Encryption: It's For More Than Just Passwords
JOHN CONGDON
• PHP Since 2003
• SDPHP Organizer
• Developer for Networx Online
• PhoneBurner.com
• MeetingBurner.com
• FaxBurner.com
• I am not a cryptographer
TODAY'S TOPICS
Hashing & Encryption
The Evolution Of Password Maintenance
CLEAR TEXT
```php
$username = $_POST['username'];
$password = $_POST['password'];
$user = getUserByUsername($username);
$authenticated = false;
if ($user->password == $password) {
    $authenticated = true;
}
```
*example only: not meant to be used
MAJOR VULNERABILITY
• Server compromise gives complete username and password list
• SQL-Injection does too
HASHING
CRYPTOGRAPHIC HASHING
Wikipedia Definition: A cryptographic hash function is a hash function; that is, an algorithm that takes an arbitrary block of data and returns a fixed-size bitstring, the (cryptographic) hash value, such that any (accidental or intentional) change to the data will (with very high probability) change the hash value. The data to be encoded are often called the "message," and the hash value is sometimes called the message digest or simply the digest.
Message → HASH → Digest
Message: unicorn
Digest: 1abcb33beeb811dca15f0ac3e47b88d9
MD5 EXAMPLE
```php
$username = $_POST['username'];
$password = $_POST['password'];
$user = getUserByUsername($username);
$authenticated = false;
if ($user->password == md5($password)) {
    $authenticated = true;
}
```
*example only: not meant to be used
AVAILABLE ALGORITHMS
```php
<?php
print_r(hash_algos());
```
```
Array (
  [0] => md2 [1] => md4 [2] => md5 [3] => sha1 [4] => sha224 [5] => sha256
  [6] => sha384 [7] => sha512 [8] => ripemd128 [9] => ripemd160 [10] => ripemd256
  [11] => ripemd320 [12] => whirlpool [13] => tiger128,3 [14] => tiger160,3
  [15] => tiger192,3 [16] => tiger128,4 [17] => tiger160,4 [18] => tiger192,4
  [19] => snefru [20] => snefru256 [21] => gost [22] => gost-crypto [23] => adler32
  [24] => crc32 [25] => crc32b [26] => fnv132 [27] => fnv1a32 [28] => fnv164
  [29] => fnv1a64 [30] => joaat [31] => haval128,3 [32] => haval160,3
  [33] => haval192,3 [34] => haval224,3 [35] => haval256,3 [36] => haval128,4
  [37] => haval160,4 [38] => haval192,4 [39] => haval224,4 [40] => haval256,4
  [41] => haval128,5 [42] => haval160,5 [43] => haval192,5 [44] => haval224,5
  [45] => haval256,5
)
```
VULNERABILITIES
• SQL-Injection gives you hashed passwords
ADDING SALT
In cryptography, a salt is random data that is used as an additional input to a one-way function that hashes a password or passphrase.[1] The primary function of salts is to defend against dictionary attacks versus a list of password hashes and against pre-computed rainbow table attacks.
```php
$hash = md5('RAND_SALT' . $password);
```
RAND_SALT must come from a cryptographically secure source.
• Do not use (rand, mt_rand, uniqid)
• Do use (/dev/urandom, mcrypt, openssl)
MD5+SALT EXAMPLE
```php
$username = $_POST['username'];
$password = $_POST['password'];
$user = getUserByUsername($username);
$authenticated = false;
if ($user->password == md5($user->salt . $password)) {
    $authenticated = true;
}
```
*example only: not meant to be used
```php
function generateUserPassword($salt_string, $password) {
    $str1 = substr($salt_string, 0, 8);
    $str2 = substr($salt_string, 8);
    return md5($str1 . $password . $str2);
}
```
```php
function hashPassword($password) {
    return sha1($this->Salt1 . $password . $this->Salt2);
}
```
USE TODAY'S STANDARDS
Currently: BCrypt
• Slower by design
• Configurable to help withstand the test of time
• Should be configured to take 0.25 to 0.50 seconds
• Start with a cost of 10, use higher if possible
https://github.com/johncongdon/bcrypt-cost-finder
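One way to pick the cost for the 0.25 to 0.50 second target above, as an added example (not code from the slides or from the linked bcrypt-cost-finder repository). The function names `timeBcrypt()` and `findBcryptCost()`, the upper bound of 16 and the sample password are assumptions made for illustration.

```php
<?php
// Added example: find the lowest bcrypt cost, starting at 10, whose hashing
// time on this server reaches the target. All names here are hypothetical.

// Time one bcrypt hash at the given cost; best of three runs to reduce noise.
function timeBcrypt(string $password, int $cost): float
{
    $best = INF;
    for ($i = 0; $i < 3; $i++) {
        $start = microtime(true);
        password_hash($password, PASSWORD_BCRYPT, ['cost' => $cost]);
        $best = min($best, microtime(true) - $start);
    }
    return $best;
}

// Each +1 in cost doubles the work, so the first cost that reaches 0.25s
// normally lands below 0.50s as well (unless the start cost already exceeds it).
function findBcryptCost(float $targetSeconds = 0.25, int $startCost = 10, int $maxCost = 16): array
{
    $sample  = 'constructed-sample-password'; // constructed input, not a real secret
    $cost    = $startCost;
    $elapsed = timeBcrypt($sample, $cost);
    while ($elapsed < $targetSeconds && $cost < $maxCost) {
        $cost++;
        $elapsed = timeBcrypt($sample, $cost);
    }
    return ['cost' => $cost, 'seconds' => $elapsed];
}

$result  = findBcryptCost();
$options = ['cost' => $result['cost']];
printf("Use cost %d (%.3f s per hash)\n", $result['cost'], $result['seconds']);

// Hashes stored at a lower cost are flagged so they can be upgraded at next login.
$oldHash = password_hash('constructed-sample-password', PASSWORD_BCRYPT, ['cost' => 4]);
if (password_needs_rehash($oldHash, PASSWORD_BCRYPT, $options)) {
    echo "Stored hash uses an older cost and should be rehashed on login\n";
}
```

Run it on the production hardware that will serve logins, since the timing depends on that CPU.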
PHP 5.5 Password Hashing API
http://www.php.net/manual/en/ref.password.php
```php
$authenticated = false;
if ($user->password == md5($password)) {
    $authenticated = true;
}
```
```php
// Step 1: wrap the existing MD5 check in a function
function authenticate($user, $password) {
    $authenticated = false;
    if ($user->password == md5($password)) {
        $authenticated = true;
    }
    return $authenticated;
}
```
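```php
// Step 2: accept new password_hash() hashes, keep the MD5 check for legacy rows
function authenticate($user, $password) {
    $authenticated = false;
    $hash = $user->password;
    if (password_verify($password, $hash)) {
        $authenticated = true;
    }
    // Legacy accounts still hold an MD5 digest until they are rehashed
    if ($user->password == md5($password)) {
        $authenticated = true;
    }
    return $authenticated;
}
```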
```php
$username = $_POST['username'];
$password = $_POST['password'];
$user = getUserByUsername($username);
if (authenticate($user, $password)) {
    // The plaintext is only available at login, so upgrade the stored hash here
    if (password_needs_rehash($user->password, PASSWORD_DEFAULT)) {
        $user->password = password_hash($password, PASSWORD_DEFAULT);
        $user->save();
    }
}
```
I Lied: Available in PHP >= 5.3.7
https://github.com/ircmaxell/password_compat
A forward compatible password API implementation that will work until you are ready to upgrade to 5.5. This will work for all versions of PHP that have the $2y fix.
Upgrading to 5.5 will not break your current code if you use this library.
Want More? Get Statistics Here
http://blog.ircmaxell.com/2013/01/password-storage-talk-at-php-benelux-13.html
Passwords Are Easy
We don't need to know it, except for user login
ENCRYPTION
AVOID ENCRYPTION AT ALL COSTS!
Clarification: Avoid storing any data that you need to encrypt.
Before deciding to collect and store this information, ask yourself why you need it.
Is the risk of potentially leaking this information worth the reward?
Are there any alternative solutions available to you?
Example: Credit card companies usually offer a token solution
SYMMETRIC VS ASYMMETRIC
Symmetric
• Only one shared key
• Same key encrypts and decrypts
• Easiest to understand
Asymmetric
• Two keys (Public and Private)
• Encryption/Decryption
  • Public key encrypts
  • Private key decrypts
• Signing/Verifying
  • Private key signs
  • Public key verifies
SYMMETRIC ENCRYPTION
a.k.a. Shared-Key Encryption
KEYS, CIPHERS, MODES, AND IV OH MY!
Keys should be easy enough (Keep it secret)
Ciphers
• Deterministic algorithm (Ex: 3DES, Blowfish, TwoFish)
Modes
• Determines how the key stream is used (never cross them)
• Avoid ECB (Electronic Code Book)
• Use CBC or CFB (Cipher Block Chaining / Cipher FeedBack)
Initialization Vectors
• Similar to SALT in hashing (It's not a secret)
• Must be random per encrypted text
EXAMPLE: ENCRYPT USING CRYPT
```php
$crypt_key = 'MySecretKey';
$message = "Do not tell my boss, but I did xyz";
// A fresh random IV for every message, sized for the chosen cipher and mode
$iv_size = mcrypt_get_iv_size(MCRYPT_BLOWFISH, MCRYPT_MODE_CBC);
$iv = mcrypt_create_iv($iv_size, MCRYPT_DEV_URANDOM);

$cipher = mcrypt_encrypt(MCRYPT_BLOWFISH, $crypt_key, $message, MCRYPT_MODE_CBC, $iv);
```
HMAC: HASH-BASED MESSAGE AUTHENTICATION CODE
Using a separate key, this will give us a signature of the encryption. We can use this to ensure that the data has not been tampered with.
When encrypting:
Always encrypt first, and then get the signature of the Cipher Text.
Store the signature with your IV and Cipher Text.
When Decrypting:
Always verify the signature first, and then decrypt if successful.
EXAMPLE: USING HMAC
```php
$crypt_key = 'MySecretKey';
$hmac_key = 'HashingKey';
// Encrypt first, then sign the cipher text with the separate HMAC key
$hmac = hash_hmac('sha512', $cipher, $hmac_key);
// Store it with your encrypted data
$encoded_data = base64_encode($iv . $cipher . $hmac);
```
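EXAMPLE: DECRYPTING USING HMAC
```php
$decoded_data = base64_decode($encoded_data);
$iv = substr($decoded_data, 0, $iv_size);
// The hex-encoded SHA-512 HMAC is the last 128 characters
$hmac = substr($decoded_data, -128);
$cipher = substr($decoded_data, $iv_size, -128);
// Verify before decrypting; hash_equals() (PHP >= 5.6) compares in constant
// time and avoids the loose-comparison pitfalls of != on hex strings
if (!hash_equals(hash_hmac('sha512', $cipher, $hmac_key), $hmac)) {
    throw new Exception('HMAC does not match');
}
$message = mcrypt_decrypt(MCRYPT_BLOWFISH, $crypt_key, $cipher, MCRYPT_MODE_CBC, $iv);
```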
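The same encrypt-then-HMAC flow for current PHP, where the mcrypt extension was removed in PHP 7.2; this is an added example, not code from the slides. It swaps in `openssl_encrypt()` with AES-256-CBC and HMAC-SHA256, and it also covers the IV with the HMAC. The function names `sealMessage()` and `openMessage()` and the randomly generated sample keys are assumptions.

```php
<?php
// Added example: encrypt first, HMAC the result with a separate key,
// verify the HMAC before decrypting. Names below are hypothetical.

const CIPHER   = 'aes-256-cbc';
const MAC_ALGO = 'sha256';
const MAC_LEN  = 32; // raw HMAC-SHA256 output length in bytes

function sealMessage(string $message, string $cryptKey, string $hmacKey): string
{
    // IV: not secret, but random for every encrypted text
    $iv = random_bytes(openssl_cipher_iv_length(CIPHER));
    $cipher = openssl_encrypt($message, CIPHER, $cryptKey, OPENSSL_RAW_DATA, $iv);
    if ($cipher === false) {
        throw new RuntimeException('Encryption failed');
    }
    // Sign IV and cipher text together so neither can be altered unnoticed
    $hmac = hash_hmac(MAC_ALGO, $iv . $cipher, $hmacKey, true);
    return base64_encode($iv . $cipher . $hmac);
}

function openMessage(string $encoded, string $cryptKey, string $hmacKey): string
{
    $decoded = base64_decode($encoded, true);
    $ivLen   = openssl_cipher_iv_length(CIPHER);
    if ($decoded === false || strlen($decoded) <= $ivLen + MAC_LEN) {
        throw new RuntimeException('Malformed input');
    }
    $iv     = substr($decoded, 0, $ivLen);
    $hmac   = substr($decoded, -MAC_LEN);
    $cipher = substr($decoded, $ivLen, -MAC_LEN);

    // Always verify the signature first, in constant time
    $expected = hash_hmac(MAC_ALGO, $iv . $cipher, $hmacKey, true);
    if (!hash_equals($expected, $hmac)) {
        throw new RuntimeException('HMAC does not match');
    }
    $message = openssl_decrypt($cipher, CIPHER, $cryptKey, OPENSSL_RAW_DATA, $iv);
    if ($message === false) {
        throw new RuntimeException('Decryption failed');
    }
    return $message;
}

// Constructed sample keys: two independent 32-byte random keys
$cryptKey = random_bytes(32);
$hmacKey  = random_bytes(32);

$sealed = sealMessage("Do not tell my boss, but I did xyz", $cryptKey, $hmacKey);
echo openMessage($sealed, $cryptKey, $hmacKey), PHP_EOL;

// Flip one bit inside the cipher text: verification fails and nothing is decrypted
$raw = base64_decode($sealed);
$raw[20] = $raw[20] ^ "\x01";
try {
    openMessage(base64_encode($raw), $cryptKey, $hmacKey);
} catch (RuntimeException $e) {
    echo 'Rejected: ', $e->getMessage(), PHP_EOL;
}
```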
USE A LIBRARY
http://phpseclib.sourceforge.net
They've done the hard parts, save yourself the headache and just use it.
It's even PHP4+ compatible, so no excuses.
EXAMPLE: USING PHPSECLIB
```php
$crypt_key = 'MySecretKey';
$hmac_key = 'HashingKey';
$message = "Do not tell my boss, but I did xyz";

require 'Crypt/DES.php';
require 'Crypt/Hash.php';

$des = new Crypt_DES();
$des->setKey($crypt_key);
$cipher = $des->encrypt($message);

$hash = new Crypt_Hash('sha512');
$hash->setKey($hmac_key);
$hmac = bin2hex($hash->hash($cipher));
```
EXAMPLE: USING PHPSECLIB
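```php
require 'Crypt/DES.php';
require 'Crypt/Hash.php';

$hash = new Crypt_Hash('sha512');
$hash->setKey($hmac_key);
$verify_hmac = bin2hex($hash->hash($cipher));

// Verify first, decrypt only on a match; hash_equals() (PHP >= 5.6)
// compares in constant time, unlike ==
if (hash_equals($verify_hmac, $hmac)) {
    $des = new Crypt_DES();
    $des->setKey($crypt_key);
    $message = $des->decrypt($cipher);
}
```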
ASYMMETRIC ENCRYPTION
a.k.a. Public-Key Encryption
COMMON ASYMMETRIC USES
• SSH Keys
• HTTPS / SSL
• PGP: Pretty Good Privacy
  • Email
  • Files
  • Really any message
EXAMPLE: ASYMMETRIC CODE
http://codereaper.com/blog/2014/asymmetric-encryption-in-php/
```
openssl req -x509 -newkey rsa:2048 -keyout private.pem -out public.pem -days 365
```
```php
$key = file_get_contents('public.pem');
$public_key = openssl_get_publickey($key);
$message = "Do not tell my boss, but I did xyz";
$cipher = $e = $iv = null;
// Name the cipher explicitly: the old default was RC4, and PHP 8 requires this argument.
openssl_seal($message, $cipher, $e, array($public_key), 'AES-256-CBC', $iv);
$sealed_data = base64_encode($cipher);
$envelope = base64_encode($e[0]);
$sealed_iv = base64_encode($iv); // the IV travels with the sealed data; it is not secret
```
![Page 92: Encryption: It's For More Than Just Passwords](https://reader034.vdocuments.net/reader034/viewer/2022042716/55aa709f1a28ab512e8b459d/html5/thumbnails/92.jpg)
EXAMPLE: ASYMMETRIC CODE
http://codereaper.com/blog/2014/asymmetric-encryption-in-php/
```php
// $passphrase is the one entered when private.pem was generated.
$key = file_get_contents('private.pem');
$priv_key = openssl_get_privatekey($key, $passphrase);

$input = base64_decode($sealed_data);
$einput = base64_decode($envelope);
$iv = base64_decode($sealed_iv);
$message = null;
// Same cipher and IV as the openssl_seal() call.
openssl_open($input, $message, $einput, $priv_key, 'AES-256-CBC', $iv);
```
![Page 96: Encryption: It's For More Than Just Passwords](https://reader034.vdocuments.net/reader034/viewer/2022042716/55aa709f1a28ab512e8b459d/html5/thumbnails/96.jpg)
ENCRYPTION !== PROTECTION
Encrypted data obtained through SQL injection attacks should be relatively secure.
For us to encrypt/decrypt, we must have access to the key. Therefore, any breach of the system will disclose the key to the attacker, leaving ALL encryption useless.
Apache environment variables, memory, config files, a password entered during system start, and so on do not keep the key private.
![Page 97: Encryption: It's For More Than Just Passwords](https://reader034.vdocuments.net/reader034/viewer/2022042716/55aa709f1a28ab512e8b459d/html5/thumbnails/97.jpg)
AVOID ENCRYPTION AT ALL COSTS!
There is no such thing as 100% secure.
![Page 104: Encryption: It's For More Than Just Passwords](https://reader034.vdocuments.net/reader034/viewer/2022042716/55aa709f1a28ab512e8b459d/html5/thumbnails/104.jpg)
OTHER THINGS TO CONSIDER
• Encrypt / decrypt on a separate server
• More overhead and complexity
• Any server breach can still decrypt data
• With enough thought and monitoring, you can kill the decryption server to limit the damage done
• Think about restricting requests per second
Paranoid about password safety? Consider encrypting the hash. Renders SQL Injection and rainbow tables/brute force mostly useless without the key.
![Page 107: Encryption: It's For More Than Just Passwords](https://reader034.vdocuments.net/reader034/viewer/2022042716/55aa709f1a28ab512e8b459d/html5/thumbnails/107.jpg)
OTHER THINGS TO CONSIDER
Do you need access to the user's information without them on the system?
If your user must be present, then consider making them partially responsible for the security. Have them use a second password or passphrase that you can add to your key to use in the encryption.
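The two suggestions from these slides, encrypting the password hash and adding a user passphrase to your key, are sketched below as an added example that is not code from the presentation. The function names (`seal`, `unseal`, `user_key`), the choice of AES-256-GCM and PBKDF2, the iteration count and all sample values are assumptions made for illustration.

```php
<?php
// Added example: keys, passwords and the record below are constructed samples.

// AES-256-GCM encrypts and authenticates in one step (PHP 7.1+).
function seal(string $key, string $plain): string {
    $iv = random_bytes(12);
    $ct = openssl_encrypt($plain, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
    return base64_encode($iv . $tag . $ct);
}

// Returns the plaintext, or false when the key is wrong or the data was altered.
function unseal(string $key, string $blob) {
    $raw = base64_decode($blob, true);
    if ($raw === false || strlen($raw) < 28) {
        return false;
    }
    return openssl_decrypt(substr($raw, 28), 'aes-256-gcm', $key,
        OPENSSL_RAW_DATA, substr($raw, 0, 12), substr($raw, 12, 16));
}

// Mix the user's passphrase into the server key: both are needed to decrypt.
function user_key(string $serverKey, string $passphrase, string $salt): string {
    $stretched = hash_pbkdf2('sha256', $passphrase, $salt, 200000, 32, true);
    return hash_hmac('sha256', $stretched, $serverKey, true);
}

// The server key must live outside the database; generated here for the demo.
$serverKey = random_bytes(32);

// 1) Encrypt the password hash before it is stored.
$stored = seal($serverKey, password_hash('correct horse', PASSWORD_DEFAULT));
$hash = unseal($serverKey, $stored);
var_dump($hash !== false && password_verify('correct horse', $hash));

// 2) Encrypt a user's record under server key + user passphrase.
$salt = random_bytes(16); // stored next to the record; not secret
$record = seal(user_key($serverKey, 'second passphrase', $salt), 'account 0000-0000');

// Decrypt with the right passphrase, a wrong one, and the server key alone.
var_dump(unseal(user_key($serverKey, 'second passphrase', $salt), $record));
var_dump(unseal(user_key($serverKey, 'wrong guess', $salt), $record));
var_dump(unseal($serverKey, $record));
```

With the second scheme, a breach that discloses the server key still leaves each record bound to a passphrase the server never stores, at the cost that the data cannot be read while the user is absent.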
![Page 108: Encryption: It's For More Than Just Passwords](https://reader034.vdocuments.net/reader034/viewer/2022042716/55aa709f1a28ab512e8b459d/html5/thumbnails/108.jpg)
FINAL WORDS...
I've learned a ton while preparing this presentation.
Thanks especially to Anthony Ferrara (@ircmaxell)
http://blog.ircmaxell.com
![Page 109: Encryption: It's For More Than Just Passwords](https://reader034.vdocuments.net/reader034/viewer/2022042716/55aa709f1a28ab512e8b459d/html5/thumbnails/109.jpg)
THANK YOU!