Looking for more information on how to do PHP the right way? Check out PHP: The Right Way

Three Devs & A Maybe:
Symmetric and Asymmetric Encryption with Scott Arciszewski
Feb 07, 2018 @ 10:58:16

In the latest episode of the Three Devs and a Maybe podcast, hosted by Michael Budd, Fraser Hart, Lewis Cains and Edd Mann, they welcome back a guest for another round of security discussions: Scott Arciszewski around symmetric and asymmetric encryption.

In this weeks episode we are lucky to be joined again by Scott Arciszewski. We start off the show by discussing the difference between Symmetric and Asymmetric Encryption, what Authenticated Encryption is and how secret-keys are exchanged using Diffie-Hellman. From here, we move on to highlight how Elliptic-curve cryptography works, what DNSCrypt is and why prime numbers are so important in cryptography. Finally, we touch upon multi-factor authentication, how one time passwords work, SMS vulnerabilities and how to manage password recovery.

There's a wide range of security and cryptography related topics mentioned and linked in the post. You can listen to this latest show either using the in-page audio player or by downloading the mp3 directly. If you enjoy the episode, be sure to subscribe to their feed and follow them on Twitter to get updates when new shows are released.

tagged: threedevsandamaybe podcast scottarciszewski security cryptography encryption

Link: http://threedevsandamaybe.com/symmetric-and-asymmetric-encryption-with-scott-arciszewski/

php[architect]:
Security Corner: PHP, meet Libsodium
Jan 22, 2018 @ 11:02:33

On the php[architect] site they've posted an article that appeared in their December 2017 issue, an article that introduces Libsodium (by Eric Mann), a new addition to PHP's "security toolbelt" for encryption.

By the time you read this, the PHP community should have introduced the world to the newest version of our favorite language. This latest version adds better support for type annotations, allows trailing commas in lists (just like JavaScript and other dynamic languages) and introduced several security improvements. The most notable security addition, however, is the introduction of the Sodium cryptographic library as a core extension.

In the article he covers the basics of the Sodium library (that libsodium is built on top of) and what makes it different from other encryption methods. He also talks about what's been done to support it on pre-PHP 7.2 versions including the sodium_compat polyfill library and the PECL extension for PHP 7.0+. Example code is included showing how to use this new functionality via native functions once support for it has been compiled in.

tagged: phparchitect magazine securitycorner introduction libsodium encryption

Link: https://www.phparch.com/2017/12/security-corner-php-meet-libsodium/

AWS Developer Blog:
Using the Multipart Uploader with Client-Side Encryption for Amazon S3 in the AW
Dec 26, 2017 @ 10:22:18

On the AWS PHP SDK blog there's a new tutorial posted showing you how to use the multipart uploader with client-side encryption via the library.

The AWS SDK for PHP released support for multipart uploads with client-side encryption in version 3.48.0 via the S3EncryptionMultipartUploader. With client-side encryption, data is encrypted and decrypted directly in your environment. This means that this data is encrypted before it’s transferred to Amazon S3, and you don’t rely on an external service to handle encryption for you.

Multipart uploads are designed to improve the upload experience for larger objects. With it, you can upload objects via parts that can be uploaded independently, in any order, and in parallel. You can use a multipart upload for objects from 5 MB to 5 TB in size.

The article then starts you off with the requirements you'll need to follow along and some sample code to get the client up and running. The code then shows how to perform the file upload, making use of a file stream (via fopen) to pull in the contents of the file. The tutorial finishes by describing some of the other fields that can be used with the client and links to other SDKs that support this same functionality in other languages.

tagged: multipart uploader clientside encryption tutorial sdk aws

Link: https://aws.amazon.com/blogs/developer/using-the-multipart-uploader-with-client-side-encryption-for-amazon-s3-in-the-aws-sdk-for-php/

SitePoint PHP Blog:
How to Search on Securely Encrypted Database Fields
Jun 02, 2017 @ 12:53:59

On the SitePoint PHP blog today they've reposted an article that was originally posted on the ParagonIE blog about searching encrypted information in database fields from author Scott Arciszewski.

This question shows up from time to time in open source encryption libraries’ bug trackers. This was one of the “weird problems” covered in my talk at B-Sides Orlando (titled Building Defensible Solutions to Weird Problems), and we’ve previously dedicated a small section to it in one of our white papers.

You know how to search database fields, but the question is, How do we securely encrypt database fields but still use these fields in search queries?

Our secure solution is rather straightforward, but the path between most teams asking that question and discovering our straightforward solution is fraught with peril: bad designs, academic research projects, misleading marketing, and poor threat modeling.

They start off with some of the examples of bad ways to perform the searching of encrypted information, mostly around either using poor encryption levels or custom created encryption solutions. With those out of the way, the tutorial moves on to their recommended method: using an authenticated encryption scheme (libsodium) and blind indexing. The key to the method is to use a secondary column for the actual searching process, encrypting the value provided and running the search against that, not the encrypted value itself. The article then covers two questions that need to be asked before putting this method to use. The article ends with a method to enhance the previous searching to allow for "fuzzier" searching through the generation of some additional index values in a joined table.

tagged: search security encryption database field tutorial libsodium

Link: https://www.sitepoint.com/how-to-search-on-securely-encrypted-database-fields/

PHP Roundtable:
054: Security: Encryption, Hashing and PHP
Nov 07, 2016 @ 11:16:47

The PHP Roundtable podcast, hosted by Sammy Powers, has posted their latest episode covering Security: Encryption, Hashing and PHP. This time Sammy is joined by guests Scott Arciszewski, Chris Riley and Chris Cornutt.

We chat about security in the the PHP community, encryption & hashing in PHP and a new-hotness crypto library called libsodium.

You can catch this latest episode in a few different ways: either using the in-page audio or video player or you can watch it directly over on YouTube. If you enjoy the show, be sure to subscribe to their feed and follow them on Twitter for updates when new shows are being recorded and released.

tagged: phproundtable podcast video security encryption hashing sammypowers

Link: https://www.phproundtable.com/episode/security-encryption-hashing-and-php

Zend Framework Blog:
End-to-end encryption with Zend Framework 3
Aug 22, 2016 @ 11:56:35

With the recent release of the latest version of the zend-crypt package, the Zend Framework has announced that it's possible to use it to create end-to-end encryption in your applications (Zend Framework based or not).

Recently, we released zend-crypt 3.1.0, the cryptographic component from Zend Framework. This last version includes a hybrid cryptosystem, a feature that can be used to implement end-to-end encryption schema in PHP.

A hybrid cryptosystem is a cryptographic mechanism that uses symmetric encryption (e.g. AES) to encrypt a message, and public-key cryptography (e.g. RSA) to protect the encryption key. This methodology guarantee two advantages: the speed of a symmetric algorithm and the security of public-key cryptography.

He starts with a brief overview of how the system works and the flow of the request/response messaging. With this base in place, he gets into the code required to perform the encryption, first generating the keys needed for the encryption (and why he chose the mode/cypher he did for each). Then, using these keys, he shows how to use zend-crypt and its "Hybrid" handling to encrypt and decrypt a simple message. He also shows how to encrypt the contents of a file using a password.

tagged: endtoend encryption zendcrypt zendframework encryption tutorial string file

Link: https://framework.zend.com/blog/2016-08-19-end-to-end-encryption.html

Zend Framework Blog:
End-to-end encryption with Zend Framework 3
Aug 22, 2016 @ 11:56:35

With the recent release of the latest version of the zend-crypt package, the Zend Framework has announced that it's possible to use it to create end-to-end encryption in your applications (Zend Framework based or not).

Recently, we released zend-crypt 3.1.0, the cryptographic component from Zend Framework. This last version includes a hybrid cryptosystem, a feature that can be used to implement end-to-end encryption schema in PHP.

A hybrid cryptosystem is a cryptographic mechanism that uses symmetric encryption (e.g. AES) to encrypt a message, and public-key cryptography (e.g. RSA) to protect the encryption key. This methodology guarantee two advantages: the speed of a symmetric algorithm and the security of public-key cryptography.

He starts with a brief overview of how the system works and the flow of the request/response messaging. With this base in place, he gets into the code required to perform the encryption, first generating the keys needed for the encryption (and why he chose the mode/cypher he did for each). Then, using these keys, he shows how to use zend-crypt and its "Hybrid" handling to encrypt and decrypt a simple message. He also shows how to encrypt the contents of a file using a password.

tagged: endtoend encryption zendcrypt zendframework encryption tutorial string file

Link: https://framework.zend.com/blog/2016-08-19-end-to-end-encryption.html

SitePoint PHP Blog:
Using Halite for Privacy and Two-Way Encryption of Emails
Jun 23, 2016 @ 11:18:17

On the SitePoint PHP blog there's a new tutorial posted showing you how to use the Halite package to encrypt the contents of emails. The Halite library sits on top of the libsodium functionality to provide tested, hardened cryptographic results.

Cryptography is a complex matter. In fact, there is one golden rule: "Don’t implement cryptography yourself." The reason for this is that so many things can go wrong while implementing it, the slightest error can generate a vulnerability and if you look away, your precious data can be read by someone else.

[...] Some libraries out there implement cryptography primitives and operations, and leave a lot of decisions to the developer. [...] Nevertheless, there is one library that stands out from the rest for its simplicity and takes a lot of responsibility from the developer on the best practices, in addition to using the libsodium library. In this article we are going to explore Halite.

The tutorial then starts of helping you get the libsodium package installed on your system (assuming it's unix-based). They then start on the sample application - a basic "email" client able to send/receive messages between users. They set up RESTful endpoints to get the messages, use the Doctrine ORM for a database interface and show the use of the Halite Crypto class to encrypt/decrypt the message contents.

tagged: halite privacy twoway encryption email message tutorial libsodium

Link: https://www.sitepoint.com/using-halite-for-privacy-and-two-way-encryption-of-emails/

Fortrabbit.com:
Is your database password stored safely?
Sep 08, 2015 @ 11:48:18

The Fortrabbit blog has a post that want to help you store your database password securely and away from prying attacker eyes. While they use the example of a a database password, credentials for just about any other service could be protected the same way.

How do you protect your access data? Your sensitive secrets, basically anything your PHP application uses to authenticate or authorize with other services such as databases, caches, cloud storages, image resize services, transactional mail providers. All of them. Where do you put this — easily accessible while in development and secure for production?

They start by pointing out a few places where they should not be stored: in your code, in a version control system or in an environment variable (plain text). Instead, they suggest using a combination of a secret key that's configured in the application and encrypted versions of the values in environment variables. Some code is included showing how to set this up in a Laravel-based application, but the principle can be applied independent of the framework too with some other simple tools. They end the post with some links to other articles including a "considered harmful" piece reinforcing their methods.

tagged: credential protection password database tutorial encryption environment variable

Link: http://blog.fortrabbit.com/how-to-keep-a-secret

Paragon Initiative:
Using Libsodium in PHP Projects
Sep 02, 2015 @ 13:25:18

The Paragon Initiative site has posted a new guide to helping you integrate libsodium into your application to provide additional cryptographic functionality in addition to things like mcrypt and crypt

You shouldn't need a Ph.D in Applied Cryptography to build a secure web application. Enter libsodium, which allows developers to develop fast, secure, and reliable applications without needing to know what a stream cipher even is.

After reading this brief electronic manual, you should know what libsodium is, what features it has, and how to install it (both the library and the PHP extension from PECL). [You should also] generally understand which cryptography tool to use for a specific scenario [and] be capable of writing production-quality code that uses libsodium.

The guide (still a work in progress) starts by explaining what libsodium is and what it has to offer over other encryption methods. It talks about the role of random data in encryption, a few basic crypto concepts (like key-based encryption and hashing) and finally gets into some of the more advanced features of the libsodium extension.

Additionally, the guide is also open source so if you'd like to contribute, just submit a pull request for consideration.

tagged: paragoninitiative libsodium guide introduction advanced encryption

Link: https://paragonie.com/book/pecl-libsodium