PHP7.2 and Modern Cryptography
Johney Park
Use Libsodium
TL; DR

Side Channel Attack
• Meltdown, Spectre
• Large Prime Number

Elliptic Curve Cryptography
• RSA 3072bit = ECC 256bit
• key
• Side Channel Attack

Authenticated Encryption
• Message Authentication Code
• (nonce)

Post-Quantum Cryptography

PHP 7.2 ?
Libsodium & Argon2

Libsodium
• NaCl (salt) (2008-2010)
• Networking and cryptography library, high-speed software library for network communication, encryption, decryption, signature, etc.
• US EU Funding
• C (with inline assembler), C++, Python Wrapper
• Libsodium NaCl Cross-Platform (2013)
• 2017 PHP7.2

Argon2
• Side Channel Attack Hash Algorithm
• 2015
• password_hash Libsodium , Libsodium password_hash BCRYPT . ( 7.2 )
• password_hash Libsodium
• Libsodium
• hash

Argon2
    // Argon2i through PHP's core password API (PHP 7.2+).
    $password = 'secret password';
    $hash = password_hash($password, PASSWORD_ARGON2I);
    echo $hash . PHP_EOL;
    if (password_verify($password, $hash)) {
        echo 'valid password' . PHP_EOL;
        // True when the stored hash was made with a different algorithm or cost parameters.
        if (password_needs_rehash($hash, PASSWORD_ARGON2I)) {
            echo 'save new password hash' . PHP_EOL;
        }
    } else {
        echo 'invalid password!' . PHP_EOL;
    }
Output:
    $argon2i$v=19$m=1024,t=2,p=2$RWRRb01PMnRETU8zMXNrag$/BKnBpq0Yl82OsimPaNn/SlnAuaGsYWi3H95bfZKFSc
    valid password

Argon2
    // Password hashing through the sodium extension; the output below carries the $argon2id$ prefix.
    $password = 'secret password';
    $hash = sodium_crypto_pwhash_str(
        $password,
        SODIUM_CRYPTO_PWHASH_OPSLIMIT_INTERACTIVE,
        SODIUM_CRYPTO_PWHASH_MEMLIMIT_INTERACTIVE
    );
    echo $hash . PHP_EOL;
    if (sodium_crypto_pwhash_str_verify($hash, $password)) {
        // Wipe the plaintext password once it is no longer needed.
        sodium_memzero($password);
        echo 'valid password' . PHP_EOL;
        // True when the stored hash was made with different limits.
        if (sodium_crypto_pwhash_str_needs_rehash(
            $hash,
            SODIUM_CRYPTO_PWHASH_OPSLIMIT_INTERACTIVE,
            SODIUM_CRYPTO_PWHASH_MEMLIMIT_INTERACTIVE
        )) {
            echo 'save new password hash' . PHP_EOL;
        }
    } else {
        sodium_memzero($password);
        echo 'invalid password!' . PHP_EOL;
    }
Output:
    $argon2id$v=19$m=65536,t=2,p=1$zYnVgQGMf+YpTKZzTvqv2g$XHM3XJpOOgeQvibBX9fY4OB6CA06aJVcsF+DmMFOMtc
    valid password

Hash
• Rainbow table, Collision Attack
• Libsodium generic hash BLAKE2b
• short hash SipHash-2-4
• Libsodium
• PHP hash MD5 SHA-1 . SHA-256 SHA-512

Hash
    // Generic hash: BLAKE2b, unkeyed here, 32-byte digest by default.
    $hash = sodium_bin2hex(sodium_crypto_generichash('message'));
    echo $hash . PHP_EOL;
Output:
    2e7836cc18ab1db2a2e239ebf4043772b3359520198b5fd55443b01a1023a5b0

    // Short hash: SipHash-2-4, keyed, 8-byte digest; the value depends on the random key.
    $key = random_bytes(SODIUM_CRYPTO_SHORTHASH_KEYBYTES);
    $hash = sodium_bin2hex(sodium_crypto_shorthash('message', $key));
    echo $hash . PHP_EOL;
Output:
    7b02d09fb8bd2289

    // PHP's built-in hash extension, for comparison.
    $hash = hash('sha256', 'message');
    echo $hash . PHP_EOL;
Output:
    ab530a13e45914982b79f9b7e3fba994cfd1f3fb22f71cea1afbf02b460c6d1d

Secret Key
• XSalsa20
• Poly1305 MAC
• nonce
• AEAD AEAD . ( ..)

Secret Key
    // The nonce must be unique for every message encrypted under the same key.
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $key = random_bytes(SODIUM_CRYPTO_SECRETBOX_KEYBYTES);
    $message = 'secret message';
    // XSalsa20 encryption with a Poly1305 MAC over the ciphertext.
    $cipher_text = sodium_bin2hex(sodium_crypto_secretbox($message, $nonce, $key));
    sodium_memzero($message);
    echo $cipher_text . PHP_EOL;
Output:
    9bb7d572868a8ddb773398fd107b3ccbf8f6dd010809bb1f76008a4a2abc

    // Returns false when the MAC does not verify.
    $plain_text = sodium_crypto_secretbox_open(sodium_hex2bin($cipher_text), $nonce, $key);
    echo $plain_text . PHP_EOL;
Output:
    secret message
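
An added example, not part of the original slides, for the Authenticated Encryption and Secret Key slides: it carries a fresh nonce alongside each ciphertext and shows that a changed nonce, a changed ciphertext byte, a wrong key and a truncated message are all rejected. The helper names seal_message(), open_message() and flip_bit() are hypothetical; the sodium_* functions are PHP's ext/sodium API.

```php
<?php
// Added example, not from the original slides. seal_message(),
// open_message() and flip_bit() are hypothetical helper names.
declare(strict_types=1);

/**
 * Encrypt with XSalsa20-Poly1305 and return base64(nonce || ciphertext).
 * A new random 24-byte nonce is drawn for every call, so one key can
 * protect many messages.
 */
function seal_message(string $plaintext, string $key): string
{
    if (strlen($key) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
        throw new InvalidArgumentException('key has the wrong length');
    }
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box = sodium_crypto_secretbox($plaintext, $nonce, $key);
    return base64_encode($nonce . $box);
}

/**
 * Split nonce and ciphertext, verify the Poly1305 MAC and decrypt.
 * Throws instead of returning false so a failed check cannot be ignored.
 */
function open_message(string $encoded, string $key): string
{
    $raw = base64_decode($encoded, true);
    $min = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if ($raw === false || strlen($raw) < $min) {
        throw new RuntimeException('malformed ciphertext');
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open($box, $nonce, $key);
    if ($plain === false) {
        throw new RuntimeException('authentication failed');
    }
    return $plain;
}

/** Flip the lowest bit of one byte of a base64-encoded token. */
function flip_bit(string $token, int $offset): string
{
    $raw = base64_decode($token, true);
    $raw[$offset] = chr(ord($raw[$offset]) ^ 0x01);
    return base64_encode($raw);
}

// Constructed sample input.
$key = sodium_crypto_secretbox_keygen();
$token = seal_message('secret message', $key);

echo 'round trip: ', open_message($token, $key), PHP_EOL;
echo 'same message, different token: ',
    var_export(seal_message('secret message', $key) !== $token, true), PHP_EOL;

$raw = base64_decode($token, true);
$cases = [
    'nonce byte changed'      => [flip_bit($token, 0), $key],
    'ciphertext byte changed' => [flip_bit($token, strlen($raw) - 1), $key],
    'wrong key'               => [$token, sodium_crypto_secretbox_keygen()],
    'truncated'               => [base64_encode(substr($raw, 0, 30)), $key],
];

foreach ($cases as $label => [$candidate, $candidateKey]) {
    try {
        open_message($candidate, $candidateKey);
        echo $label, ': accepted', PHP_EOL;
    } catch (RuntimeException $e) {
        echo $label, ': rejected (', $e->getMessage(), ')', PHP_EOL;
    }
}
```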

Public Key
• X25519 XSalsa20
• Poly1305 MAC

Public Key
    $key_pair = sodium_crypto_box_keypair();
    $public_key = sodium_crypto_box_publickey($key_pair);
    $message = 'secret message';
    // Sealed box: encryption needs only the recipient's public key.
    $cipher_text = sodium_bin2hex(sodium_crypto_box_seal($message, $public_key));
    sodium_memzero($message);
    echo $cipher_text . PHP_EOL;
Output:
    03fb2a60f2dbbe74c5f5eb2a9d13ea6a58c44badd2aa0963ff096c5b344bc5358a724badf814fa22c5566d8b36867ddbf9ceb4fccbb77a3f303a037429ea

    // Decryption needs the full key pair; returns false on failure.
    $plain_text = sodium_crypto_box_seal_open(sodium_hex2bin($cipher_text), $key_pair);
    echo $plain_text . PHP_EOL;
Output:
    secret message

Libsodium
7.1

Reference
• Official site
  https://www.gitbook.com/book/jedisct1/libsodium/details
• Paragon IE
  https://paragonie.com/book/pecl-libsodium