The Sodium crypto library of PHP 7.2 (PHP Day 2018)

5/14/2018 The Sodium crypto library of PHP 7.2 - phpDay 2018
https://www.zimuel.it/slides/phpday2018/sodium?print-pdf#/ 1/40
© 2018 Rogue Wave Software, Inc. All Rights Reserved.
THESODIUMCRYPTOLIBRARYTHESODIUMCRYPTOLIBRARY
OFPHP7.2OFPHP7.2
by
Senior Software Engineer
, Verona (Italy), May 12
Enrico Zimuel
Rogue Wave Software, Inc.
phpDay 2018

ABOUTMEABOUTME
Developer since 1996
Senior Software Engineer at
Inc.
Core team of ,
and
and international speaker
Research Programmer at
Co-founder of (Italy)
Rogue Wave Software
Apigility
Expressive Zend Framework
TEDx
Amsterdam University
PUG Torino

OVERVIEWOVERVIEW
NaCl/Sodium libraries
Elliptic Curve Cryptography
Sodium in PHP 7.2:
1. Encrypt with a shared-key
2. Authenticate with a shared-key
3. Sending secret messages
4. Digital signature
5. AEAD AES-GCM
6. Store passwords safely
7. Derive a key from a user's password

CRYPTOGRAPHYCRYPTOGRAPHY
Cryptography is hard. Hard to design, hard to implement,
hard to use, and hard to get right.

NACLNACL
NaCl: Networking and Cryptography library
High-speed software library for network
communication, encryption, decryption, signatures, etc
by Prof. , and
Highly-secure primitives and constructions,
implemented with extreme care to avoid
Daniel J. Bernstein others
side-channel
attacks

SIDE-CHANNELATTACKSIDE-CHANNELATTACK
Attack based on information gained from the
implementation of a computer system, rather than
weaknesses in the implemented algorithm itself

DECODERSAKEYUSINGPOWERANALYSISDECODERSAKEYUSINGPOWERANALYSIS
Source: Protecting Against Side-Channel Attacks with an Ultra-Low Power Processor

TIMINGATTACKTIMINGATTACK
An attacker measures the CPU time to perform some
procedures involving a secret (e.g. encryption key). If this
time depends on the secret, the attacker may be able to
deduce information about the secret.

EXAMPLEINPHPEXAMPLEINPHP
function compare(string $expected, string $actual): bool
{
$lenExpected = strlen($expected);
$lenActual = strlen($actual);
if ($lenExpected !== $lenActual) {
return false;
}
for($i=0; $i < $lenActual; $i++) {
if ($expected[$i] !== $actual[$i]) {
return false;
}
}
return true;
}

PREVENTTIMINGATTACK*PREVENTTIMINGATTACK*
* constant-time comparison
function compare(string $expected, string $actual): bool
{
$lenExpected = strlen($expected);
$lenActual = strlen($actual);
$len = min($lenExpected, $lenActual);
$result = 0;
for ($i = 0; $i < $len; $i++) {
$result |= ord($expected[$i]) ^ ord($actual[$i]);
}
$result |= $lenExpected ^ $lenActual;
return ($result === 0);
}

BESTTIMINGATTACKBESTTIMINGATTACK
In 2006 Adi Shamir, Eran Tromer, and Dag Arne Osvik
used a timing attack to discover, in 65 milliseconds, the
secret key used in widely deployed software for hard-
disk encryption.
Source: Cache Attacks and Countermeasures: the Case of AES

SODIUMCRYPTOLIBRARYSODIUMCRYPTOLIBRARY

SODIUMSODIUM
Sodium (libsodium) is a fork of NaCl
A portable, cross-compilable, installable, packageable,
API-compatible version of NaCl
Same implementations of crypto primitives as NaCl
Shared library and a standard set of headers (portable
implementation)
O cial web site: libsodium.org

FEATURESFEATURES
Authenticated public-key and authenticated shared-
key encryption
Public-key and shared-key signatures
Hashing
Keyed hashes for short messages
Secure pseudo-random numbers generation

ALGORITHMSINSODIUMALGORITHMSINSODIUM
Di e–Hellman key-exchange function
, stream ciphers
message-authentication code
public-key signature system
, password hashing
authenticated encryption algorithm
Curve25519
Salsa20 ChaCha20
Poly1305
Ed25519
Argon2 Scrypt
AES-GCM

ELLIPTICCURVESELLIPTICCURVES

ELLIPTICCURVESELLIPTICCURVES
= + ax + by
2
x
3

ADD2POINTSADD2POINTS
A + B = C, A + C = D, A + D = E

SCALARMULTIPLICATIONSCALARMULTIPLICATION
Given and nd such that is hard
P + P = 2P
P Q k Q = kP

SODIUMINPHPSODIUMINPHP
Available (as standard library) from PHP 7.2
PECL extension ( ) for PHP 7.0/7.1
85 functions with pre x sodium_
e.g. sodium_crypto_box_keypair()
libsodium

EXAMPLE1:EXAMPLE1:
ENCRYPTWITHASHARED-KEYENCRYPTWITHASHARED-KEY

SYMMETRICENCRYPTIONSYMMETRICENCRYPTION
Note: the encryption is always authenticated, you need to store also nonce + ciphertext
Algorithms: to encrypt and for MAC
$msg = 'This is a super secret message!';
// Generating an encryption key and a nonce
$key = random_bytes(SODIUM_CRYPTO_SECRETBOX_KEYBYTES); // 256 bit
$nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES); // 24 bytes
// Encrypt
$ciphertext = sodium_crypto_secretbox($msg, $nonce, $key);
// Decrypt
$plaintext = sodium_crypto_secretbox_open($ciphertext, $nonce, $key);
echo $plaintext === $msg ? 'Success' : 'Error';
XSalsa20 Poly1305

EXAMPLE2:EXAMPLE2:
AUTHENTICATEWITHASHARED-KEYAUTHENTICATEWITHASHARED-KEY

SYMMETRICAUTHENTICATIONSYMMETRICAUTHENTICATION
Note: the message is not encrypted
Algorithm:
$msg = 'This is the message to authenticate!';
$key = random_bytes(SODIUM_CRYPTO_SECRETBOX_KEYBYTES); // 256 bit
// Generate the Message Authentication Code
$mac = sodium_crypto_auth($msg, $key);
// Altering $mac or $msg, verification will fail
echo sodium_crypto_auth_verify($mac, $msg, $key) ? 'Success' : 'Error';
HMAC-SHA512

EXAMPLE3:EXAMPLE3:
SENDINGSECRETMESSAGESSENDINGSECRETMESSAGES

PUBLIC-KEYENCRYPTIONPUBLIC-KEYENCRYPTION
Note: it provides con dentiality, integrity and non-repudiation
Algorithms: to encrypt, for MAC, and for key exchange
$aliceKeypair = sodium_crypto_box_keypair();
$alicePublicKey = sodium_crypto_box_publickey($aliceKeypair);
$aliceSecretKey = sodium_crypto_box_secretkey($aliceKeypair);
$bobKeypair = sodium_crypto_box_keypair();
$bobPublicKey = sodium_crypto_box_publickey($bobKeypair); // 32 bytes
$bobSecretKey = sodium_crypto_box_secretkey($bobKeypair); // 32 bytes
$msg = 'Hi Bob, this is Alice!';
$nonce = random_bytes(SODIUM_CRYPTO_BOX_NONCEBYTES); // 24 bytes
$keyEncrypt = $aliceSecretKey . $bobPublicKey;
$ciphertext = sodium_crypto_box($msg, $nonce, $keyEncrypt);
$keyDecrypt = $bobSecretKey . $alicePublicKey;
$plaintext = sodium_crypto_box_open($ciphertext, $nonce, $keyDecrypt);
echo $plaintext === $msg ? 'Success' : 'Error';
XSalsa20 Poly1305 XS25519

EXAMPLE4:EXAMPLE4:
DIGITALSIGNATUREDIGITALSIGNATURE

DIGITALSIGNATUREDIGITALSIGNATURE
Note: the message is not encrypted, signedMsg includes signature + msg
Algorithm:
$keypair = sodium_crypto_sign_keypair();
$publicKey = sodium_crypto_sign_publickey($keypair); // 32 bytes
$secretKey = sodium_crypto_sign_secretkey($keypair); // 64 bytes
$msg = 'This message is from Alice';
// Sign a message
$signedMsg = sodium_crypto_sign($msg, $secretKey);
// Or generate only the signature (detached mode)
$signature = sodium_crypto_sign_detached($msg, $secretKey); // 64 bytes
// Verify the signed message
$original = sodium_crypto_sign_open($signedMsg, $publicKey);
echo $original === $msg ? 'Signed msg ok' : 'Error signed msg';
// Verify the signature
echo sodium_crypto_sign_verify_detached($signature, $msg, $publicKey) ?
'Signature ok' : 'Error signature';
Ed25519

EXAMPLE5:EXAMPLE5:
AES-GCMAES-GCM

AEADAES-256-GCMAEADAES-256-GCM
Note: you need to store also ad and nonce + ciphertext
if (! sodium_crypto_aead_aes256gcm_is_available()) {
throw new Exception("AES-GCM is not supported on this platform");
}
$msg = 'Super secret message!';
$key = random_bytes(SODIUM_CRYPTO_AEAD_AES256GCM_KEYBYTES);
$nonce = random_bytes(SODIUM_CRYPTO_AEAD_AES256GCM_NPUBBYTES);
// AEAD encryption
$ad = 'Additional public data';
$ciphertext = sodium_crypto_aead_aes256gcm_encrypt(
$msg,
$ad,
$nonce,
$key
);
// AEAD decryption
$decrypted = sodium_crypto_aead_aes256gcm_decrypt(
$ciphertext,

EXAMPLE6:EXAMPLE6:
STOREPASSWORDSSAFELYSTOREPASSWORDSSAFELY

ARGON2IARGON2I
An example of Argon2i hash:
$password = 'password';
$hash = sodium_crypto_pwhash_str(
$password,
SODIUM_CRYPTO_PWHASH_OPSLIMIT_INTERACTIVE,
SODIUM_CRYPTO_PWHASH_MEMLIMIT_INTERACTIVE
); // 97 bytes
echo sodium_crypto_pwhash_str_verify($hash, $password) ?
'OK' : 'Error';
$argon2id$v=19$m=65536,t=2,p=1$EF1BpShRmCYHN7ryxlhtBg$zLZO4IWjx3E...

ARGON2INPHP7.2ARGON2INPHP7.2
Comparing with Sodium:
Note: password_hash() is not compatible with sodium_crypto_pwhash_str()
// Argon2i without Sodium
$hash = password_hash($password, PASSWORD_ARGON2I); // 95 bytes
echo password_verify($password, $hash) ? 'OK' : 'Error';
$argon2id$v=19$m=65536,t=2,p=1$EF1BpShRmCYH... // 97 bytes, Sodium
$argon2i$v=19$m=1024,t=2,p=2$Y3pweEtMdS82SG... // 95 bytes, PHP

EXAMPLE7:EXAMPLE7:
DERIVEAKEYFROMAUSER'SPASSWORDDERIVEAKEYFROMAUSER'SPASSWORD

PASSWORDAREBADPASSWORDAREBAD
Not random
Predictable (most of the time)
Only a subset of ASCII codes (typically vs )
Never use it as encryption/authentication key!
Use KDF to derive a key from a password
68 256

DERIVEAKEYUSINGARGON2IDERIVEAKEYUSINGARGON2I
Example: generating a binary key of 32 bytes
Note: you need to store also the salt to generate the same key from password
$salt = random_bytes(SODIUM_CRYPTO_PWHASH_SALTBYTES);
$key = sodium_crypto_pwhash(
32,
$password,
$salt,
SODIUM_CRYPTO_PWHASH_OPSLIMIT_INTERACTIVE,
SODIUM_CRYPTO_PWHASH_MEMLIMIT_INTERACTIVE
);

UTILITYINSODIUMUTILITYINSODIUM
Wiping Sensitive Data from Memory:
Hex2bin / Bin2Hex:
Constant-time string comparison:
sodium_memzero(&$secret)
sodium_hex2bin(string $hex, string $ignore = '
sodium_bin2hex(string $bin)
sodium_compare(string $str1, string $str2)

REFERENCESREFERENCES
D.J. Bernstein, T.Lange, and P.Schwabe, ,
Lecture Notes in Computer Science 7533, Springer, 2012. ISBN 978-3-642-33480-1
Daniel J. Bernstein,
OpenDNS Security Research, , March 6, 2013
D.A. Osvik, A.Shamir, E.Tromer, , Lecture
Notes in Computer Science, vol 3860. Springer, 2006
Anthony Ferrara, , 2014
Eric Sesterhenn, , 2017
Angela Raucher, ,
Synopsys
Willy Raedy, , Full Stack Academy of Code
Scott Arciszewski, , Paragonie, 2017
The security impact of a new cryptographic library
Cryptography in NaCl
Introducing Sodium, a new cryptographic library
Cache Attacks and Countermeasures: the Case of AES
It's All About Time
Benchmarking memcmp() for timing attacks
Protecting Against Side-Channel Attacks with an Ultra-Low Power Processor
Elliptic Curve Cryptography Tutorial
Libsodium Quick Reference

THANKS!THANKS!
Rate this talk at
This work is licensed under a
.
I used to make this presentation.
joind.in/talk/5769a
Creative Commons Attribution-ShareAlike 3.0 Unported License
reveal.js

The Sodium crypto library of PHP 7.2 (PHP Day 2018)

Recommended

Recommended

More Related Content

Similar to The Sodium crypto library of PHP 7.2 (PHP Day 2018)

Similar to The Sodium crypto library of PHP 7.2 (PHP Day 2018) (20)

More from Zend by Rogue Wave Software

More from Zend by Rogue Wave Software (20)

Recently uploaded

Recently uploaded (20)

The Sodium crypto library of PHP 7.2 (PHP Day 2018)