News Feed
Sections




News Archive
feed this:

Looking for more information on how to do PHP the right way? Check out PHP: The Right Way

PHP Manual Masterpieces:
I Can't Spell PBKDF
November 13, 2013 @ 09:58:08

On the PHP Manual Masterpieces site has a recent post looking at PBKDF and PHP (and, more specifically, the information that's presented about it in the manual).

So why are we here? Well, a faithful follower slipped me a tip to check out the documentation. It turned out I agreed: I don't like it. [...] Let's be clear: I have read the backing C code of this feature and I see nothing wrong with the actual functionality. My issues are strictly with the documentation and the API, both of which are very PHP-ish in the sorts of ways that drive me to hateblog about a programming language on a Friday night. It turns out there are people who are totally okay with these design decisions, and I can't help that their subjective tastes are wrong, but that's just how it is.

She mentions three different major issues with the documentation currently in the manual:

  • Non-copypaste-safe cryptography
  • The fact that PHP does not fail effectively when it comes to cryptographic handling
  • The lack of units defined (like for the "length" parameter of hash_pbkdf2)
0 comments voice your opinion now!
pbkdf cryptography manual examples error failure units

Link: http://phpmanualmasterpieces.tumblr.com/post/66426423275/i-cant-spell-pbkdf

Scott Arciszewski:
Using scrypt in PHP-based Websites
October 30, 2013 @ 10:48:18

Scott Arciszewski has posted a new tutorial to his site helping you get scrypt installed as an alternative to some of the other cryptographic functionality that's already supported by PHP (like bcrypt).

Most newbie PHP developers suck at developing user authentication systems. When not storing passwords in plaintext, they just wing it with a simple hash function and hope it's good enough. Instead of md5(), sha1(), or hash(), you should consider using scrypt, pbkdf2, or bcrypt. Today, I'll go through the steps required to start using scrypt in your web applications.

He walks you through the exact steps you'll need to get scrypt installed and working happily with PHP (provided you have root on the machine). Thankfully, it's pretty easy thanks to the scrypt extension provided through PECL. He gives a brief introduction to using the scrypt function and links to an updated version of a scrypt wrapper you can use in your applications.

0 comments voice your opinion now!
scrypt cryptography hashing extension pecl tutorial

Link: https://s.arciszewski.me/blog/2013/10/php-scrypt-setup

Timoh's Pages:
Cryptography in web applications a false sense of security?
August 22, 2012 @ 12:11:11

Timo has a new post looking at cryptography in PHP and some of the common misconceptions and how that functionality that your framework provides might not be good enough.

Does your framework of choice offer an easy way to perform data encryption? Maybe you have even utilized data encryption in some format. [...] It could not be much easier than that. It is hard to argue. But things won't stay as simple as this if you look at the meaning of "secure data encryption" a little bit closer. Usually people encrypt their data to make sure the data will stay safe. What does this actually mean? Simply put, it means your data stays secret as long as the secret key stays secret. No matter if an active attack is going on and the adversary can read your encrypted data.

He looks at why, by itself, encryption isn't that useful - it's only when its applied. He also covers some of the basic questions to ask when working with things like HMAC hashing and ciphertext malleability. He talks about random number/string generation for IVs, encryption keys and what you can do to help make your encryption more secure in its implementation.

0 comments voice your opinion now!
cryptography security encryption application


Paul Reinheimer's Blog:
Cookies don't replace Sessions
January 24, 2012 @ 09:26:20

In a new post to his blog Paul Reinheimer talks about replacing sessions with cookies and some of the (security) pitfalls that can come with it.

I've seen several instances where people have demonstrated the ease with which encrypted cookies can replace sessions within PHP. Michael Nitschinger wrote a piece recently demonstrating the switch with Lithium, while CodeIgniter does this by default (optionally encrypting). The problem is that while replacing sessions with cookies works, it introduces a few risks not present with native session support, and these risks tend to be under documented.

He gives an illustration of an attacker who sits between Amazon and one of their warehouses. Despite encrypting their order details, all it would take is the attacker to grab an order and copy it and resend (a "replay attack"). He's created an example application to illustrate the point (source on github). The attacker doesn't even have to know what the encrypted information contains - they only have to replicate it.

0 comments voice your opinion now!
cookies session cryptography advice security replay attack


Suspekt Blog:
mt_srand and not so random numbers
August 18, 2008 @ 13:49:31

Stefan Esser points out a problem with the mt_rand and rand methods in PHP that makes them not quite random enough for cryptographic uses.

PHP comes with two random number generators named rand() and mt_rand(). The first is just a wrapper around the libc rand() function and the second one is an implementation of the Mersenne Twister pseudo random number generator. Both of these algorithms are seeded by a single 32 bit dword when they are first used in a process or one of the seeding functions srand() or mt_srand() is called.

He looks at how its currently implemented, some examples of bad methods to get "random" numbers, how shared resources are a problem and an example of a cross-application attack (the application in more than once place using the same method for getting random numbers).

In the comments he recommends either grabbing from /dev/random (if you're on a unix-based system) or making the creation of your numbers a bit more complex to include things the outside world wouldn't know.

0 comments voice your opinion now!
mtrand random number rand cryptography problem


DevX.com:
A Guide to Cryptography in PHP
May 06, 2008 @ 13:47:22

The DevX.com site has posted an introductory guide to using cryptography in PHP, showing how to use the various packages the language has to offer.

Cryptography is just one piece of the security puzzle, along with SSL/TLS, certificates, digital signatures, and so on. This article explains how to use PHP to implement the most common cryptographic algorithms. In addition to describing PHP's default encryption functions, you'll see how to use a wide variety of cryptographic libraries and packages.

They start with a look at some of the built-in functions like md5, sh1 and crypt as well as a table detailing the different encryption methods (like mcrypt, mhash or crypt_blowfish). They follow this up with examples of some of them including a method for making secret keys with the Crypt_DiffieHellman PEAR Package.

0 comments voice your opinion now!
cryptography mcrypt mhash blowfish rsa hmac diffiehellman



Community Events





Don't see your event here?
Let us know!


list threedevsandamaybe release opinion framework laravel code refactor series introduction unittest language symfony2 testing developer interview install api podcast community

All content copyright, 2014 PHPDeveloper.org :: info@phpdeveloper.org - Powered by the Solar PHP Framework