Looking for more information on how to do PHP the right way? Check out PHP: The Right Way

NetTuts.com:
Generate Random Alphanumeric Strings in PHP
Nov 21, 2018 @ 11:52:17

On the NetTuts.com site they've posted a tutorial showing how to generate random alphanumeric strings in PHP including information on how the different "randomness" methods work in PHP (and when to use which method).

Let me begin this post by saying that almost no event is truly random. Even the outcome of a classic coin toss could in theory be predicted if we knew the effect of every factor involved, like air friction, gravity, and initial force.

The same thing is applicable to the generation of random numbers and alphanumeric strings. The best we can hope for is to generate numbers and strings that don't seem to follow a pattern and can't be practically predicted by an attacker.

In this tutorial, we will cover different techniques for generating random numbers and alphanumeric strings in PHP. Some of them will be cryptographically secure, while others are meant only for casual use, like assigning pseudo-random file names or creating URLs and suggesting usernames.

They start with a look at generating random numbers using the rand, mt_rand and random_int functions. There's a mention of which to use when cryptographically secure random integers are needed as well. They also talk about seeding the random number generator and generating random float values.

From there they move on to the focus of the article - generating the random alphanumeric strings using a few different methods:

  • generating "shuffled" strings
  • generating random strings
  • generate random hexadecimal strings
  • generating cryptographically secure random strings

Each of the above sections (as well as the previous ones) come with code examples and explanations of the randomness each provides.

tagged: generate random alphanumeric strings tutorial cryptography

Link: https://code.tutsplus.com/tutorials/generate-random-alphanumeric-strings-in-php--cms-32132

Zend Blog:
Modern cryptography in PHP 7.2 with Sodium
Nov 16, 2018 @ 12:14:24

On the Zend blog there's a new tutorial posted by Enrico Zimuel covering the use of libsodium in PHP 7.2 to provide stronger encryption for your data.

Recently, at ZendCon & OpenEnterprise 2018, I presented a session about the usage of Sodium in PHP 7.2. Here you can find the slides of this session.

Sodium is a powerful library for modern cryptography. It is a portable, cross-compilable, installable and packageable fork of NaCl, a famous cryptographic tool designed by Prof. D.J. Bernstein.

The tutorial begins with an outline of the Sodium encryption including the algorithms it can use and how it helps to prevent side-channel attacks. It then lists out some of the common use cases and provides a simple code sample showing how to use it to encrypt a simple message with a randomly generated key.

tagged: cryptography modern libsodium tutorial introduction

Link: https://blog.zend.com/2018/11/06/modern-cryptography-in-php-7-2-with-sodium/#.W-7xpJNKi-o

php[architect]:
Education Station: Shifting and Masking with a Side of Crypto
Feb 23, 2018 @ 11:34:45

The php[architect] site has posted an article published in their February 2018 issue by Edward Barnard as a part of his "Education Station" column. The article covers bit shifting and how it relates to cryptography in PHP.

The basics can be tricky. This month we take a careful walk-through of a few lines of cryptographic code in PHP. This leads us through the difference between ones’ complement and two’s complement representation. We achieve weirdness by combining logical AND with integer addition.

He starts with a bit of a history lesson going back to mainframes and keypunching followed by a look at the logical and bitwise operators. He then takes some of these basics and applies them to the world of cryptography and provides some example code and a constant-time encoding algorithm. This leads to a discussion about ones' compliment, signed zero, two's compliment and "packing".

tagged: shifting masking phparchitect educationstation cryptography

Link: https://www.phparch.com/2018/02/education-station-shifting-and-masking-with-a-side-of-crypto/

Three Devs & A Maybe:
Symmetric and Asymmetric Encryption with Scott Arciszewski
Feb 07, 2018 @ 10:58:16

In the latest episode of the Three Devs and a Maybe podcast, hosted by Michael Budd, Fraser Hart, Lewis Cains and Edd Mann, they welcome back a guest for another round of security discussions: Scott Arciszewski around symmetric and asymmetric encryption.

In this weeks episode we are lucky to be joined again by Scott Arciszewski. We start off the show by discussing the difference between Symmetric and Asymmetric Encryption, what Authenticated Encryption is and how secret-keys are exchanged using Diffie-Hellman. From here, we move on to highlight how Elliptic-curve cryptography works, what DNSCrypt is and why prime numbers are so important in cryptography. Finally, we touch upon multi-factor authentication, how one time passwords work, SMS vulnerabilities and how to manage password recovery.

There's a wide range of security and cryptography related topics mentioned and linked in the post. You can listen to this latest show either using the in-page audio player or by downloading the mp3 directly. If you enjoy the episode, be sure to subscribe to their feed and follow them on Twitter to get updates when new shows are released.

tagged: threedevsandamaybe podcast scottarciszewski security cryptography encryption

Link: http://threedevsandamaybe.com/symmetric-and-asymmetric-encryption-with-scott-arciszewski/

Dev.to:
PHP 7.2: The First Programming Language to Add Modern Cryptography to its Standard Library
Feb 14, 2017 @ 12:10:29

In this post to the dev.to site Scott Arciszewski talks about a milestone in the PHP language, it being the first language to "add modern cryptography to its standard library" (PHP 7.2).

Last week, the voting phase closed on an RFC to add libsodium to PHP 7.2. The result was unanimous (37 in favor, 0 against).

When version 7.2 releases at the end of the year, PHP will be the first programming language to adopt modern cryptography in its standard library.

He goes on to talk about what "modern cryptography" is describing concepts like secure primitives and showing example of the high-level API the integration will provide. The post finishes out with a rebuttal against some of the nay-sayers around PHP and its reputation for security. They say that there's "no way PHP is more secure than " so Scott compares this libsodium addition to some of the features in other languages and where they're lacking in relation.

tagged: programming language cryptography standard library libsodium php72

Link: https://dev.to/paragonie/php-72-the-first-programming-language-to-add-modern-cryptography-to-its-standard-library

Paragon Initiative:
Solve All Your Cryptography Problems in 3 Easy Steps
May 12, 2016 @ 11:55:55

On the Paragon Initiative site there's a new post that promises a way to solve all of your cryptography problems in PHP with three simple steps.

Last year, we began developing Halite, a FOSS high-level wrapper for the PHP bindings to libsodium. We use Halite extensively in our own projects (including our upcoming CMS which has quite a few of its own innovative cryptography features baked-in).

As of version 2.1.0, we are confident that Halite solves all of the application-layer cryptography problems that most PHP developers face; and it does so in three easy steps. (For transport-layer cryptography, you should still use TLS, of course.)

Their three steps to effectively using Halite and libsodium in your application are:

  • Step One: Managing Cryptography Keys
  • Step Two: Encrypting or Authenticating with Halite
  • Step Three: Decrypt or Verify

Each step comes with example code showing how to use the tool to accomplish it. There's also a few other problems that are solved by using the library including generating encrypted password hashes and whole file cryptography.

tagged: cryptography problem halite libsodium steps keys authentication encrypt decrypt

Link: https://paragonie.com/blog/2016/05/solve-all-your-cryptography-problems-in-three-easy-steps-with-halite

Paragon Initiative:
Choosing the Right Cryptography Library for your PHP Project: A Guide
Nov 16, 2015 @ 12:19:16

On the Paragon Initiative blog there's a new article posted that wants to help you pick the right cryptography library for your project and your needs. In it they make several recommendations and the benefits of each.

Cryptography is not magic. Adding encryption to an application doesn't automatically make it secure against attackers (especially if you aren't authenticating your ciphertext). But if you do need it to satisfy a business need, conventional wisdom states that you almost certainly should not try to design your own cryptography. Instead, you should use an existing cryptography library.

Okay, great. So which PHP cryptography library should I use? That depends on your exact requirements. Let's look at some good choices. (We won't cover any terrible choices.)

The three libraries they recommend are: Halite, the Libsodium library, the Defuse Security PHP Encryption library and the PHPSecLib library. For each they make some recommendations on places they may be most effective and how it using them relates to passwords (hint, hashing over encryption).

tagged: cryptography library choice hailite libsodium phpencryption phpseclib password

Link: https://paragonie.com/blog/2015/11/choosing-right-cryptography-library-for-your-php-project-guide

Paragon Initiative:
Coming to WordPress 4.4: CSPRNG
Oct 12, 2015 @ 12:52:42

The Paragon Initiative blog has a post from Scott Arciszewski about a new feature coming to upcoming WordPress versions - the use of a cryptographically security random number generator starting in version 4.4.0.

At Paragon Initiative Enterprises, we believe that security should be the default state of affairs, not something only in the reach of security experts. That is why [...] our team spends a great deal of time working to improve the security of popular free and open source software.

Today, we're pleased to announce an exciting security enhancement coming to WordPress in the next major version. Starting in 4.4.0, wp_rand() is cryptographically secure on all platforms.

He walks the reader through the "road" that's lead to the introduction of this support and the work he did in the past to help push the project (and others) towards it. Given that the WordPress project has a lot of emphasis on backwards compatibility, effort need to be put into a method that would work across new and old PHP versions. The random_compat library was created and was adopted not only by WordPress but also by several other major PHP projects.

Our part in this long and crazy journey has reached its end. In the course of fixing the same flaw in two distinct projects, the PHP community banded together to identify and expunge a bug in the PHP core, create a new feature in PHP 7, and in some small way helped to secure the CMS that powers more than 20% of websites on the Internet.
tagged: wordpress csprng random number generator cryptography security

Link: https://paragonie.com/blog/2015/10/coming-wordpress-4-4-csprng

Paragon Initiative:
How to Safely Implement Cryptography Features in Any Application
Oct 07, 2015 @ 11:51:41

The Paragon Initiative blog has posted a new article showing you how to safely implement cryptography in any PHP-based application (or really just about any application) with the help of libsodium.

Why not {Mcrypt, OpenSSL, Bouncy Castle, KeyCzar, etc.}? These cryptography libraries are really building blocks that by and large must be used, with expert care, to build the interfaces you want developers to use. In most cases, libsodium is the interface you want developers to use. [...] By default, these libraries don't provide [authenticated encryption](https://tonyarcieri.com/all-the-crypto-code-youve-ever-written-is-probably-broken). Most of them force developers to use RSA (or ECDSA but certainly not EdDSA), which is [hard to get right](http://www.daemonology.net/blog/2009-06-11-cryptographic-right-answers.html) and for which [index calculus attacks are improving each year](https://events.ccc.de/congress/2014/Fahrplan/system/attachments/2501/original/20141227.pdf).

He goes on to talk about NaCI as a possible option (libsodium is from a fork of it) but points out that NaCI isn't as easily available as libsodium to non-C/Python developers. He shares a few reasons why he thinks "libsodium is so great" and a few reasons not to use it (mostly dealing with outside limitations, not technical ones). Finally he points you in the right direction to help you get started using libsodium for PHP as a PECL extension.

tagged: cryptography feature safe guide tutorial introduction pecl extension

Link: https://paragonie.com/blog/2015/09/how-to-safely-implement-cryptography-in-any-application

Paragon Initiative:
You Wouldn't Base64 a Password - Cryptography Decoded
Aug 10, 2015 @ 12:33:43

The Paragon Initiative has posted an article about cryptography, introducing some of the basic concepts and explaining why "you wouldn't base64 a password" to adequately protect it in your application.

If you feel that cryptography is a weird, complicated, and slightly intimidating subject for which your feelings might be best described as lukewarm (on a good day), we hope that by the time you finish reading this page, you will have a clear understanding of the terms and concepts people use when this topic comes up.

He starts with some of the basics around hashing (keyless cryptography) and the advantages/disadvantages of the method. He moves from there a step up and gets into secret key cryptography, using things like HMAC hashing to ensure message validity. The next move up is to secret key encryption, using some kind of "secret" as a part of the encryption process along with the right algorithm and mode for the encryption level desired. He also covers authenticated key encryption, public key encryption, shared secrets and digital signatures. He ends the post covering some of the common pitfalls of using cryptography in things like password storage, file verification and a reminder that encoding (like base64 encoding) and compression aren't encryption.

tagged: encryption introduction cryptography base64 decoded tutorial hashing

Link: https://paragonie.com/blog/2015/08/you-wouldnt-base64-a-password-cryptography-decoded