SlideShare una empresa de Scribd logo

Cryptography in PHP: use cases

Enrico Zimuel
Enrico Zimuel

Security is a very important aspect of web applications. In order to protect sensitive data we should use cryptography. But cryptography means security? Absolutely not, especially if developers do not,especially if developers do not use it properly. In this talk I would like to present some best practices in PHP to implement secure cryptography using the extensions mcrypt, Hash and OpenSSL.

TecnologíaEducación
1 de 36
Descargar para leer sin conexión
October 2011 Cryptography in PHP: use cases Enrico Zimuel Zend Technologies
About me October 2011 • Enrico Zimuel (ezimuel) • Software Engineer since 1996 – Assembly x86, C/C++, Java, Perl, PHP • Enjoying PHP since 1999 • Senior PHP Engineer at Zend Technologies since 2008 • Author of two italian books about Email: enrico@zend.com applied cryptography • B.Sc. Computer Science and Economics from University of Pescara (Italy)
Summary October 2011 ● Cryptography in PHP ● Some use cases: ● Safe way to store passwords ● Generate pseudo-random numbers ● Encrypt/decrypt sensitive data ● Demo: encrypt PHP session data
Cryptography in PHP October 2011 ● crypt() ● Mcrypt ● Hash ● OpenSSL
crypt() October 2011 ● One-way string hashing ● Support strong cryptography ● bcrypt, sha-256, sha-512 ● PHP 5.3.0 – bcrypt support ● PHP 5.3.2 – sha-256/512 ● Note: don't use PHP 5.3.7 (bug #55439)
Mcrypt October 2011 ● Mcrypt is an interface to the mcrypt library ● Supports the following encryption algorithms: ● 3DES, ARCFOUR, BLOWFISH, CAST, DES, ENIGMA, GOST, IDEA (non-free), LOKI97, MARS, PANAMA, RIJNDAEL, RC2, RC4, RC6, SAFER, SERPENT, SKIPJACK, TEAN, TWOFISH, WAKE, XTEA
Hash October 2011 ● Enabled by default from PHP 5.1.2 ● Hash or HMAC (Hash-based Message Authentication Code) ● Supported hash algorithms: MD4, MD5, SHA1, SHA256, SHA384, SHA512, RIPEMD, RIPEMD, WHIRLPOOL, GOST, TIGER, HAVAL, etc
OpenSSL October 2011 ● The OpenSSL extension uses the functions of the OpenSSL project for generation and verification of signatures and for sealing (encrypting) and opening (decrypting) data ● Public key cryptography (RSA algorithm)
Which algorithm? October 2011 ● Some suggestions: ● Symmetric encryption: – Blowfish / Twofish – Rijndael (AES, FIST 197 standard since 2001) ● Hash: SHA-256, 384, 512 ● Public key: RSA
Cryptography vs. Security October 2011 ● Cryptography doesn't mean security ● Encryption is not enough ● Bruce Schneier quotes: ● “Security is only as strong as the weakest link” ● “Security is a process, not a product”
Cryptography vs. Security October 2011
October 2011 Use cases
Use case 1: store a password October 2011 ● Scenario: ● Web applications with a protect area ● Username and password to login ● Problem: how to safely store a password?
Hash a password October 2011 ● Basic ideas, use of hash algorithms: ● md5($password) – not secure – Dictionary attack (pre-built) ● md5($salt . $password) – better but still insecure – Dictionary attacks: ● 700'000'000 passwords a second using CUDA (budget of 2000 $, a week) ● Cloud computing, 500'000'000 passwords a second (about $300/hour)
bcrypt October 2011 ● Better idea, use of bcrypt algorithm: ● bcrypt prevent the dictionary attacks because is slow as hell ● Based on a variant of Blowfish ● Introduce a work factor, which allows you to determine how expensive the hash function will be
bcrypt in PHP October 2011 ● Hash the password using bcrypt (PHP 5.3+) $salt = substr(str_replace('+', '.', $salt = substr(str_replace('+', '.', base64_encode($salt)), 0, 22); base64_encode($salt)), 0, 22); $hash = crypt($password,'$2a$'.$workload.'$'.$salt); $hash = crypt($password,'$2a$'.$workload.'$'.$salt); ● $salt is a random string (it is not a secret!) ● $workload is the bcrypt's workload (from 10 to 31)
bcrypt workload benchmark $workload time in sec October 2011 10 0.1 11 0.2 12 0.4 13 0.7 14 1.5 Suggestion: Spend ≈ 1 sec (or more) 15 3 16 6 17 12 18 24.3 19 48.7 20 97.3 21 194.3 OS: Linux kernel 2.6.38 CPU: Intel Core2, 2.1Ghz 22 388.2 RAM: 2 GB - PHP: 5.3.6 … …
bcrypt output October 2011 ● Example of bcrypt's output: $2a$14$c2Rmc2Fka2hmamhzYWRmauBpwLLDFKNPTfmCeuMHVnMVaLatNlFZO ● c2Rmc2Fka2hmamhzYWRmau is the salt ● Workload: 14 ● Length of 60 btyes
bcrypt authentication October 2011 ● How to check if a $userpassword is valid for a $hash value? if ($hash==crypt($userpassword,$hash)) { if ($hash==crypt($userpassword,$hash)) { echo 'The password is correct'; echo 'The password is correct'; } else { } else { echo 'The password is not correct!'; echo 'The password is not correct!'; }}
Use case 2: generate random data in PHP October 2011 ● Scenario: ● Generate random passwords for – Login systems – API systems ● Problem: how to generate random data in PHP?
Random number generators October 2011
PHP vs. randomness October 2011 ● How generate a pseudo-random value in PHP? ● Not good for cryptography purpose: ● rand() ● mt_rand() ● Good for cryptography (PHP 5.3+): ● openssl_random_pseudo_bytes()
rand() is real random? October 2011 Pseudo-random bits rand() in PHP on Windows From random.org website
Use case 3: encrypt data October 2011 ● Scenario: ● We want to store some sensitive data (e.g. credit card numbers) ● Problem: ● How to encrypt this data in PHP?
Symmetric encryption October 2011 ● Using Mcrypt extension: ● mcrypt_encrypt(string $cipher,string $key, string $data,string $mode[,string $iv]) ● mcrypt_decrypt(string $cipher,string $key, string $data,string $mode[,string $iv]) ● What are these $mode and $iv parameters?
Encryption mode October 2011 ● Symmetric encryption mode: ● ECB, CBC, CFB, OFB, NOFB or STREAM ● We are going to use the CBC that is the most used and secure ● Cipher-Block Chaining (CBC) mode of operation was invented in 1976 by IBM
CBC October 2011 The Plaintext (input) is divided into blocks Block 1 Block 2 Block 3 ... Block 1 Block 2 Block 3 The Ciphertext (output) is the concatenation of the cipher-blocks
IV October 2011 ● Initialization Vector (IV) is a fixed-size input that is typically required to be random or pseudo ● The IV is not a secret, you can send it in plaintext ● Usually IV is stored before the encrypted message ● Must be unique for each encrypted message
Encryption is not enough October 2011 ● We cannot use only encryption to store sensitive data, we need also authentication! ● Encryption doesn't prevent alteration of data ● Padding Oracle Attack (Vaudenay, EuroCrypt 2002) ● We need to authenticate: ● MAC (Message Authentication Code) ● HMAC (Hash-based Message Authentication Code)
HMAC October 2011 ● In PHP we can generate an HMAC using the hash_hmac() function: hash_hmac ($algo, $msg, $key) $algo is the hash algorithm to use (e.g. sha256) $msg is the message $key is the key for the HMAC
Encryption + authentication October 2011 ● Three possible ways: ● Encrypt-then-authenticate ● Authenticate-then-encrypt ● Encrypt-and-authenticate ● We will use encrypt-then-authenticate, as suggested by Schneier in [1]
Demo: encrypt session data October 2011 ● Specific PHP session handler to encrypt session data using files ● Use of AES (Rijndael 128) + HMAC (SHA-256) ● Pseudo-random session key ● The encryption and authentication keys are stored in a cookie variable ● Source code: https://github.com/ezimuel/PHP-Secure-Session
Conclusion (1) October 2011 ● Use standard algorithms for cryptography: ● AES (Rijndael 128), SHA-* hash family, RSA ● Generate random data using the function: ● openssl_random_pseudo_bytes() ● Store passwords using bcrypt: ● crypt($password, '$2a$'.$workload.'$'.$salt)
Conclusion (2) October 2011 ● For symmetric encryption: ● Use CBC mode with a different random IV for each encryption ● Always authenticate the encryption data (using HMAC): encrypt-then-authenticate ● Use HTTPS (SSL/TLS) to protect the communication client/server
References October 2011 (1) N. Ferguson, B. Schneier, T. Kohno, “Cryptography Engineering”, Wiley Publishing, 2010 (2) Serge Vaudenay, “Security Flaws Induced by CBC Padding Applications to SSL, IPSEC, WTLS”, EuroCrypt 2002 ● Web: ● PHP cryptography extensions ● How to safely store a password ● bcrypt algorithm ● SHA-1 challenge ● Nvidia CUDA ● Random.org
Thank you! October 2011 ● Vote this talk: ● http://joind.in/3748 ● Comments and feedbacks: ● enrico@zend.com

Recomendados

Replication and Consistency in Cassandra... What Does it All Mean? (Christoph...
Replication and Consistency in Cassandra... What Does it All Mean? (Christoph...Replication and Consistency in Cassandra... What Does it All Mean? (Christoph...
Replication and Consistency in Cassandra... What Does it All Mean? (Christoph...DataStax
 
Understanding Presto - Presto meetup @ Tokyo #1
Understanding Presto - Presto meetup @ Tokyo #1Understanding Presto - Presto meetup @ Tokyo #1
Understanding Presto - Presto meetup @ Tokyo #1Sadayuki Furuhashi
 
Zookeeper 소개
Zookeeper 소개Zookeeper 소개
Zookeeper 소개beom kyun choi
 
Cassandra background-and-architecture
Cassandra background-and-architectureCassandra background-and-architecture
Cassandra background-and-architectureMarkus Klems
 
Introduction to Storm
Introduction to Storm Introduction to Storm
Introduction to Storm Chandler Huang
 
Apache BookKeeper: A High Performance and Low Latency Storage Service
Apache BookKeeper: A High Performance and Low Latency Storage ServiceApache BookKeeper: A High Performance and Low Latency Storage Service
Apache BookKeeper: A High Performance and Low Latency Storage ServiceSijie Guo
 
Metrics Are Not Enough: Monitoring Apache Kafka and Streaming Applications
Metrics Are Not Enough: Monitoring Apache Kafka and Streaming ApplicationsMetrics Are Not Enough: Monitoring Apache Kafka and Streaming Applications
Metrics Are Not Enough: Monitoring Apache Kafka and Streaming Applicationsconfluent
 
Apache Kafka at LinkedIn
Apache Kafka at LinkedInApache Kafka at LinkedIn
Apache Kafka at LinkedInDiscover Pinterest
 

Recomendados

Replication and Consistency in Cassandra... What Does it All Mean? (Christoph...
Replication and Consistency in Cassandra... What Does it All Mean? (Christoph...Replication and Consistency in Cassandra... What Does it All Mean? (Christoph...
Replication and Consistency in Cassandra... What Does it All Mean? (Christoph...DataStax
 
Understanding Presto - Presto meetup @ Tokyo #1
Understanding Presto - Presto meetup @ Tokyo #1Understanding Presto - Presto meetup @ Tokyo #1
Understanding Presto - Presto meetup @ Tokyo #1Sadayuki Furuhashi
 
Zookeeper 소개
Zookeeper 소개Zookeeper 소개
Zookeeper 소개beom kyun choi
 
Cassandra background-and-architecture
Cassandra background-and-architectureCassandra background-and-architecture
Cassandra background-and-architectureMarkus Klems
 
Introduction to Storm
Introduction to Storm Introduction to Storm
Introduction to Storm Chandler Huang
 
Apache BookKeeper: A High Performance and Low Latency Storage Service
Apache BookKeeper: A High Performance and Low Latency Storage ServiceApache BookKeeper: A High Performance and Low Latency Storage Service
Apache BookKeeper: A High Performance and Low Latency Storage ServiceSijie Guo
 
Metrics Are Not Enough: Monitoring Apache Kafka and Streaming Applications
Metrics Are Not Enough: Monitoring Apache Kafka and Streaming ApplicationsMetrics Are Not Enough: Monitoring Apache Kafka and Streaming Applications
Metrics Are Not Enough: Monitoring Apache Kafka and Streaming Applicationsconfluent
 
Apache Kafka at LinkedIn
Apache Kafka at LinkedInApache Kafka at LinkedIn
Apache Kafka at LinkedInDiscover Pinterest
 
Infrastructure at Scale: Apache Kafka, Twitter Storm & Elastic Search (ARC303...
Infrastructure at Scale: Apache Kafka, Twitter Storm & Elastic Search (ARC303...Infrastructure at Scale: Apache Kafka, Twitter Storm & Elastic Search (ARC303...
Infrastructure at Scale: Apache Kafka, Twitter Storm & Elastic Search (ARC303...Amazon Web Services
 
Deploying Confluent Platform for Production
Deploying Confluent Platform for ProductionDeploying Confluent Platform for Production
Deploying Confluent Platform for Productionconfluent
 
Distributed Counters in Cassandra (Cassandra Summit 2010)
Distributed Counters in Cassandra (Cassandra Summit 2010)Distributed Counters in Cassandra (Cassandra Summit 2010)
Distributed Counters in Cassandra (Cassandra Summit 2010)kakugawa
 
HBaseCon 2012 | Lessons learned from OpenTSDB - Benoit Sigoure, StumbleUpon
HBaseCon 2012 | Lessons learned from OpenTSDB - Benoit Sigoure, StumbleUponHBaseCon 2012 | Lessons learned from OpenTSDB - Benoit Sigoure, StumbleUpon
HBaseCon 2012 | Lessons learned from OpenTSDB - Benoit Sigoure, StumbleUponCloudera, Inc.
 
A Brief Introduction of TiDB (Percona Live)
A Brief Introduction of TiDB (Percona Live)A Brief Introduction of TiDB (Percona Live)
A Brief Introduction of TiDB (Percona Live)PingCAP
 
Hive + Tez: A Performance Deep Dive
Hive + Tez: A Performance Deep DiveHive + Tez: A Performance Deep Dive
Hive + Tez: A Performance Deep DiveDataWorks Summit
 
Sharding Methods for MongoDB
Sharding Methods for MongoDBSharding Methods for MongoDB
Sharding Methods for MongoDBMongoDB
 
OSA Con 2022 - Using ClickHouse Database to Power Analytics and Customer Enga...
OSA Con 2022 - Using ClickHouse Database to Power Analytics and Customer Enga...OSA Con 2022 - Using ClickHouse Database to Power Analytics and Customer Enga...
OSA Con 2022 - Using ClickHouse Database to Power Analytics and Customer Enga...Altinity Ltd
 
Scaling Hadoop at LinkedIn
Scaling Hadoop at LinkedInScaling Hadoop at LinkedIn
Scaling Hadoop at LinkedInDataWorks Summit
 
Multi-Datacenter Kafka - Strata San Jose 2017
Multi-Datacenter Kafka - Strata San Jose 2017Multi-Datacenter Kafka - Strata San Jose 2017
Multi-Datacenter Kafka - Strata San Jose 2017Gwen (Chen) Shapira
 
Rainbird: Realtime Analytics at Twitter (Strata 2011)
Rainbird: Realtime Analytics at Twitter (Strata 2011)Rainbird: Realtime Analytics at Twitter (Strata 2011)
Rainbird: Realtime Analytics at Twitter (Strata 2011)Kevin Weil
 
Pinterest’s Story of Streaming Hundreds of Terabytes of Pins from MySQL to S3...
Pinterest’s Story of Streaming Hundreds of Terabytes of Pins from MySQL to S3...Pinterest’s Story of Streaming Hundreds of Terabytes of Pins from MySQL to S3...
Pinterest’s Story of Streaming Hundreds of Terabytes of Pins from MySQL to S3...confluent
 
Introduction to Apache Kafka
Introduction to Apache KafkaIntroduction to Apache Kafka
Introduction to Apache KafkaJeff Holoman
 
Apache Zookeeper Explained: Tutorial, Use Cases and Zookeeper Java API Examples
Apache Zookeeper Explained: Tutorial, Use Cases and Zookeeper Java API ExamplesApache Zookeeper Explained: Tutorial, Use Cases and Zookeeper Java API Examples
Apache Zookeeper Explained: Tutorial, Use Cases and Zookeeper Java API ExamplesBinu George
 
Hadoop Security Architecture
Hadoop Security ArchitectureHadoop Security Architecture
Hadoop Security ArchitectureOwen O'Malley
 
Building an Interactive Query Service in Kafka Streams With Bill Bejeck | Cur...
Building an Interactive Query Service in Kafka Streams With Bill Bejeck | Cur...Building an Interactive Query Service in Kafka Streams With Bill Bejeck | Cur...
Building an Interactive Query Service in Kafka Streams With Bill Bejeck | Cur...HostedbyConfluent
 
Library spaces in different places: the benchmarking experiences
Library spaces in different places: the benchmarking experiencesLibrary spaces in different places: the benchmarking experiences
Library spaces in different places: the benchmarking experiencesPhilippine Association of Academic/Research Librarians
 
Solrcloud Leader Election
Solrcloud Leader ElectionSolrcloud Leader Election
Solrcloud Leader Electionravikgiitk
 
Sqoop
SqoopSqoop
SqoopPrashant Gupta
 
Design cube in Apache Kylin
Design cube in Apache KylinDesign cube in Apache Kylin
Design cube in Apache KylinYang Li
 
Cryptography in PHP: Some Use Cases
Cryptography in PHP: Some Use CasesCryptography in PHP: Some Use Cases
Cryptography in PHP: Some Use CasesZend by Rogue Wave Software
 
Crypto & Crpyocurrencies Intro
Crypto & Crpyocurrencies IntroCrypto & Crpyocurrencies Intro
Crypto & Crpyocurrencies IntroTal Shmueli
 

Más contenido relacionado

La actualidad más candente

Infrastructure at Scale: Apache Kafka, Twitter Storm & Elastic Search (ARC303...
Infrastructure at Scale: Apache Kafka, Twitter Storm & Elastic Search (ARC303...Infrastructure at Scale: Apache Kafka, Twitter Storm & Elastic Search (ARC303...
Infrastructure at Scale: Apache Kafka, Twitter Storm & Elastic Search (ARC303...Amazon Web Services
 
Deploying Confluent Platform for Production
Deploying Confluent Platform for ProductionDeploying Confluent Platform for Production
Deploying Confluent Platform for Productionconfluent
 
Distributed Counters in Cassandra (Cassandra Summit 2010)
Distributed Counters in Cassandra (Cassandra Summit 2010)Distributed Counters in Cassandra (Cassandra Summit 2010)
Distributed Counters in Cassandra (Cassandra Summit 2010)kakugawa
 
HBaseCon 2012 | Lessons learned from OpenTSDB - Benoit Sigoure, StumbleUpon
HBaseCon 2012 | Lessons learned from OpenTSDB - Benoit Sigoure, StumbleUponHBaseCon 2012 | Lessons learned from OpenTSDB - Benoit Sigoure, StumbleUpon
HBaseCon 2012 | Lessons learned from OpenTSDB - Benoit Sigoure, StumbleUponCloudera, Inc.
 
A Brief Introduction of TiDB (Percona Live)
A Brief Introduction of TiDB (Percona Live)A Brief Introduction of TiDB (Percona Live)
A Brief Introduction of TiDB (Percona Live)PingCAP
 
Hive + Tez: A Performance Deep Dive
Hive + Tez: A Performance Deep DiveHive + Tez: A Performance Deep Dive
Hive + Tez: A Performance Deep DiveDataWorks Summit
 
Sharding Methods for MongoDB
Sharding Methods for MongoDBSharding Methods for MongoDB
Sharding Methods for MongoDBMongoDB
 
OSA Con 2022 - Using ClickHouse Database to Power Analytics and Customer Enga...
OSA Con 2022 - Using ClickHouse Database to Power Analytics and Customer Enga...OSA Con 2022 - Using ClickHouse Database to Power Analytics and Customer Enga...
OSA Con 2022 - Using ClickHouse Database to Power Analytics and Customer Enga...Altinity Ltd
 
Scaling Hadoop at LinkedIn
Scaling Hadoop at LinkedInScaling Hadoop at LinkedIn
Scaling Hadoop at LinkedInDataWorks Summit
 
Multi-Datacenter Kafka - Strata San Jose 2017
Multi-Datacenter Kafka - Strata San Jose 2017Multi-Datacenter Kafka - Strata San Jose 2017
Multi-Datacenter Kafka - Strata San Jose 2017Gwen (Chen) Shapira
 
Rainbird: Realtime Analytics at Twitter (Strata 2011)
Rainbird: Realtime Analytics at Twitter (Strata 2011)Rainbird: Realtime Analytics at Twitter (Strata 2011)
Rainbird: Realtime Analytics at Twitter (Strata 2011)Kevin Weil
 
Pinterest’s Story of Streaming Hundreds of Terabytes of Pins from MySQL to S3...
Pinterest’s Story of Streaming Hundreds of Terabytes of Pins from MySQL to S3...Pinterest’s Story of Streaming Hundreds of Terabytes of Pins from MySQL to S3...
Pinterest’s Story of Streaming Hundreds of Terabytes of Pins from MySQL to S3...confluent
 
Introduction to Apache Kafka
Introduction to Apache KafkaIntroduction to Apache Kafka
Introduction to Apache KafkaJeff Holoman
 
Apache Zookeeper Explained: Tutorial, Use Cases and Zookeeper Java API Examples
Apache Zookeeper Explained: Tutorial, Use Cases and Zookeeper Java API ExamplesApache Zookeeper Explained: Tutorial, Use Cases and Zookeeper Java API Examples
Apache Zookeeper Explained: Tutorial, Use Cases and Zookeeper Java API ExamplesBinu George
 
Hadoop Security Architecture
Hadoop Security ArchitectureHadoop Security Architecture
Hadoop Security ArchitectureOwen O'Malley
 
Building an Interactive Query Service in Kafka Streams With Bill Bejeck | Cur...
Building an Interactive Query Service in Kafka Streams With Bill Bejeck | Cur...Building an Interactive Query Service in Kafka Streams With Bill Bejeck | Cur...
Building an Interactive Query Service in Kafka Streams With Bill Bejeck | Cur...HostedbyConfluent
 
Solrcloud Leader Election
Solrcloud Leader ElectionSolrcloud Leader Election
Solrcloud Leader Electionravikgiitk
 
Design cube in Apache Kylin
Design cube in Apache KylinDesign cube in Apache Kylin
Design cube in Apache KylinYang Li
 

La actualidad más candente (20)

Infrastructure at Scale: Apache Kafka, Twitter Storm & Elastic Search (ARC303...
Infrastructure at Scale: Apache Kafka, Twitter Storm & Elastic Search (ARC303...Infrastructure at Scale: Apache Kafka, Twitter Storm & Elastic Search (ARC303...
Infrastructure at Scale: Apache Kafka, Twitter Storm & Elastic Search (ARC303...
 
Deploying Confluent Platform for Production
Deploying Confluent Platform for ProductionDeploying Confluent Platform for Production
Deploying Confluent Platform for Production
 
Distributed Counters in Cassandra (Cassandra Summit 2010)
Distributed Counters in Cassandra (Cassandra Summit 2010)Distributed Counters in Cassandra (Cassandra Summit 2010)
Distributed Counters in Cassandra (Cassandra Summit 2010)
 
HBaseCon 2012 | Lessons learned from OpenTSDB - Benoit Sigoure, StumbleUpon
HBaseCon 2012 | Lessons learned from OpenTSDB - Benoit Sigoure, StumbleUponHBaseCon 2012 | Lessons learned from OpenTSDB - Benoit Sigoure, StumbleUpon
HBaseCon 2012 | Lessons learned from OpenTSDB - Benoit Sigoure, StumbleUpon
 
A Brief Introduction of TiDB (Percona Live)
A Brief Introduction of TiDB (Percona Live)A Brief Introduction of TiDB (Percona Live)
A Brief Introduction of TiDB (Percona Live)
 
Hive + Tez: A Performance Deep Dive
Hive + Tez: A Performance Deep DiveHive + Tez: A Performance Deep Dive
Hive + Tez: A Performance Deep Dive
 
Sharding Methods for MongoDB
Sharding Methods for MongoDBSharding Methods for MongoDB
Sharding Methods for MongoDB
 
OSA Con 2022 - Using ClickHouse Database to Power Analytics and Customer Enga...
OSA Con 2022 - Using ClickHouse Database to Power Analytics and Customer Enga...OSA Con 2022 - Using ClickHouse Database to Power Analytics and Customer Enga...
OSA Con 2022 - Using ClickHouse Database to Power Analytics and Customer Enga...
 
Scaling Hadoop at LinkedIn
Scaling Hadoop at LinkedInScaling Hadoop at LinkedIn
Scaling Hadoop at LinkedIn
 
Multi-Datacenter Kafka - Strata San Jose 2017
Multi-Datacenter Kafka - Strata San Jose 2017Multi-Datacenter Kafka - Strata San Jose 2017
Multi-Datacenter Kafka - Strata San Jose 2017
 
Rainbird: Realtime Analytics at Twitter (Strata 2011)
Rainbird: Realtime Analytics at Twitter (Strata 2011)Rainbird: Realtime Analytics at Twitter (Strata 2011)
Rainbird: Realtime Analytics at Twitter (Strata 2011)
 
Pinterest’s Story of Streaming Hundreds of Terabytes of Pins from MySQL to S3...
Pinterest’s Story of Streaming Hundreds of Terabytes of Pins from MySQL to S3...Pinterest’s Story of Streaming Hundreds of Terabytes of Pins from MySQL to S3...
Pinterest’s Story of Streaming Hundreds of Terabytes of Pins from MySQL to S3...
 
Introduction to Apache Kafka
Introduction to Apache KafkaIntroduction to Apache Kafka
Introduction to Apache Kafka
 
Apache Zookeeper Explained: Tutorial, Use Cases and Zookeeper Java API Examples
Apache Zookeeper Explained: Tutorial, Use Cases and Zookeeper Java API ExamplesApache Zookeeper Explained: Tutorial, Use Cases and Zookeeper Java API Examples
Apache Zookeeper Explained: Tutorial, Use Cases and Zookeeper Java API Examples
 
Hadoop Security Architecture
Hadoop Security ArchitectureHadoop Security Architecture
Hadoop Security Architecture
 
Building an Interactive Query Service in Kafka Streams With Bill Bejeck | Cur...
Building an Interactive Query Service in Kafka Streams With Bill Bejeck | Cur...Building an Interactive Query Service in Kafka Streams With Bill Bejeck | Cur...
Building an Interactive Query Service in Kafka Streams With Bill Bejeck | Cur...
 
Library spaces in different places: the benchmarking experiences
Library spaces in different places: the benchmarking experiencesLibrary spaces in different places: the benchmarking experiences
Library spaces in different places: the benchmarking experiences
 
Solrcloud Leader Election
Solrcloud Leader ElectionSolrcloud Leader Election
Solrcloud Leader Election
 
Sqoop
SqoopSqoop
Sqoop
 
Design cube in Apache Kylin
Design cube in Apache KylinDesign cube in Apache Kylin
Design cube in Apache Kylin
 

Similar a Cryptography in PHP: use cases

Crypto & Crpyocurrencies Intro
Crypto & Crpyocurrencies IntroCrypto & Crpyocurrencies Intro
Crypto & Crpyocurrencies IntroTal Shmueli
 
Password (in)security
Password (in)securityPassword (in)security
Password (in)securityEnrico Zimuel
 
Strong cryptography in PHP
Strong cryptography in PHPStrong cryptography in PHP
Strong cryptography in PHPEnrico Zimuel
 
Redis - for duplicate detection on real time stream
Redis - for duplicate detection on real time streamRedis - for duplicate detection on real time stream
Redis - for duplicate detection on real time streamCodemotion
 
Redis for duplicate detection on real time stream
Redis for duplicate detection on real time streamRedis for duplicate detection on real time stream
Redis for duplicate detection on real time streamRoberto Franchini
 
All Your Password Are Belong To Us
All Your Password Are Belong To UsAll Your Password Are Belong To Us
All Your Password Are Belong To UsCharles Southerland
 
"Source Code Abstracts Classification Using CNN", Vadim Markovtsev, Lead Soft...
"Source Code Abstracts Classification Using CNN", Vadim Markovtsev, Lead Soft..."Source Code Abstracts Classification Using CNN", Vadim Markovtsev, Lead Soft...
"Source Code Abstracts Classification Using CNN", Vadim Markovtsev, Lead Soft...Dataconomy Media
 
PyConIT6 - MAKING SESSIONS AND CACHING ROOMMATES
PyConIT6 - MAKING SESSIONS AND CACHING ROOMMATESPyConIT6 - MAKING SESSIONS AND CACHING ROOMMATES
PyConIT6 - MAKING SESSIONS AND CACHING ROOMMATESAlessandro Molina
 
Module: drand - the Distributed Randomness Beacon
Module: drand - the Distributed Randomness BeaconModule: drand - the Distributed Randomness Beacon
Module: drand - the Distributed Randomness BeaconIoannis Psaras
 
Cryptography with Zend Framework
Cryptography with Zend FrameworkCryptography with Zend Framework
Cryptography with Zend FrameworkEnrico Zimuel
 
Netflix Open Source Meetup Season 4 Episode 2
Netflix Open Source Meetup Season 4 Episode 2Netflix Open Source Meetup Season 4 Episode 2
Netflix Open Source Meetup Season 4 Episode 2aspyker
 
Advanced SOHO Router Exploitation XCON
Advanced SOHO Router Exploitation XCONAdvanced SOHO Router Exploitation XCON
Advanced SOHO Router Exploitation XCONLyon Yang
 
NSC #2 - Challenge Solution
NSC #2 - Challenge SolutionNSC #2 - Challenge Solution
NSC #2 - Challenge SolutionNoSuchCon
 
BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...
BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...
BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...Alexandre Moneger
 
inside-linux-kernel-rng-presentation-sept-13-2022.pdf
inside-linux-kernel-rng-presentation-sept-13-2022.pdfinside-linux-kernel-rng-presentation-sept-13-2022.pdf
inside-linux-kernel-rng-presentation-sept-13-2022.pdfxiso
 
"Developing a multicurrency, multisignature wallet" by Alex Melville
"Developing a multicurrency, multisignature wallet" by Alex Melville "Developing a multicurrency, multisignature wallet" by Alex Melville
"Developing a multicurrency, multisignature wallet" by Alex Melville ICOVO
 
Deploying PHP on PaaS: Why and How?
Deploying PHP on PaaS: Why and How?Deploying PHP on PaaS: Why and How?
Deploying PHP on PaaS: Why and How?Docker, Inc.
 

Similar a Cryptography in PHP: use cases (20)

Cryptography in PHP: Some Use Cases
Cryptography in PHP: Some Use CasesCryptography in PHP: Some Use Cases
Cryptography in PHP: Some Use Cases
 
Crypto & Crpyocurrencies Intro
Crypto & Crpyocurrencies IntroCrypto & Crpyocurrencies Intro
Crypto & Crpyocurrencies Intro
 
Password (in)security
Password (in)securityPassword (in)security
Password (in)security
 
Strong cryptography in PHP
Strong cryptography in PHPStrong cryptography in PHP
Strong cryptography in PHP
 
Redis - for duplicate detection on real time stream
Redis - for duplicate detection on real time streamRedis - for duplicate detection on real time stream
Redis - for duplicate detection on real time stream
 
Redis for duplicate detection on real time stream
Redis for duplicate detection on real time streamRedis for duplicate detection on real time stream
Redis for duplicate detection on real time stream
 
All Your Password Are Belong To Us
All Your Password Are Belong To UsAll Your Password Are Belong To Us
All Your Password Are Belong To Us
 
"Source Code Abstracts Classification Using CNN", Vadim Markovtsev, Lead Soft...
"Source Code Abstracts Classification Using CNN", Vadim Markovtsev, Lead Soft..."Source Code Abstracts Classification Using CNN", Vadim Markovtsev, Lead Soft...
"Source Code Abstracts Classification Using CNN", Vadim Markovtsev, Lead Soft...
 
PyConIT6 - MAKING SESSIONS AND CACHING ROOMMATES
PyConIT6 - MAKING SESSIONS AND CACHING ROOMMATESPyConIT6 - MAKING SESSIONS AND CACHING ROOMMATES
PyConIT6 - MAKING SESSIONS AND CACHING ROOMMATES
 
Module: drand - the Distributed Randomness Beacon
Module: drand - the Distributed Randomness BeaconModule: drand - the Distributed Randomness Beacon
Module: drand - the Distributed Randomness Beacon
 
Cryptography with Zend Framework
Cryptography with Zend FrameworkCryptography with Zend Framework
Cryptography with Zend Framework
 
Netflix Open Source Meetup Season 4 Episode 2
Netflix Open Source Meetup Season 4 Episode 2Netflix Open Source Meetup Season 4 Episode 2
Netflix Open Source Meetup Season 4 Episode 2
 
Advanced SOHO Router Exploitation XCON
Advanced SOHO Router Exploitation XCONAdvanced SOHO Router Exploitation XCON
Advanced SOHO Router Exploitation XCON
 
NSC #2 - Challenge Solution
NSC #2 - Challenge SolutionNSC #2 - Challenge Solution
NSC #2 - Challenge Solution
 
BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...
BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...
BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...
 
inside-linux-kernel-rng-presentation-sept-13-2022.pdf
inside-linux-kernel-rng-presentation-sept-13-2022.pdfinside-linux-kernel-rng-presentation-sept-13-2022.pdf
inside-linux-kernel-rng-presentation-sept-13-2022.pdf
 
Cryptography Attacks and Applications
Cryptography Attacks and ApplicationsCryptography Attacks and Applications
Cryptography Attacks and Applications
 
"Developing a multicurrency, multisignature wallet" by Alex Melville
"Developing a multicurrency, multisignature wallet" by Alex Melville "Developing a multicurrency, multisignature wallet" by Alex Melville
"Developing a multicurrency, multisignature wallet" by Alex Melville
 
Advances in Open Source Password Cracking
Advances in Open Source Password CrackingAdvances in Open Source Password Cracking
Advances in Open Source Password Cracking
 
Deploying PHP on PaaS: Why and How?
Deploying PHP on PaaS: Why and How?Deploying PHP on PaaS: Why and How?
Deploying PHP on PaaS: Why and How?
 

Más de Enrico Zimuel

Integrare Zend Framework in Wordpress
Integrare Zend Framework in WordpressIntegrare Zend Framework in Wordpress
Integrare Zend Framework in WordpressEnrico Zimuel
 
Quick start on Zend Framework 2
Quick start on Zend Framework 2Quick start on Zend Framework 2
Quick start on Zend Framework 2Enrico Zimuel
 
Introduzione alla Posta Elettronica Certificata (PEC): le regole tecniche
Introduzione alla Posta Elettronica Certificata (PEC): le regole tecnicheIntroduzione alla Posta Elettronica Certificata (PEC): le regole tecniche
Introduzione alla Posta Elettronica Certificata (PEC): le regole tecnicheEnrico Zimuel
 
A quick start on Zend Framework 2
A quick start on Zend Framework 2A quick start on Zend Framework 2
A quick start on Zend Framework 2Enrico Zimuel
 
Zend Framework 2 quick start
Zend Framework 2 quick startZend Framework 2 quick start
Zend Framework 2 quick startEnrico Zimuel
 
Manage cloud infrastructures in PHP using Zend Framework 2 (and 1)
Manage cloud infrastructures in PHP using Zend Framework 2 (and 1)Manage cloud infrastructures in PHP using Zend Framework 2 (and 1)
Manage cloud infrastructures in PHP using Zend Framework 2 (and 1)Enrico Zimuel
 
Manage cloud infrastructures using Zend Framework 2 (and ZF1)
Manage cloud infrastructures using Zend Framework 2 (and ZF1)Manage cloud infrastructures using Zend Framework 2 (and ZF1)
Manage cloud infrastructures using Zend Framework 2 (and ZF1)Enrico Zimuel
 
Framework software e Zend Framework
Framework software e Zend FrameworkFramework software e Zend Framework
Framework software e Zend FrameworkEnrico Zimuel
 
How to scale PHP applications
How to scale PHP applicationsHow to scale PHP applications
How to scale PHP applicationsEnrico Zimuel
 
Velocizzare Joomla! con Zend Server Community Edition
Velocizzare Joomla! con Zend Server Community EditionVelocizzare Joomla! con Zend Server Community Edition
Velocizzare Joomla! con Zend Server Community EditionEnrico Zimuel
 
Zend_Cache: how to improve the performance of PHP applications
Zend_Cache: how to improve the performance of PHP applicationsZend_Cache: how to improve the performance of PHP applications
Zend_Cache: how to improve the performance of PHP applicationsEnrico Zimuel
 
XCheck a benchmark checker for XML query processors
XCheck a benchmark checker for XML query processorsXCheck a benchmark checker for XML query processors
XCheck a benchmark checker for XML query processorsEnrico Zimuel
 
Introduzione alle tabelle hash
Introduzione alle tabelle hashIntroduzione alle tabelle hash
Introduzione alle tabelle hashEnrico Zimuel
 
Crittografia quantistica: fantascienza o realtà?
Crittografia quantistica: fantascienza o realtà?Crittografia quantistica: fantascienza o realtà?
Crittografia quantistica: fantascienza o realtà?Enrico Zimuel
 
Introduzione alla crittografia
Introduzione alla crittografiaIntroduzione alla crittografia
Introduzione alla crittografiaEnrico Zimuel
 
Crittografia è sinonimo di sicurezza?
Crittografia è sinonimo di sicurezza?Crittografia è sinonimo di sicurezza?
Crittografia è sinonimo di sicurezza?Enrico Zimuel
 
Sviluppo di applicazioni sicure
Sviluppo di applicazioni sicureSviluppo di applicazioni sicure
Sviluppo di applicazioni sicureEnrico Zimuel
 
Misure minime di sicurezza informatica
Misure minime di sicurezza informaticaMisure minime di sicurezza informatica
Misure minime di sicurezza informaticaEnrico Zimuel
 

Más de Enrico Zimuel (20)

Integrare Zend Framework in Wordpress
Integrare Zend Framework in WordpressIntegrare Zend Framework in Wordpress
Integrare Zend Framework in Wordpress
 
Quick start on Zend Framework 2
Quick start on Zend Framework 2Quick start on Zend Framework 2
Quick start on Zend Framework 2
 
Introduzione alla Posta Elettronica Certificata (PEC): le regole tecniche
Introduzione alla Posta Elettronica Certificata (PEC): le regole tecnicheIntroduzione alla Posta Elettronica Certificata (PEC): le regole tecniche
Introduzione alla Posta Elettronica Certificata (PEC): le regole tecniche
 
A quick start on Zend Framework 2
A quick start on Zend Framework 2A quick start on Zend Framework 2
A quick start on Zend Framework 2
 
Zend Framework 2 quick start
Zend Framework 2 quick startZend Framework 2 quick start
Zend Framework 2 quick start
 
PHP goes mobile
PHP goes mobilePHP goes mobile
PHP goes mobile
 
Zend Framework 2
Zend Framework 2Zend Framework 2
Zend Framework 2
 
Manage cloud infrastructures in PHP using Zend Framework 2 (and 1)
Manage cloud infrastructures in PHP using Zend Framework 2 (and 1)Manage cloud infrastructures in PHP using Zend Framework 2 (and 1)
Manage cloud infrastructures in PHP using Zend Framework 2 (and 1)
 
Manage cloud infrastructures using Zend Framework 2 (and ZF1)
Manage cloud infrastructures using Zend Framework 2 (and ZF1)Manage cloud infrastructures using Zend Framework 2 (and ZF1)
Manage cloud infrastructures using Zend Framework 2 (and ZF1)
 
Framework software e Zend Framework
Framework software e Zend FrameworkFramework software e Zend Framework
Framework software e Zend Framework
 
How to scale PHP applications
How to scale PHP applicationsHow to scale PHP applications
How to scale PHP applications
 
Velocizzare Joomla! con Zend Server Community Edition
Velocizzare Joomla! con Zend Server Community EditionVelocizzare Joomla! con Zend Server Community Edition
Velocizzare Joomla! con Zend Server Community Edition
 
Zend_Cache: how to improve the performance of PHP applications
Zend_Cache: how to improve the performance of PHP applicationsZend_Cache: how to improve the performance of PHP applications
Zend_Cache: how to improve the performance of PHP applications
 
XCheck a benchmark checker for XML query processors
XCheck a benchmark checker for XML query processorsXCheck a benchmark checker for XML query processors
XCheck a benchmark checker for XML query processors
 
Introduzione alle tabelle hash
Introduzione alle tabelle hashIntroduzione alle tabelle hash
Introduzione alle tabelle hash
 
Crittografia quantistica: fantascienza o realtà?
Crittografia quantistica: fantascienza o realtà?Crittografia quantistica: fantascienza o realtà?
Crittografia quantistica: fantascienza o realtà?
 
Introduzione alla crittografia
Introduzione alla crittografiaIntroduzione alla crittografia
Introduzione alla crittografia
 
Crittografia è sinonimo di sicurezza?
Crittografia è sinonimo di sicurezza?Crittografia è sinonimo di sicurezza?
Crittografia è sinonimo di sicurezza?
 
Sviluppo di applicazioni sicure
Sviluppo di applicazioni sicureSviluppo di applicazioni sicure
Sviluppo di applicazioni sicure
 
Misure minime di sicurezza informatica
Misure minime di sicurezza informaticaMisure minime di sicurezza informatica
Misure minime di sicurezza informatica
 

Último

Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rick Flair
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfMounikaPolabathina
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demoHarshalMandlekar2
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 

Último (20)

Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demo
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 

Cryptography in PHP: use cases

  • 1. October 2011 Cryptography in PHP: use cases Enrico Zimuel Zend Technologies
  • 2. About me October 2011 • Enrico Zimuel (ezimuel) • Software Engineer since 1996 – Assembly x86, C/C++, Java, Perl, PHP • Enjoying PHP since 1999 • Senior PHP Engineer at Zend Technologies since 2008 • Author of two italian books about Email: enrico@zend.com applied cryptography • B.Sc. Computer Science and Economics from University of Pescara (Italy)
  • 3. Summary October 2011 ● Cryptography in PHP ● Some use cases: ● Safe way to store passwords ● Generate pseudo-random numbers ● Encrypt/decrypt sensitive data ● Demo: encrypt PHP session data
  • 4. Cryptography in PHP October 2011 ● crypt() ● Mcrypt ● Hash ● OpenSSL
  • 5. crypt() October 2011 ● One-way string hashing ● Support strong cryptography ● bcrypt, sha-256, sha-512 ● PHP 5.3.0 – bcrypt support ● PHP 5.3.2 – sha-256/512 ● Note: don't use PHP 5.3.7 (bug #55439)
  • 6. Mcrypt October 2011 ● Mcrypt is an interface to the mcrypt library ● Supports the following encryption algorithms: ● 3DES, ARCFOUR, BLOWFISH, CAST, DES, ENIGMA, GOST, IDEA (non-free), LOKI97, MARS, PANAMA, RIJNDAEL, RC2, RC4, RC6, SAFER, SERPENT, SKIPJACK, TEAN, TWOFISH, WAKE, XTEA
  • 7. Hash October 2011 ● Enabled by default from PHP 5.1.2 ● Hash or HMAC (Hash-based Message Authentication Code) ● Supported hash algorithms: MD4, MD5, SHA1, SHA256, SHA384, SHA512, RIPEMD, RIPEMD, WHIRLPOOL, GOST, TIGER, HAVAL, etc
  • 8. OpenSSL October 2011 ● The OpenSSL extension uses the functions of the OpenSSL project for generation and verification of signatures and for sealing (encrypting) and opening (decrypting) data ● Public key cryptography (RSA algorithm)
  • 9. Which algorithm? October 2011 ● Some suggestions: ● Symmetric encryption: – Blowfish / Twofish – Rijndael (AES, FIST 197 standard since 2001) ● Hash: SHA-256, 384, 512 ● Public key: RSA
  • 10. Cryptography vs. Security October 2011 ● Cryptography doesn't mean security ● Encryption is not enough ● Bruce Schneier quotes: ● “Security is only as strong as the weakest link” ● “Security is a process, not a product”
  • 13. Use case 1: store a password October 2011 ● Scenario: ● Web applications with a protect area ● Username and password to login ● Problem: how to safely store a password?
  • 14. Hash a password October 2011 ● Basic ideas, use of hash algorithms: ● md5($password) – not secure – Dictionary attack (pre-built) ● md5($salt . $password) – better but still insecure – Dictionary attacks: ● 700'000'000 passwords a second using CUDA (budget of 2000 $, a week) ● Cloud computing, 500'000'000 passwords a second (about $300/hour)
  • 15. bcrypt October 2011 ● Better idea, use of bcrypt algorithm: ● bcrypt prevent the dictionary attacks because is slow as hell ● Based on a variant of Blowfish ● Introduce a work factor, which allows you to determine how expensive the hash function will be
  • 16. bcrypt in PHP October 2011 ● Hash the password using bcrypt (PHP 5.3+) $salt = substr(str_replace('+', '.', $salt = substr(str_replace('+', '.', base64_encode($salt)), 0, 22); base64_encode($salt)), 0, 22); $hash = crypt($password,'$2a$'.$workload.'$'.$salt); $hash = crypt($password,'$2a$'.$workload.'$'.$salt); ● $salt is a random string (it is not a secret!) ● $workload is the bcrypt's workload (from 10 to 31)
  • 17. bcrypt workload benchmark $workload time in sec October 2011 10 0.1 11 0.2 12 0.4 13 0.7 14 1.5 Suggestion: Spend ≈ 1 sec (or more) 15 3 16 6 17 12 18 24.3 19 48.7 20 97.3 21 194.3 OS: Linux kernel 2.6.38 CPU: Intel Core2, 2.1Ghz 22 388.2 RAM: 2 GB - PHP: 5.3.6 … …
  • 18. bcrypt output October 2011 ● Example of bcrypt's output: $2a$14$c2Rmc2Fka2hmamhzYWRmauBpwLLDFKNPTfmCeuMHVnMVaLatNlFZO ● c2Rmc2Fka2hmamhzYWRmau is the salt ● Workload: 14 ● Length of 60 btyes
  • 19. bcrypt authentication October 2011 ● How to check if a $userpassword is valid for a $hash value? if ($hash==crypt($userpassword,$hash)) { if ($hash==crypt($userpassword,$hash)) { echo 'The password is correct'; echo 'The password is correct'; } else { } else { echo 'The password is not correct!'; echo 'The password is not correct!'; }}
  • 20. Use case 2: generate random data in PHP October 2011 ● Scenario: ● Generate random passwords for – Login systems – API systems ● Problem: how to generate random data in PHP?
  • 21. Random number generators October 2011
  • 22. PHP vs. randomness October 2011 ● How generate a pseudo-random value in PHP? ● Not good for cryptography purpose: ● rand() ● mt_rand() ● Good for cryptography (PHP 5.3+): ● openssl_random_pseudo_bytes()
  • 23. rand() is real random? October 2011 Pseudo-random bits rand() in PHP on Windows From random.org website
  • 24. Use case 3: encrypt data October 2011 ● Scenario: ● We want to store some sensitive data (e.g. credit card numbers) ● Problem: ● How to encrypt this data in PHP?
  • 25. Symmetric encryption October 2011 ● Using Mcrypt extension: ● mcrypt_encrypt(string $cipher,string $key, string $data,string $mode[,string $iv]) ● mcrypt_decrypt(string $cipher,string $key, string $data,string $mode[,string $iv]) ● What are these $mode and $iv parameters?
  • 26. Encryption mode October 2011 ● Symmetric encryption mode: ● ECB, CBC, CFB, OFB, NOFB or STREAM ● We are going to use the CBC that is the most used and secure ● Cipher-Block Chaining (CBC) mode of operation was invented in 1976 by IBM
  • 27. CBC October 2011 The Plaintext (input) is divided into blocks Block 1 Block 2 Block 3 ... Block 1 Block 2 Block 3 The Ciphertext (output) is the concatenation of the cipher-blocks
  • 28. IV October 2011 ● Initialization Vector (IV) is a fixed-size input that is typically required to be random or pseudo ● The IV is not a secret, you can send it in plaintext ● Usually IV is stored before the encrypted message ● Must be unique for each encrypted message
  • 29. Encryption is not enough October 2011 ● We cannot use only encryption to store sensitive data, we need also authentication! ● Encryption doesn't prevent alteration of data ● Padding Oracle Attack (Vaudenay, EuroCrypt 2002) ● We need to authenticate: ● MAC (Message Authentication Code) ● HMAC (Hash-based Message Authentication Code)
  • 30. HMAC October 2011 ● In PHP we can generate an HMAC using the hash_hmac() function: hash_hmac ($algo, $msg, $key) $algo is the hash algorithm to use (e.g. sha256) $msg is the message $key is the key for the HMAC
  • 31. Encryption + authentication October 2011 ● Three possible ways: ● Encrypt-then-authenticate ● Authenticate-then-encrypt ● Encrypt-and-authenticate ● We will use encrypt-then-authenticate, as suggested by Schneier in [1]
  • 32. Demo: encrypt session data October 2011 ● Specific PHP session handler to encrypt session data using files ● Use of AES (Rijndael 128) + HMAC (SHA-256) ● Pseudo-random session key ● The encryption and authentication keys are stored in a cookie variable ● Source code: https://github.com/ezimuel/PHP-Secure-Session
  • 33. Conclusion (1) October 2011 ● Use standard algorithms for cryptography: ● AES (Rijndael 128), SHA-* hash family, RSA ● Generate random data using the function: ● openssl_random_pseudo_bytes() ● Store passwords using bcrypt: ● crypt($password, '$2a$'.$workload.'$'.$salt)
  • 34. Conclusion (2) October 2011 ● For symmetric encryption: ● Use CBC mode with a different random IV for each encryption ● Always authenticate the encryption data (using HMAC): encrypt-then-authenticate ● Use HTTPS (SSL/TLS) to protect the communication client/server
  • 35. References October 2011 (1) N. Ferguson, B. Schneier, T. Kohno, “Cryptography Engineering”, Wiley Publishing, 2010 (2) Serge Vaudenay, “Security Flaws Induced by CBC Padding Applications to SSL, IPSEC, WTLS”, EuroCrypt 2002 ● Web: ● PHP cryptography extensions ● How to safely store a password ● bcrypt algorithm ● SHA-1 challenge ● Nvidia CUDA ● Random.org
  • 36. Thank you! October 2011 ● Vote this talk: ● http://joind.in/3748 ● Comments and feedbacks: ● enrico@zend.com