Cryptography With PHP (slide transcript)
CRYPTOGRAPHY WITH PHP
ABOUT MARK NIEBERGALL
▸ PHP since 2005
▸ Masters degree in MIS
▸ Senior Software Engineer
▸ Team Lead
▸ Drug screening project
▸ President of Utah PHP User Group (UPHPU)
▸ SSCP, CSSLP Certified and SME for (ISC)2
▸ PHP, databases, JavaScript
▸ Drones, fishing, skiing, father, husband
UPHPU
▸ Third Thursday of each month at 7pm
▸ Venue is Vivint in Lehi (3401 Ashton Blvd)
▸ Variety of PHP related topics
▸ Mostly local speakers, occasional traveling speaker
▸ Networking with other developers, companies
▸ Professional development
▸ uphpu.org
OVERVIEW
▸ Why Cryptography
▸ Definitions
▸ Role of Cryptography
▸ Algorithms
▸ Encryption with PHP
▸ Considerations
WHY CRYPTOGRAPHY
▸ Over 100,000 security incidents in 2015
▸ Attacks largely for financial gain
▸ Many going after sensitive data
▸ Review Verizon 2016 Data Breach Investigations Report
▸ Yearly report
▸ Cybersecurity investigations report
▸ Pulls from many sources
▸ Lots of informative charts
Countries represented in report
Incidents by industry
Incidents with data loss
▸ No organization is immune
▸ Cryptography significantly reduces breach cost
▸ Cryptography can prevent leak of actual sensitive data
▸ Attack Countermeasures
▸ Good password policy
▸ Encrypt sensitive data
▸ Encrypt computer disks and devices
DEFINITIONS
▸ Cryptography
▸ The process of writing or reading secret messages or codes
▸ Classical cryptography started thousands of years ago
▸ Advanced during wars of 20th century
▸ The science or study of secret communications
▸ Encryption
▸ To change information from one form to another especially to hide its meaning
▸ En: to make
▸ Crypto: secret or hidden
▸ The actual changing of a communication
▸ Algorithm
▸ A set of steps that are followed in order to solve a mathematical problem or to complete a computer process
▸ Cipher
▸ A way of changing a message to keep it secret
▸ An algorithm used to encrypt or decrypt
▸ Classically included substitution and transposition
▸ Hash
▸ To chop into small pieces
▸ Maps data to a string
▸ One-way hash functions
▸ Schneier “workhorses of modern cryptography”
▸ Input is the message, output is the digest
ROLE OF CRYPTOGRAPHY
▸ World War II
▸ Enigma Machine used by Nazi Germany
▸ Code breaking by Allies, including Alan Turing
▸ Secure communications from third parties
▸ Confidentiality of communications
▸ Secure data at rest
▸ Secure data in transit
▸ First 2 A’s in the AAA Framework
▸ Authentication: credentials
▸ Authorization: encrypt and decrypt data
▸ Accounting
ALGORITHMS
▸ One Way Hash
▸ Data is hashed
▸ Cannot go backwards
▸ Integrity checks
▸ Password checks
▸ Identifiers; ex: Git and Mercurial
▸ One Way Hash
▸ MD5
▸ SHA-1, SHA-2, SHA-3
▸ Symmetric-Key
▸ Same key to encrypt and decrypt
▸ Shared secret key
▸ Stream 1 character at a time
▸ Blocks of X bits
▸ Susceptible to plaintext attacks (known and chosen) and cryptanalysis (differential and linear)
▸ Symmetric-Key
▸ DES
▸ Triple DES
▸ AES
▸ Blowfish
▸ Twofish
▸ Threefish
▸ Asymmetric-Key
▸ Heavily used in cryptography
▸ Public and private keys
▸ Public key is publicly available
▸ Private key is kept secret
▸ Public key used to authenticate messages from owner of the private key
▸ Public key used to encrypt message to send to owner of the private key
▸ Private key used to decrypt inbound messages
▸ Private key used to encrypt outbound messages
▸ Asymmetric-Key (Public-Key)
▸ RSA
▸ DSA
▸ Broken
▸ DES
▸ MD2, MD4, MD5
▸ SHA-1
▸ GOST
▸ Panama
▸ RC4
ENCRYPTION WITH PHP
▸ Hash
▸ Password hashing
▸ mcrypt
▸ openssl
▸ cracklib
▸ CSPRNG
▸ Hash
▸ hash($algorithm, $message, $raw = false);
▸ hash_algos for array of options
▸ hash_file for file contents hash
▸ hash_update for larger data sets
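The hash functions listed above, as an added example that is not from the slides: one-shot hash(), incremental hash_init/hash_update/hash_final for data that arrives in pieces, hash_file() for a file on disk, and hash_equals() for comparing a stored digest. The sample message is constructed here so the script runs offline.

```php
<?php
// Added example (not from the slides): one-shot, incremental and file hashing
// with the hash extension, and a timing-safe digest comparison for integrity
// checks. The sample message is constructed here so the script runs offline.

declare(strict_types=1);

// Refuse to run with an algorithm this build does not provide.
function requireAlgo(string $algo): string
{
    if (!in_array($algo, hash_algos(), true)) {
        throw new RuntimeException("Hash algorithm not available: $algo");
    }
    return $algo;
}

// Integrity check: hash_equals() compares in constant time instead of
// stopping at the first differing byte the way === does.
function digestMatches(string $algo, string $data, string $expectedHex): bool
{
    return hash_equals($expectedHex, hash($algo, $data));
}

$algo    = requireAlgo('sha256');
$message = str_repeat("Some data!\n", 1000); // constructed sample input

// 1. One-shot: hash() digests the whole string held in memory.
$hex = hash($algo, $message);          // 64 hex characters for sha256
$raw = hash($algo, $message, true);    // 32 raw bytes, e.g. for a BINARY(32) column
if (bin2hex($raw) !== $hex) {
    throw new LogicException('raw and hex output disagree');
}

// 2. Incremental: hash_init/hash_update/hash_final digest data that arrives
//    in pieces (uploads, streams) without holding all of it in memory.
$ctx = hash_init($algo);
foreach (str_split($message, 4096) as $chunk) {
    hash_update($ctx, $chunk);
}
$incremental = hash_final($ctx);

// 3. File contents: hash_file() reads the file itself.
$path = tempnam(sys_get_temp_dir(), 'dig');
file_put_contents($path, $message);
$fromFile = hash_file($algo, $path);
unlink($path);

printf("incremental matches one-shot: %s\n", var_export($incremental === $hex, true));
printf("hash_file matches one-shot:   %s\n", var_export($fromFile === $hex, true));
printf("untampered data verifies:     %s\n", var_export(digestMatches($algo, $message, $hex), true));
printf("modified data verifies:       %s\n", var_export(digestMatches($algo, $message . 'x', $hex), true));
```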
▸ Password hashing
▸ $insecure = md5($password);
▸ Too fast
▸ Brute force
▸ 5f4dcc3b5aa765d61d8327deb882cf99
▸ Use password_hash and password_verify
▸ $current = password_hash($password, PASSWORD_DEFAULT);
▸ PASSWORD_DEFAULT can change over time; currently it is bcrypt (Blowfish-based), which has a maximum password length of 72 bytes
▸ $verify = password_verify($password, $current);
▸ Salt is generated automatically
▸ Supplying your own salt via the 'salt' option is deprecated as of PHP 7.0
▸ Option 'cost'
▸ password_hash($password, PASSWORD_DEFAULT, ['cost' => 10]);
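The password_hash/password_verify flow above as an added example, not from the slides: it sets an explicit cost, uses password_needs_rehash() to upgrade hashes stored under an older cost, and shows the 72-byte bcrypt limit in action. The cost policy and all passwords are constructed for the demo.

```php
<?php
// Added example (not from the slides): password_hash/password_verify with an
// explicit cost, upgrading stored hashes when the cost or algorithm changes,
// and a check of the 72-byte bcrypt limit. The cost policy and all passwords
// are constructed for the demo.

declare(strict_types=1);

const PASSWORD_COST = 12; // assumed site policy; tune per server hardware

function hashPassword(string $password): string
{
    // The algorithm id ($2y$), cost and random salt are all stored inside the
    // returned string, so password_verify needs no extra parameters later.
    return password_hash($password, PASSWORD_DEFAULT, ['cost' => PASSWORD_COST]);
}

/**
 * Verify a login. Returns null on failure; on success returns a new hash to
 * persist when the stored one uses an older algorithm or a lower cost,
 * otherwise an empty string.
 */
function verifyPassword(string $password, string $storedHash): ?string
{
    if (!password_verify($password, $storedHash)) {
        return null;
    }
    if (password_needs_rehash($storedHash, PASSWORD_DEFAULT, ['cost' => PASSWORD_COST])) {
        return hashPassword($password);
    }
    return '';
}

// Constructed: a hash created under an old, too-low cost policy.
$legacyHash = password_hash('correct horse battery staple', PASSWORD_BCRYPT, ['cost' => 5]);

$upgrade = verifyPassword('correct horse battery staple', $legacyHash);
printf("correct password accepted: %s\n", var_export($upgrade !== null, true));
printf("rehash issued at cost %d:  %s\n", PASSWORD_COST, var_export($upgrade !== null && $upgrade !== '', true));
printf("wrong password accepted:   %s\n", var_export(verifyPassword('wrong', $legacyHash) !== null, true));

// bcrypt only uses the first 72 bytes of the password, so two passwords that
// share those bytes verify against the same hash. Reject over-long passwords
// at registration rather than silently truncating them.
$prefix = str_repeat('a', 72);
$hash   = hashPassword($prefix . 'X');
printf("73rd byte ignored by bcrypt: %s\n", var_export(password_verify($prefix . 'Y', $hash), true));
```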
▸ mcrypt
▸ Generally use openssl instead (the mcrypt extension is deprecated in PHP 7.1 and removed from core in 7.2)
▸ Supports many ciphers
▸ Encrypt and decrypt
▸ Uses libmcrypt, which hasn't been updated since 2007
▸ So it no longer receives bug fixes or security patches
▸ $digest = hash($algorithm, $data, $raw = false);
▸ Ex: hash('sha256', 'Some data!', true);
▸ mcrypt_encrypt($cipher, $key, $data, $mode, $iv = null);
▸ Ex: mcrypt_encrypt(MCRYPT_TRIPLEDES,
▸ mcrypt_generic
▸ mcrypt_decrypt
▸ mcrypt_create_iv
▸ Initialization vector (IV)
▸ A random per-message value that seeds the cipher mode, so the same plaintext and key produce different ciphertext each time
▸ openssl
▸ Generate and verify signatures
▸ Certificate Signing Requests (CSR)
▸ Encrypt and decrypt data
▸ Actively supported
▸ Private key generation
▸ openssl_pkey_new([$configs]);
▸ openssl_pkey_export_to_file($privateKey, $fileName);
▸ openssl_free_key($privateKey); (deprecated since PHP 8.0, where key objects are freed automatically)
▸ Configuration defaults come from openssl.cnf; override per call with the $configs array
▸ digest_alg: Digest method to use
▸ x509_extensions: Extensions to use for an X.509 certificate
▸ req_extensions: Extensions to use for a CSR
▸ private_key_bits: Size in bits for private key generation
▸ private_key_type: Type of key (e.g. OPENSSL_KEYTYPE_RSA)
▸ encrypt_key: Whether to encrypt the exported key with a passphrase
▸ encrypt_key_cipher: Cipher used to encrypt the exported key
▸ Public key generation
▸ openssl_pkey_get_details($privateKey)
▸ Array with keys bits, key (public key), rsa, type
▸ Encrypting data
▸ Encrypt in chunks smaller than key bit size
▸ openssl_public_encrypt
▸ Decrypting data
▸ openssl_pkey_get_private($privateKey)
▸ openssl_private_decrypt($chunk, $decrypted, $privateKey)
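The openssl steps above (private key generation with a config array, public key extraction with openssl_pkey_get_details, chunked openssl_public_encrypt, openssl_private_decrypt) as one runnable script; this is an added example, not code from the slides. The config values, passphrase and message are constructed for the demo, and OAEP padding is used instead of the PKCS#1 v1.5 default, which changes the per-chunk limit.

```php
<?php
// Added example (not from the slides): the openssl key-generation, public-key
// extraction and chunked encrypt/decrypt steps as one runnable script.
// The config values, passphrase and message are constructed for the demo; OAEP
// padding is used instead of the PKCS#1 v1.5 default, which changes the chunk size.

declare(strict_types=1);

const PASSPHRASE = 'demo-passphrase'; // constructed; load from a secret store in practice

// Private key generation (values override the defaults from openssl.cnf).
$privateKey = openssl_pkey_new([
    'digest_alg'       => 'sha256',
    'private_key_bits' => 2048,
    'private_key_type' => OPENSSL_KEYTYPE_RSA,
]);
if ($privateKey === false) {
    throw new RuntimeException('Key generation failed: ' . openssl_error_string());
}
$keyFile = tempnam(sys_get_temp_dir(), 'key');
openssl_pkey_export_to_file($privateKey, $keyFile, PASSPHRASE); // encrypted PEM on disk

// Public key generation: read it off the private key.
$details      = openssl_pkey_get_details($privateKey);
$publicKeyPem = $details['key'];  // PEM text that can be published
$keyBits      = $details['bits']; // 2048

// RSA encrypts at most one key-sized block per call; with OAEP (SHA-1) the
// padding costs 42 bytes, so the plaintext is split into keyBytes - 42 chunks.
function rsaEncryptChunks(string $plaintext, string $publicKeyPem, int $keyBits): array
{
    $chunkSize = intdiv($keyBits, 8) - 42;
    $chunks = [];
    foreach (str_split($plaintext, $chunkSize) as $piece) {
        $encrypted = '';
        if (!openssl_public_encrypt($piece, $encrypted, $publicKeyPem, OPENSSL_PKCS1_OAEP_PADDING)) {
            throw new RuntimeException('Encrypt failed: ' . openssl_error_string());
        }
        $chunks[] = $encrypted; // each ciphertext chunk is exactly keyBytes long
    }
    return $chunks;
}

function rsaDecryptChunks(array $chunks, string $keyFile, string $passphrase): string
{
    $privateKey = openssl_pkey_get_private('file://' . $keyFile, $passphrase);
    if ($privateKey === false) {
        throw new RuntimeException('Cannot load private key: ' . openssl_error_string());
    }
    $plaintext = '';
    foreach ($chunks as $chunk) {
        $decrypted = '';
        if (!openssl_private_decrypt($chunk, $decrypted, $privateKey, OPENSSL_PKCS1_OAEP_PADDING)) {
            throw new RuntimeException('Decrypt failed: ' . openssl_error_string());
        }
        $plaintext .= $decrypted;
    }
    return $plaintext;
}

// Constructed message longer than one 214-byte chunk, so two RSA operations are needed.
$message   = str_repeat('Sensitive record #42 ', 20);
$chunks    = rsaEncryptChunks($message, $publicKeyPem, $keyBits);
$roundTrip = rsaDecryptChunks($chunks, $keyFile, PASSPHRASE);
printf("chunks: %d, round trip ok: %s\n", count($chunks), var_export($roundTrip === $message, true));
unlink($keyFile);
// openssl_free_key() is unnecessary on PHP 8, where key objects are freed automatically.
```

For anything larger than a few hundred bytes, encrypt the payload with a symmetric cipher and use RSA only to wrap the symmetric key; chunking is shown here because that is the approach the slides describe.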
▸ openssl_encrypt($data, $cipher, $password, $options, $iv)
▸ openssl_encrypt('Password123!@#', 'AES256', $publicKeyString, 0, $largeRandomNumber)
▸ 'AES256' is OpenSSL's alias for aes-256-cbc; $iv must be exactly openssl_cipher_iv_length($cipher) bytes (16 for AES-CBC) and fresh for every message
▸ cracklib
▸ PECL extension, must be installed
▸ Checks complexity of passwords
▸ Still experimental
▸ crack_opendict('/path/to/dictionary')
▸ crack_check($dictionary, $password)
▸ crack_getlastmessage()
▸ crack_closedict($dictionary)
▸ Messages returned by crack_getlastmessage():
▸ it's WAY too short
▸ it is too short
▸ it does not contain enough DIFFERENT characters
▸ it is all whitespace
▸ it is too simplistic/systematic
▸ it looks like a National Insurance number.
▸ it is based on a dictionary word
▸ it is based on a (reversed) dictionary word
▸ strong password
▸ CSPRNG
▸ Part of PHP 7 core
▸ Cryptographically Secure Pseudo-Random Number Generator (CSPRNG)
▸ random_bytes($length)
▸ random_int($min, $max)
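An added example (not from the slides) that ties the openssl_encrypt() call from the openssl section to the CSPRNG functions here: random_bytes() supplies the 256-bit key and the per-message IV, openssl_encrypt() runs AES-256-CBC, and an HMAC over IV and ciphertext is checked with hash_equals() before decryption. The cipher name, key handling and message are assumptions for the demo.

```php
<?php
// Added example (not from the slides): symmetric encryption with openssl_encrypt,
// using random_bytes() from the PHP 7 CSPRNG for the key and IV, and an HMAC so
// tampering is detected before decryption. Key handling and the message are assumed.

declare(strict_types=1);

const CIPHER = 'aes-256-cbc';

// A fresh 256-bit key from the CSPRNG. In a real system this comes from a key
// store, never from a public key string or a hard-coded value.
function generateKey(): string
{
    return random_bytes(32);
}

// Separate MAC key derived from the encryption key (simple domain separation).
function macKey(string $key): string
{
    return hash_hmac('sha256', 'mac', $key, true);
}

/** Returns base64(iv . ciphertext . hmac). */
function encryptMessage(string $plaintext, string $key): string
{
    $ivLength = openssl_cipher_iv_length(CIPHER); // 16 for AES-CBC
    $iv = random_bytes($ivLength);                // unique per message
    $ciphertext = openssl_encrypt($plaintext, CIPHER, $key, OPENSSL_RAW_DATA, $iv);
    if ($ciphertext === false) {
        throw new RuntimeException('Encrypt failed: ' . openssl_error_string());
    }
    $mac = hash_hmac('sha256', $iv . $ciphertext, macKey($key), true);
    return base64_encode($iv . $ciphertext . $mac);
}

function decryptMessage(string $encoded, string $key): string
{
    $blob = base64_decode($encoded, true);
    $ivLength = openssl_cipher_iv_length(CIPHER);
    if ($blob === false || strlen($blob) < $ivLength + 32) {
        throw new RuntimeException('Malformed message');
    }
    $iv         = substr($blob, 0, $ivLength);
    $mac        = substr($blob, -32);
    $ciphertext = substr($blob, $ivLength, -32);
    // Check the MAC first, in constant time, so a tampered message is rejected
    // before the cipher ever sees it.
    $expected = hash_hmac('sha256', $iv . $ciphertext, macKey($key), true);
    if (!hash_equals($expected, $mac)) {
        throw new RuntimeException('Authentication failed');
    }
    $plaintext = openssl_decrypt($ciphertext, CIPHER, $key, OPENSSL_RAW_DATA, $iv);
    if ($plaintext === false) {
        throw new RuntimeException('Decrypt failed: ' . openssl_error_string());
    }
    return $plaintext;
}

// Constructed demo data.
$key   = generateKey();
$token = encryptMessage('Password123!@#', $key);
printf("round trip ok: %s\n", var_export(decryptMessage($token, $key) === 'Password123!@#', true));

// Flip one bit inside the ciphertext and confirm the MAC check rejects it.
$tampered = base64_decode($token);
$tampered[20] = chr(ord($tampered[20]) ^ 0x01);
try {
    decryptMessage(base64_encode($tampered), $key);
} catch (RuntimeException $e) {
    echo "tampered message rejected: {$e->getMessage()}\n";
}
```

On PHP 7.1 and later, 'aes-256-gcm' is also available and produces an authentication tag through openssl_encrypt's $tag argument, which removes the need for the separate HMAC.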
CONSIDERATIONS
▸ Salts
▸ Algorithm costs
▸ Timing attacks
▸ Brute force attacks
▸ Rainbow tables
▸ Max message length
▸ Salts
▸ Increased security for digest if done correctly
▸ Ex: $salt . $password
▸ Pepper debate
▸ Let password_hash generate the salt for you
▸ Different salt per password or message
▸ Algorithm Costs
▸ Default cost for password_hash is 10
▸ Higher cost leads to more processing time
▸ 8-12 is generally a good baseline
▸ Might change depending on hardware available
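Picking the cost for the hardware at hand, as an added example that is not from the slides: hash a fixed password at increasing costs and return the lowest cost that meets a target time. The target time and the cost bounds are assumptions.

```php
<?php
// Added example (not from the slides): find the lowest bcrypt cost whose hashing
// time meets a target on the current hardware, so the cost passed to
// password_hash can be tuned per server instead of fixed at the default of 10.
// The target time and cost bounds are assumptions.

declare(strict_types=1);

/**
 * Returns the smallest cost in [$minCost, $maxCost] that takes at least
 * $targetSeconds to hash one password, or $maxCost if none does.
 */
function chooseBcryptCost(float $targetSeconds = 0.25, int $minCost = 8, int $maxCost = 14): int
{
    for ($cost = $minCost; $cost <= $maxCost; $cost++) {
        $start = microtime(true);
        password_hash('benchmark-password', PASSWORD_BCRYPT, ['cost' => $cost]);
        $elapsed = microtime(true) - $start;
        // Each cost step doubles the work, so the time roughly doubles per step.
        if ($elapsed >= $targetSeconds) {
            return $cost;
        }
    }
    return $maxCost;
}

$cost = chooseBcryptCost();
printf("Recommended cost on this host: %d\n", $cost);
```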
▸ Timing Attacks
▸ Analyzing timing for algorithms
▸ Time variation for hashing, encrypting, decrypting
▸ Ex: username not found, so no password check is attempted; the faster response reveals which usernames exist
▸ Ex: string comparisons stop at the first mismatched byte
▸ Timing safety is built into functions such as hash_equals and password_verify, which take the same time for a positive or negative match
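A login check that closes both timing leaks named above, as an added example that is not from the slides: an unknown username still costs a full password_verify() against a dummy hash, and fixed secrets are compared with hash_equals(). The in-memory user table and dummy hash are constructed for the demo.

```php
<?php
// Added example (not from the slides): a login check whose running time does not
// depend on whether the username exists or on where the password differs. The
// in-memory user table and the dummy hash are constructed for the demo.

declare(strict_types=1);

// Constructed user store: username => password_hash output.
$users = [
    'alice' => password_hash('alice-secret', PASSWORD_DEFAULT, ['cost' => 10]),
];

// A hash of a random value, computed once per process, that is verified when the
// username is unknown so the "not found" path costs as much as a real check.
// Its cost must match the cost used for real stored hashes.
$dummyHash = password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT, ['cost' => 10]);

function login(array $users, string $dummyHash, string $username, string $password): bool
{
    $known = array_key_exists($username, $users);
    $hash  = $known ? $users[$username] : $dummyHash;

    // password_verify runs the full bcrypt computation either way; the result
    // only counts when the user actually exists.
    $passwordOk = password_verify($password, $hash);

    return $known && $passwordOk;
}

// Timing-safe comparison of fixed secrets (API tokens, HMACs): === returns at
// the first mismatching byte, hash_equals does not.
function tokenMatches(string $expected, string $provided): bool
{
    return hash_equals($expected, $provided);
}

// Demo with constructed inputs; note that the unknown user takes as long as a real one.
foreach ([['alice', 'alice-secret'], ['alice', 'wrong'], ['mallory', 'anything']] as [$u, $p]) {
    $start = microtime(true);
    $ok = login($users, $dummyHash, $u, $p);
    printf("%-8s %-13s ok=%-5s %.3fs\n", $u, $p, var_export($ok, true), microtime(true) - $start);
}
printf("token check: %s\n", var_export(tokenMatches('abc123', 'abc123'), true));
```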
▸ Brute Force Attacks
▸ Timing attack used to brute force list of usernames
▸ Dictionary attack using dictionary and common passwords
▸ Take time (many attempts spread over a long period)
▸ Advanced Persistent Threat (APT)
▸ Countermeasures
▸ Lock accounts, but this can be turned into a denial of service against legitimate users
▸ Add time to each login
▸ Lock by IP address
▸ Vary failed login attempt behavior (Ex: HTTP status, redirect)
▸ Key words in HTML comments (invalid login, bad username or password) that give away which check failed
▸ Security questions
▸ CAPTCHA
▸ Add another factor (multi-factor authentication)
▸ Rainbow Tables
▸ Table with hashes already figured out
▸ Used for hashing that always generates same hash for an input
▸ Counter with modern algorithms, salts
▸ Common for MD5, SHA1, LM
▸ Internet search for the hash
▸ Online hash cracking sites
▸ Max Message Length
▸ Only X characters considered when generating hash
▸ Ex: MD5 max is 128 characters in, 32 hex out
▸ Identify sensitive data
▸ Determine appropriate encryption
▸ Use cryptography to keep data safe
▸ Cryptography can help minimize damage
▸ Electronic data breaches
▸ Stolen electronic devices
▸ Data transmission
▸ Cryptography cannot help minimize damage
▸ Phishing attacks
▸ Credential theft
▸ Escalation of privileges
▸ DoS/DDoS
▸ Social engineering
▸ Security education
▸ Verizon Data Breach Investigation Report
▸ SANS Institute, email digest
▸ Krebs on Security blog
▸ OWASP
▸ BrightTALK
SOURCES
▸ Merriam-Webster Dictionary online
▸ PHP.net documentation
▸ Virendra Chandak https://www.virendrachandak.com
▸ OWASP
▸ Verizon 2016 Data Breach Investigations Report