Encryption: It's For More Than Just Passwords - tek13

ENCRYPTION: It’s For More Than Just Passwords

Thursday, May 16, 13

Upload: john-congdon

Post on 01-Sep-2014


DESCRIPTION

This presentation was given at php|tek13. It covers today's best practices for password hashing, and encryption techniques.

TRANSCRIPT

JOHN CONGDON

• PHP Developer Since 2003
• SDPHP User Group Organizer
• Sr PHP Developer for Networx Online
• PhoneBurner.com
• MeetingBurner.com
• FaxBurner.com
• I Am Not A Cryptographer

Today’s Discussion Points

• Hashing
• Encryption

Plain Text

    $username = $_POST['username'];
    $password = $_POST['password'];

    $user = getUserByUserName($username);

    // Compares the submitted password with the plain-text value stored for the user
    if ($user->password == $password) {
        $valid = true;
    } else {
        $valid = false;
    }

Plain Text: Vulnerabilities

SQL injection gives you every user’s password

Cryptographic Hashing

Wikipedia Definition: A cryptographic hash function is a hash function; that is, an algorithm that takes an arbitrary block of data and returns a fixed-size bitstring, the (cryptographic) hash value, such that any (accidental or intentional) change to the data will (with very high probability) change the hash value. The data to be encoded are often called the "message," and the hash value is sometimes called the message digest or simply digest.

“message” → HASH → “digest”

“unicorn” → HASH → “1abcb33beeb811dca15f0ac3e47b88d9”

Cryptographic Hashing: One Way

“message” → HASH → “digest”

“unicorn” → HASH → “1abcb33beeb811dca15f0ac3e47b88d9”

Cryptographic Hashing: Algorithms

    <?php
    print_r(hash_algos());
    ?>

    Array
    (
        [0] => md2
        [1] => md4
        [2] => md5
        [3] => sha1
        [4] => sha224
        [5] => sha256
        [6] => sha384
        [7] => sha512
        [8] => ripemd128
        [9] => ripemd160
        [10] => ripemd256
        [11] => ripemd320
        [12] => whirlpool
        [13] => tiger128,3
        [14] => tiger160,3
        [15] => tiger192,3
        [16] => tiger128,4
        [17] => tiger160,4
        [18] => tiger192,4
        [19] => snefru
        [20] => snefru256
        [21] => gost
        [22] => adler32
        [23] => crc32
        [24] => crc32b
        [25] => salsa10
        [26] => salsa20
        [27] => haval128,3
        [28] => haval160,3
        [29] => haval192,3
        [30] => haval224,3
        [31] => haval256,3
        [32] => haval128,4
        [33] => haval160,4
        [34] => haval192,4
        [35] => haval224,4
        [36] => haval256,4
        [37] => haval128,5
        [38] => haval160,5
        [39] => haval192,5
        [40] => haval224,5
        [41] => haval256,5
    )

Cryptographic Hashing: Vulnerabilities

SQL injection gives you every user’s hashed password

Rainbow Table Example: Searched for a Hash

Salting Cryptographic Hashes

Wikipedia Definition: In cryptography, a salt is random data that are used as an additional input to a one-way function that hashes a password or passphrase.

A new salt is randomly generated for each password. In a typical setting, the salt and the password are concatenated and processed with a cryptographic hash function, and the resulting output (but not the original password) is stored with the salt in a database.

    $hash = md5('RAND_SALT' . $_POST['password']);

RAND_SALT must come from a cryptographically secure source.
Not from: rand, mt_rand, or uniqid
Use: /dev/urandom, mcrypt, openssl

Today’s Best Practice: BCrypt

• Slower by design
• Configurable to help withstand the test of time (cost param)
• Should be configured to take 0.25 to 0.50 seconds
• Start with a cost of 10, use higher if possible

PHP 5.5 Password Hashing API

http://www.php.net/manual/en/ref.password.php

array password_get_info(string $hash)

Returns 3 elements:
• algo: constant value
• algoName: bcrypt
• options: the options provided to password_hash

    Array
    (
        [algo] => 1
        [algoName] => bcrypt
        [options] => Array
            (
                [cost] => 11
            )
    )

boolean password_needs_rehash(string $hash, int $algo [, array $options])

Assuming password_verify was successful above:

    if (password_needs_rehash($hash, PASSWORD_DEFAULT, $options)) {
        // Re-hash with the current algorithm and options, then store the new hash
        $user->password = password_hash($password, PASSWORD_DEFAULT, $options);
        $user->update();
    }

I Lied: PHP >= 5.3.7 Password Hashing API

https://github.com/ircmaxell/password_compat

A forward-compatible password API implementation that will work until you are ready to upgrade to 5.5. This will work for all versions of PHP that have the $2y fix.

Upgrading to 5.5 will not break your current code if you use this library.

Example: Creating a user

    <?php
    require 'password.php';

    $hash = password_hash($_POST['password'], PASSWORD_DEFAULT);
    if ($hash === false) {
        // handle this error case somehow...
    }

    $user = Model_User::createNewUser($_POST['username']);
    $user->setPassword($hash);
    $user->update();

Example: Logging a user in

    <?php
    require 'password.php';

    $user = Model_User::getUserByUserName($_POST['username']);
    if (password_verify($_POST['password'], $user->password)) {
        return true;
    } else {
        die("Invalid credentials");
    }

Example: Logging a user in and checking for rehash

    // ...
    $user = Model_User::getUserByUserName($_POST['username']);
    if (password_verify($_POST['password'], $user->password)) {
        // Check against the same algorithm and options used to create the new hash
        if (password_needs_rehash($user->password, PASSWORD_DEFAULT, $options)) {
            $hash = password_hash($_POST['password'], PASSWORD_DEFAULT, $options);

            $user->setPassword($hash);
            $user->update();
        }
    // ...
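The cost guidance and the rehash-on-login flow from the slides above, combined in one added example that is not from the original talk. It assumes PHP 5.5+ and passes PASSWORD_BCRYPT explicitly because the cost option is bcrypt-specific; calibrateBcryptCost and verifyAndUpgrade are hypothetical helper names, and the sample password is constructed.

```php
<?php
// Added example, not code from the presentation. Helper names are hypothetical.

// Return the lowest bcrypt cost whose hashing time reaches $targetSeconds.
// Each cost increment doubles the work, so the first cost at or above a
// 0.25 s target normally also stays under 0.50 s.
function calibrateBcryptCost($targetSeconds = 0.25, $startCost = 10, $maxCost = 16)
{
    for ($cost = $startCost; $cost < $maxCost; $cost++) {
        $start = microtime(true);
        password_hash('calibration-sample', PASSWORD_BCRYPT, ['cost' => $cost]);
        if (microtime(true) - $start >= $targetSeconds) {
            break;
        }
    }
    return $cost; // capped at $maxCost if the target was never reached
}

// Verify a login attempt and upgrade the stored hash when it was created
// with weaker parameters than the current policy.
// Returns [bool $ok, string $hashToStore].
function verifyAndUpgrade($password, $storedHash, array $options)
{
    if (!password_verify($password, $storedHash)) {
        return [false, $storedHash];
    }
    if (password_needs_rehash($storedHash, PASSWORD_BCRYPT, $options)) {
        $newHash = password_hash($password, PASSWORD_BCRYPT, $options);
        if ($newHash !== false) {
            $storedHash = $newHash;
        }
    }
    return [true, $storedHash];
}

// Constructed sample: a hash created under an older, cheaper policy (cost 9).
$oldHash = password_hash('correct horse', PASSWORD_BCRYPT, ['cost' => 9]);
$options = ['cost' => calibrateBcryptCost()];

// A successful login transparently upgrades the stored hash.
list($ok, $stored) = verifyAndUpgrade('correct horse', $oldHash, $options);
$info = password_get_info($stored);
printf("login ok: %s, stored cost now %d\n", $ok ? 'yes' : 'no', $info['options']['cost']);

// A failed login leaves the stored hash untouched.
list($ok, $unchanged) = verifyAndUpgrade('wrong guess', $stored, $options);
printf("wrong password accepted: %s, hash unchanged: %s\n",
    $ok ? 'yes' : 'no', $unchanged === $stored ? 'yes' : 'no');
```

Run the calibration on the production hardware, since the resulting cost depends on the machine that performs the hashing.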

Want More? Get Statistics Here

http://blog.ircmaxell.com/2013/01/password-storage-talk-at-php-benelux-13.html

One of my favorite data points from Anthony’s slides

Questions on Password Hashing?

More Than Just Passwords

We may store more sensitive data than just passwords.

Passwords are easy: we don’t care about the original value.

Decryption makes the original value usable by us.

• Credit Card Info
• Social Security Numbers
• Date of Birth
• Personally Identifiable Information

AVOID ENCRYPTION AT ALL COSTS!

Clarification: Avoid keeping any data that you need to encrypt.

Before deciding to keep any of this information, ask yourself why you need it.

Is the risk of potentially leaking this information worth the reward?

Are there alternative solutions?

Example: Credit card companies usually offer a token solution.

Symmetric vs Asymmetric

Symmetric

• Only one shared key
• Same key encrypts and decrypts
• Easiest to understand

Asymmetric

• Two keys (Public & Private)
• Encryption/Decryption
  • Public key encrypts
  • Private key decrypts
• Signing/Verifying
  • Private key signs
  • Public key verifies

Common Asymmetric Uses

• SSH Keys
• HTTPS / SSL
• PGP: Pretty Good Privacy
  • Email
  • Files
  • Really any message

Keys, Ciphers, Modes, and Initialization Vectors Oh My!

• Keys: should be easy to understand (KEEP IT SECRET)
• Ciphers
  • Deterministic algorithm (Ex: 3DES, Blowfish, TwoFish)
• Modes
  • Determines how the key stream is used (never cross them)
  • Avoid ECB (Electronic Code Book)
  • Use CBC or CFB (Cipher Block Chaining / Cipher FeedBack)
• Initialization Vectors
  • Similar to SALT in hashing (It’s not a secret)
  • Must be random per encrypted text

Example: Encrypt using crypt

    $crypt_key = 'xxxxxxxxxxxxxxxxxxxxxxxxxxx';
    $message = 'My Credit Card Number is 4123123412341234';
    $iv_size = mcrypt_get_iv_size(MCRYPT_BLOWFISH, MCRYPT_MODE_CBC);
    // A fresh random IV for every message
    $iv = mcrypt_create_iv($iv_size, MCRYPT_DEV_URANDOM);

    $cipher = mcrypt_encrypt(MCRYPT_BLOWFISH, $crypt_key, $message, MCRYPT_MODE_CBC, $iv);

HMAC: Hash-based Message Authentication Code

Using a separate key, this will give us a signature letting us know that the data has not been tampered with.

When Encrypting: Always encrypt first, and then get signature of the Cipher Text.

Store it with your Initialization Vector and Cipher Text.

When Decrypting: Always verify signature first, and then decrypt if matched.


Example: Using HMAC

    $crypt_key = 'xxxxxxxxxxxxxxxxxxxxxxxxxxx';
    $hmac_key = 'yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy';

    // Sign the cipher text produced by the encryption step
    $hmac = hash_hmac('sha512', $cipher, $hmac_key);

    // Store it with your encrypted data
    $encrypted = base64_encode($iv . $cipher . $hmac);

Example: Decrypt using HMAC and crypt

    $crypt_key = 'xxxxxxxxxxxxxxxxxxxxxxxxxxx';
    $hmac_key = 'yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy';
    $iv_size = mcrypt_get_iv_size(MCRYPT_BLOWFISH, MCRYPT_MODE_CBC);
    $encrypted = base64_decode($encrypted);
    $iv = substr($encrypted, 0, $iv_size);
    // hash_hmac() returns hex by default, so a SHA-512 HMAC is the last 128 characters
    $hmac = substr($encrypted, -128);
    $cipher = substr($encrypted, $iv_size, -128);
    // Verify the signature first; hash_equals() (PHP >= 5.6) compares in constant time
    if (!hash_equals(hash_hmac('sha512', $cipher, $hmac_key), $hmac)) {
        return false;
    }
    $message = mcrypt_decrypt(MCRYPT_BLOWFISH, $crypt_key, $cipher, MCRYPT_MODE_CBC, $iv);
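The encrypt-then-HMAC procedure from the slides above as a complete round trip, added here as an example and not taken from the talk. It swaps mcrypt (removed in PHP 7.2) for the openssl extension with AES-256-CBC, assumes PHP 7+ for random_bytes, and computes the HMAC over the IV as well as the cipher text; sealMessage, openMessage, flipBit and the generated keys are hypothetical, and the message is the sample string from the slides.

```php
<?php
// Added example, not code from the presentation. Function names are hypothetical.

const CIPHER  = 'aes-256-cbc';
const MAC_LEN = 64; // length in bytes of a raw SHA-512 HMAC

// Encrypt first, then sign IV + cipher text with a separate key.
function sealMessage($message, $cryptKey, $hmacKey)
{
    $iv = random_bytes(openssl_cipher_iv_length(CIPHER)); // new IV per message
    $cipher = openssl_encrypt($message, CIPHER, $cryptKey, OPENSSL_RAW_DATA, $iv);
    if ($cipher === false) {
        return false;
    }
    $hmac = hash_hmac('sha512', $iv . $cipher, $hmacKey, true);
    return base64_encode($iv . $cipher . $hmac);
}

// Verify the signature first, and decrypt only if it matches.
function openMessage($encrypted, $cryptKey, $hmacKey)
{
    $raw = base64_decode($encrypted, true);
    $ivSize = openssl_cipher_iv_length(CIPHER);
    if ($raw === false || strlen($raw) < $ivSize + MAC_LEN + 1) {
        return false; // malformed or truncated input
    }
    $iv     = substr($raw, 0, $ivSize);
    $hmac   = substr($raw, -MAC_LEN);
    $cipher = substr($raw, $ivSize, -MAC_LEN);

    $expected = hash_hmac('sha512', $iv . $cipher, $hmacKey, true);
    if (!hash_equals($expected, $hmac)) { // constant-time comparison
        return false;
    }
    return openssl_decrypt($cipher, CIPHER, $cryptKey, OPENSSL_RAW_DATA, $iv);
}

// Test helper: flip one bit of the stored blob to simulate tampering.
function flipBit($encrypted, $offset)
{
    $raw = base64_decode($encrypted, true);
    $raw[$offset] = chr(ord($raw[$offset]) ^ 0x01);
    return base64_encode($raw);
}

// Constructed keys for the demonstration; real keys are generated once and
// kept outside the database that holds the encrypted data.
$cryptKey = random_bytes(32);
$hmacKey  = random_bytes(32);
$message  = 'My Credit Card Number is 4123123412341234';

$sealed = sealMessage($message, $cryptKey, $hmacKey);

// Untouched blob: verification passes and the message decrypts.
var_dump(openMessage($sealed, $cryptKey, $hmacKey) === $message);
// One bit changed inside the cipher text (offset 20 is past the 16-byte IV).
var_dump(openMessage(flipBit($sealed, 20), $cryptKey, $hmacKey));
// One bit changed inside the IV (offset 0); caught because the HMAC covers it.
var_dump(openMessage(flipBit($sealed, 0), $cryptKey, $hmacKey));
```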

Use a Library

http://phpseclib.sourceforge.net/

They’ve done the hard parts; save yourself the headache and just use it.
It’s even PHP4+ compatible, so no excuses.

Example: Using phpseclib

    $crypt_key = 'xxxxxxxxxxxxxxxxxxxxxxxxxxx';
    $hmac_key = 'yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy';
    $message = 'My Credit Card Number is 4123123412341234';

    // Encrypt, then sign the cipher text
    require_once 'Crypt/DES.php';
    require_once 'Crypt/Hash.php';

    $des = new Crypt_DES();
    $des->setKey($crypt_key);
    $cipher = $des->encrypt($message);

    $hash = new Crypt_Hash('sha512');
    $hash->setKey($hmac_key);
    $hmac = bin2hex($hash->hash($cipher));

    // Verify the signature, then decrypt
    require_once 'Crypt/DES.php';
    require_once 'Crypt/Hash.php';

    $hash = new Crypt_Hash('sha512');
    $hash->setKey($hmac_key);
    $verify_hmac = bin2hex($hash->hash($cipher));

    // hash_equals() (PHP >= 5.6) avoids loose == comparison of hex strings
    if (hash_equals($hmac, $verify_hmac)) {
        $des = new Crypt_DES();
        $des->setKey($crypt_key);
        $message = $des->decrypt($cipher);
    }

Encryption !== Protection

Data obtained through SQL injection attacks or other non-system-penetration attacks should be relatively secure.

For us to encrypt/decrypt, we must have access to the key. Therefore, any breach of system security will disclose the key to the attacker, leaving ALL encryption useless.

An Apache environment variable, memory, config files, or a password entered during system startup: none of these keep the key private.

AVOID ENCRYPTION AT ALL COSTS!

There is no such thing as 100% secure.


Other Things To Consider

Paranoid about password safety? Consider encrypting the hash. This renders SQL injection and rainbow tables/brute force useless.

• Encrypt / decrypt on a separate server.
  • More overhead and complexity.
  • Any server breach can still decrypt data.
  • With enough thought and monitoring, you can kill the decryption server to limit the damage done.
• Think about restricting requests per second

Credits

I’ve learned a lot while preparing this presentation.

Thanks especially to Anthony Ferrara (@ircmaxell)
http://blog.ircmaxell.com

Questions?

JOHN CONGDON

• twitter: @johncongdon
• email: [email protected]
• irc: freenode.net (#sdphp)

PLEASE RATE ON JOIND.IN

https://joind.in/8179