No ratings yet.

Strong Cryptography in PHP

How to use cryptography in php

 

 

 

 

 

 

 
we can say that an encryption algorithm is considered highly resistant to cryptanalytic attacks.
It’s difficult to answer to this question as we don’t have a simple metric of security.

Kinds of web attacks:

  1. Implementation attacks
  2. Brute forcing attacks
  3. Theoretical attacks

 
There are least four ways of cryptography:

  1. Hash
  2. OpenSSL
  3. crypt()
  4. Mcrypt 

crypt() function in php

One-way string hashing

  1. Support strong cryptography
  2. bcrypt, sha-256, sha-512
  3. PHP 5.3.2 – sha-256/512
  4. PHP 5.3.0 – bcrypt support

 

Mcrypt function in php
Mcrypt is an interface to the mcrypt library, which supports a wide variety of block algorithms.

 It supports the following encryption algorithms:

 3DES, ARCFOUR, BLOWFISH, CAST, DES, ENIGMA, GOST, IDEA (non-free), LOKI97,  SKIPJACK, TEAN, TWOFISH, WAKE, XTEA,MARS, PANAMA, RIJNDAEL, RC2, RC4, RC6, SAFER, SERPENT

Hash function in php

  1. With this extension you can generate hash values or HMAC (Hash-based Message Authentication
    Code)
  2. This extension replace the old mhash extension
  3. The Hash extension requires no external libraries
    and is enabled by default as of PHP 5.1.2.
  4. It Supports hash algorithms: SHA384, SHA512, RIPEMD, RIPEMD,MD4, MD5, SHA1, SHA256,  WHIRLPOOL, GOST, TIGER, HAVAL, etc

 

How to use OpenSSL in php

  1. You can use OpenSSL to protect data using public key cryptography with the RSA algorithm.
  2. The OpenSSL extension uses the functions of the OpenSSL project for generation and verification of signatures and for sealing (encrypting) and opening (decrypting) data

 

how to secure user password in php:

First step never use user password as a key and second thing hash it with salt
salt is term and function used in php for avoid dictionary attacks.

Pseudo random key

function pseudoRandomKey($size) {
if (function_exists(‘openssl_random_pseudo_bytes’)) {
$rnd = openssl_random_pseudo_bytes($size, $strong);
if($strong === TRUE)
return $rnd;
}
$sha=”; $rnd=”;
for ($i=0;$i<$size;$i++) {
$sha= hash(‘sha256’,$sha.mt_rand());
$char= mt_rand(0,62);
$rnd.= chr(hexdec($sha[$char].$sha[$char+1]));
}
return $rnd;
}

How to build a key from  user password in php:

Build a key from a user password Hash the password with a random salt + stretching

$salt= pseudoRandomKey(128);
$hash=”;
for ($i=0;$i<HASH_CYCLE_LIMIT;$i++) {
$hash= hash(‘sha512’,$hash.$salt.$password);
}

what is hash cycle limit and how it works:

HASH_CYCLE_LIMIT depends on the CPU speed, should
take between 200 to 1000 ms
1- Intel Core 2 at 2.1Ghz, LIMIT? 20’000 (500 ms)

How to store a password safely in php:

Hash the password using bcrypt (PHP 5.3.0)

$salt = substr(str_replace(‘+’, ‘.’,
base64_encode($salt)), 0, 22);
$hash= crypt($password,’$2a$’.$cost.’$’.$salt);
where $cost is the base-2 logarithm of the iteration count
(Blowfish). Must be in range 04-31.
 How to check if a password is valid or not:

$hash==crypt($password,,$hash))

Safely store a password (sha256)

function securePassword ($password, $salt) {
$hash=”;
for ($i=0;$i<SHA_LIMIT_LOOP;$i++) {
$hash= hash(‘sha256’,$hash.$salt.$password);
}
return base64_encode($salt).’$’.$hash;
}

For instance, $password= ‘thisIsTheSecretPassword’ and $salt=
‘hsjYeg/bxn()%3jdhsGHq0’
aHNqWWVnL2J4bigpJTNqZGhzR0hxMA==$3658oilkju22af719adabcf5
0db8a0b4cd0d14e075qwerh3e5f47bde620a3c13
Green= salt, Red= encrypted password

How to check a hash password valid or not in php

function validPassword ($password, $hash) {
$delimiter= strpos($hash,’$’);
if ($delimiter===false) {
return false;
}
$salt= base64_decode(substr($hash,0,$delimiter));
$tHash=”;
for ($i=0;$i<SHA_LIMIT_LOOP;$i++) {
$tHash= hash(‘sha256’,$tHash.$salt.$password);
}
return (base64_encode($salt).’$’.$tHash==$hash);
}

 

encrypt with AES (CBC mode)

 

$ivSize= mcrypt_get_iv_size(MCRYPT_RIJNDAEL_128,
MCRYPT_MODE_CBC);
$iv= mcrypt_create_iv($ivSize, MCRYPT_RAND);
$key= pseudoRandomKey(16); // 128 bit
$encrypted= mcrypt_encrypt(
MCRYPT_RIJNDAEL_128,$key, $data, MCRYPT_MODE_CBC, $iv);

decrypt with AES in php:
$data= mcrypt_decrypt(
MCRYPT_RIJNDAEL_128,
$key,
$encrypted,
MCRYPT_MODE_CBC,
$iv
);

 what is the $iv?

Initialization vector (IV)

In cryptography, an Initialization Vector (IV) is a fixed-size input to a cryptographic primitive that is typically required to be random or pseudorandom.

How to generate public and private keys in php:

$privateKey = openssl_pkey_new(array(
‘private_key_bits’ => 2048,
‘private_key_type’ => OPENSSL_KEYTYPE_RSA ));
openssl_pkey_export_to_file($privateKey, ‘/path/to/privatekey’, $passphrase);
$keyDetails = openssl_pkey_get_details($privateKey);
file_put_contents(‘/path/to/publickey’, $keyDetails[‘key’]);

Encrypt/decrypt using RSA
// encrypt
$pubKey= openssl_pkey_get_public(‘pubkeyfile’);
openssl_public_encrypt($plaintext, $encrypted, $pubKey);
// decrypt
$privateKey= openssl_pkey_get_private(‘privkeyfile’, $passphrase);
openssl_private_decrypt($encrypted, $plaintext, $privateKey);

 

php cryptography tutorials

Please rate this