SlideShare ist ein Scribd-Unternehmen logo

PHP Identity and Data Security

Jonathan LeBlanc
Jonathan LeBlanc

This document provides an overview of password and data security best practices for PHP applications. It discusses common password attacks and how to protect against them using techniques like salting, key stretching algorithms and two-factor authentication. It also covers encrypting data using symmetric and asymmetric cryptography algorithms like AES, RSA and digital signatures. The document provides code examples for hashing and validating passwords, encrypting and decrypting messages and data at rest or in transit.

Technologie
1 von 41
Downloaden Sie, um offline zu lesen
PHP Identity and Data Security! Jonathan LeBlanc ! Twitter: @jcleblanc ! Book: http://bit.ly/iddatasecurity!
Release Date:! July 2016! ! Book Details:! http://bit.ly/iddatasecurity! Identity & Data Security Book!
Security is Hard!
1: 123456 ! 2: password ! 3: 12345678 ! 4: qwerty ! 5: 12345 ! 6: 123456789! 7: football! 8: 1234! 9: 1234567! Top Passwords of 2015! 10: baseball! 11: welcome! 12: 1234567890! 13: abc123! 14: 111111! 15: 1qaz2wsx! 16: dragon! 17: master! 18: monkey! 19: letmein! 20: login! 21: princess! 22: qwertyuiop! 23: solo! 24: passw0rd! 25: starwars!
Protecting Identity!
Password Attack Vectors!
Brute Force Attacks! Calculate all key variations within a given length, then trying each one until the password is guessed. ! Protect via: Key stretching, CAPTCHA, 2FA! ! Dictionary Attacks! Use a list of predetermined words/phrase to guess password.! Protect via: Salting! ! Rainbow Tables! Use precalculated password hashes to break encryption.! Protect via: Salting ! Protecting Against Password Attacks!
Salting and Peppering!
//hashing identical messages with no salt! hash('mechagodzilla') = ! 162e0a91026a28f1f2afa11099d1fcbdd9f2e351095ebb196c90e10290ef1227! hash('mechagodzilla') = ! 162e0a91026a28f1f2afa11099d1fcbdd9f2e351095ebb196c90e10290ef1227! ! //hashing identical messages with random salt! hash('mechagodzilla' + '458cf2979ef27397db67077775225334') = ! f3499a916612e285612b32702114751f557a70606c32b54b92de55153d40d3b6! hash('mechagodzilla' + 'ef5b72eff781b09a0784438af742dd6e') = ! 7e29c5c48f44755598dec3549155ad66f1af4671091353be4c4d7694d71dc866! hash('mechagodzilla' + 'cc989b105a1c6a5f0fb460e29dd272f3') = ! 6dedd3dbb0639e6e00ca0bf6272c141fb741e24925cb7548491479a1df2c215e! Hashing with and without salts!
Storing Salts! Store alongside the hash! ! Salt Reuse! Salts should be be unique per password! ! Salt Length! Same size as hash? 64 bits? 128 bits?! Considerations when using Salts!
bcrypt! Designed for password security, based on the blowfish cipher, CPU & RAM intensive.! ! PBKDF2! Comes from RSA laboratories, performs the HMAC (hash + key) over a specific number of iterations.! ! scrypt! Designed to make it costly to perform large-scale hardware attacks by requiring large amounts of memory! Password Encryption Algorithms!
! //fetch password from user creation request! $password = $_POST['password'];! ! //salt option deprecated in PHP 7.0.0+! $options = [! 'cost' => 12! ];! ! //create 60 character hash, with default unique salt, and options ! $hash = password_hash($password, PASSWORD_BCRYPT, $options);! ! //STORE HASH IN USER DATABASE RECORD! //SALT IS BUILT INTO HASH! Hashing with bcrypt!
//fetch login request information! $username = $_POST['username'];! $password = $_POST['password'];! ! //fetch user record from database! $user = fetchDBRecord($username);! ! //verify if login attempt password matches stored user hash! if (password_verify($password, $user->hash)){! echo "password matches";! } else {! echo "password doesn't match";! }! Login Hash Comparison with bcrypt!
! ! //fetch password from user creation request! $password = $_POST['password'];! ! //set iterations and random initialization vector! $iterations = 1000;! $salt = mcrypt_create_iv(16, MCRYPT_DEV_URANDOM);! ! //hash password using sha256! $hash = hash_pbkdf2("sha256", $password, $salt, $iterations, 20);! ! //STORE HASH AND SALT IN USER DATABASE RECORD! Hashing with PBKDF2!
! //fetch login request info and set iterations! $username = $_POST['username'];! $password = $_POST['password'];! $iterations = 1000;! ! //fetch user record from database! $user = fetchDBRecord($username);! ! //manually hash the login attempt password! $loginhash = hash_pbkdf2("sha256", $password, $user->salt, $iterations, 20);! ! //validate if hashes match! if (hash_equals ($loginhash, $user->hash)){ ! echo 'password match';! } else {! echo 'password mismatch';! }! ! Login Hash Comparison with PBKDF2!
Protecting Data!
Ideal Scenario: SSL/TLS!
Domain Validation (DV)! Certificate authority (CA) validates domain access only! Certificate Types!
Organization Validation (OV)! ! CA validates DV and basic organization information! Certificate Types!
Extended Validation (EV)! CA validates DV, OV, and legal existance of the organization! Certificate Types!
//generate private key and self-signed certificate valid for 1 year! openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout server.key -out server.crt! Generate your self-signed certificate and private key!
//update httpd.conf file to enable SSL (uncomment the following)! #LoadModule ssl_module libexec/apache2/mod_ssl.so! #Include /private/etc/apache2/extra/httpd-ssl.conf! ! //update httpd-ssl.conf file for CRT location! SSLCertificateFile "/private/etc/apache2/server.crt"! ! //copy crt and private key files to above location! cp server.crt server.key /private/etc/apache2/! Configuring SSL capabilities and setting certificates on Apache server!
<VirtualHost *:443>! #general virtual hosts information! DocumentRoot "/Users/jleblanc/localhost/ssltest"! ServerName ssltest! ErrorLog "/private/var/log/apache2/local.example.com-error_log"! CustomLog "/private/var/log/apache2/local.example.com-access_log" common! ! #SSL details! SSLEngine on! SSLCertificateFile "/private/etc/apache2/server.crt”! SSLCertificateKeyFile "/private/etc/apache2/server.key"! ! #SSL engine options! <FilesMatch ".(cgi|shtml|phtml|php)$">! SSLOptions +StdEnvVars! </FilesMatch>! <Directory "/Library/WebServer/CGI-Executables">! SSLOptions +StdEnvVars! </Directory>! </VirtualHost>! Update httpd-vhosts.conf!
Synchronous Cryptography!
Single User Environment!
Encryption (ECB, CBC, OFB, CFB, CTR)! Data privacy and confidentiality mode. Attacker cannot obtain info on the plaintext data.! ! Authentication(CMAC)! Data authenticity mode. Receiver can validate whether cleartext came from intended sender.! ! Authenticated Encryption (CCM, GCM, KW/KWP/TKW)! Includes both data privacy and authenticity.! Modes of Operation!
//set initialization data! $numbytes = 16;! $strongcrypto = true;! $mode = 'aes-256-cbc';! $message = 'my secure message';! ! //creation initialization vector and shared private key! $iv = openssl_random_pseudo_bytes($numbytes, $strongcrypto);! $key = openssl_random_pseudo_bytes($numbytes, $strongcrypto);! ! //create ciphertext with no options! $ciphertext = openssl_encrypt($message, $mode, $key, 0, $iv);! Configuring and encrypting message!
//----! // data sent to server: iv, ciphertext! // data known by server: key! //----! ! //set algorithm and mode! $mode = 'aes-256-cbc’;! ! //decrypt provided cipher! $decrypted = openssl_decrypt($ciphertext, $mode, $key, 0, $iv);! Decrypting ciphertext!
//display block ciphers and modes! print_r(openssl_get_cipher_methods());! Getting all available ciphers and modes !
Asynchronous Cryptography!
Multi-User Environment!
//create private key in private.key! openssl genrsa -out private.key 2048! ! //create public key in public.pem! openssl rsa -in private.key -outform PEM -pubout -out public.pem! Generating Public / Private Keys!
//set public key data from files and object to send! $public_key = openssl_get_publickey(file_get_contents('public.pem'));! $data = '{"message": "my super secure message"}';! ! //encrypt object and public keys! openssl_seal($data, $encrypted, $encpub, array($public_key));! ! //encrypted data and encrypted public key! $sealed_data = base64_encode($encrypted);! $envelope = base64_encode($encpub[0]);! ! //SEND SEALED DATA AND ENVELOPE TO RECIPIENT! Preparing Message, Encrypting, and Signing!
//OBTAIN SEALED DATA AND ENVELOPE FROM SENDER! ! //set private key data! $private_key = openssl_get_privatekey(file_get_contents('private.key'));! ! //decode data! $sealed_data = base64_decode($sealed_data);! $envelope = base64_decode($envelope);! ! //rypt data using private key! openssl_open($sealed_data, $plaintext, $envelope, $private_key);! ! //decrypted message available in $plaintext! Decrypting and Verifying Message!
Security Fundamentals Wrapup!
Thank You!! Jonathan LeBlanc ! Twitter: @jcleblanc ! Book: http://bit.ly/iddatasecurity!

Empfohlen

Node.js Authentication and Data Security
Node.js Authentication and Data SecurityNode.js Authentication and Data Security
Node.js Authentication and Data SecurityJonathan LeBlanc
 
Secure Payments Over Mixed Communication Media
Secure Payments Over Mixed Communication MediaSecure Payments Over Mixed Communication Media
Secure Payments Over Mixed Communication MediaJonathan LeBlanc
 
Secure Payments Over Mixed Communication Media
Secure Payments Over Mixed Communication MediaSecure Payments Over Mixed Communication Media
Secure Payments Over Mixed Communication MediaJonathan LeBlanc
 
Protecting the Future of Mobile Payments
Protecting the Future of Mobile PaymentsProtecting the Future of Mobile Payments
Protecting the Future of Mobile PaymentsJonathan LeBlanc
 
Token Based Authentication Systems
Token Based Authentication SystemsToken Based Authentication Systems
Token Based Authentication SystemsHüseyin BABAL
 
Mac OS X Lion で作る WordPress local 環境
Mac OS X Lion で作る WordPress local 環境Mac OS X Lion で作る WordPress local 環境
Mac OS X Lion で作る WordPress local 環境Yuriko IKEDA
 
I Don't Care About Security (And Neither Should You)
I Don't Care About Security (And Neither Should You)I Don't Care About Security (And Neither Should You)
I Don't Care About Security (And Neither Should You)Joel Lord
 
Token Based Authentication Systems with AngularJS & NodeJS
Token Based Authentication Systems with AngularJS & NodeJSToken Based Authentication Systems with AngularJS & NodeJS
Token Based Authentication Systems with AngularJS & NodeJSHüseyin BABAL
 

Empfohlen

Node.js Authentication and Data Security
Node.js Authentication and Data SecurityNode.js Authentication and Data Security
Node.js Authentication and Data SecurityJonathan LeBlanc
 
Secure Payments Over Mixed Communication Media
Secure Payments Over Mixed Communication MediaSecure Payments Over Mixed Communication Media
Secure Payments Over Mixed Communication MediaJonathan LeBlanc
 
Secure Payments Over Mixed Communication Media
Secure Payments Over Mixed Communication MediaSecure Payments Over Mixed Communication Media
Secure Payments Over Mixed Communication MediaJonathan LeBlanc
 
Protecting the Future of Mobile Payments
Protecting the Future of Mobile PaymentsProtecting the Future of Mobile Payments
Protecting the Future of Mobile PaymentsJonathan LeBlanc
 
Token Based Authentication Systems
Token Based Authentication SystemsToken Based Authentication Systems
Token Based Authentication SystemsHüseyin BABAL
 
Mac OS X Lion で作る WordPress local 環境
Mac OS X Lion で作る WordPress local 環境Mac OS X Lion で作る WordPress local 環境
Mac OS X Lion で作る WordPress local 環境Yuriko IKEDA
 
I Don't Care About Security (And Neither Should You)
I Don't Care About Security (And Neither Should You)I Don't Care About Security (And Neither Should You)
I Don't Care About Security (And Neither Should You)Joel Lord
 
Token Based Authentication Systems with AngularJS & NodeJS
Token Based Authentication Systems with AngularJS & NodeJSToken Based Authentication Systems with AngularJS & NodeJS
Token Based Authentication Systems with AngularJS & NodeJSHüseyin BABAL
 
Couchdb w Ruby'm
Couchdb w Ruby'mCouchdb w Ruby'm
Couchdb w Ruby'mStanisław Wasiutyński
 
I Don't Care About Security (And Neither Should You)
I Don't Care About Security (And Neither Should You)I Don't Care About Security (And Neither Should You)
I Don't Care About Security (And Neither Should You)Joel Lord
 
Redis
RedisRedis
RedisPuneet Kumar
 
Building Secure User Interfaces With JWTs (JSON Web Tokens)
Building Secure User Interfaces With JWTs (JSON Web Tokens)Building Secure User Interfaces With JWTs (JSON Web Tokens)
Building Secure User Interfaces With JWTs (JSON Web Tokens)Stormpath
 
PHP Experience 2016 - [Palestra] Json Web Token (JWT)
PHP Experience 2016 - [Palestra] Json Web Token (JWT)PHP Experience 2016 - [Palestra] Json Web Token (JWT)
PHP Experience 2016 - [Palestra] Json Web Token (JWT)iMasters
 
Modern API Security with JSON Web Tokens
Modern API Security with JSON Web TokensModern API Security with JSON Web Tokens
Modern API Security with JSON Web TokensJonathan LeBlanc
 
Automated Testing
Automated TestingAutomated Testing
Automated TestingSpeed FC
 
บท7
บท7บท7
บท7kiddy67
 
CGI.pm - 3ло?!
CGI.pm - 3ло?!CGI.pm - 3ло?!
CGI.pm - 3ло?!Anatoly Sharifulin
 
MongoDB: How it Works
MongoDB: How it WorksMongoDB: How it Works
MongoDB: How it WorksMike Dirolf
 
Talk NullByteCon 2015
Talk NullByteCon 2015Talk NullByteCon 2015
Talk NullByteCon 2015Roberto Soares
 
Django cryptography
Django cryptographyDjango cryptography
Django cryptographyErik LaBianca
 
JSOP in 60 seconds
JSOP in 60 secondsJSOP in 60 seconds
JSOP in 60 secondsDavid Nuescheler
 
JSON Web Tokens (JWT)
JSON Web Tokens (JWT)JSON Web Tokens (JWT)
JSON Web Tokens (JWT)Vladimir Dzhuvinov
 
F2e security
F2e securityF2e security
F2e securityjay li
 
Cookies
CookiesCookies
Cookiesamuthadeepa
 
Riak at The NYC Cloud Computing Meetup Group
Riak at The NYC Cloud Computing Meetup GroupRiak at The NYC Cloud Computing Meetup Group
Riak at The NYC Cloud Computing Meetup Groupsiculars
 
Password Storage And Attacking In PHP - PHP Argentina
Password Storage And Attacking In PHP - PHP ArgentinaPassword Storage And Attacking In PHP - PHP Argentina
Password Storage And Attacking In PHP - PHP ArgentinaAnthony Ferrara
 
Biting into the forbidden fruit. Lessons from trusting Javascript crypto.
Biting into the forbidden fruit. Lessons from trusting Javascript crypto.Biting into the forbidden fruit. Lessons from trusting Javascript crypto.
Biting into the forbidden fruit. Lessons from trusting Javascript crypto.Krzysztof Kotowicz
 
Cargo Cult Security at OpenWest
Cargo Cult Security at OpenWestCargo Cult Security at OpenWest
Cargo Cult Security at OpenWestDerrick Isaacson
 
Web security
Web securityWeb security
Web securitydavidahaskins
 
CIS14: I Left My JWT in San JOSE
CIS14: I Left My JWT in San JOSECIS14: I Left My JWT in San JOSE
CIS14: I Left My JWT in San JOSECloudIDSummit
 

Weitere ähnliche Inhalte

Was ist angesagt?

I Don't Care About Security (And Neither Should You)
I Don't Care About Security (And Neither Should You)I Don't Care About Security (And Neither Should You)
I Don't Care About Security (And Neither Should You)Joel Lord
 
Building Secure User Interfaces With JWTs (JSON Web Tokens)
Building Secure User Interfaces With JWTs (JSON Web Tokens)Building Secure User Interfaces With JWTs (JSON Web Tokens)
Building Secure User Interfaces With JWTs (JSON Web Tokens)Stormpath
 
PHP Experience 2016 - [Palestra] Json Web Token (JWT)
PHP Experience 2016 - [Palestra] Json Web Token (JWT)PHP Experience 2016 - [Palestra] Json Web Token (JWT)
PHP Experience 2016 - [Palestra] Json Web Token (JWT)iMasters
 
Modern API Security with JSON Web Tokens
Modern API Security with JSON Web TokensModern API Security with JSON Web Tokens
Modern API Security with JSON Web TokensJonathan LeBlanc
 
Automated Testing
Automated TestingAutomated Testing
Automated TestingSpeed FC
 
MongoDB: How it Works
MongoDB: How it WorksMongoDB: How it Works
MongoDB: How it WorksMike Dirolf
 
F2e security
F2e securityF2e security
F2e securityjay li
 
Riak at The NYC Cloud Computing Meetup Group
Riak at The NYC Cloud Computing Meetup GroupRiak at The NYC Cloud Computing Meetup Group
Riak at The NYC Cloud Computing Meetup Groupsiculars
 
Password Storage And Attacking In PHP - PHP Argentina
Password Storage And Attacking In PHP - PHP ArgentinaPassword Storage And Attacking In PHP - PHP Argentina
Password Storage And Attacking In PHP - PHP ArgentinaAnthony Ferrara
 

Was ist angesagt? (18)

Couchdb w Ruby'm
Couchdb w Ruby'mCouchdb w Ruby'm
Couchdb w Ruby'm
 
I Don't Care About Security (And Neither Should You)
I Don't Care About Security (And Neither Should You)I Don't Care About Security (And Neither Should You)
I Don't Care About Security (And Neither Should You)
 
Redis
RedisRedis
Redis
 
Building Secure User Interfaces With JWTs (JSON Web Tokens)
Building Secure User Interfaces With JWTs (JSON Web Tokens)Building Secure User Interfaces With JWTs (JSON Web Tokens)
Building Secure User Interfaces With JWTs (JSON Web Tokens)
 
PHP Experience 2016 - [Palestra] Json Web Token (JWT)
PHP Experience 2016 - [Palestra] Json Web Token (JWT)PHP Experience 2016 - [Palestra] Json Web Token (JWT)
PHP Experience 2016 - [Palestra] Json Web Token (JWT)
 
Modern API Security with JSON Web Tokens
Modern API Security with JSON Web TokensModern API Security with JSON Web Tokens
Modern API Security with JSON Web Tokens
 
Automated Testing
Automated TestingAutomated Testing
Automated Testing
 
บท7
บท7บท7
บท7
 
CGI.pm - 3ло?!
CGI.pm - 3ло?!CGI.pm - 3ло?!
CGI.pm - 3ло?!
 
MongoDB: How it Works
MongoDB: How it WorksMongoDB: How it Works
MongoDB: How it Works
 
Talk NullByteCon 2015
Talk NullByteCon 2015Talk NullByteCon 2015
Talk NullByteCon 2015
 
Django cryptography
Django cryptographyDjango cryptography
Django cryptography
 
JSOP in 60 seconds
JSOP in 60 secondsJSOP in 60 seconds
JSOP in 60 seconds
 
JSON Web Tokens (JWT)
JSON Web Tokens (JWT)JSON Web Tokens (JWT)
JSON Web Tokens (JWT)
 
F2e security
F2e securityF2e security
F2e security
 
Cookies
CookiesCookies
Cookies
 
Riak at The NYC Cloud Computing Meetup Group
Riak at The NYC Cloud Computing Meetup GroupRiak at The NYC Cloud Computing Meetup Group
Riak at The NYC Cloud Computing Meetup Group
 
Password Storage And Attacking In PHP - PHP Argentina
Password Storage And Attacking In PHP - PHP ArgentinaPassword Storage And Attacking In PHP - PHP Argentina
Password Storage And Attacking In PHP - PHP Argentina
 

Ähnlich wie PHP Identity and Data Security

Biting into the forbidden fruit. Lessons from trusting Javascript crypto.
Biting into the forbidden fruit. Lessons from trusting Javascript crypto.Biting into the forbidden fruit. Lessons from trusting Javascript crypto.
Biting into the forbidden fruit. Lessons from trusting Javascript crypto.Krzysztof Kotowicz
 
Cargo Cult Security at OpenWest
Cargo Cult Security at OpenWestCargo Cult Security at OpenWest
Cargo Cult Security at OpenWestDerrick Isaacson
 
CIS14: I Left My JWT in San JOSE
CIS14: I Left My JWT in San JOSECIS14: I Left My JWT in San JOSE
CIS14: I Left My JWT in San JOSECloudIDSummit
 
Maximize your Cache for No Cash
Maximize your Cache for No CashMaximize your Cache for No Cash
Maximize your Cache for No CashYorick Phoenix
 
Building Secure User Interfaces With JWTs
Building Secure User Interfaces With JWTsBuilding Secure User Interfaces With JWTs
Building Secure User Interfaces With JWTsrobertjd
 
Cargo Cult Security UJUG Sep2015
Cargo Cult Security UJUG Sep2015Cargo Cult Security UJUG Sep2015
Cargo Cult Security UJUG Sep2015Derrick Isaacson
 
Two scoops of Django - Security Best Practices
Two scoops of Django - Security Best PracticesTwo scoops of Django - Security Best Practices
Two scoops of Django - Security Best PracticesSpin Lai
 
Breaking Vaults - Stealing Lastpass Protected Secrets by Martin Vigo
Breaking Vaults - Stealing Lastpass Protected Secrets by Martin VigoBreaking Vaults - Stealing Lastpass Protected Secrets by Martin Vigo
Breaking Vaults - Stealing Lastpass Protected Secrets by Martin VigoShakacon
 
Breaking vaults: Stealing Lastpass protected secrets
Breaking vaults: Stealing Lastpass protected secretsBreaking vaults: Stealing Lastpass protected secrets
Breaking vaults: Stealing Lastpass protected secretsMartin Vigo
 
Web application security
Web application securityWeb application security
Web application securityRavi Raj
 
User Credential handling in Web Applications done right
User Credential handling in Web Applications done rightUser Credential handling in Web Applications done right
User Credential handling in Web Applications done righttladesignz
 
Roberto Bicchierai - Defending web applications from attacks
Roberto Bicchierai - Defending web applications from attacksRoberto Bicchierai - Defending web applications from attacks
Roberto Bicchierai - Defending web applications from attacksPietro Polsinelli
 
Cargo Cult Security 2014_01_18
Cargo Cult Security 2014_01_18Cargo Cult Security 2014_01_18
Cargo Cult Security 2014_01_18Derrick Isaacson
 
Third Party Auth in WebObjects
Third Party Auth in WebObjectsThird Party Auth in WebObjects
Third Party Auth in WebObjectsWO Community
 
FrontInBahia 2014: 10 dicas de desempenho para apps mobile híbridas
FrontInBahia 2014: 10 dicas de desempenho para apps mobile híbridasFrontInBahia 2014: 10 dicas de desempenho para apps mobile híbridas
FrontInBahia 2014: 10 dicas de desempenho para apps mobile híbridasLoiane Groner
 
CODE BLUE 2014 : マイクロソフトの脆弱性調査 : ベンダーでありながら発見者となるために by デイヴィッド・シードマン David Se...
CODE BLUE 2014 : マイクロソフトの脆弱性調査 : ベンダーでありながら発見者となるために by デイヴィッド・シードマン David Se...CODE BLUE 2014 : マイクロソフトの脆弱性調査 : ベンダーでありながら発見者となるために by デイヴィッド・シードマン David Se...
CODE BLUE 2014 : マイクロソフトの脆弱性調査 : ベンダーでありながら発見者となるために by デイヴィッド・シードマン David Se...CODE BLUE
 
Application Security around OWASP Top 10
Application Security around OWASP Top 10Application Security around OWASP Top 10
Application Security around OWASP Top 10Sastry Tumuluri
 
Evolution Of Web Security
Evolution Of Web SecurityEvolution Of Web Security
Evolution Of Web SecurityChris Shiflett
 

Ähnlich wie PHP Identity and Data Security (20)

Biting into the forbidden fruit. Lessons from trusting Javascript crypto.
Biting into the forbidden fruit. Lessons from trusting Javascript crypto.Biting into the forbidden fruit. Lessons from trusting Javascript crypto.
Biting into the forbidden fruit. Lessons from trusting Javascript crypto.
 
Cargo Cult Security at OpenWest
Cargo Cult Security at OpenWestCargo Cult Security at OpenWest
Cargo Cult Security at OpenWest
 
Web security
Web securityWeb security
Web security
 
CIS14: I Left My JWT in San JOSE
CIS14: I Left My JWT in San JOSECIS14: I Left My JWT in San JOSE
CIS14: I Left My JWT in San JOSE
 
Maximize your Cache for No Cash
Maximize your Cache for No CashMaximize your Cache for No Cash
Maximize your Cache for No Cash
 
Building Secure User Interfaces With JWTs
Building Secure User Interfaces With JWTsBuilding Secure User Interfaces With JWTs
Building Secure User Interfaces With JWTs
 
Cargo Cult Security UJUG Sep2015
Cargo Cult Security UJUG Sep2015Cargo Cult Security UJUG Sep2015
Cargo Cult Security UJUG Sep2015
 
Two scoops of Django - Security Best Practices
Two scoops of Django - Security Best PracticesTwo scoops of Django - Security Best Practices
Two scoops of Django - Security Best Practices
 
Breaking Vaults - Stealing Lastpass Protected Secrets by Martin Vigo
Breaking Vaults - Stealing Lastpass Protected Secrets by Martin VigoBreaking Vaults - Stealing Lastpass Protected Secrets by Martin Vigo
Breaking Vaults - Stealing Lastpass Protected Secrets by Martin Vigo
 
Breaking vaults: Stealing Lastpass protected secrets
Breaking vaults: Stealing Lastpass protected secretsBreaking vaults: Stealing Lastpass protected secrets
Breaking vaults: Stealing Lastpass protected secrets
 
Web application security
Web application securityWeb application security
Web application security
 
User Credential handling in Web Applications done right
User Credential handling in Web Applications done rightUser Credential handling in Web Applications done right
User Credential handling in Web Applications done right
 
Roberto Bicchierai - Defending web applications from attacks
Roberto Bicchierai - Defending web applications from attacksRoberto Bicchierai - Defending web applications from attacks
Roberto Bicchierai - Defending web applications from attacks
 
Cargo Cult Security 2014_01_18
Cargo Cult Security 2014_01_18Cargo Cult Security 2014_01_18
Cargo Cult Security 2014_01_18
 
Third Party Auth in WebObjects
Third Party Auth in WebObjectsThird Party Auth in WebObjects
Third Party Auth in WebObjects
 
FrontInBahia 2014: 10 dicas de desempenho para apps mobile híbridas
FrontInBahia 2014: 10 dicas de desempenho para apps mobile híbridasFrontInBahia 2014: 10 dicas de desempenho para apps mobile híbridas
FrontInBahia 2014: 10 dicas de desempenho para apps mobile híbridas
 
CODE BLUE 2014 : マイクロソフトの脆弱性調査 : ベンダーでありながら発見者となるために by デイヴィッド・シードマン David Se...
CODE BLUE 2014 : マイクロソフトの脆弱性調査 : ベンダーでありながら発見者となるために by デイヴィッド・シードマン David Se...CODE BLUE 2014 : マイクロソフトの脆弱性調査 : ベンダーでありながら発見者となるために by デイヴィッド・シードマン David Se...
CODE BLUE 2014 : マイクロソフトの脆弱性調査 : ベンダーでありながら発見者となるために by デイヴィッド・シードマン David Se...
 
Application Security around OWASP Top 10
Application Security around OWASP Top 10Application Security around OWASP Top 10
Application Security around OWASP Top 10
 
H4x0rs gonna hack
H4x0rs gonna hackH4x0rs gonna hack
H4x0rs gonna hack
 
Evolution Of Web Security
Evolution Of Web SecurityEvolution Of Web Security
Evolution Of Web Security
 

Mehr von Jonathan LeBlanc

JavaScript App Security: Auth and Identity on the Client
JavaScript App Security: Auth and Identity on the ClientJavaScript App Security: Auth and Identity on the Client
JavaScript App Security: Auth and Identity on the ClientJonathan LeBlanc
 
Improving Developer Onboarding Through Intelligent Data Insights
Improving Developer Onboarding Through Intelligent Data InsightsImproving Developer Onboarding Through Intelligent Data Insights
Improving Developer Onboarding Through Intelligent Data InsightsJonathan LeBlanc
 
Better Data with Machine Learning and Serverless
Better Data with Machine Learning and ServerlessBetter Data with Machine Learning and Serverless
Better Data with Machine Learning and ServerlessJonathan LeBlanc
 
Best Practices for Application Development with Box
Best Practices for Application Development with BoxBest Practices for Application Development with Box
Best Practices for Application Development with BoxJonathan LeBlanc
 
Box Platform Developer Workshop
Box Platform Developer WorkshopBox Platform Developer Workshop
Box Platform Developer WorkshopJonathan LeBlanc
 
Modern Cloud Data Security Practices
Modern Cloud Data Security PracticesModern Cloud Data Security Practices
Modern Cloud Data Security PracticesJonathan LeBlanc
 
Understanding Box UI Elements
Understanding Box UI ElementsUnderstanding Box UI Elements
Understanding Box UI ElementsJonathan LeBlanc
 
Understanding Box applications, tokens, and scoping
Understanding Box applications, tokens, and scopingUnderstanding Box applications, tokens, and scoping
Understanding Box applications, tokens, and scopingJonathan LeBlanc
 
The Future of Online Money: Creating Secure Payments Globally
The Future of Online Money: Creating Secure Payments GloballyThe Future of Online Money: Creating Secure Payments Globally
The Future of Online Money: Creating Secure Payments GloballyJonathan LeBlanc
 
Creating an In-Aisle Purchasing System from Scratch
Creating an In-Aisle Purchasing System from ScratchCreating an In-Aisle Purchasing System from Scratch
Creating an In-Aisle Purchasing System from ScratchJonathan LeBlanc
 
Protecting the Future of Mobile Payments
Protecting the Future of Mobile PaymentsProtecting the Future of Mobile Payments
Protecting the Future of Mobile PaymentsJonathan LeBlanc
 
Future of Identity, Data, and Wearable Security
Future of Identity, Data, and Wearable SecurityFuture of Identity, Data, and Wearable Security
Future of Identity, Data, and Wearable SecurityJonathan LeBlanc
 
Building a Mobile Location Aware System with Beacons
Building a Mobile Location Aware System with BeaconsBuilding a Mobile Location Aware System with Beacons
Building a Mobile Location Aware System with BeaconsJonathan LeBlanc
 
Identity in the Future of Embeddables & Wearables
Identity in the Future of Embeddables & WearablesIdentity in the Future of Embeddables & Wearables
Identity in the Future of Embeddables & WearablesJonathan LeBlanc
 
Internet Security and Trends
Internet Security and TrendsInternet Security and Trends
Internet Security and TrendsJonathan LeBlanc
 

Mehr von Jonathan LeBlanc (20)

JavaScript App Security: Auth and Identity on the Client
JavaScript App Security: Auth and Identity on the ClientJavaScript App Security: Auth and Identity on the Client
JavaScript App Security: Auth and Identity on the Client
 
Improving Developer Onboarding Through Intelligent Data Insights
Improving Developer Onboarding Through Intelligent Data InsightsImproving Developer Onboarding Through Intelligent Data Insights
Improving Developer Onboarding Through Intelligent Data Insights
 
Better Data with Machine Learning and Serverless
Better Data with Machine Learning and ServerlessBetter Data with Machine Learning and Serverless
Better Data with Machine Learning and Serverless
 
Best Practices for Application Development with Box
Best Practices for Application Development with BoxBest Practices for Application Development with Box
Best Practices for Application Development with Box
 
Box Platform Overview
Box Platform OverviewBox Platform Overview
Box Platform Overview
 
Box Platform Developer Workshop
Box Platform Developer WorkshopBox Platform Developer Workshop
Box Platform Developer Workshop
 
Modern Cloud Data Security Practices
Modern Cloud Data Security PracticesModern Cloud Data Security Practices
Modern Cloud Data Security Practices
 
Box Authentication Types
Box Authentication TypesBox Authentication Types
Box Authentication Types
 
Understanding Box UI Elements
Understanding Box UI ElementsUnderstanding Box UI Elements
Understanding Box UI Elements
 
Understanding Box applications, tokens, and scoping
Understanding Box applications, tokens, and scopingUnderstanding Box applications, tokens, and scoping
Understanding Box applications, tokens, and scoping
 
The Future of Online Money: Creating Secure Payments Globally
The Future of Online Money: Creating Secure Payments GloballyThe Future of Online Money: Creating Secure Payments Globally
The Future of Online Money: Creating Secure Payments Globally
 
Creating an In-Aisle Purchasing System from Scratch
Creating an In-Aisle Purchasing System from ScratchCreating an In-Aisle Purchasing System from Scratch
Creating an In-Aisle Purchasing System from Scratch
 
Protecting the Future of Mobile Payments
Protecting the Future of Mobile PaymentsProtecting the Future of Mobile Payments
Protecting the Future of Mobile Payments
 
Future of Identity, Data, and Wearable Security
Future of Identity, Data, and Wearable SecurityFuture of Identity, Data, and Wearable Security
Future of Identity, Data, and Wearable Security
 
Kill All Passwords
Kill All PasswordsKill All Passwords
Kill All Passwords
 
BattleHack Los Angeles
BattleHack Los Angeles BattleHack Los Angeles
BattleHack Los Angeles
 
Building a Mobile Location Aware System with Beacons
Building a Mobile Location Aware System with BeaconsBuilding a Mobile Location Aware System with Beacons
Building a Mobile Location Aware System with Beacons
 
Identity in the Future of Embeddables & Wearables
Identity in the Future of Embeddables & WearablesIdentity in the Future of Embeddables & Wearables
Identity in the Future of Embeddables & Wearables
 
Internet Security and Trends
Internet Security and TrendsInternet Security and Trends
Internet Security and Trends
 
Rebuilding Commerce
Rebuilding CommerceRebuilding Commerce
Rebuilding Commerce
 

Kürzlich hochgeladen

React Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkReact Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkPixlogix Infotech
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterMydbops
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality AssuranceInflectra
 
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesMuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesManik S Magar
 
Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Kaya Weers
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentPim van der Noll
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityIES VE
 
Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...itnewsafrica
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesThousandEyes
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...Wes McKinney
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical InfrastructureVarsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructureitnewsafrica
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfpanagenda
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Farhan Tariq
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Hiroshi SHIBATA
 

Kürzlich hochgeladen (20)

React Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkReact Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App Framework
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL Router
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
 
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesMuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
 
Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a reality
 
Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical InfrastructureVarsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024
 

PHP Identity and Data Security

  • 1. PHP Identity and Data Security! Jonathan LeBlanc ! Twitter: @jcleblanc ! Book: http://bit.ly/iddatasecurity!
  • 2. Release Date:! July 2016! ! Book Details:! http://bit.ly/iddatasecurity! Identity & Data Security Book!
  • 4. 1: 123456 ! 2: password ! 3: 12345678 ! 4: qwerty ! 5: 12345 ! 6: 123456789! 7: football! 8: 1234! 9: 1234567! Top Passwords of 2015! 10: baseball! 11: welcome! 12: 1234567890! 13: abc123! 14: 111111! 15: 1qaz2wsx! 16: dragon! 17: master! 18: monkey! 19: letmein! 20: login! 21: princess! 22: qwertyuiop! 23: solo! 24: passw0rd! 25: starwars!
  • 5.
  • 8. Brute Force Attacks! Calculate all key variations within a given length, then trying each one until the password is guessed. ! Protect via: Key stretching, CAPTCHA, 2FA! ! Dictionary Attacks! Use a list of predetermined words/phrase to guess password.! Protect via: Salting! ! Rainbow Tables! Use precalculated password hashes to break encryption.! Protect via: Salting ! Protecting Against Password Attacks!
  • 10. //hashing identical messages with no salt! hash('mechagodzilla') = ! 162e0a91026a28f1f2afa11099d1fcbdd9f2e351095ebb196c90e10290ef1227! hash('mechagodzilla') = ! 162e0a91026a28f1f2afa11099d1fcbdd9f2e351095ebb196c90e10290ef1227! ! //hashing identical messages with random salt! hash('mechagodzilla' + '458cf2979ef27397db67077775225334') = ! f3499a916612e285612b32702114751f557a70606c32b54b92de55153d40d3b6! hash('mechagodzilla' + 'ef5b72eff781b09a0784438af742dd6e') = ! 7e29c5c48f44755598dec3549155ad66f1af4671091353be4c4d7694d71dc866! hash('mechagodzilla' + 'cc989b105a1c6a5f0fb460e29dd272f3') = ! 6dedd3dbb0639e6e00ca0bf6272c141fb741e24925cb7548491479a1df2c215e! Hashing with and without salts!
  • 11. Storing Salts! Store alongside the hash! ! Salt Reuse! Salts should be be unique per password! ! Salt Length! Same size as hash? 64 bits? 128 bits?! Considerations when using Salts!
  • 12. bcrypt! Designed for password security, based on the blowfish cipher, CPU & RAM intensive.! ! PBKDF2! Comes from RSA laboratories, performs the HMAC (hash + key) over a specific number of iterations.! ! scrypt! Designed to make it costly to perform large-scale hardware attacks by requiring large amounts of memory! Password Encryption Algorithms!
  • 13. ! //fetch password from user creation request! $password = $_POST['password'];! ! //salt option deprecated in PHP 7.0.0+! $options = [! 'cost' => 12! ];! ! //create 60 character hash, with default unique salt, and options ! $hash = password_hash($password, PASSWORD_BCRYPT, $options);! ! //STORE HASH IN USER DATABASE RECORD! //SALT IS BUILT INTO HASH! Hashing with bcrypt!
  • 14. //fetch login request information! $username = $_POST['username'];! $password = $_POST['password'];! ! //fetch user record from database! $user = fetchDBRecord($username);! ! //verify if login attempt password matches stored user hash! if (password_verify($password, $user->hash)){! echo "password matches";! } else {! echo "password doesn't match";! }! Login Hash Comparison with bcrypt!
  • 15. ! ! //fetch password from user creation request! $password = $_POST['password'];! ! //set iterations and random initialization vector! $iterations = 1000;! $salt = mcrypt_create_iv(16, MCRYPT_DEV_URANDOM);! ! //hash password using sha256! $hash = hash_pbkdf2("sha256", $password, $salt, $iterations, 20);! ! //STORE HASH AND SALT IN USER DATABASE RECORD! Hashing with PBKDF2!
  • 16. ! //fetch login request info and set iterations! $username = $_POST['username'];! $password = $_POST['password'];! $iterations = 1000;! ! //fetch user record from database! $user = fetchDBRecord($username);! ! //manually hash the login attempt password! $loginhash = hash_pbkdf2("sha256", $password, $user->salt, $iterations, 20);! ! //validate if hashes match! if (hash_equals ($loginhash, $user->hash)){ ! echo 'password match';! } else {! echo 'password mismatch';! }! ! Login Hash Comparison with PBKDF2!
  • 19. Domain Validation (DV)! Certificate authority (CA) validates domain access only! Certificate Types!
  • 20. Organization Validation (OV)! ! CA validates DV and basic organization information! Certificate Types!
  • 21. Extended Validation (EV)! CA validates DV, OV, and legal existance of the organization! Certificate Types!
  • 22.
  • 23. //generate private key and self-signed certificate valid for 1 year! openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout server.key -out server.crt! Generate your self-signed certificate and private key!
  • 24. //update httpd.conf file to enable SSL (uncomment the following)! #LoadModule ssl_module libexec/apache2/mod_ssl.so! #Include /private/etc/apache2/extra/httpd-ssl.conf! ! //update httpd-ssl.conf file for CRT location! SSLCertificateFile "/private/etc/apache2/server.crt"! ! //copy crt and private key files to above location! cp server.crt server.key /private/etc/apache2/! Configuring SSL capabilities and setting certificates on Apache server!
  • 25. <VirtualHost *:443>! #general virtual hosts information! DocumentRoot "/Users/jleblanc/localhost/ssltest"! ServerName ssltest! ErrorLog "/private/var/log/apache2/local.example.com-error_log"! CustomLog "/private/var/log/apache2/local.example.com-access_log" common! ! #SSL details! SSLEngine on! SSLCertificateFile "/private/etc/apache2/server.crt”! SSLCertificateKeyFile "/private/etc/apache2/server.key"! ! #SSL engine options! <FilesMatch ".(cgi|shtml|phtml|php)$">! SSLOptions +StdEnvVars! </FilesMatch>! <Directory "/Library/WebServer/CGI-Executables">! SSLOptions +StdEnvVars! </Directory>! </VirtualHost>! Update httpd-vhosts.conf!
  • 26.
  • 28.
  • 30. Encryption (ECB, CBC, OFB, CFB, CTR)! Data privacy and confidentiality mode. Attacker cannot obtain info on the plaintext data.! ! Authentication(CMAC)! Data authenticity mode. Receiver can validate whether cleartext came from intended sender.! ! Authenticated Encryption (CCM, GCM, KW/KWP/TKW)! Includes both data privacy and authenticity.! Modes of Operation!
  • 31. //set initialization data! $numbytes = 16;! $strongcrypto = true;! $mode = 'aes-256-cbc';! $message = 'my secure message';! ! //creation initialization vector and shared private key! $iv = openssl_random_pseudo_bytes($numbytes, $strongcrypto);! $key = openssl_random_pseudo_bytes($numbytes, $strongcrypto);! ! //create ciphertext with no options! $ciphertext = openssl_encrypt($message, $mode, $key, 0, $iv);! Configuring and encrypting message!
  • 32. //----! // data sent to server: iv, ciphertext! // data known by server: key! //----! ! //set algorithm and mode! $mode = 'aes-256-cbc’;! ! //decrypt provided cipher! $decrypted = openssl_decrypt($ciphertext, $mode, $key, 0, $iv);! Decrypting ciphertext!
  • 33. //display block ciphers and modes! print_r(openssl_get_cipher_methods());! Getting all available ciphers and modes !
  • 35.
  • 37. //create private key in private.key! openssl genrsa -out private.key 2048! ! //create public key in public.pem! openssl rsa -in private.key -outform PEM -pubout -out public.pem! Generating Public / Private Keys!
  • 38. //set public key data from files and object to send! $public_key = openssl_get_publickey(file_get_contents('public.pem'));! $data = '{"message": "my super secure message"}';! ! //encrypt object and public keys! openssl_seal($data, $encrypted, $encpub, array($public_key));! ! //encrypted data and encrypted public key! $sealed_data = base64_encode($encrypted);! $envelope = base64_encode($encpub[0]);! ! //SEND SEALED DATA AND ENVELOPE TO RECIPIENT! Preparing Message, Encrypting, and Signing!
  • 39. //OBTAIN SEALED DATA AND ENVELOPE FROM SENDER! ! //set private key data! $private_key = openssl_get_privatekey(file_get_contents('private.key'));! ! //decode data! $sealed_data = base64_decode($sealed_data);! $envelope = base64_decode($envelope);! ! //rypt data using private key! openssl_open($sealed_data, $plaintext, $envelope, $private_key);! ! //decrypted message available in $plaintext! Decrypting and Verifying Message!
  • 41. Thank You!! Jonathan LeBlanc ! Twitter: @jcleblanc ! Book: http://bit.ly/iddatasecurity!

Hinweis der Redaktion

  1. Where to store the salt Salt Reuse Salt Length
  2. Password attack vectors
  3. Where to store the salt Salt Reuse Salt Length
  4. Examples of not using a salt vs using a salt
  5. Moore’s law – computing power doubles every 2 years
  6. Examples of not using a salt vs using a salt
  7. Examples of not using a salt vs using a salt
  8. Examples of not using a salt vs using a salt
  9. Examples of not using a salt vs using a salt