Cryptography With PHP

Mark Niebergall

Jan 19, 2017

https://joind.in/talk/53c3d

ABOUT MARK NIEBERGALL

▸ PHP since 2005

▸ Masters degree in MIS

▸ Senior Software Engineer

▸ Team Lead

▸ Drug screening project

▸ President of Utah PHP User Group (UPHPU)

▸ SSCP, CSSLP Certified and SME for (ISC)2

▸ PHP, databases, JavaScript

▸ Drones, fishing, skiing, father, husband


UPHPU

▸ Third Thursday of each month at 7pm

▸ Venue is Vivint in Lehi (3401 Ashton Blvd)

▸ Variety of PHP related topics

▸ Mostly local speakers, occasional traveling speaker

▸ Networking with other developers, companies

▸ Professional development

▸ uphpu.org

OVERVIEW

▸ Why Cryptography

▸ Definitions

▸ Role of Cryptography

▸ Algorithms

▸ Encryption with PHP

▸ Considerations

WHY CRYPTOGRAPHY

▸ Over 100,000 security incidents in 2015

▸ Attacks largely for financial gain

▸ Many going after sensitive data


▸ Review Verizon 2016 Data Breach Investigations Report

▸ Yearly report

▸ Cybersecurity investigations report

▸ Pulls from many sources

▸ Lots of informative charts

[Chart from the report: countries represented]

[Chart from the report: incidents by industry]

[Chart from the report: incidents with data loss]


▸ No organization is immune

▸ Cryptography can significantly reduce the cost of a breach: stolen data encrypted under a key the attacker does not hold is not usable data

▸ Cryptography can prevent the leak of the actual sensitive data even when the storage holding it is compromised


▸ Attack Countermeasures

▸ Good password policy

▸ Encrypt sensitive data

▸ Encrypt computer disks and devices

DEFINITIONS

▸ Cryptography

▸ The process of writing or reading secret messages or codes

▸ Classical cryptography started thousands of years ago

▸ Advanced during wars of 20th century

▸ The science or study of secret communications


▸ Encryption

▸ To change information from one form to another especially to hide its meaning

▸ En: to make

▸ Crypto: secret or hidden

▸ The actual changing of a communication


▸ Algorithm

▸ A set of steps that are followed in order to solve a mathematical problem or to complete a computer process


▸ Cipher

▸ A way of changing a message to keep it secret

▸ An algorithm used to encrypt or decrypt

▸ Classically included substitution and transposition


▸ Hash

▸ To chop into small pieces

▸ Maps input data of any length to a fixed-length string (the digest)

▸ One-way hash functions

▸ Schneier “workhorses of modern cryptography”

▸ Input is the message, output is the digest

ROLE OF CRYPTOGRAPHY

▸ World War II

▸ Enigma Machine used by Nazi Germany

▸ Code breaking by Allies, including Alan Turing


▸ Secure communications from third parties

▸ Confidentiality of communications


▸ Secure data at rest

▸ Secure data in transit


▸ Supports the first 2 A’s in the AAA Framework

▸ Authentication: proving who you are (password hashes, signatures, certificates)

▸ Authorization: only holders of the right key can decrypt the data

▸ Accounting: logging and audit, which cryptography does not provide by itself

ALGORITHMS

▸ One Way Hash

▸ Data is hashed

▸ Cannot be reversed to recover the input (preimage resistance)

▸ Integrity checks

▸ Password checks

▸ Identifiers; ex: Git and Mercurial


▸ One Way Hash

▸ MD5

▸ SHA-1, SHA-2, SHA-3


▸ Symmetric-Key

▸ Same key to encrypt and decrypt

▸ Shared secret key

▸ Stream ciphers: encrypt one bit or byte at a time with a keystream

▸ Block ciphers: encrypt fixed-size blocks of X bits (64 for DES, 128 for AES) under a mode of operation

▸ Attacks to design against: known- and chosen-plaintext attacks, differential and linear cryptanalysis; modern ciphers such as AES are built to resist these, but a weak mode or a reused key and IV still breaks them


▸ Symmetric-Key

▸ DES

▸ Triple DES

▸ AES


▸ Symmetric-Key

▸ Blowfish

▸ Twofish

▸ Threefish


▸ Asymmetric-Key

▸ Basis of key exchange, digital signatures and certificates (TLS, SSH, code signing)

▸ Public and private keys

▸ Public key is publicly available

▸ Private key is kept secret


▸ Asymmetric-Key

▸ Public key verifies signatures made by the owner of the private key (authenticity)

▸ Public key encrypts a message that only the owner of the private key can read (confidentiality)

▸ Private key decrypts inbound messages

▸ Private key signs outbound messages (signing, not encryption: the padding and purpose differ even though RSA uses the same math)


▸ Asymmetric-Key (Public-Key)

▸ RSA

▸ DSA


▸ Broken or deprecated

▸ DES (56-bit key, brute-forced in under a day with purpose-built hardware)

▸ MD2, MD4, MD5 (practical collisions)

▸ SHA-1 (collision attacks; deprecated for certificates and signatures)

▸ GOST

▸ Panama

▸ RC4 (keystream biases; prohibited in TLS by RFC 7465)

ENCRYPTION WITH PHP

▸ Hash

▸ Password hashing

▸ mcrypt (deprecated in PHP 7.1 and removed from core in 7.2)

▸ openssl

▸ cracklib

▸ CSPRNG


▸ Hash

▸ hash($algorithm, $message, $raw = false);

▸ hash_algos() returns the list of supported algorithm names

▸ hash_file() hashes a file’s contents

▸ hash_init(), hash_update() and hash_final() hash large data incrementally

▸ hash_equals() compares two digests in constant time
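The hash API above, as an added example that is not code from the slides: a streaming file hash built on hash_init/hash_update/hash_final, a constant-time check of the digest with hash_equals, and a keyed digest with hash_hmac. The input file is a temporary file constructed by the script itself; it needs PHP 7.0 or later.

```php
<?php
declare(strict_types=1);

// Added example (not from the slides): streaming hash of a large file,
// constant-time verification of an expected digest, and a keyed digest.

// Hash a file in chunks so memory use stays flat regardless of file size.
function streamingFileHash(string $path, string $algo = 'sha256'): string
{
    if (!in_array($algo, hash_algos(), true)) {
        throw new InvalidArgumentException("Unsupported algorithm: $algo");
    }
    $ctx = hash_init($algo);
    $fh = fopen($path, 'rb');
    if ($fh === false) {
        throw new RuntimeException("Cannot open $path");
    }
    try {
        while (!feof($fh)) {
            $chunk = fread($fh, 8192);
            if ($chunk === false) {
                throw new RuntimeException("Read error on $path");
            }
            hash_update($ctx, $chunk);
        }
    } finally {
        fclose($fh);
    }
    return hash_final($ctx); // lowercase hex digest
}

// Integrity check against a published digest. hash_equals does not stop at
// the first differing byte, so the comparison time does not leak a prefix.
function verifyFileDigest(string $path, string $expectedHex, string $algo = 'sha256'): bool
{
    return hash_equals(strtolower($expectedHex), streamingFileHash($path, $algo));
}

// Keyed digest (HMAC) for data you need to authenticate, not just fingerprint.
function sign(string $message, string $key): string
{
    return hash_hmac('sha256', $message, $key);
}

// --- demo with a constructed temporary file (~1.1 MB) ---
$tmp = tempnam(sys_get_temp_dir(), 'hash');
file_put_contents($tmp, str_repeat("Some data!\n", 100000));

$digest = streamingFileHash($tmp);
var_dump($digest === hash_file('sha256', $tmp));        // streaming matches one-shot
var_dump(verifyFileDigest($tmp, strtoupper($digest)));   // case-insensitive hex accepted
var_dump(verifyFileDigest($tmp, str_repeat('0', 64)));   // wrong digest rejected

$key = random_bytes(32);                                  // constructed HMAC key
$mac = sign('Some data!', $key);
var_dump(hash_equals($mac, sign('Some data!', $key)));
unlink($tmp);
```

The chunked loop is what hash_file does internally; writing it out matters when the data is not a file (a socket, an upload stream) or when you need to feed the same context from several sources.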


▸ Password hashing

▸ $insecure = md5($password);

▸ Too fast: commodity GPUs compute billions of MD5 hashes per second

▸ Brute force and dictionary attacks finish quickly, and with no salt, identical passwords produce identical hashes

▸ 5f4dcc3b5aa765d61d8327deb882cf99 is md5('password'); a web search for that string returns the plaintext


▸ Password hashing

▸ Use password_hash and password_verify

▸ $current = password_hash($password, PASSWORD_DEFAULT);

▸ PASSWORD_DEFAULT can change over time; it is currently bcrypt (Blowfish-based), which only uses the first 72 bytes of the password

▸ $verify = password_verify($password, $current);


▸ Password hashing

▸ Salt generated automatically from a CSPRNG and stored inside the hash string

▸ The ‘salt’ option is deprecated as of PHP 7.0; do not supply your own

▸ Option ‘cost’ sets the bcrypt work factor (default 10)

▸ password_hash($password, PASSWORD_DEFAULT, ['cost' => 10]);
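Password hashing as described above, as an added example rather than code from the slides: hashing at registration, verifying at login, transparently rehashing when the stored cost is lower than the current policy, and a benchmark to choose the cost. PASSWORD_COST = 12 and the 250 ms target are assumptions for one machine; nullable return types need PHP 7.1 or later.

```php
<?php
declare(strict_types=1);

// Added example (not from the slides): register/login flow with
// password_hash / password_verify and transparent cost upgrades.

const PASSWORD_COST = 12; // assumption: tuned so one hash takes ~250 ms here

function hashPassword(string $password): string
{
    // bcrypt only looks at the first 72 bytes; reject longer input rather
    // than silently truncating it.
    if (strlen($password) > 72) {
        throw new InvalidArgumentException('Password exceeds 72 bytes');
    }
    // The salt is generated internally from a CSPRNG and stored in the output.
    return password_hash($password, PASSWORD_DEFAULT, ['cost' => PASSWORD_COST]);
}

// Returns the stored hash (possibly upgraded) on success, null on failure.
function checkPassword(string $password, string $storedHash): ?string
{
    if (!password_verify($password, $storedHash)) {
        return null;
    }
    // If the algorithm or cost has changed since the hash was made, rehash
    // now while the plaintext is available, and persist the new value.
    if (password_needs_rehash($storedHash, PASSWORD_DEFAULT, ['cost' => PASSWORD_COST])) {
        return hashPassword($password);
    }
    return $storedHash;
}

// Pick a cost empirically: the highest value that stays under a time budget.
function tuneCost(float $targetSeconds = 0.25): int
{
    $cost = 8;
    do {
        $cost++;
        $start = microtime(true);
        password_hash('benchmark', PASSWORD_BCRYPT, ['cost' => $cost]);
    } while (microtime(true) - $start < $targetSeconds && $cost < 31);
    return $cost - 1;
}

// --- demo with a constructed legacy hash at cost 10 ---
$legacy = password_hash('correct horse battery staple', PASSWORD_BCRYPT, ['cost' => 10]);

// Cost 10 is below PASSWORD_COST, so a successful login returns a fresh hash.
$stored = checkPassword('correct horse battery staple', $legacy);
var_dump($stored !== null && $stored !== $legacy);
var_dump(password_get_info($stored)['options']['cost'] === PASSWORD_COST);
var_dump(checkPassword('wrong password', $legacy) === null);
printf("suggested cost on this machine: %d\n", tuneCost());
```

Store whatever checkPassword returns back to the user row whenever it differs from what was loaded; that is how an old cost (or an old algorithm, once PASSWORD_DEFAULT moves) gets retired without a mass reset.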


▸ mcrypt

▸ Generally use openssl instead; mcrypt is deprecated in PHP 7.1 and removed from core in PHP 7.2

▸ Supports many ciphers, but no authenticated modes such as GCM, and it zero-pads rather than using PKCS#7 padding

▸ Encrypt and decrypt

▸ Uses libmcrypt, which hasn’t been updated since 2007

▸ So it receives no bug fixes or security patches


▸ mcrypt

▸ $digest = hash($algorithm, $data, $raw = false);

▸ Ex: hash('sha256', 'Some data!', true);

▸ mcrypt_encrypt($cipher, $key, $data, $mode, $iv = null);

▸ Ex: mcrypt_encrypt(MCRYPT_TRIPLEDES,


▸ mcrypt

▸ mcrypt_generic

▸ mcrypt_decrypt

▸ mcrypt_create_iv($size, MCRYPT_DEV_URANDOM)

▸ Initialization vector

▸ A random, non-secret value that makes repeated encryption of the same plaintext produce different ciphertext; it must be unique per message and travels with the ciphertext (random_bytes is the modern source for it)


▸ openssl

▸ Generate and verify signatures

▸ Certificate Signing Requests (CSR)

▸ Encrypt and decrypt data

▸ Actively supported


▸ openssl

▸ Private key generation

▸ openssl_pkey_new([$configs]);

▸ openssl_pkey_export_to_file($privateKey, $fileName, $passphrase);

▸ openssl_free_key($privateKey); (a deprecated no-op since PHP 8.0, where keys are freed automatically)


▸ openssl

▸ Configuration defaults come from the openssl.cnf located via the OPENSSL_CONF environment variable, or from the file named in the ‘config’ option

▸ digest_alg: Digest method to use

▸ x509_extensions: Extensions to use for x509 cert

▸ req_extensions: Extensions to use for CSR

▸ private_key_bits: Bits for private key generation

▸ private_key_type: Type of key

▸ encrypt_key: Export key with passphrase

▸ encrypt_key_cipher: Cipher for key


▸ openssl

▸ Public key generation

▸ openssl_pkey_get_details($privateKey)

▸ Array with keys bits, key (public key), rsa, type


▸ openssl

▸ Encrypting data

▸ RSA can only encrypt a message shorter than the modulus minus padding overhead (about 214 bytes for a 2048-bit key with OAEP); rather than splitting data into chunks, encrypt a random symmetric key with RSA and the data itself with a symmetric cipher (hybrid encryption)

▸ openssl_public_encrypt($data, $encrypted, $publicKey, OPENSSL_PKCS1_OAEP_PADDING); use OAEP, not the default PKCS#1 v1.5 padding


▸ openssl

▸ Decrypting data

▸ openssl_pkey_get_private($privateKey, $passphrase) accepts a PEM string or a file:// path

▸ openssl_private_decrypt($chunk, $decrypted, $privateKey, OPENSSL_PKCS1_OAEP_PADDING) with the same padding that was used to encrypt


▸ openssl

▸ openssl_encrypt($data, $cipher, $key, $options, $iv, &$tag)

▸ The third argument is a raw symmetric key, not a password and not a public key: for ‘aes-256-gcm’ it must be 32 random bytes, the IV must be openssl_cipher_iv_length($cipher) bytes and never reused with the same key, and $tag receives the authentication tag to store alongside the ciphertext

▸ Ex: openssl_encrypt('Password123!@#', 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag) with $key = random_bytes(32) and $iv = random_bytes(12)
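Key generation, public-key encryption and openssl_encrypt from the openssl slides above, combined into one added example (not code from the slides): an RSA-2048 key pair exported under a passphrase, then hybrid encryption in which a fresh AES-256-GCM key encrypts the data and RSA-OAEP wraps that key. The passphrase and message are constructed; it assumes PHP 7.1 or later with the openssl extension (GCM support in openssl_encrypt arrived in 7.1) and a usable openssl.cnf.

```php
<?php
declare(strict_types=1);

// Added example (not from the slides): RSA key pair generation and export,
// then hybrid encryption: a random AES-256-GCM key protects the data and
// RSA-OAEP protects that key. Passphrase and message are constructed.

function generateKeyPair(string $passphrase): array
{
    $key = openssl_pkey_new([
        'digest_alg'       => 'sha256',
        'private_key_bits' => 2048,
        'private_key_type' => OPENSSL_KEYTYPE_RSA,
    ]);
    if ($key === false) {
        throw new RuntimeException('Key generation failed: ' . openssl_error_string());
    }
    // Private key PEM, encrypted with AES-256-CBC under the passphrase.
    $privatePem = '';
    openssl_pkey_export($key, $privatePem, $passphrase, [
        'encrypt_key'        => true,
        'encrypt_key_cipher' => OPENSSL_CIPHER_AES_256_CBC,
    ]);
    // The public key PEM is in the 'key' entry of the key details.
    $publicPem = openssl_pkey_get_details($key)['key'];
    return [$privatePem, $publicPem];
}

function hybridEncrypt(string $plaintext, string $publicPem): array
{
    $key = random_bytes(32);                                      // AES-256 key
    $iv  = random_bytes(openssl_cipher_iv_length('aes-256-gcm')); // 12 bytes for GCM
    $tag = '';
    $data = openssl_encrypt($plaintext, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($data === false) {
        throw new RuntimeException('Encryption failed: ' . openssl_error_string());
    }
    // Wrap the 32-byte key with RSA-OAEP; the key, unlike the data, always fits.
    $wrappedKey = '';
    if (!openssl_public_encrypt($key, $wrappedKey, $publicPem, OPENSSL_PKCS1_OAEP_PADDING)) {
        throw new RuntimeException('Key wrap failed: ' . openssl_error_string());
    }
    return ['key' => $wrappedKey, 'iv' => $iv, 'tag' => $tag, 'data' => $data];
}

function hybridDecrypt(array $envelope, string $privatePem, string $passphrase): string
{
    $private = openssl_pkey_get_private($privatePem, $passphrase);
    if ($private === false) {
        throw new RuntimeException('Bad private key or passphrase');
    }
    $key = '';
    if (!openssl_private_decrypt($envelope['key'], $key, $private, OPENSSL_PKCS1_OAEP_PADDING)) {
        throw new RuntimeException('Key unwrap failed: ' . openssl_error_string());
    }
    // GCM checks the tag: any change to data, IV or tag makes this return false.
    $plaintext = openssl_decrypt($envelope['data'], 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $envelope['iv'], $envelope['tag']);
    if ($plaintext === false) {
        throw new RuntimeException('Authentication failed: ciphertext was modified');
    }
    return $plaintext;
}

// --- demo ---
$passphrase = 'correct horse battery staple';              // constructed
[$privatePem, $publicPem] = generateKeyPair($passphrase);

$message = str_repeat('Sensitive record. ', 200);          // 3600 bytes, far above the RSA limit
$envelope = hybridEncrypt($message, $publicPem);
var_dump(hybridDecrypt($envelope, $privatePem, $passphrase) === $message);

// Why hybrid: RSA alone refuses anything longer than modulus minus padding.
$tooBig = '';
var_dump(openssl_public_encrypt($message, $tooBig, $publicPem, OPENSSL_PKCS1_OAEP_PADDING));

// Flipping one bit of the ciphertext is caught by the GCM tag on decrypt.
$envelope['data'][0] = chr(ord($envelope['data'][0]) ^ 0x01);
try {
    hybridDecrypt($envelope, $privatePem, $passphrase);
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
}
```

Store the four envelope fields together (base64 them if the storage is text); the wrapped key and IV are not secret, the tag is what turns a modified ciphertext into a hard failure instead of silently corrupted plaintext.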


▸ cracklib

▸ PECL extension (crack), must be installed separately

▸ Checks passwords against a cracklib dictionary and simple pattern rules

▸ Still marked experimental and rarely updated; treat it as one input to a password policy, not the whole policy


▸ cracklib

▸ crack_opendict('/path/to/dictionary')

▸ crack_check($dictionary, $password)

▸ crack_getlastmessage()

▸ crack_closedict($dictionary)


▸ cracklib

▸ it's WAY too short

▸ it is too short

▸ it does not contain enough DIFFERENT characters

▸ it is all whitespace

▸ it is too simplistic/systematic

▸ it looks like a National Insurance number.

▸ it is based on a dictionary word

▸ it is based on a (reversed) dictionary word

▸ strong password
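The four crack_* calls above wrapped into one function that returns the cracklib message, as an added example (not code from the slides). It assumes the PECL crack extension is loaded and that a cracklib dictionary exists at the path in CRACKLIB_DICT; that path is an assumption to adjust for your system. The candidate passwords are constructed.

```php
<?php
declare(strict_types=1);

// Added example (not from the slides): a cracklib check that always closes
// the dictionary and returns the reason a password was rejected.

// Assumption: dictionary base name (cracklib adds .pwd/.pwi/.hwm itself).
const CRACKLIB_DICT = '/usr/share/cracklib/pw_dict';

// Returns null when cracklib accepts the password, otherwise its message
// (for example "it is based on a dictionary word").
function passwordWeaknessReason(string $password): ?string
{
    if (!extension_loaded('crack')) {
        throw new RuntimeException('PECL crack extension is not loaded');
    }
    $dict = crack_opendict(CRACKLIB_DICT);
    if ($dict === false) {
        throw new RuntimeException('Cannot open cracklib dictionary ' . CRACKLIB_DICT);
    }
    try {
        if (crack_check($dict, $password)) {
            return null;
        }
        return crack_getlastmessage();
    } finally {
        crack_closedict($dict);
    }
}

// Constructed candidates: a dictionary word, a too-short string, a passphrase.
foreach (['password', 'abc', 'Tr0ub4dor&3 correct horse'] as $candidate) {
    $reason = passwordWeaknessReason($candidate);
    printf("%-28s %s\n", $candidate, $reason ?? 'accepted');
}
```

Run the check before password_hash, never after: the hash is what gets stored, and cracklib needs the plaintext.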


▸ CSPRNG

▸ Part of PHP 7 core

▸ Cryptographically Secure Pseudo-Random Number Generator (CSPRNG)


▸ CSPRNG

▸ random_bytes($length) for keys, salts, IVs and tokens

▸ random_int($min, $max) for unbiased integers in a range

▸ Both throw if no secure source is available; never fall back to rand(), mt_rand() or uniqid() for anything secret
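random_bytes and random_int in use, as an added example not from the slides: a reset token, a six-digit one-time code, a random string drawn from an alphabet, and a count that shows the modulo bias random_int avoids. All inputs are constructed; it needs PHP 7.0 or later.

```php
<?php
declare(strict_types=1);

// Added example (not from the slides): common uses of PHP 7's CSPRNG and the
// modulo-bias pitfall that random_int is designed to avoid.

// Opaque token for password resets or API keys: 256 bits, hex-encoded.
// Store only a hash of it server-side, as you would a password.
function newToken(): string
{
    return bin2hex(random_bytes(32));
}

// Six-digit one-time code with leading zeros kept.
function newOtp(): string
{
    return str_pad((string) random_int(0, 999999), 6, '0', STR_PAD_LEFT);
}

// Random string from an alphabet; random_int is uniform over 0..$max.
function randomString(int $length, string $alphabet): string
{
    $max = strlen($alphabet) - 1;
    $out = '';
    for ($i = 0; $i < $length; $i++) {
        $out .= $alphabet[random_int(0, $max)];
    }
    return $out;
}

// The pitfall: reducing a random byte with % is biased whenever the alphabet
// size does not divide 256. Counting how many of the 256 byte values land on
// each index shows the skew: for 62 symbols, indices 0..7 get 5 values each,
// the rest get 4, so the first eight symbols are 25% more likely.
function moduloBias(int $alphabetSize): array
{
    $counts = array_fill(0, $alphabetSize, 0);
    for ($byte = 0; $byte < 256; $byte++) {
        $counts[$byte % $alphabetSize]++;
    }
    return ['min' => min($counts), 'max' => max($counts)];
}

$alphabet = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
var_dump(strlen(newToken()) === 64);
var_dump(preg_match('/^\d{6}$/', newOtp()) === 1);
var_dump(strlen(randomString(20, $alphabet)) === 20);
print_r(moduloBias(strlen($alphabet)));
```

random_int does rejection sampling internally, which is why it takes a range rather than a byte count; when you need a uniform choice, ask it for the index instead of reducing random_bytes yourself.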


CONSIDERATIONS

▸ Salts

▸ Algorithm costs

▸ Timing attacks

▸ Brute force attacks

▸ Rainbow tables

▸ Max message length


▸ Salts

▸ Increased security for the digest if done correctly: a unique random salt defeats precomputed tables and makes identical passwords hash differently

▸ Ex: hash('sha256', $salt . $password) is the classic construction, but do not build your own password hashing this way

▸ Pepper debate: an extra site-wide secret kept outside the database, which only helps if the database leaks while the application secret does not

▸ Let password_hash generate the salt for you

▸ Different salt per password or message


▸ Algorithm Costs

▸ Default cost for password_hash is 10

▸ Higher cost leads to more processing time: each +1 doubles the work, since the bcrypt cost is the log2 of the iteration count

▸ 8-12 was the usual range; on current server hardware start at 10 and benchmark so one hash takes a few hundred milliseconds

▸ Might change depending on hardware available; use password_needs_rehash to upgrade stored hashes when you raise it


▸ Timing Attacks

▸ Measuring how long an operation takes in order to infer a secret

▸ Time variation for hashing, encrypting, decrypting and comparing

▸ Ex: Username not found, so no password check is attempted; the faster response reveals which usernames exist

▸ Ex: String comparisons stop after the first mismatch, so an attacker can recover a secret one byte at a time

▸ password_verify and hash_equals are built to take the same time for a positive or negative match; never compare hashes or tokens with == or ===
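The two timing examples above, as added code that is not from the slides: a login check that returns early for unknown users beside one that does the same work on every path, plus hash_equals for comparing tokens. The user table, its hash and the dummy hash are constructed inline; hrtime and arrow functions need PHP 7.4 or later.

```php
<?php
declare(strict_types=1);

// Added example (not from the slides): a login check that leaks whether a
// username exists through timing, and one that does the same work on every
// path. The user table below is constructed; in practice it is a DB lookup.

$users = [
    'alice' => password_hash('alice-secret', PASSWORD_BCRYPT, ['cost' => 10]),
];

// Leaky: an unknown username returns in microseconds, a known one only after
// a full bcrypt verification, so response time enumerates valid accounts.
function loginLeaky(array $users, string $username, string $password): bool
{
    if (!isset($users[$username])) {
        return false;
    }
    return password_verify($password, $users[$username]);
}

// Hardened: always run password_verify, against a dummy hash when the user
// does not exist, and combine the results without an early return. The
// dummy must use the same algorithm and cost as the real hashes.
$DUMMY_HASH = password_hash('dummy-' . bin2hex(random_bytes(8)), PASSWORD_BCRYPT, ['cost' => 10]);

function loginConstant(array $users, string $username, string $password, string $dummyHash): bool
{
    $exists = isset($users[$username]);
    $hash = $exists ? $users[$username] : $dummyHash;
    $ok = password_verify($password, $hash);   // runs on every path
    return $exists && $ok;                      // both already evaluated
}

// Comparing digests or tokens: === stops at the first differing byte;
// hash_equals takes the same time for a match and for a mismatch.
function tokenMatches(string $stored, string $supplied): bool
{
    return hash_equals($stored, $supplied);
}

// Crude measurement in milliseconds to make the gap visible on one machine.
function timeIt(callable $fn): float
{
    $start = hrtime(true);
    $fn();
    return (hrtime(true) - $start) / 1e6;
}

printf("leaky, unknown user: %.2f ms\n", timeIt(fn() => loginLeaky($users, 'nobody', 'x')));
printf("leaky, known user:   %.2f ms\n", timeIt(fn() => loginLeaky($users, 'alice', 'x')));
printf("fixed, unknown user: %.2f ms\n", timeIt(fn() => loginConstant($users, 'nobody', 'x', $DUMMY_HASH)));
printf("fixed, known user:   %.2f ms\n", timeIt(fn() => loginConstant($users, 'alice', 'x', $DUMMY_HASH)));
var_dump(loginConstant($users, 'alice', 'alice-secret', $DUMMY_HASH));
var_dump(loginConstant($users, 'nobody', 'alice-secret', $DUMMY_HASH));
var_dump(tokenMatches('deadbeef', 'deadbeef'));
```

The first two measurements differ by roughly one bcrypt verification (tens of milliseconds at cost 10), which is easily visible over a network; the last two should be within noise of each other. Keep the same "invalid username or password" response body and status for both failures, or the timing fix is undone by the message.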


▸ Brute Force Attacks

▸ Timing differences used to enumerate valid usernames, then brute force those accounts

▸ Dictionary attack using wordlists and lists of common passwords

▸ Takes time, so an attacker spreads attempts out to stay below detection thresholds

▸ Advanced Persistent Threat (APT): a patient attacker accepts the slowness


▸ Brute Force Attacks

▸ Countermeasures

▸ Lock accounts, but this lets an attacker lock victims out (Denial of Service)

▸ Add delay to each failed login (exponential backoff)

▸ Rate-limit or lock by IP address, knowing that attackers rotate addresses

▸ Vary failed login attempt behavior (Ex: HTTP status, redirect) so automated tools cannot rely on one fixed signal


▸ Brute Force Attacks

▸ Countermeasures

▸ Key words that tools match on (invalid login, bad username or password) placed in HTML comments on every page, so the string no longer distinguishes failure from success

▸ Security questions

▸ CAPTCHA

▸ Add another factor (multi-factor authentication)


▸ Rainbow Tables

▸ Precomputed table mapping digests back to the inputs that produced them

▸ Works against unsalted hashing, where the same input always produces the same digest

▸ Countered by a unique per-password salt and a slow, modern algorithm (bcrypt, Argon2)

▸ Common for MD5, SHA1, LM


▸ Rainbow Tables

▸ Internet search for the hash

▸ Online hash cracking sites


▸ Max Message Length

▸ Some algorithms only use the first X bytes of the input; with bcrypt (PASSWORD_BCRYPT) everything after 72 bytes is ignored, so two passwords sharing a 72-byte prefix verify identically

▸ MD5 and the SHA family have no practical input limit; MD5 consumes input in 512-bit blocks and always produces a 128-bit digest, 32 hex characters out


▸ Identify sensitive data

▸ Determine appropriate encryption

▸ Use cryptography to keep data safe


▸ Cryptography can help minimize damage

▸ Electronic data breaches

▸ Stolen electronic devices

▸ Data transmission


▸ Cryptography cannot help minimize damage

▸ Phishing attacks

▸ Credential theft

▸ Escalation of privileges

▸ DoS/DDoS

▸ Social engineering


▸ Security education

▸ Verizon Data Breach Investigation Report

▸ SANS Institute, email digest

▸ Krebs on Security blog

▸ OWASP

▸ BrightTALK

QUESTIONS?

▸ https://joind.in/talk/53c3d

SOURCES

▸ Merriam-Webster Dictionary online

▸ PHP.net documentation

▸ Virendra Chandak https://www.virendrachandak.com

▸ OWASP

▸ Verizon 2016 Data Breach Investigations Report