
AWS Developer Blog:
Using Client-Side Encryption for Amazon S3 in the AWS SDK for PHP
Nov 10, 2017 @ 16:11:16

On the AWS Developer blog they've posted a new tutorial showing how to use client-side encryption in the AWS SDK for PHP when working with Amazon S3.

The AWS SDK for PHP released an S3EncryptionClient in version 3.38.0. With client-side encryption, data is encrypted and decrypted directly in your environment. This means that this data is encrypted before it’s transferred to Amazon S3, and you don’t rely on an external service to handle encryption for you.

The AWS SDK for PHP implements envelope encryption and uses OpenSSL for its encrypting and decrypting. The implementation is interoperable with other SDKs that match its feature support. It’s also compatible with the SDK’s promise-based asynchronous workflow.

The tutorial then walks you through setting up a new S3EncryptionClient instance and using its putObject method to upload file contents that are encrypted before they leave your environment; with envelope encryption, each object is encrypted under a one-time data key and only that data key is wrapped under your master key. It also includes a code example that pulls the contents back down and decrypts them via a getObject call. Note that later SDK releases added an S3EncryptionClientV2 and deprecated the original client, so check the SDK's current guidance before adopting the code as written.

tagged: aws s3 sdk tutorial encrypt decrypt client tutorial

Link: https://aws.amazon.com/blogs/developer/using-client-side-encryption-for-amazon-s3-in-the-aws-sdk-for-php/

Paragon Initiative:
Solve All Your Cryptography Problems in 3 Easy Steps
May 12, 2016 @ 16:55:55

On the Paragon Initiative site there's a new post that promises a way to solve all of your cryptography problems in PHP with three simple steps.

Last year, we began developing Halite, a FOSS high-level wrapper for the PHP bindings to libsodium. We use Halite extensively in our own projects (including our upcoming CMS which has quite a few of its own innovative cryptography features baked-in).

As of version 2.1.0, we are confident that Halite solves all of the application-layer cryptography problems that most PHP developers face; and it does so in three easy steps. (For transport-layer cryptography, you should still use TLS, of course.)

Their three steps to effectively using Halite and libsodium in your application are:

  • Step One: Managing Cryptography Keys
  • Step Two: Encrypting or Authenticating with Halite
  • Step Three: Decrypt or Verify

Each step comes with example code showing how to use the library to accomplish it. The post also covers a few other problems the library solves, including encrypted password hashes and whole-file cryptography.
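The three steps above in working code, as an added example rather than code from the Paragon post: keys are generated once and loaded from files, a message is encrypted and decrypted, and a second message is authenticated and verified. It is written against the current Halite API (Halite 4+ with the separate ParagonIE\HiddenString package), which differs in small ways from the 2.1 release the post discusses (that version took plain strings instead of HiddenString). The key paths are placeholders.

```php
<?php
declare(strict_types=1);

// Added example against the current Halite API (Halite 4+ and
// ParagonIE\HiddenString); the 2.1 release discussed in the post took plain
// strings. Install with: composer require paragonie/halite
require __DIR__ . '/vendor/autoload.php';

use ParagonIE\Halite\Alerts\InvalidMessage;
use ParagonIE\Halite\KeyFactory;
use ParagonIE\Halite\Symmetric\Crypto as Symmetric;
use ParagonIE\HiddenString\HiddenString;

// Step one: generate keys once and keep them in files outside the web root.
// The paths are placeholders for this example.
$encKeyPath  = __DIR__ . '/keys/encryption.key';
$authKeyPath = __DIR__ . '/keys/authentication.key';
if (!is_dir(dirname($encKeyPath))) {
    mkdir(dirname($encKeyPath), 0700, true);
}
if (!file_exists($encKeyPath)) {
    KeyFactory::save(KeyFactory::generateEncryptionKey(), $encKeyPath);
    KeyFactory::save(KeyFactory::generateAuthenticationKey(), $authKeyPath);
}
$encKey  = KeyFactory::loadEncryptionKey($encKeyPath);
$authKey = KeyFactory::loadAuthenticationKey($authKeyPath);

// Step two: encrypt. Halite picks a random nonce and authenticates the result;
// HiddenString keeps the plaintext out of stack traces and var_dump() output.
$ciphertext = Symmetric::encrypt(new HiddenString('card ending 4242'), $encKey);

// Step three: decrypt. A modified ciphertext or the wrong key throws InvalidMessage
// rather than returning garbage.
$plaintext = Symmetric::decrypt($ciphertext, $encKey)->getString();
if ($plaintext !== 'card ending 4242') {
    throw new LogicException('round trip failed');
}

try {
    Symmetric::decrypt($ciphertext, KeyFactory::generateEncryptionKey());
    throw new LogicException('decryption with the wrong key should have failed');
} catch (InvalidMessage $e) {
    // expected: Halite refuses to release unauthenticated plaintext
}

// Authenticate-only variant for data that may stay readable but must not change
$message = '{"uid":42,"role":"user"}';
$mac = Symmetric::authenticate($message, $authKey);
if (!Symmetric::verify($message, $authKey, $mac)) {
    throw new LogicException('MAC should verify');
}
if (Symmetric::verify(str_replace('user', 'admin', $message), $authKey, $mac)) {
    throw new LogicException('tampered message should not verify');
}
```

The key files are the only secret; losing them makes every ciphertext unrecoverable, and anyone who can read them can decrypt or forge, so they belong outside the document root with restrictive permissions.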

tagged: cryptography problem halite libsodium steps keys authentication encrypt decrypt

Link: https://paragonie.com/blog/2016/05/solve-all-your-cryptography-problems-in-three-easy-steps-with-halite

SitePoint PHP Blog:
How to Encrypt Large Messages with Asymmetric Keys and phpseclib
Jan 20, 2015 @ 17:40:51

On the SitePoint PHP blog today David Brumbaugh shows you how to encrypt large messages with phpseclib and asymmetric keys. phpseclib is a PHP library specifically designed to handle encryption and decryption in an easy-to-use way.

Most of us understand the need to encrypt sensitive data before transmitting it. Encryption is the process of translating plaintext (i.e. normal data) into ciphertext (i.e. secret data). During encryption, plaintext information is translated to ciphertext using a key and an algorithm. To read the data, the ciphertext must be decrypted (i.e. translated back to plaintext) using a key and an algorithm. [...] A core problem to be solved with any encryption algorithm is key distribution. How do you transmit keys to those who need them in order to establish secure communication? The solution to the problem depends on the nature of the keys and algorithms.

He covers the difference between symmetric and asymmetric algorithms and offers advice on selecting the right one (or ones) for your app. He also briefly covers the main limitation of RSA: it can only encrypt a message shorter than the key's modulus, and less once padding is accounted for. His solution is to "encrypt the message with a symmetric key, then asymmetrically encrypt the key and attach it to the message". He explains the encryption and decryption process step by step, then shows the phpseclib code: generating the keys and building an encrypt function and a decrypt function of about 30 lines each.
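The scheme described here is the same envelope encryption the AWS entry above attributes to S3EncryptionClient, so one added example serves both. It is not code from the SitePoint article or the AWS SDK; it uses PHP's bundled openssl extension rather than phpseclib so it runs without Composer. A fresh AES-256-GCM data key encrypts the message, only that 32-byte key is wrapped with RSA-OAEP, and decryption refuses any tampered envelope. The RSA key pair is generated on the fly for the demo; real deployments load the public key from a file and keep the private key with the recipient.

```php
<?php
declare(strict_types=1);

// Added example, not code from the AWS SDK or the SitePoint article: envelope
// (hybrid) encryption with PHP's bundled openssl extension. A fresh 256-bit data
// key encrypts the message with AES-256-GCM; only that 32-byte key is wrapped
// with RSA-OAEP, which is how RSA's size limit is sidestepped. The key pair is
// generated here for the demo only.

// RSA-2048 with OAEP (SHA-1 by default in OpenSSL) can encrypt at most
// 214 bytes, so a direct attempt on a larger message simply fails.
function rsaEncryptsDirectly(string $message, string $publicKeyPem): bool
{
    $out = '';
    return openssl_public_encrypt($message, $out, $publicKeyPem, OPENSSL_PKCS1_OAEP_PADDING);
}

function sealEnvelope(string $plaintext, string $publicKeyPem): array
{
    $dataKey = random_bytes(32);   // one-time AES-256 key
    $iv      = random_bytes(12);   // 96-bit GCM nonce; fresh per encryption, never reused with a key
    $tag     = '';
    $ciphertext = openssl_encrypt($plaintext, 'aes-256-gcm', $dataKey, OPENSSL_RAW_DATA, $iv, $tag);
    if ($ciphertext === false) {
        throw new RuntimeException('AES-GCM encryption failed: ' . openssl_error_string());
    }
    $wrappedKey = '';
    if (!openssl_public_encrypt($dataKey, $wrappedKey, $publicKeyPem, OPENSSL_PKCS1_OAEP_PADDING)) {
        throw new RuntimeException('RSA key wrap failed: ' . openssl_error_string());
    }
    // Everything in the envelope is safe to store or transmit together
    return [
        'wrapped_key' => base64_encode($wrappedKey),
        'iv'          => base64_encode($iv),
        'tag'         => base64_encode($tag),
        'ciphertext'  => base64_encode($ciphertext),
    ];
}

function openEnvelope(array $envelope, string $privateKeyPem): string
{
    $dataKey = '';
    if (!openssl_private_decrypt(base64_decode($envelope['wrapped_key']), $dataKey, $privateKeyPem, OPENSSL_PKCS1_OAEP_PADDING)) {
        throw new RuntimeException('RSA key unwrap failed');
    }
    $plaintext = openssl_decrypt(
        base64_decode($envelope['ciphertext']), 'aes-256-gcm', $dataKey, OPENSSL_RAW_DATA,
        base64_decode($envelope['iv']), base64_decode($envelope['tag'])
    );
    if ($plaintext === false) {
        // GCM tag mismatch: ciphertext, IV or tag was modified, so nothing is released
        throw new RuntimeException('envelope failed authentication');
    }
    return $plaintext;
}

// Demo key pair and a constructed message far larger than RSA can take directly
$keyPair = openssl_pkey_new(['private_key_type' => OPENSSL_KEYTYPE_RSA, 'private_key_bits' => 2048]);
openssl_pkey_export($keyPair, $privatePem);
$publicPem = openssl_pkey_get_details($keyPair)['key'];
$message   = str_repeat('large message payload ', 1000);

if (rsaEncryptsDirectly($message, $publicPem)) {
    throw new LogicException('RSA should refuse a ~22 KB message');
}
if (!rsaEncryptsDirectly('short secret', $publicPem)) {
    throw new LogicException('RSA should accept a 12-byte message');
}

$envelope = sealEnvelope($message, $publicPem);
if (openEnvelope($envelope, $privatePem) !== $message) {
    throw new LogicException('round trip failed');
}

// Flip one bit of the ciphertext: the tag check rejects it instead of returning garbage
$raw = base64_decode($envelope['ciphertext']);
$raw[0] = chr(ord($raw[0]) ^ 0x01);
$envelope['ciphertext'] = base64_encode($raw);
try {
    openEnvelope($envelope, $privatePem);
    throw new LogicException('tampered envelope was accepted');
} catch (RuntimeException $e) {
    // expected
}
```

Two choices matter here: OAEP rather than the PKCS#1 v1.5 padding that openssl_public_encrypt uses by default, and an authenticated mode (GCM) for the bulk data so that a modified ciphertext is rejected rather than decrypted to garbage. Plain RSA and plain AES-CBC, as older PHP tutorials tend to use, give you neither protection.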

tagged: encrypt decrypt large message asymmetric key phpseclib tutorial

Link: http://www.sitepoint.com/encrypt-large-messages-asymmetric-keys-phpseclib/

Reddit.com:
Login Security (Best Practices Recommendations)
Aug 14, 2012 @ 17:20:08

On Reddit.com there's a good conversation going on in the PHP category about login security and best practices surrounding it.

So I was handed an ancient project which was up to me to fix / improve. About a week later I am about done but there is 1 thing I left...Login security. As it is now, it's just md5(password) that's saved in the database. Better than nothing, but far from good enough. My plan was to have a constant pepper in the class which handles the logins, then do something like crypt(pepper . $password) to store it, since that should generate a random salt and is slower than sha1 / md5 / etc. I feel this should be safe enough, do any of you have any ideas on how to improve it (without non-standard extensions)?

There are lots of comments so far, and most follow the same line: stop storing a plain, fast digest and use a proper password hashing scheme instead, such as crypt() with the Blowfish (bcrypt) algorithm, combined with a keyed hash (HMAC). Two things worth knowing beyond the thread: crypt() does not pick a salt for you, the caller must supply one, and since PHP 5.5 the password_hash() and password_verify() functions wrap bcrypt and handle salt generation themselves.
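An added example (not code from the thread) of where that advice ends up on modern PHP: bcrypt through password_hash(), the poster's server-side pepper applied as an HMAC, and a transparent upgrade of the legacy md5 rows on the user's next successful login. PEPPER is a placeholder; the real value must come from configuration outside the database so that a database dump alone does not give an attacker everything. The base64 step is not cosmetic: bcrypt stops at the first NUL byte and ignores input past 72 bytes, and a raw HMAC can contain NUL.

```php
<?php
declare(strict_types=1);

// Added example: replacing unsalted md5() storage with bcrypt via password_hash()
// (PHP 5.5+), keeping the poster's idea of a server-side pepper.
// PEPPER is a placeholder; load the real value from outside the database.
const PEPPER      = 'replace-with-a-long-random-secret-kept-out-of-the-db';
const BCRYPT_COST = 12;

// Pepper by HMAC-ing first. bcrypt truncates at the first NUL byte and at 72
// bytes, so the raw HMAC is base64-encoded (44 chars, no NUL) before hashing.
function prehash(string $password): string
{
    return base64_encode(hash_hmac('sha256', $password, PEPPER, true));
}

function hashPassword(string $password): string
{
    // bcrypt generates and embeds its own random salt; no salt column needed
    return password_hash(prehash($password), PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
}

function isLegacyMd5(string $stored): bool
{
    return (bool) preg_match('/^[0-9a-f]{32}$/', $stored);
}

// Returns null when the password is wrong; otherwise the hash that should now be
// stored (a fresh bcrypt hash when the row was legacy md5 or used an old cost).
function verifyAndUpgrade(string $password, string $stored): ?string
{
    if (isLegacyMd5($stored)) {
        // hash_equals avoids leaking the match position through timing
        if (!hash_equals($stored, md5($password))) {
            return null;
        }
        return hashPassword($password);   // upgrade on first successful login
    }
    if (!password_verify(prehash($password), $stored)) {
        return null;
    }
    if (password_needs_rehash($stored, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST])) {
        return hashPassword($password);   // cost was raised since this row was written
    }
    return $stored;
}

// Constructed demo data standing in for a database row
$legacyRow = md5('correct horse');

$upgraded = verifyAndUpgrade('correct horse', $legacyRow);
if ($upgraded === null || isLegacyMd5($upgraded)) {
    throw new LogicException('legacy row should have been verified and upgraded');
}
if (verifyAndUpgrade('wrong password', $upgraded) !== null) {
    throw new LogicException('wrong password was accepted');
}
if (verifyAndUpgrade('correct horse', $upgraded) !== $upgraded) {
    throw new LogicException('bcrypt row should verify and need no rehash');
}
```

The upgrade path leaves md5 rows in place until each user logs in; accounts that never return keep the weak hash, so a deadline after which those rows are forced through a password reset is the usual complement.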

tagged: security password hash encrypt bestpractice discussion

Link:

Hasin Hayder's Blog:
RSA Encrypting and Decrypting data with Zend_Crypt_Rsa Library
Sep 12, 2011 @ 16:17:08

Hasin Hayder has recently posted a tutorial to his blog showing how to use the Zend_Crypt_Rsa library for encrypting and decrypting data in a Zend Framework application.

Public/private key based encryption is very popular because of the strength it sets in encryption, specially above 1024 bits. Now there are external libraries to encrypt data using RSA encryption like RSA in phpclasses.org – the fun is we were also using this library in one of our ZF based projects. But last week I’ve found that there is a hidden gem in the Library/Zend/Crypt folder (Zend_Crypt_Rsa) which can do the same thing using openssl library.

He couldn't find much in the way of documentation for the component, so he wrote up how to use it in three easy steps:

  • Create your RSA public/private key using ssh-keygen
  • Encrypt data using your public key
  • Decrypt the cipher

Zend_Crypt_Rsa makes it simple to encrypt and decrypt data: it takes a passphrase, the path to the RSA key file and the message contents. Bear in mind that this is a Zend Framework 1 component, and that framework has since reached end of life, so treat the post as reference material rather than a recipe for new code.

tagged: zendcryptrsa encrypt decrypt zendframework tutorial

Link:

Sameer Borate's Blog:
Encrypting uploaded files in PHP
Nov 09, 2010 @ 15:43:13

In this new post to his blog Sameer Borate looks at a method he's come up with to encrypt files uploaded into your application with the help of the Zend_Filter component of the Zend Framework.

As earlier I’d encountered Zend's wonderful Zend_Filter class, I decided to go with it and use the Zend_Filter_Encrypt and Zend_Filter_Decrypt to accomplish the work. The Zend_Filter component provides a set of common useful data filters, among which are the encryption filters. Although my project was not developed in Zend, I could easily integrate the required classes in the code. Note that Zend has a great upload library, Zend_File_Transfer, that lets you easily manage file uploading and also encryption, but as I already had the upload code tested, I decided to just add the encryption part.

He includes the step-by-step process to get everything you need and lists which files you'll need to include from the framework to make things work. He includes code for both encrypting and decrypting the file contents, as well as hints on selecting an algorithm and generating a random initialization vector. You can download the complete source if you want to jump right in. One caveat: the filter's default adapter is mcrypt, an extension deprecated in PHP 7.1 and removed from core in 7.2, so the code as posted needs a different backend on current PHP.
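For the same job on current PHP, here is an added example (not code from Sameer Borate's post) that encrypts an uploaded file in chunks with libsodium's secretstream construction, which ships with PHP 7.2+. Unlike a single unauthenticated CBC pass, every chunk carries its own authentication tag and position and the last chunk is marked FINAL, so bit-flips, reordering and truncation are all detected on decryption. The file paths and the key are constructed for the demo; the key must be stored outside the upload directory.

```php
<?php
declare(strict_types=1);

// Added example: chunked, authenticated file encryption with libsodium's
// secretstream (XChaCha20-Poly1305), bundled with PHP 7.2+. The key is
// generated here for the demo only.
const CHUNK_BYTES = 8192;

function encryptFile(string $inPath, string $outPath, string $key): void
{
    [$state, $header] = sodium_crypto_secretstream_xchacha20poly1305_init_push($key);
    $in  = fopen($inPath, 'rb');
    $out = fopen($outPath, 'wb');
    fwrite($out, $header);                          // 24 random bytes, playing the IV's role
    $chunk = (string) fread($in, CHUNK_BYTES);
    do {
        $next = (string) fread($in, CHUNK_BYTES);   // look ahead to know when we are on the last chunk
        $tag  = $next === ''
            ? SODIUM_CRYPTO_SECRETSTREAM_XCHACHA20POLY1305_TAG_FINAL
            : SODIUM_CRYPTO_SECRETSTREAM_XCHACHA20POLY1305_TAG_MESSAGE;
        fwrite($out, sodium_crypto_secretstream_xchacha20poly1305_push($state, $chunk, '', $tag));
        $chunk = $next;
    } while ($tag !== SODIUM_CRYPTO_SECRETSTREAM_XCHACHA20POLY1305_TAG_FINAL);
    fclose($in);
    fclose($out);
}

function decryptFile(string $inPath, string $outPath, string $key): void
{
    $in  = fopen($inPath, 'rb');
    $out = fopen($outPath, 'wb');
    try {
        $header = (string) fread($in, SODIUM_CRYPTO_SECRETSTREAM_XCHACHA20POLY1305_HEADERBYTES);
        $state  = sodium_crypto_secretstream_xchacha20poly1305_init_pull($header, $key);
        $final  = false;
        while (!$final) {
            $ct = (string) fread($in, CHUNK_BYTES + SODIUM_CRYPTO_SECRETSTREAM_XCHACHA20POLY1305_ABYTES);
            if ($ct === '') {
                throw new RuntimeException('ciphertext truncated: no FINAL chunk seen');
            }
            $result = sodium_crypto_secretstream_xchacha20poly1305_pull($state, $ct);
            if ($result === false) {
                throw new RuntimeException('chunk failed authentication (corrupted or reordered)');
            }
            [$plain, $tag] = $result;
            fwrite($out, $plain);
            $final = $tag === SODIUM_CRYPTO_SECRETSTREAM_XCHACHA20POLY1305_TAG_FINAL;
        }
    } catch (Throwable $e) {
        fclose($in);
        fclose($out);
        unlink($outPath);                            // never leave partial plaintext behind
        throw $e;
    }
    fclose($in);
    fclose($out);
}

// Demo with constructed data in the temp directory
$dir = sys_get_temp_dir();
$key = sodium_crypto_secretstream_xchacha20poly1305_keygen();
file_put_contents("$dir/upload.bin", random_bytes(3 * CHUNK_BYTES + 123));   // not a chunk multiple
encryptFile("$dir/upload.bin", "$dir/upload.enc", $key);
decryptFile("$dir/upload.enc", "$dir/upload.dec", $key);
if (!hash_equals(hash_file('sha256', "$dir/upload.bin"), hash_file('sha256', "$dir/upload.dec"))) {
    throw new LogicException('round trip mismatch');
}

// Corrupt one byte inside the first chunk's ciphertext and confirm decryption is refused
$enc = file_get_contents("$dir/upload.enc");
$pos = SODIUM_CRYPTO_SECRETSTREAM_XCHACHA20POLY1305_HEADERBYTES + 100;
$enc[$pos] = chr(ord($enc[$pos]) ^ 0x80);
file_put_contents("$dir/upload.tampered", $enc);
try {
    decryptFile("$dir/upload.tampered", "$dir/upload.bad", $key);
    throw new LogicException('tampered file was accepted');
} catch (RuntimeException $e) {
    // expected: authentication failure on the modified chunk
}
```

Chunking keeps memory flat for large uploads and means a corrupted file is rejected at the first bad chunk rather than after reading it all; the explicit FINAL tag is what turns silent truncation into an error.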

tagged: encrypt upload file tutorial zendframework zendfilter

Link:

Evert Pot's Blog:
Storing encrypted session information in a cookie
Jul 14, 2010 @ 14:13:39

Evert Pot has a quick new post to his blog today talking about how to push encrypted information into a cookie for storage.

There have been a couple of approaches I've been considering [to replace sessions being stored in the database], one of which is simply storing all the information in a browser cookie. First I want to make clear I don't necessarily condone this. The reason I'm writing this post, is because I'm hoping for some more community feedback. Is this a really bad idea? I would love to know.

He includes some code to make it happen: a class that uses the hash_hmac function with SHA1 and a secret value to sign the information so that a tampered cookie can be detected before it is trusted. Note that an HMAC alone protects integrity, not confidentiality; whatever goes into the cookie remains readable by the user. Be sure to read the comments for more opinions on the method.
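An added example (not Evert's class) of the signed-cookie construction in its modern form: a JSON payload with an expiry, an HMAC-SHA256 over the encoded payload with a server-side secret, and a verifier that compares in constant time and checks the signature before it parses anything. COOKIE_SECRET is a placeholder. JSON rather than serialize() matters because unserialize() on attacker-controlled input is a well-known object-injection vector.

```php
<?php
declare(strict_types=1);

// Added example: a stateless, HMAC-signed cookie. The payload is JSON (never
// unserialize() cookie data) plus an expiry; the signature is HMAC-SHA256 over
// the base64 payload with a server-side secret; verification is constant-time.
// COOKIE_SECRET is a placeholder: generate 32+ random bytes and keep them outside the web root.
const COOKIE_SECRET = 'replace-with-the-output-of-random_bytes(32)';

function signCookie(array $data, int $ttlSeconds, int $now): string
{
    $payload = base64_encode(json_encode(['d' => $data, 'exp' => $now + $ttlSeconds], JSON_THROW_ON_ERROR));
    $mac     = hash_hmac('sha256', $payload, COOKIE_SECRET);
    return $payload . '.' . $mac;          // neither base64 nor hex contains '.'
}

// Returns the data array, or null if the cookie is malformed, tampered with or expired.
function verifyCookie(string $cookie, int $now): ?array
{
    $parts = explode('.', $cookie, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$payload, $mac] = $parts;
    $expected = hash_hmac('sha256', $payload, COOKIE_SECRET);
    if (!hash_equals($expected, $mac)) {   // constant-time; check the MAC before parsing anything
        return null;
    }
    $decoded = json_decode(base64_decode($payload, true) ?: '', true);
    if (!is_array($decoded) || !isset($decoded['exp'], $decoded['d']) || $decoded['exp'] < $now) {
        return null;
    }
    return $decoded['d'];
}

// Constructed demo
$now    = time();
$cookie = signCookie(['uid' => 42, 'role' => 'user'], 3600, $now);

if (verifyCookie($cookie, $now)['uid'] !== 42) {
    throw new LogicException('valid cookie rejected');
}
if (verifyCookie($cookie, $now + 7200) !== null) {
    throw new LogicException('expired cookie accepted');
}

// Forge: change role=user to role=admin in the payload but keep the old MAC
[$payload, $mac] = explode('.', $cookie, 2);
$forgedPayload = base64_encode(str_replace('"role":"user"', '"role":"admin"', base64_decode($payload)));
if (verifyCookie($forgedPayload . '.' . $mac, $now) !== null) {
    throw new LogicException('forged cookie accepted');
}

// In a request handler the cookie would be set with the hardening flags:
// setcookie('session', $cookie, ['expires' => $now + 3600, 'secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
```

Two limits are inherent to this design and are the substance of the post's own question: the server cannot revoke an individual cookie before it expires (rotating COOKIE_SECRET logs everyone out), and the payload is visible to the user. If it must be hidden as well as tamper-proof, replace the HMAC step with an authenticated cipher such as sodium_crypto_secretbox(), which covers both properties.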

tagged: store encrypt session cookie tutorial

Link:

NETTUTS.com:
Simple Techniques to Lock Down your Website
Oct 05, 2009 @ 12:54:53

On NETTUTS.com today there's a new post by Dustin Blake with a few simple tips and helpful techniques for locking down and protecting your website with some simple PHP scripts.

One crucial part of PHP development practice is always keeping in mind that security is not something you can simply buy off the shelf at your local convenience store. Ensuring the security of your web applications is a process, which over time, needs to be constantly evaluated, monitored, and hardened.

He shows a few methods you can use to secure things: generating random values, making random passwords to give to your users, creating salted passwords, obfuscation and an overview of cryptography in PHP. Complete source code is included. Since this was written, PHP 7 added random_int() and random_bytes(); use those for anything security-sensitive, as rand() and mt_rand() are not cryptographically secure.

tagged: tutorial secure encrypt salt random

Link:

NETTUTS.com:
Creating a Crypter Class with PHP
Sep 28, 2009 @ 12:51:19

On the NETTUTS.com site there's a new tutorial posted looking at creating a "crypter" class in PHP - a handy class to make encryption and decryption of data simpler.

Think about what we might need a class like this for? We want to encrypt important data with a password for security reasons. We also want, as already mentioned, to be able to decrypt that data when necessary. Why should you use symmetric algorithms? It's easy; when you're offering a password sent via email or something like that, you need the password to be sent in plaintext. The hash algorithms are not reversible. Once you have hashed a string you can't decipher the original text from the hash.

He lays out his basic class with three methods: the constructor, which sets up the key and algorithm, and the encrypt and decrypt functions, which use the mcrypt functions to do the heavy lifting. mcrypt was deprecated in PHP 7.1 and removed from core in 7.2, so a class like this needs porting to openssl or libsodium on current PHP, and any port should use an authenticated mode rather than bare encryption.

tagged: encrypt decrypt tutorial

Link:

Zend Developer Zone:
Using GnuPG with PHP
Aug 04, 2008 @ 19:32:56

The Zend Developer Zone has a new tutorial posted today showing how to use the open source encryption tool GnuPG from inside PHP.

While GnuPG works very well as a standalone tool, it also plays very well with PHP. This integration is possible due to PHP's ext/gnupg extension, which provides a flexible and powerful API to access GnuPG functions for encryption, decryption, message signing and verification, and key maintenance. And your mission (should you choose to accept it) will be to accompany me over the next few pages, while I give you a crash course in this API, showing you how easy it is to integrate these functions into your next PHP application.

The tutorial walks you through the basic concepts behind the "lock and key" model GnuPG implements and how to get the extension installed so you can follow along. His examples range from basic encryption of a string to a full encrypt/decrypt round trip, signing information with a key, and a method for sending an encrypted message.
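An added example (not the article's code) covering that range with the procedural ext/gnupg API: encrypt-and-sign in one call, then decrypt-and-verify, refusing the plaintext unless a good signature from the expected key is present. It assumes the gnupg PECL extension is installed and that GNUPGHOME (placeholder path) holds the recipient's public key and the signer's private key; both fingerprints are placeholders for your own keys.

```php
<?php
declare(strict_types=1);

// Added example of the procedural ext/gnupg API. Assumptions: the gnupg PECL
// extension is installed; GNUPG_HOME (placeholder) contains the recipient's
// public key and the signer's private key; both fingerprints are placeholders.
const GNUPG_HOME    = '/var/lib/app/gnupg';                        // placeholder
const RECIPIENT_FPR = '0000000000000000000000000000000000000000';  // placeholder
const SIGNER_FPR    = '1111111111111111111111111111111111111111';  // placeholder

function gpgContext()
{
    putenv('GNUPGHOME=' . GNUPG_HOME);                // must be set before gnupg_init()
    $gpg = gnupg_init();
    gnupg_setarmor($gpg, 1);                          // ASCII-armoured output, safe for e-mail or JSON
    gnupg_seterrormode($gpg, GNUPG_ERROR_EXCEPTION);  // throw instead of returning false
    return $gpg;
}

// Encrypt to the recipient and sign as the sender in a single pass.
function encryptAndSign(string $plaintext): string
{
    $gpg = gpgContext();
    gnupg_addencryptkey($gpg, RECIPIENT_FPR);
    // On GnuPG 2.1+ the passphrase comes from gpg-agent, not from this call;
    // use a key without a passphrase or configure the agent for unattended use.
    gnupg_addsignkey($gpg, SIGNER_FPR);
    return gnupg_encryptsign($gpg, $plaintext);
}

// Decrypt and insist on a good signature from the expected key: decrypting
// alone says nothing about who produced the message.
function decryptAndVerify(string $armored, string $expectedSignerFpr): string
{
    $gpg = gpgContext();
    gnupg_adddecryptkey($gpg, RECIPIENT_FPR, '');     // passphrase handled by gpg-agent
    $plaintext  = '';
    $signatures = gnupg_decryptverify($gpg, $armored, $plaintext);
    foreach ($signatures as $sig) {
        // status 0 means gpgme reported no error for this signature (a bad
        // signature gives a non-zero status). Compare the full fingerprint,
        // never a short key ID, which can be collided.
        if ($sig['status'] === 0 && hash_equals($expectedSignerFpr, $sig['fingerprint'])) {
            return $plaintext;
        }
    }
    throw new RuntimeException('message decrypted but carries no valid signature from the expected key');
}

$armored = encryptAndSign("wire transfer approved: 1200 EUR\n");
echo decryptAndVerify($armored, SIGNER_FPR);
```

A status of 0 says the signature is mathematically good; whether the key is trusted under your web of trust is a separate question answered by the GNUPG_SIGSUM_VALID bit of $sig['summary']. Pinning the expected fingerprint, as above, is usually the simpler policy for application code than relying on trust levels in the keyring.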

tagged: gnupg tutorial extension key message file crypt encrypt decrypt

Link:
