The Paragon Initiative has posted a new white paper to their site covering secure data encryption in web applications written in PHP. The paper covers high level topics and offers some more practical suggestions about tools and guides to use in protecting your applications.
Encrypting network communications is absolutely essential to the security of anyone who wishes to use your website or application. The standard and most reliable form of network encryption is called Transport Layer Security (TLS), which was preceded by and older standard called Secure Socket Layer (SSL).
Websites that use SSL or TLS are accessible by typing https://domain.com into your browser instead of just http://domain.com. Consequently, the shorthand way to refer to HTTP over TLS is simply HTTPS. Contrasted with network cryptography, storing sensitive information is a much more challenging and interesting problem to solve, and is the focus of this paper.
Among the topics covered in the white paper are things like:
- The flow of a HTTPS request (and if it's "fast" or not)
- Secure password storage and handling
- On-demand encryption/decryption
- Cryptography library recommendations
- Using asymmetric cryptography with public and private keys
They also point to this curated list of resources to help you learn more about general web application security including cryptography.