//encrypted data, envelope key (encrypted with the public key), and IV
$sealed_data = base64_encode($encrypted);
$envelope = base64_encode($encpub[0]);
$iv = base64_encode($iv);

//SEND SEALED DATA, ENVELOPE, AND IV TO RECIPIENT
Preparing Message, Encrypting, and Signing

//OBTAIN SEALED DATA, ENVELOPE, AND IV FROM SENDER

//set private key data
$private_key = openssl_get_privatekey(file_get_contents('private.key'));

//decode data
$sealed_data = base64_decode($sealed_data);
$envelope = base64_decode($envelope);
$iv = base64_decode($iv);

//decrypt data using private key (same cipher as the sender)
$cipher = 'aes-256-cbc';
openssl_open($sealed_data, $plaintext, $envelope, $private_key, $cipher, $iv);

//decrypted message available in $plaintext
Decrypting and Verifying Message
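
The slide titles mention signing and verifying, but openssl_seal() and openssl_open() only encrypt and decrypt. The following added example (not from the original slides) signs the transmitted data with the sender's own private key and verifies it on the recipient side with openssl_sign()/openssl_verify(). The in-memory key pair, the verifySender() helper and the payload are constructed for this example.

```php
<?php
// Added example: sign the sealed data so the recipient can verify the sender.
// The sender key pair is generated in memory here (constructed for this
// example); in practice the sender loads its own private key from a file.

$sender_key = openssl_pkey_new([
    'private_key_type' => OPENSSL_KEYTYPE_RSA,
    'private_key_bits' => 2048,
]);
if ($sender_key === false) {
    exit('key generation failed: ' . openssl_error_string());
}
$sender_public_pem = openssl_pkey_get_details($sender_key)['key'];

// Constructed stand-in for the base64 sealed data produced by openssl_seal()
$sealed_data = base64_encode('constructed sealed payload');

// --- sender: sign exactly what is transmitted ---
if (!openssl_sign($sealed_data, $signature, $sender_key, OPENSSL_ALGO_SHA256)) {
    exit('signing failed');
}
$signature_b64 = base64_encode($signature);

// --- recipient: verify before opening the envelope ---
function verifySender(string $data, string $signature_b64, string $public_pem): bool
{
    $signature = base64_decode($signature_b64, true);
    if ($signature === false) {
        return false; // signature is not valid base64
    }
    // openssl_verify() returns 1 (valid), 0 (invalid) or -1/false (error);
    // only an exact 1 may be treated as success.
    return openssl_verify($data, $signature, $public_pem, OPENSSL_ALGO_SHA256) === 1;
}

// unmodified payload with the matching signature
var_dump(verifySender($sealed_data, $signature_b64, $sender_public_pem));

// payload altered in transit: the same signature no longer verifies
var_dump(verifySender($sealed_data . 'x', $signature_b64, $sender_public_pem));
```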

Security Fundamentals Wrapup

Thank You!