Looking for more information on how to do PHP the right way? Check out PHP: The Right Way

PHP 7.2: The First Programming Language to Add Modern Cryptography to its Standard Library
Feb 14, 2017 @ 12:10:29

In this post to the dev.to site Scott Arciszewski talks about a milestone in the PHP language, it being the first language to "add modern cryptography to its standard library" (PHP 7.2).

Last week, the voting phase closed on an RFC to add libsodium to PHP 7.2. The result was unanimous (37 in favor, 0 against).

When version 7.2 releases at the end of the year, PHP will be the first programming language to adopt modern cryptography in its standard library.

He goes on to talk about what "modern cryptography" is describing concepts like secure primitives and showing example of the high-level API the integration will provide. The post finishes out with a rebuttal against some of the nay-sayers around PHP and its reputation for security. They say that there's "no way PHP is more secure than " so Scott compares this libsodium addition to some of the features in other languages and where they're lacking in relation.

tagged: programming language cryptography standard library libsodium php72

Link: https://dev.to/paragonie/php-72-the-first-programming-language-to-add-modern-cryptography-to-its-standard-library

SitePoint PHP Blog:
Using Halite for Privacy and Two-Way Encryption of Emails
Jun 23, 2016 @ 11:18:17

On the SitePoint PHP blog there's a new tutorial posted showing you how to use the Halite package to encrypt the contents of emails. The Halite library sits on top of the libsodium functionality to provide tested, hardened cryptographic results.

Cryptography is a complex matter. In fact, there is one golden rule: "Don’t implement cryptography yourself." The reason for this is that so many things can go wrong while implementing it, the slightest error can generate a vulnerability and if you look away, your precious data can be read by someone else.

[...] Some libraries out there implement cryptography primitives and operations, and leave a lot of decisions to the developer. [...] Nevertheless, there is one library that stands out from the rest for its simplicity and takes a lot of responsibility from the developer on the best practices, in addition to using the libsodium library. In this article we are going to explore Halite.

The tutorial then starts of helping you get the libsodium package installed on your system (assuming it's unix-based). They then start on the sample application - a basic "email" client able to send/receive messages between users. They set up RESTful endpoints to get the messages, use the Doctrine ORM for a database interface and show the use of the Halite Crypto class to encrypt/decrypt the message contents.

tagged: halite privacy twoway encryption email message tutorial libsodium

Link: https://www.sitepoint.com/using-halite-for-privacy-and-two-way-encryption-of-emails/

Paragon Initiative:
Solve All Your Cryptography Problems in 3 Easy Steps
May 12, 2016 @ 11:55:55

On the Paragon Initiative site there's a new post that promises a way to solve all of your cryptography problems in PHP with three simple steps.

Last year, we began developing Halite, a FOSS high-level wrapper for the PHP bindings to libsodium. We use Halite extensively in our own projects (including our upcoming CMS which has quite a few of its own innovative cryptography features baked-in).

As of version 2.1.0, we are confident that Halite solves all of the application-layer cryptography problems that most PHP developers face; and it does so in three easy steps. (For transport-layer cryptography, you should still use TLS, of course.)

Their three steps to effectively using Halite and libsodium in your application are:

  • Step One: Managing Cryptography Keys
  • Step Two: Encrypting or Authenticating with Halite
  • Step Three: Decrypt or Verify

Each step comes with example code showing how to use the tool to accomplish it. There's also a few other problems that are solved by using the library including generating encrypted password hashes and whole file cryptography.

tagged: cryptography problem halite libsodium steps keys authentication encrypt decrypt

Link: https://paragonie.com/blog/2016/05/solve-all-your-cryptography-problems-in-three-easy-steps-with-halite

Paragon Initiative:
One Login To Rule them All - Seamless and Secure Cross-Domain Authentication
Feb 24, 2016 @ 11:48:28

On the Paragon Initiative site they've posted a new tutorial sharing a method for creating "one login to rule them all" for your PHP-based applications. The goal is to make one system that can provides a single authentication point and secure credential storage.

Problem: You want to create a system whereby when a user authenticates to example.com, they're also automatically logged in at foo.com, bar.com, baz.com, and any other domains that you decide to add to the list at a later date. Okay, great, that seems straightforward, except there's a complication: The Same Origin Policy prevents you from getting/setting cookies on domains other than the one you control.

[...] Let's narrow it down a little bit further: Unlike a situation where e.g. "Login with Facebook" would be appropriate, you control all of the domains. They just happen to be different, so the Same Origin Policy kicks in. For simplicity, feel free to assume they're on the same server and application codebase, but you have a multi-site architecture in place where some of the sites have a different domain name.

Let's work around this limitation with as few moving parts as possible.

He then shoes how to use libsodium (via the Halite wrapper) to secure your credentials (passwords) and hooking it into a custom API endpoint that takes in a hex-encoded JSON string and a signature for the payload. He then expands this to provide "automatic login" handling making use of another endpoint to fetch an image to and log in the user by passing it the payload and signature values. He ends the post with a few security concerns around using this method and some things that it assumes are correct (and robust enough).

tagged: login single seamless crossdomain payload signature libsodium tutorial api

Link: https://paragonie.com/blog/2016/02/one-login-rule-them-all-seamless-and-secure-cross-domain-authentication

Paragon Initiative:
How to Safely Store a Password in 2016
Feb 16, 2016 @ 11:19:46

On the Paragon Initiative site they've posted a new article showing you how to safely store a password (in 2016) that discusses both the concepts around good password hashing and how to do it in several languages (including PHP).

The Problem: You want people to be able to create a unique user account, with a password, which they will use to access your application. How can you safely implement this feature?

He advises using libsodium for some of the best protection but points out that it's not widely supported yet. An alternative that is, however, is bcrypt (including PHP. He shows how to hash a password in:

  • PHP
  • Java
  • C# (.NET)
  • Ruby
  • Python
  • Node.js

Each of them is basically a one-line kind of change and doesn't require much effort on the developer's part to implement. He ends the post with a few FAQs around Argon2, PBKDF2 and why he's chosen to advise bcrypt over scrypt.

tagged: password hash libsodium advice bcrypt language tutorial

Link: https://paragonie.com/blog/2016/02/how-safely-store-password-in-2016

Paragon Initiative:
Let's Re-Think Security Trade-Offs
Dec 16, 2015 @ 12:38:08

On the Paragon Initiative blog there's a post that suggests changing your thinking about security trade-offs, those concessions we make every day in the development choices we make around the security of our applications versus other concerns.

The theory goes: You cannot have perfect security against all possible threats all the time for free. Usually, we expect our applications to incur a cost (usually in terms of CPU, memory, or electricity usage) in order to be secure. It seems logically correct that, if you need more security, your cost must therefore be higher.

Fortunately, this is not always true! Sometimes, given a choice between two solutions, the more secure option costs less than the insecure one.

The article points out that what we think might be a "fair tradeoff" between two choices may only look as much on the surface. They give the example of random number generation and the speed involved in using the random functions versus the true CSPRNG in PHP 7 (or the compatibility library). The article also points out that even those in the security industry make these same kinds of decisions. Essentially they lesson they're trying to suggest is that trade offs in security are usually based on the wrong assumptions or a limited knowledge of the technologies offered.

And if you reach the point where you have to make a choice between a secure option and an insecure option that might be better by some other metric, make sure you actually document and measure this trade-off. You might find that the benefit of the insecure choice is negligible, and that you therefore should opt for security.
tagged: security tradeoff performance unfair expert libsodium assumption

Link: https://paragonie.com/blog/2015/12/let-s-re-think-security-trade-offs

Paragon Initiative:
Choosing the Right Cryptography Library for your PHP Project: A Guide
Nov 16, 2015 @ 12:19:16

On the Paragon Initiative blog there's a new article posted that wants to help you pick the right cryptography library for your project and your needs. In it they make several recommendations and the benefits of each.

Cryptography is not magic. Adding encryption to an application doesn't automatically make it secure against attackers (especially if you aren't authenticating your ciphertext). But if you do need it to satisfy a business need, conventional wisdom states that you almost certainly should not try to design your own cryptography. Instead, you should use an existing cryptography library.

Okay, great. So which PHP cryptography library should I use? That depends on your exact requirements. Let's look at some good choices. (We won't cover any terrible choices.)

The three libraries they recommend are: Halite, the Libsodium library, the Defuse Security PHP Encryption library and the PHPSecLib library. For each they make some recommendations on places they may be most effective and how it using them relates to passwords (hint, hashing over encryption).

tagged: cryptography library choice hailite libsodium phpencryption phpseclib password

Link: https://paragonie.com/blog/2015/11/choosing-right-cryptography-library-for-your-php-project-guide

Paragon Initiative:
Using Libsodium in PHP Projects
Sep 02, 2015 @ 13:25:18

The Paragon Initiative site has posted a new guide to helping you integrate libsodium into your application to provide additional cryptographic functionality in addition to things like mcrypt and crypt

You shouldn't need a Ph.D in Applied Cryptography to build a secure web application. Enter libsodium, which allows developers to develop fast, secure, and reliable applications without needing to know what a stream cipher even is.

After reading this brief electronic manual, you should know what libsodium is, what features it has, and how to install it (both the library and the PHP extension from PECL). [You should also] generally understand which cryptography tool to use for a specific scenario [and] be capable of writing production-quality code that uses libsodium.

The guide (still a work in progress) starts by explaining what libsodium is and what it has to offer over other encryption methods. It talks about the role of random data in encryption, a few basic crypto concepts (like key-based encryption and hashing) and finally gets into some of the more advanced features of the libsodium extension.

Additionally, the guide is also open source so if you'd like to contribute, just submit a pull request for consideration.

tagged: paragoninitiative libsodium guide introduction advanced encryption

Link: https://paragonie.com/book/pecl-libsodium

Paragon Initiative:
Secure Data Encryption in Web Applications with PHP
Aug 03, 2015 @ 10:58:47

The Paragon Initiative has posted a new white paper to their site covering secure data encryption in web applications written in PHP. The paper covers high level topics and offers some more practical suggestions about tools and guides to use in protecting your applications.

Encrypting network communications is absolutely essential to the security of anyone who wishes to use your website or application. The standard and most reliable form of network encryption is called Transport Layer Security (TLS), which was preceded by and older standard called Secure Socket Layer (SSL).

Websites that use SSL or TLS are accessible by typing https://domain.com into your browser instead of just http://domain.com. Consequently, the shorthand way to refer to HTTP over TLS is simply HTTPS. Contrasted with network cryptography, storing sensitive information is a much more challenging and interesting problem to solve, and is the focus of this paper.

Among the topics covered in the white paper are things like:

  • The flow of a HTTPS request (and if it's "fast" or not)
  • Secure password storage and handling
  • On-demand encryption/decryption
  • Cryptography library recommendations
  • Using asymmetric cryptography with public and private keys

They also point to this curated list of resources to help you learn more about general web application security including cryptography.

tagged: secure application cryptography https password library libsodium resources

Link: https://paragonie.com/white-paper/2015-secure-php-data-encryption