Looking for more information on how to do PHP the right way? Check out PHP: The Right Way

Is your database password stored safely?
Sep 08, 2015 @ 11:48:18

The Fortrabbit blog has a post that want to help you store your database password securely and away from prying attacker eyes. While they use the example of a a database password, credentials for just about any other service could be protected the same way.

How do you protect your access data? Your sensitive secrets, basically anything your PHP application uses to authenticate or authorize with other services such as databases, caches, cloud storages, image resize services, transactional mail providers. All of them. Where do you put this — easily accessible while in development and secure for production?

They start by pointing out a few places where they should not be stored: in your code, in a version control system or in an environment variable (plain text). Instead, they suggest using a combination of a secret key that's configured in the application and encrypted versions of the values in environment variables. Some code is included showing how to set this up in a Laravel-based application, but the principle can be applied independent of the framework too with some other simple tools. They end the post with some links to other articles including a "considered harmful" piece reinforcing their methods.

tagged: credential protection password database tutorial encryption environment variable

Link: http://blog.fortrabbit.com/how-to-keep-a-secret

Paragon Initiative:
Using Libsodium in PHP Projects
Sep 02, 2015 @ 13:25:18

The Paragon Initiative site has posted a new guide to helping you integrate libsodium into your application to provide additional cryptographic functionality in addition to things like mcrypt and crypt

You shouldn't need a Ph.D in Applied Cryptography to build a secure web application. Enter libsodium, which allows developers to develop fast, secure, and reliable applications without needing to know what a stream cipher even is.

After reading this brief electronic manual, you should know what libsodium is, what features it has, and how to install it (both the library and the PHP extension from PECL). [You should also] generally understand which cryptography tool to use for a specific scenario [and] be capable of writing production-quality code that uses libsodium.

The guide (still a work in progress) starts by explaining what libsodium is and what it has to offer over other encryption methods. It talks about the role of random data in encryption, a few basic crypto concepts (like key-based encryption and hashing) and finally gets into some of the more advanced features of the libsodium extension.

Additionally, the guide is also open source so if you'd like to contribute, just submit a pull request for consideration.

tagged: paragoninitiative libsodium guide introduction advanced encryption

Link: https://paragonie.com/book/pecl-libsodium

Paragon Initiative:
You Wouldn't Base64 a Password - Cryptography Decoded
Aug 10, 2015 @ 12:33:43

The Paragon Initiative has posted an article about cryptography, introducing some of the basic concepts and explaining why "you wouldn't base64 a password" to adequately protect it in your application.

If you feel that cryptography is a weird, complicated, and slightly intimidating subject for which your feelings might be best described as lukewarm (on a good day), we hope that by the time you finish reading this page, you will have a clear understanding of the terms and concepts people use when this topic comes up.

He starts with some of the basics around hashing (keyless cryptography) and the advantages/disadvantages of the method. He moves from there a step up and gets into secret key cryptography, using things like HMAC hashing to ensure message validity. The next move up is to secret key encryption, using some kind of "secret" as a part of the encryption process along with the right algorithm and mode for the encryption level desired. He also covers authenticated key encryption, public key encryption, shared secrets and digital signatures. He ends the post covering some of the common pitfalls of using cryptography in things like password storage, file verification and a reminder that encoding (like base64 encoding) and compression aren't encryption.

tagged: encryption introduction cryptography base64 decoded tutorial hashing

Link: https://paragonie.com/blog/2015/08/you-wouldnt-base64-a-password-cryptography-decoded

Timoh's Blog:
PHP data encryption cheatsheet
Jun 17, 2014 @ 10:52:44

Timoh has published a data encryption cheatsheet to his blog today. It's "a short guide" to help you prevent some of the more common encryption-related problems in your application, specifically around symmetric data encryption.

This cheatsheet assumes a “client-server” situation, which is probably a typical case with PHP applications. Naturally the recommendations given here are not the “only possible way” to handle data encryption in PHP, but this cheatsheet aims to be straightforward and tries to leave less room for mistakes and (possibly confusing) choices.

The cheatsheet includes information on topics like:

  • Encryption algorithm / mode of operation / nonce (initializing vector)
  • Encryption and authentication keys
  • Key stretching
  • Key storage and management
  • Data compression

It's jam-packed full of great information, so definitely check it out if you're doing any kind of encryption in PHP.

tagged: data encryption cheatsheet common mistakes

Link: https://timoh6.github.io/2014/06/16/PHP-data-encryption-cheatsheet.html

Edd Mann:
Securing Sessions in PHP
Apr 09, 2014 @ 12:14:23

In his most recent post Edd Mann shows you how to secure your session in PHP applications via a custom SessionHandler class and a bit of encryption. For those interested in the full code right away, check out this gist over on Github.

Following on from my previous post on Self-signed SSL certificates, I would now like to address the second most common Web application vulnerability (Broken Authentication and Session Management). When delving into the subject I was unable to find a definitive resource for an PHP implementation. Due to this, I set out to combine all the best practice I could find into a single Session handler, to help protect against the common attack vectors. Since PHP 5.4, you are able to set the Session handler based on a class instance that extends the default 'SessionHandler' class.

He walks through the code talking about some of the functionality it offers, how it encrypts the data and integrates expiration and validation (fingerprinting). There's also an interesting set of methods (get and set) to access values in the current session. One thing to note, this example is only for PHP 5.4 and above as it makes use of the newer SessionHandler interface.

tagged: secure session encryption sessionhandler tutorial

Link: http://eddmann.com/posts/securing-sessions-in-php

SitePoint PHP Blog:
Risks and Challenges of Password Hashing
Mar 11, 2014 @ 09:31:45

The SitePoint PHP blog has a new post today about the challenges of password hashing and some of the common risks that can come with it. It's a continuation of a previous article about the actual techniques for hashing in PHP.

The fact that the output of a hash function cannot be reverted back to the input using an efficient algorithm does not mean that it cannot be cracked. Databases containing hashes of common words and short strings are usually within our reach with a simple google search. Also, common strings can be easily and quickly brute-forced or cracked with a dictionary attack.

He points to a video demonstrating a method for getting the password data and why just salted hashes aren't a secure method for storing this information. He mentions a "randomness issue" (and PHP's rand function). Instead, he shows an example with openssl_random_pseudo_bytes o pull a chunk of randomized data. He then talks some about password stretching using the PBKDF2 handling in PHP. Finally, he goes past the hashing and gets into encryption, mentioning "password tweaking" as an alternative to generating a single key for every user.

tagged: password hashing encryption challenge risk tutorial

Link: http://www.sitepoint.com/risks-challenges-password-hashing/

Hasin Hayder:
Create personalized phar files in PHP
Jan 15, 2014 @ 09:32:42

Hasin Hayder has a quick post talking about the creation of personalized phar files (packaged up PHP applications) using the Box Project tool.

Created a screencast to show how you can create phar files, most importantly personalized phar files to store some information inside it and protect it using user’s password. Those information is usable only when user providers a correct password. For packaging, I have used http://box-project.org which is an excellent phar packager. I’ve also used two functions from Josh Hartman’s blog to encrypt and decrypt data using Rijndael algorithm.

You can watch the full screencast over on YouTube. It walks you through the entire process of creating a simple script, using the two functions (mc_encrypt and mc_decrypt) to handle the encryption and defining the Box configuration JSON to create the package.

tagged: phar file tutorial screencast boxproject encryption password

Link: http://hasin.me/2014/01/14/create-personalized-phar-files-in-php

Anthony Ferrara:
Programming With Anthony - Encryption
Nov 29, 2012 @ 12:51:01

Anthony Ferrara has posted his second video tutorial to his site today introducing encryption for those not familiar with it. (The first video is here, "Paradigm Soup")

Encryption can be a complex beast of mathematical operations. In this video, we explore the evolution of modern cryptography and some of the basic underlying principles that it uses to keep data secure.

You can watch it in-page or head over to YouTube for the larger version. You can also follow his playlist to keep up with his future videos.

tagged: video tutorial encryption introduction series


Timoh's Pages:
Cryptography in web applications: a false sense of security?
Aug 22, 2012 @ 12:11:11

Timo has a new post looking at cryptography in PHP and some of the common misconceptions and how that functionality that your framework provides might not be good enough.

Does your framework of choice offer an easy way to perform data encryption? Maybe you have even utilized data encryption in some format. [...] It could not be much easier than that. It is hard to argue. But things won’t stay as simple as this if you look at the meaning of “secure data encryption” a little bit closer. Usually people encrypt their data to make sure the data will stay safe. What does this actually mean? Simply put, it means your data stays secret as long as the secret key stays secret. No matter if an active attack is going on and the adversary can read your encrypted data.

He looks at why, by itself, encryption isn't that useful - it's only when its applied. He also covers some of the basic questions to ask when working with things like HMAC hashing and ciphertext malleability. He talks about random number/string generation for IVs, encryption keys and what you can do to help make your encryption more secure in its implementation.

tagged: cryptography security encryption application


Smashing Magazine:
Replicating MySQL AES Encryption Methods With PHP
May 30, 2012 @ 08:43:04

On the Smashing Magazine site today there's a new tutorial showing you how to replace your MySQL encryption methods for AES with their PHP equivalent.

At our company, we process a lot of requests on the leading gift cards and coupons websites in the world. The senior developers had a meeting in late October to discuss working on a solution to replicate the MySQL functions of AES_ENCRYPT and AES_DECRYPT in the language of PHP. This article centers on what was produced by senior developer Derek Woods and how to use it in your own applications.

He starts with a little bit of backstory - why to even bother using encryption, what AES encryption is and why you should probably avoid using the MySQL implementation of it in your apps. PHP's mcrypt functions don't return the same hashes as their MySQL counterparts (he includes the "why" of this) and includes some quick code to replicate the MySQL behavior. He also mentions some issues with the transformation, newlines and shows the source for their completed "aes_crypt" and "aes_decrypt" functions.

tagged: mysql aes encryption method tutorial