1. Implementing Security Routines with Zend Framework 2 www.galvao.eti.br
Implementing Security Routines with Zend Framework 2
by Er Galvão Abbott
Topics: Authentication, Filter & Validation, Password Recovery, Cryptography, Authorization, Brute-Force
CC Attribution-ShareAlike 3.0 Unported License by Er Galvão Abbott - 11/8/14 - 1 / 34
Who?!
Er Galvão Abbott is the President of ABRAPHP, the Brazilian Association of PHP Professionals, and Director of PHP Conference Brasil.
He has worked for 20 years developing web-interfaced systems and applications, 15 of those with PHP and 7 with Zend Framework, for several companies, both local and off-shore.
He speaks at events, teaches both on-site and on-line courses, and is the founder and leader of the PHPBR UG, a national User Group with more than 1,200 registered users.
Site: http://www.galvao.eti.br/
Twitter: @galvao
Slides and Documents: http://slideshare.net/ergalvao
https://speakerdeck.com/galvao
Github: http://github.com/galvao
Goal
Discuss, in both conceptual and technical detail, how to implement Security Routines with Zend Framework 2.
I'll present the following topics:
→ Authentication
→ Brute-force protection
→ Password recovery
→ Cryptography
→ Authorization
→ Data Filtering and Validation
Before we begin
Security != a piece of cake*
* Not the framework (Hilarious!)
Why? Because, for example, I'm required to tell you this:
Disclaimer (or the “Not my fault” part)
$this is... !Perfect|Complete
$this is... !Fool proof
$this is... !The only|right way
Found an example of why? Let me know!
Authentication
Authentication
ZfcUser, right?!
YES! Well...
Let's talk about wheels...
If you don't [want to] know much about security...
http://modules.zendframework.com/ZF-Commons/ZfcUser
If you do... the ZF2 components: Zend\Authentication, Zend\Crypt, Zend\Filter, Zend\Form
Now that we've put that aside...
Authentication
Authentication → Service*
Cryptography → (Can also be a) Service*
Authentication attempts → Event
* Yes, yes, it could be done as a Module, Plugin, etc... -.-”
Authentication
Show me the code!
[code slide: Authentication & Cryptography]
[code slide: Cryptography]
[code slide: Authentication]
[code slide: Authentication]
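The code on those slides is not reproduced here. The following is an added example, not the deck's own code, showing the split the previous slide describes: cryptography as a service, authentication as a Zend\Authentication adapter, and every attempt raised as an event. The user repository (a `findByUsername()` returning an array with `username`, `password_hash` and `active`, or `null`) and the event name `auth.attempt` are assumptions of this example.

```php
<?php
// Added example, not the deck's own code: cryptography as a service and
// authentication as a Zend\Authentication adapter that emits an event per
// attempt. The user repository (findByUsername() returning an array with
// 'username', 'password_hash', 'active', or null) is a hypothetical interface.
namespace App\Service;

use Zend\Authentication\Adapter\AdapterInterface;
use Zend\Authentication\AuthenticationService;
use Zend\Authentication\Result;
use Zend\Crypt\Password\Bcrypt;
use Zend\EventManager\EventManager;
use Zend\EventManager\EventManagerInterface;

// Cryptography service: the single owner of the password-hashing policy.
class CryptService
{
    private $bcrypt;

    public function __construct($cost = 12)
    {
        // Bcrypt salts every hash itself; cost is the work factor (2^cost rounds).
        $this->bcrypt = new Bcrypt(['cost' => $cost]);
    }

    public function hash($plain)
    {
        return $this->bcrypt->create($plain);
    }

    public function verify($plain, $hash)
    {
        return $this->bcrypt->verify($plain, $hash);
    }
}

// Authentication adapter: the only code that decides whether credentials are valid.
class UserAuthAdapter implements AdapterInterface
{
    private $users;
    private $crypt;
    private $events;
    private $dummyHash;
    private $username;
    private $password;

    public function __construct($users, CryptService $crypt, EventManagerInterface $events)
    {
        $this->users  = $users;
        $this->crypt  = $crypt;
        $this->events = $events;
        // Verified against when the user does not exist, so that "unknown user"
        // and "wrong password" take the same time and return the same message.
        $this->dummyHash = $crypt->hash('not-a-real-password');
    }

    public function setCredentials($username, $password)
    {
        $this->username = (string) $username;
        $this->password = (string) $password;
        return $this;
    }

    public function authenticate()
    {
        $user   = $this->users->findByUsername($this->username);
        $hash   = $user !== null ? $user['password_hash'] : $this->dummyHash;
        $match  = $this->crypt->verify($this->password, $hash);
        $active = $user !== null && (int) $user['active'] === 1;

        if ($user !== null && $match && $active) {
            $result = new Result(Result::SUCCESS, $user['username']);
        } else {
            // One generic failure code and message for every failure cause.
            $result = new Result(Result::FAILURE, null, ['Invalid credentials']);
        }

        // Every attempt, good or bad, is an event: brute-force protection and
        // audit logging attach here instead of being mixed into this method.
        $this->events->trigger('auth.attempt', $this, [
            'username' => $this->username,
            'success'  => $result->isValid(),
        ]);
        return $result;
    }
}

// Wiring, as a ServiceManager factory would do it:
// $crypt   = new CryptService();
// $adapter = new UserAuthAdapter($userRepository, $crypt, new EventManager());
// $service = new AuthenticationService();     // identity goes to Zend\Session storage
// $result  = $service->authenticate($adapter->setCredentials($username, $password));
// if (!$result->isValid()) { $messages = $result->getMessages(); }
```

Two points worth keeping when adapting this: the adapter returns the same failure code and message whether the username is unknown, the password is wrong or the account is inactive, and it still runs one bcrypt verification in the unknown-user case so the response time does not reveal which usernames exist. After a successful `authenticate()` the session id should be regenerated (`session_regenerate_id(true)`) before the identity is used, so a session fixed by an attacker before login is not promoted to an authenticated one.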
Password Recovery
Checklist
1. User doesn't “need to change pwd” already;
2. User is “active”;
3. Randomize a temporary pwd;
4. Randomize a temporary, short-lived token;
5. Send a tokenized link for the user to change his pwd;
6. He must correctly enter the temp pwd;
7. If the temp pwd and/or token expires, inactivate the user and make him contact support;
8. Else, change the pwd and mark the user as “OK”;
9. If any step fails, see step 7!
For your randomization needs: https://github.com/galvao/PHPToolkit*
* Shameless advertising detected!
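The checklist above, carried through as an added example that is not the deck's own code. It uses Zend\Math\Rand for the temporary password and token and Zend\Crypt for hashing; the user store is a constructed in-memory array standing in for a real table, and the column names, the 15-minute lifetime and the `start()`/`complete()` method names are assumptions of this example.

```php
<?php
// Added example, not the deck's code: the password-recovery checklist with
// ZF2's Zend\Math\Rand and Zend\Crypt. The user store is a constructed
// in-memory array; a real build would use a table with the same columns.
namespace App\Service;

use Zend\Crypt\Password\Bcrypt;
use Zend\Crypt\Utils;
use Zend\Math\Rand;

class PasswordRecovery
{
    const TOKEN_TTL = 900; // token and temporary password live 15 minutes

    private $users;   // username => ['active','must_change','password_hash','reset_token_hash','reset_temp_hash','reset_expires']
    private $bcrypt;

    public function __construct(array &$users)
    {
        $this->users  = &$users;
        $this->bcrypt = new Bcrypt(['cost' => 10]);
    }

    // Steps 1-5: returns the link token and the temporary password, to be
    // delivered over two separate channels, or null if the user is not eligible.
    public function start($username)
    {
        if (!isset($this->users[$username])) {
            return null;
        }
        $u = &$this->users[$username];
        if ($u['active'] !== true || $u['must_change'] === true) {
            return null;               // steps 1 and 2
        }
        // $strong = true makes Rand throw instead of falling back to a weak source.
        $tempPwd = Rand::getString(12, 'ABCDEFGHJKLMNPQRSTUVWXYZ23456789', true);
        $token   = bin2hex(Rand::getBytes(32, true));
        // Store only hashes: a leaked table must not yield usable tokens.
        $u['reset_token_hash'] = hash('sha256', $token);
        $u['reset_temp_hash']  = $this->bcrypt->create($tempPwd);
        $u['reset_expires']    = time() + self::TOKEN_TTL;
        $u['must_change']      = true;
        return ['token' => $token, 'temp_password' => $tempPwd];
    }

    // Steps 6-9: called from the tokenized link with the temp pwd and the new pwd.
    public function complete($username, $token, $tempPwd, $newPwd)
    {
        if (!isset($this->users[$username]) || empty($this->users[$username]['reset_token_hash'])) {
            return false;              // no recovery in progress
        }
        $u = &$this->users[$username];
        if (time() > $u['reset_expires']) {
            $this->failHard($u);       // step 7: expired => inactivate
            return false;
        }
        // Constant-time comparison of the token hash; bcrypt verify for the temp pwd.
        $tokenOk = Utils::compareStrings($u['reset_token_hash'], hash('sha256', (string) $token));
        $tempOk  = $this->bcrypt->verify((string) $tempPwd, $u['reset_temp_hash']);
        if (!$tokenOk || !$tempOk) {
            $this->failHard($u);       // step 9: any failure => step 7
            return false;
        }
        $u['password_hash'] = $this->bcrypt->create($newPwd);
        $u['must_change']   = false;   // step 8: user is "OK" again
        $this->clearReset($u);
        return true;
    }

    private function failHard(array &$u)
    {
        $u['active'] = false;          // user must contact support
        $this->clearReset($u);
    }

    private function clearReset(array &$u)
    {
        $u['reset_token_hash'] = $u['reset_temp_hash'] = null;
        $u['reset_expires']    = 0;    // the token is single-use
    }
}

// Constructed sample store and a full round trip:
$users = ['alice' => ['active' => true, 'must_change' => false, 'password_hash' => '',
                      'reset_token_hash' => null, 'reset_temp_hash' => null, 'reset_expires' => 0]];
$recovery = new PasswordRecovery($users);
$issued   = $recovery->start('alice');   // e-mail a link carrying $issued['token']; send the temp pwd another way
$ok       = $recovery->complete('alice', $issued['token'], $issued['temp_password'], 'N3w-Str0ng-Pass!');
// $ok === true; a second call with the same token returns false because the hash was cleared.
```

The design choice that matters is that the database never holds anything an attacker can replay: the token is stored as a SHA-256 digest, the temporary password as a bcrypt hash, and both are wiped on first use or on the first wrong guess. Sending the token and the temporary password through different channels is what makes step 6 a second factor rather than a repeat of step 5.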
Password Recovery
Key points
Know what to do and what to avoid
Laziness and “user-comfort-centrism” are your enemies
Brute Force
It's all about TIME
1. Generate a timestamp;
2. Log the attempt;
3. Get the previous attempt's timestamp;
4. Interval = current - previous;
5. If the interval is suspicious, lock the user out;
6. If x unsuccessful attempts, lock the user out.
Brute Force
Show me the code!
[code slide: Brute Force]
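The code on that slide is not reproduced here. As an added example, not the deck's own code, the six steps above as a listener on an `auth.attempt` event (assumed to carry `username` and `success` parameters, as an authentication adapter would trigger it). The attempt log is a constructed in-memory array, the clock is injectable so the walk-through is deterministic, and the thresholds are assumptions of this example.

```php
<?php
// Added example, not the deck's own code. A brute-force guard that listens
// to an "auth.attempt" event (assumed: triggered by the authentication
// adapter with 'username' and 'success' params) and applies the six steps.
// Attempts live in a constructed in-memory array; a real build logs them to
// a table keyed by username and source IP and prunes old rows.
namespace App\Service;

use Zend\EventManager\EventInterface;
use Zend\EventManager\EventManager;

class BruteForceGuard
{
    const MIN_INTERVAL = 2;    // seconds; faster than a human retyping a password
    const MAX_FAILURES = 5;    // consecutive failures before lock-out
    const LOCK_SECONDS = 900;

    private $attempts = [];    // username => list of ['ts' => int, 'ok' => bool]
    private $locked   = [];    // username => unlock timestamp
    private $clock;

    public function __construct(callable $clock = null)
    {
        $this->clock = $clock ?: 'time';   // injectable for deterministic tests
    }

    public function attach(EventManager $events)
    {
        $events->attach('auth.attempt', [$this, 'onAttempt']);
    }

    // The adapter should call this before verifying any password.
    public function isLocked($username)
    {
        return isset($this->locked[$username])
            && $this->locked[$username] > call_user_func($this->clock);
    }

    public function onAttempt(EventInterface $e)
    {
        $user = (string) $e->getParam('username');
        $ok   = (bool) $e->getParam('success');
        $now  = call_user_func($this->clock);                       // 1. timestamp
        $prev = isset($this->attempts[$user]) ? end($this->attempts[$user]) : null;
        $this->attempts[$user][] = ['ts' => $now, 'ok' => $ok];     // 2. log it

        if ($prev !== null && ($now - $prev['ts']) < self::MIN_INTERVAL) { // 3-5
            $this->lock($user, $now);                               // too fast: a script, not a person
            return;
        }
        if ($ok) {
            return;                                                 // a success ends the failure run
        }
        $failures = 0;                                              // 6. count consecutive failures
        foreach (array_reverse($this->attempts[$user]) as $a) {
            if ($a['ok']) {
                break;
            }
            $failures++;
        }
        if ($failures >= self::MAX_FAILURES) {
            $this->lock($user, $now);
        }
    }

    private function lock($user, $now)
    {
        $this->locked[$user] = $now + self::LOCK_SECONDS;
    }
}

// Constructed walk-through with a fake clock:
$t = 1000;
$guard  = new BruteForceGuard(function () use (&$t) { return $t; });
$events = new EventManager();
$guard->attach($events);
foreach ([1000, 1010, 1020, 1030, 1040] as $t) {
    $events->trigger('auth.attempt', null, ['username' => 'alice', 'success' => false]);
}
// five well-spaced failures => locked by rule 6: $guard->isLocked('alice') === true
$t = 2000;
$events->trigger('auth.attempt', null, ['username' => 'bob', 'success' => false]);
$t = 2001;
$events->trigger('auth.attempt', null, ['username' => 'bob', 'success' => false]);
// one second between attempts => locked by rule 5: $guard->isLocked('bob') === true
```

Two caveats a deployment needs. A lock keyed on the username alone lets anyone lock a victim out by deliberately failing five times, so key the counters on the source address as well, or answer with growing delays instead of a hard lock. And the interval test only sees one user at a time: a credential-stuffing run that tries one password against thousands of users never trips it, which is why the per-address view matters.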
Authorization
Authorization
It's all about CAN & CAN'T
The relation between roles and resources.
Roles can inherit from other roles.
Resources may be available to multiple roles.
A few not-so-obvious things to consider:
1. Everyone has a role;
2. Static storage > Dynamic storage (define the ACL in code/config, not in mutable runtime data);
3. Ideally, the role of the current user should be fetched dynamically...
4. ... and a user's role should be “immutable”.
Authorization
Zend\Permissions\Acl
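An added example, not the deck's own code, of the four points above with Zend\Permissions\Acl: a default role for everyone, the policy held in a static configuration array, the current role looked up per request, and a route listener that refuses before the controller runs. The controller names, the `AclService` class and the way the current role is passed in are assumptions of this example.

```php
<?php
// Added example, not the deck's own code: an ACL built from a static
// configuration array, with a route listener that denies before dispatch.
// The controller names and the AclService shape are assumptions.
namespace App\Service;

use Zend\Permissions\Acl\Acl;
use Zend\Permissions\Acl\Role\GenericRole as Role;
use Zend\Permissions\Acl\Resource\GenericResource as Resource;
use Zend\Mvc\MvcEvent;

class AclService
{
    const DEFAULT_ROLE = 'guest';   // 1. everyone has a role, even anonymous users

    private $acl;

    // 2. static storage: the policy ships with the code, not in a mutable table
    public static $config = [
        'roles' => [                // role => parent (null = no inheritance)
            'guest'  => null,
            'member' => 'guest',
            'admin'  => 'member',
        ],
        'resources' => ['Application\Controller\Index', 'Application\Controller\Article', 'Application\Controller\Admin'],
        'allow' => [                // [role, resource, privileges|null (= all)]
            ['guest',  'Application\Controller\Index',   null],
            ['guest',  'Application\Controller\Article', ['index', 'view']],
            ['member', 'Application\Controller\Article', ['create', 'edit']],
            ['admin',  'Application\Controller\Admin',   null],
        ],
        'deny' => [
            ['member', 'Application\Controller\Article', ['delete']],
        ],
    ];

    public function __construct(array $config)
    {
        $this->acl = new Acl();
        foreach ($config['roles'] as $role => $parent) {
            $this->acl->addRole(new Role($role), $parent);
        }
        foreach ($config['resources'] as $res) {
            $this->acl->addResource(new Resource($res));
        }
        foreach ($config['allow'] as $rule) {
            list($role, $res, $priv) = $rule;
            $this->acl->allow($role, $res, $priv);
        }
        foreach ($config['deny'] as $rule) {
            list($role, $res, $priv) = $rule;
            $this->acl->deny($role, $res, $priv);
        }
        // Nothing else is declared: Acl denies by default.
    }

    public function isAllowed($role, $controller, $action)
    {
        if (!$this->acl->hasRole($role)) {
            $role = self::DEFAULT_ROLE;     // unknown role => treated as anonymous
        }
        if (!$this->acl->hasResource($controller)) {
            return false;                   // unknown resource => forbidden, not a 500
        }
        return $this->acl->isAllowed($role, $controller, $action);
    }

    // 3. $currentRole is resolved at request time from the authenticated
    // identity (server side), never from a client-supplied value.
    public function onRoute(MvcEvent $e, $currentRole)
    {
        $match = $e->getRouteMatch();
        if ($match === null) {
            return;
        }
        if (!$this->isAllowed($currentRole, $match->getParam('controller'), $match->getParam('action'))) {
            $e->getResponse()->setStatusCode(403);
            $e->stopPropagation(true);
            return $e->getResponse();       // returning a Response short-circuits dispatch
        }
    }
}

// Checks against the static policy (no MVC bootstrap needed):
$svc = new AclService(AclService::$config);
$svc->isAllowed('guest',  'Application\Controller\Article', 'view');     // true
$svc->isAllowed('guest',  'Application\Controller\Article', 'edit');     // false
$svc->isAllowed('member', 'Application\Controller\Article', 'view');     // true: inherited from guest
$svc->isAllowed('member', 'Application\Controller\Article', 'edit');     // true
$svc->isAllowed('admin',  'Application\Controller\Article', 'delete');   // false: member's deny is inherited
$svc->isAllowed('admin',  'Application\Controller\Admin',   'anything'); // true
$svc->isAllowed('nobody', 'Application\Controller\Admin',   'index');    // false: falls back to guest
```

The last two checks show why point 1 and point 4 go together: an unknown or tampered role degrades to `guest` instead of throwing, and because the policy is static, the only thing that can change a user's access at run time is the role the authenticated identity maps to.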
Filter / Validation
Filter / Validation
A few not-so-obvious things to consider:
1. Filter first, then Validate;
2. Filtering changes data, so back up the raw data;
3. White List whenever possible (Ideally? ALWAYS)
4. K.I.S.S. (Keep It Simple, Stupid... ly beautiful people!)
Filter / Validation: Flexibility in ZF2
Filter & Validation can live:
→ In the form
→ In the model
→ Separated
Filter / Validation
Show me the code!
[code slide: Filter & Validation]
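The code on that slide is not reproduced here. As an added example that is not the deck's own code, a Zend\InputFilter definition applying the four rules from the previous slides: each input's filter chain runs before its validators, the raw values stay retrievable, every accepted value is white-listed, and the specification stays declarative. The field names and the sample POST body are constructed for the example.

```php
<?php
// Added example, not the deck's own code: a Zend\InputFilter definition that
// applies the four rules (filter first, keep the raw data, white-list, keep
// it simple). Field names and the sample POST body are constructed.
namespace App\Form;

use Zend\InputFilter\InputFilter;

class RegistrationInputFilter extends InputFilter
{
    public function __construct()
    {
        // Per input, ZF2 runs the filter chain first and validates the
        // filtered value; validators never see the raw input.
        $this->add([
            'name'       => 'username',
            'required'   => true,
            'filters'    => [['name' => 'StringTrim'], ['name' => 'StringToLower']],
            'validators' => [[
                'name'    => 'Regex',         // white list: what a username MAY contain
                'options' => ['pattern' => '/^[a-z0-9_]{3,20}$/'],
            ]],
        ]);
        $this->add([
            'name'       => 'email',
            'required'   => true,
            'filters'    => [['name' => 'StringTrim']],
            'validators' => [['name' => 'EmailAddress']],
        ]);
        $this->add([
            'name'       => 'role',
            'required'   => true,
            'validators' => [[
                'name'    => 'InArray',       // white list of acceptable values:
                'options' => ['haystack' => ['member'], 'strict' => true], // "admin" never comes from a form
            ]],
        ]);
        // Keys not declared here are dropped by getValues(): a smuggled
        // "is_admin=1" never reaches the model.
    }
}

// Constructed POST body with untrimmed input, a privilege escalation attempt
// in "role" and a smuggled extra field:
$post = [
    'username' => '  Alice_01 ',
    'email'    => 'alice@example.com ',
    'role'     => 'admin',
    'is_admin' => '1',
];
$filter = new RegistrationInputFilter();
$filter->setData($post);
$valid  = $filter->isValid();      // false: "admin" is not in the role white list
$raw    = $filter->getRawValues(); // rule 2: the original values are still available
$clean  = $filter->getValues();    // ['username' => 'alice_01', 'email' => 'alice@example.com', 'role' => 'admin']
$errors = $filter->getMessages();  // ['role' => ['notInArray' => '...']]
```

Note what the white lists buy here: the username regex accepts a shape rather than rejecting known-bad characters, so there is no escaping to keep up to date, and the `role` field is validated against the one value a self-registration may carry, which is the check that matters when the same model is later reused by an admin screen.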
Thank you very much!
? Questions?
↓ Criticism?
↑ Compliments?!