SlideShare ist ein Scribd-Unternehmen logo

Encryption: It's For More Than Just Password - tek13

John Congdon
John Congdon

This presentation was given at php|tek13. It covers today's best practices for password hashing, and encryption techniques.

TechnologieBildung
1 von 93
Downloaden Sie, um offline zu lesen
ENCRYPTION It’s For MoreThan Just Passwords 1Thursday, May 16, 13
JOHN CONGDON 2Thursday, May 16, 13
JOHN CONGDON •PHP Developer Since 2003 2Thursday, May 16, 13
JOHN CONGDON •PHP Developer Since 2003 •SDPHP User Group Organizer 2Thursday, May 16, 13
JOHN CONGDON •PHP Developer Since 2003 •SDPHP User Group Organizer •Sr PHP Developer for Networx Online 2Thursday, May 16, 13
JOHN CONGDON •PHP Developer Since 2003 •SDPHP User Group Organizer •Sr PHP Developer for Networx Online •PhoneBurner.com 2Thursday, May 16, 13
JOHN CONGDON •PHP Developer Since 2003 •SDPHP User Group Organizer •Sr PHP Developer for Networx Online •PhoneBurner.com •MeetingBurner.com 2Thursday, May 16, 13
JOHN CONGDON •PHP Developer Since 2003 •SDPHP User Group Organizer •Sr PHP Developer for Networx Online •PhoneBurner.com •MeetingBurner.com •FaxBurner.com 2Thursday, May 16, 13
JOHN CONGDON •PHP Developer Since 2003 •SDPHP User Group Organizer •Sr PHP Developer for Networx Online •PhoneBurner.com •MeetingBurner.com •FaxBurner.com •I Am Not A Cryptographer 2Thursday, May 16, 13
Hashing Encryption Today’s Discussion Points 3Thursday, May 16, 13
Plain Text $username = $_POST[‘username’]; $password = $_POST[‘password’]; $user = getUserByUserName($username); if ($user->password == $password) { $valid = true; } else { $valid = false; } 4Thursday, May 16, 13
Plain Text: Vulnerabilities SQL-Injection gives you every users password 5Thursday, May 16, 13
Cryptographic Hashing 6Thursday, May 16, 13
Cryptographic Hashing Wikipedia Definition: A cryptographic hash function is a hash function; that is, an algorithm that takes an arbitrary block of data and returns a fixed-size bitstring, the (cryptographic) hash value, such that any (accidental or intentional) change to the data will (with very high probability) change the hash value. The data to be encoded are often called the "message," and the hash value is sometimes called the message digest or simply digest. 6Thursday, May 16, 13
Cryptographic Hashing Wikipedia Definition: A cryptographic hash function is a hash function; that is, an algorithm that takes an arbitrary block of data and returns a fixed-size bitstring, the (cryptographic) hash value, such that any (accidental or intentional) change to the data will (with very high probability) change the hash value. The data to be encoded are often called the "message," and the hash value is sometimes called the message digest or simply digest. H A S H “message” “digest” 6Thursday, May 16, 13
Cryptographic Hashing Wikipedia Definition: A cryptographic hash function is a hash function; that is, an algorithm that takes an arbitrary block of data and returns a fixed-size bitstring, the (cryptographic) hash value, such that any (accidental or intentional) change to the data will (with very high probability) change the hash value. The data to be encoded are often called the "message," and the hash value is sometimes called the message digest or simply digest. H A S H “message” “digest” “unicorn” “1abcb33beeb811dca15f0ac3e47b88d9” 6Thursday, May 16, 13
Cryptographic Hashing: One Way 7Thursday, May 16, 13
Cryptographic Hashing: One Way H A S H “message” “digest” “unicorn” “1abcb33beeb811dca15f0ac3e47b88d9” 7Thursday, May 16, 13
Cryptographic Hashing: One Way H A S H “message” “digest” “unicorn” “1abcb33beeb811dca15f0ac3e47b88d9” 7Thursday, May 16, 13
Cryptographic Hashing: Algorithms <?php print_r(hash_algos()); ?> Array ( [0] => md2 [1] => md4 [2] => md5 [3] => sha1 [4] => sha224 [5] => sha256 [6] => sha384 [7] => sha512 [8] => ripemd128 [9] => ripemd160 [10] => ripemd256 [11] => ripemd320 [12] => whirlpool [13] => tiger128,3 [14] => tiger160,3 [15] => tiger192,3 [16] => tiger128,4 [17] => tiger160,4 [18] => tiger192,4 [19] => snefru [20] => snefru256 [21] => gost [22] => adler32 [23] => crc32 [24] => crc32b [25] => salsa10 [26] => salsa20 [27] => haval128,3 [28] => haval160,3 [29] => haval192,3 [30] => haval224,3 [31] => haval256,3 [32] => haval128,4 [33] => haval160,4 [34] => haval192,4 [35] => haval224,4 [36] => haval256,4 [37] => haval128,5 [38] => haval160,5 [39] => haval192,5 [40] => haval224,5 [41] => haval256,5 ) 8Thursday, May 16, 13
Cryptographic Hashing: Vulnerabilities SQL-Injection gives you every users hashed password 9Thursday, May 16, 13
Cryptographic Hashing: Vulnerabilities 10Thursday, May 16, 13
Rainbow Table Example: Searched for a Hash 11Thursday, May 16, 13
Rainbow Table Example: Searched for a Hash 11Thursday, May 16, 13
Cryptographic Hashing: Vulnerabilities 12Thursday, May 16, 13
Salting Cryptographic Hashes 13Thursday, May 16, 13
Salting Cryptographic Hashes Wikipedia Definition: In cryptography, a salt is random data that are used as an additional input to a one-way function that hashes a password or passphrase. A new salt is randomly generated for each password. In a typical setting, the salt and the password are concatenated and processed with a cryptographic hash function, and the resulting output (but not the original password) is stored with the salt in a database. 13Thursday, May 16, 13
Salting Cryptographic Hashes Wikipedia Definition: In cryptography, a salt is random data that are used as an additional input to a one-way function that hashes a password or passphrase. A new salt is randomly generated for each password. In a typical setting, the salt and the password are concatenated and processed with a cryptographic hash function, and the resulting output (but not the original password) is stored with the salt in a database. $hash = md5(‘RAND_SALT’ . $_POST[‘password’]); 13Thursday, May 16, 13
Salting Cryptographic Hashes Wikipedia Definition: In cryptography, a salt is random data that are used as an additional input to a one-way function that hashes a password or passphrase. A new salt is randomly generated for each password. In a typical setting, the salt and the password are concatenated and processed with a cryptographic hash function, and the resulting output (but not the original password) is stored with the salt in a database. $hash = md5(‘RAND_SALT’ . $_POST[‘password’]); RAND_SALT must come from a cryptographically secure source. Not From (rand, mt_rand, or uniqid) Use (/dev/urandom, mcrypt, openssl) 13Thursday, May 16, 13
Today’s Best Practice: BCrypt 14Thursday, May 16, 13
Today’s Best Practice: BCrypt •Slower by design 14Thursday, May 16, 13
Today’s Best Practice: BCrypt •Slower by design •Configurable to help withstand the test of time (cost param) 14Thursday, May 16, 13
Today’s Best Practice: BCrypt •Slower by design •Configurable to help withstand the test of time (cost param) •Should be configured to take 0.25 to 0.50 a second 14Thursday, May 16, 13
Today’s Best Practice: BCrypt •Slower by design •Configurable to help withstand the test of time (cost param) •Should be configured to take 0.25 to 0.50 a second •Start with a cost of 10, use higher if possible 14Thursday, May 16, 13
PHP 5.5 Password Hashing API http://www.php.net/manual/en/ref.password.php 15Thursday, May 16, 13
PHP 5.5 Password Hashing API http://www.php.net/manual/en/ref.password.php 16Thursday, May 16, 13
PHP 5.5 Password Hashing API http://www.php.net/manual/en/ref.password.php array password_get_info(string $hash) Returns 3 elements algorithm: Constant value algoName: bcrypt options: the options provided to password_hash Array ( [algo] => 1 [algoName] => bcrypt [options] => Array ( [cost] => 11 ) ) 17Thursday, May 16, 13
PHP 5.5 Password Hashing API http://www.php.net/manual/en/ref.password.php boolean password_needs_rehash ( string $hash , string $algo [, string $options ] ) Assuming password_verify was successful above: if (password_needs_rehash($hash, PASSWORD_DEFAULT, $options)) { $user->password = password_hash($password....); $user->update(); } 18Thursday, May 16, 13
I Lied: PHP >= 5.3.7 Password Hashing API https://github.com/ircmaxell/password_compat A forward compatible password API implementation that will work until you are ready to upgrade to 5.5. This will work for all versions of PHP that has the $2y fix. Upgrading to 5.5 will not break your current code if you use this library. 19Thursday, May 16, 13
Example: Creating a user <?php require 'password.php'; $hash = password_hash($_POST[‘password’], PASSWORD_DEFAULT); if ($hash === false) { //handle this error case somehow... } $user = Model_User::createNewUser($_POST[‘username’]); $user->setPassword($hash); $user->update(); 20Thursday, May 16, 13
Example: Logging a user in <?php require 'password.php'; $user = Model_User::getUserByUserName($_POST[‘username’]); if (password_verify($_POST[‘password’], $user->password)) { return true; } else { die(“Invalid credentials”); } 21Thursday, May 16, 13
Example: Logging a user in and checking for rehash ... $user = Model_User::getUserByUserName($_POST[‘username’]); if (password_verify($_POST[‘password’], $user->password)) { if (password_needs_rehash($user->password, $algo, $options)) { $hash = password_hash($_POST[‘password’], PASSWORD_DEFAULT, $options); $user->setPassword($hash); $user->update(); } ... 22Thursday, May 16, 13
http://blog.ircmaxell.com/2013/01/password-storage-talk-at-php-benelux-13.html Want More? Get Statistics Here One of my favorite data points from Anthony’s slides 23Thursday, May 16, 13
Questions on Password Hashing? 24Thursday, May 16, 13
More Than Just Passwords 25Thursday, May 16, 13
More Than Just Passwords We may store more sensitive data than just passwords. 25Thursday, May 16, 13
More Than Just Passwords We may store more sensitive data than just passwords. Passwords are easy, we don’t care about the original value. 25Thursday, May 16, 13
More Than Just Passwords We may store more sensitive data than just passwords. Passwords are easy, we don’t care about the original value. Decryption makes original value usable by us. 25Thursday, May 16, 13
More Than Just Passwords We may store more sensitive data than just passwords. Passwords are easy, we don’t care about the original value. Decryption makes original value usable by us. •Credit Card Info •Social Security Numbers •Date of Birth •Personally Identifiable Information 25Thursday, May 16, 13
AVOID ENCRYPTION AT ALL COSTS! 26Thursday, May 16, 13
AVOID ENCRYPTION AT ALL COSTS! Clarification:Avoid keeping any data that you need to encrypt. 26Thursday, May 16, 13
AVOID ENCRYPTION AT ALL COSTS! Clarification:Avoid keeping any data that you need to encrypt. Before deciding to keep any of this information, ask yourself why you need it. 26Thursday, May 16, 13
AVOID ENCRYPTION AT ALL COSTS! Clarification:Avoid keeping any data that you need to encrypt. Before deciding to keep any of this information, ask yourself why you need it. Is the risk of potentially leaking this information worth the reward? 26Thursday, May 16, 13
AVOID ENCRYPTION AT ALL COSTS! Clarification:Avoid keeping any data that you need to encrypt. Before deciding to keep any of this information, ask yourself why you need it. Is the risk of potentially leaking this information worth the reward? Are there alternative solutions? 26Thursday, May 16, 13
AVOID ENCRYPTION AT ALL COSTS! Clarification:Avoid keeping any data that you need to encrypt. Before deciding to keep any of this information, ask yourself why you need it. Is the risk of potentially leaking this information worth the reward? Are there alternative solutions? Example: Credit card companies usually offer a token solution. 26Thursday, May 16, 13
Symmetric vs Asymmetric 27Thursday, May 16, 13
Symmetric vs Asymmetric Symmetric Only one shared key Same key encrypts and decrypts Easiest to understand 27Thursday, May 16, 13
Symmetric vs Asymmetric Symmetric Only one shared key Same key encrypts and decrypts Easiest to understand Asymmetric Two keys (Public & Private) Encryption/Decryption Public key encrypts Private key decrypts Signing/Verifying Private key signs Public key verifies 27Thursday, May 16, 13
Common Asymmetric Uses SSH Keys HTTPS / SSL PGP: Pretty Good Privacy Email Files Really any message 28Thursday, May 16, 13
Keys, Ciphers, Modes, and Initialization Vectors Oh My! 29Thursday, May 16, 13
Keys, Ciphers, Modes, and Initialization Vectors Oh My! • Keys, should be easy to understand (KEEP IT SECRET) 29Thursday, May 16, 13
Keys, Ciphers, Modes, and Initialization Vectors Oh My! • Keys, should be easy to understand (KEEP IT SECRET) • Ciphers 29Thursday, May 16, 13
Keys, Ciphers, Modes, and Initialization Vectors Oh My! • Keys, should be easy to understand (KEEP IT SECRET) • Ciphers • Deterministic algorithm (Ex: 3DES, Blowfish,TwoFish) 29Thursday, May 16, 13
Keys, Ciphers, Modes, and Initialization Vectors Oh My! • Keys, should be easy to understand (KEEP IT SECRET) • Ciphers • Deterministic algorithm (Ex: 3DES, Blowfish,TwoFish) • Modes 29Thursday, May 16, 13
Keys, Ciphers, Modes, and Initialization Vectors Oh My! • Keys, should be easy to understand (KEEP IT SECRET) • Ciphers • Deterministic algorithm (Ex: 3DES, Blowfish,TwoFish) • Modes • Determines how the key stream is used (never cross them) 29Thursday, May 16, 13
Keys, Ciphers, Modes, and Initialization Vectors Oh My! • Keys, should be easy to understand (KEEP IT SECRET) • Ciphers • Deterministic algorithm (Ex: 3DES, Blowfish,TwoFish) • Modes • Determines how the key stream is used (never cross them) • Avoid ECB (Electronic Code Book) 29Thursday, May 16, 13
Keys, Ciphers, Modes, and Initialization Vectors Oh My! • Keys, should be easy to understand (KEEP IT SECRET) • Ciphers • Deterministic algorithm (Ex: 3DES, Blowfish,TwoFish) • Modes • Determines how the key stream is used (never cross them) • Avoid ECB (Electronic Code Book) • (Use CBC or CFB, Cipher Block Chaining / Cipher FeedBack) 29Thursday, May 16, 13
Keys, Ciphers, Modes, and Initialization Vectors Oh My! • Keys, should be easy to understand (KEEP IT SECRET) • Ciphers • Deterministic algorithm (Ex: 3DES, Blowfish,TwoFish) • Modes • Determines how the key stream is used (never cross them) • Avoid ECB (Electronic Code Book) • (Use CBC or CFB, Cipher Block Chaining / Cipher FeedBack) • InitializationVectors 29Thursday, May 16, 13
Keys, Ciphers, Modes, and Initialization Vectors Oh My! • Keys, should be easy to understand (KEEP IT SECRET) • Ciphers • Deterministic algorithm (Ex: 3DES, Blowfish,TwoFish) • Modes • Determines how the key stream is used (never cross them) • Avoid ECB (Electronic Code Book) • (Use CBC or CFB, Cipher Block Chaining / Cipher FeedBack) • InitializationVectors • Similar to SALT in hashing (It’s not a secret) 29Thursday, May 16, 13
Keys, Ciphers, Modes, and Initialization Vectors Oh My! • Keys, should be easy to understand (KEEP IT SECRET) • Ciphers • Deterministic algorithm (Ex: 3DES, Blowfish,TwoFish) • Modes • Determines how the key stream is used (never cross them) • Avoid ECB (Electronic Code Book) • (Use CBC or CFB, Cipher Block Chaining / Cipher FeedBack) • InitializationVectors • Similar to SALT in hashing (It’s not a secret) • Must be random per encrypted text 29Thursday, May 16, 13
Example: Encrypt using crypt $crypt_key = ‘xxxxxxxxxxxxxxxxxxxxxxxxxxx’; $message = ‘My Credit Card Number is 4123123412341234’; $iv_size = mcrypt_get_iv_size(MCRYPT_BLOWFISH, MCRYPT_MODE_CBC); $iv = mcrypt_create_iv($iv_size, MCRYPT_DEV_URANDOM); $cipher = mcrypt_encrypt( MCRYPT_BLOWFISH, $crypt_key, $message, MCRYPT_MODE_CBC, $iv ); 30Thursday, May 16, 13
HMAC: Hash-based Message Authentication Code Using a separate key, this will give us a signature letting us know that the data has not been tampered with. When Encrypting: Always encrypt first, and then get signature of the CipherText. Store it with your InitializationVector and CipherText. When Decrypting: Always verify signature first, and then decrypt if matched. 31Thursday, May 16, 13
Example: Using HMAC $crypt_key = ‘xxxxxxxxxxxxxxxxxxxxxxxxxxx’; $hmac_key = ‘yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy’; $hmac = hash_hmac(‘sha512’, $cipher_text, $hmac_key); //Store it with your encrypted data $encrypted = base64_encode($iv . $cipher . $hmac); 32Thursday, May 16, 13
Example: Decrypt using HMAC and crypt $crypt_key = ‘xxxxxxxxxxxxxxxxxxxxxxxxxxx’; $hmac_key = ‘yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy’; $iv_size = mcrypt_get_iv_size(MCRYPT_BLOWFISH, MCRYPT_MODE_CBC); $encrypted = base64_decode($encrypted); $iv = substr($encrypted, 0, $iv_size); $hmac = substr($encrypted, -64); $cipher = substr($encrypted, $iv_size, -64); if ($hmac != hash_hmac(‘sha512’, $cipher, $hmac_key)) { return false; } $message = mcrypt_decrypt( MCRYPT_BLOWFISH, $crypt_key, $cipher, MCRYPT_MODE_CBC, $iv ); 33Thursday, May 16, 13
Use a Library http://phpseclib.sourceforge.net/ They’ve done the hard parts, save yourself the headache and just use it. It’s even PHP4+ compatible, so no excuses. 34Thursday, May 16, 13
Example: Using phpseclib 35Thursday, May 16, 13
Example: Using phpseclib $crypt_key = ‘xxxxxxxxxxxxxxxxxxxxxxxxxxx’; $hmac_key = ‘yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy’; $message = ‘My Credit Card Number is 4123123412341234’; require ‘Crypt/DES.php’; require ‘Crypt/Hash.php’; $des = new Crypt_DES(); $des->setKey($crypt_key); $cipher = $des->encrypt($message); $hash = new Crypt_Hash(‘sha512’); $hash->setKey($hmac_key); $hmac = bin2hex($hash->hash($cipher)); 35Thursday, May 16, 13
Example: Using phpseclib $crypt_key = ‘xxxxxxxxxxxxxxxxxxxxxxxxxxx’; $hmac_key = ‘yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy’; $message = ‘My Credit Card Number is 4123123412341234’; require ‘Crypt/DES.php’; require ‘Crypt/Hash.php’; $des = new Crypt_DES(); $des->setKey($crypt_key); $cipher = $des->encrypt($message); $hash = new Crypt_Hash(‘sha512’); $hash->setKey($hmac_key); $hmac = bin2hex($hash->hash($cipher)); require ‘Crypt/DES.php’; require ‘Crypt/Hash.php’; $hash = new Crypt_Hash(‘sha512’); $hash->setKey($hmac_key); $verify_hmac = bin2hex($hash->hash($ciph if ($verify_hmac == $hmac) { $des = new Crypt_DES(); $des->setKey($crypt_key); $message = $des->decrypt($cipher); } 35Thursday, May 16, 13
Encryption !== Protection Data obtained through SQL Injection attacks or other non system penetration attacks should be relatively secure. For us to encrypt/decrypt, we must have access to the key. Therefore, any breach of system security, will disclose the key to the attacker, leaving ALL encryption useless. Apache environment variable, memory, config files, password entered during system startup, do not keep the key private. 36Thursday, May 16, 13
AVOID ENCRYPTION AT ALL COSTS! There is no such thing as 100% secure. 37Thursday, May 16, 13
Other Things To Consider 38Thursday, May 16, 13
Other Things To Consider •Encrypt / decrypt on a separate server. 38Thursday, May 16, 13
Other Things To Consider •Encrypt / decrypt on a separate server. •More overhead and complexity. 38Thursday, May 16, 13
Other Things To Consider •Encrypt / decrypt on a separate server. •More overhead and complexity. •Any server breach can still decrypt data. 38Thursday, May 16, 13
Other Things To Consider •Encrypt / decrypt on a separate server. •More overhead and complexity. •Any server breach can still decrypt data. •With enough thought and monitoring, you can kill the decryption server to limit the damage done. 38Thursday, May 16, 13
Other Things To Consider •Encrypt / decrypt on a separate server. •More overhead and complexity. •Any server breach can still decrypt data. •With enough thought and monitoring, you can kill the decryption server to limit the damage done. •Think about restricting requests per second 38Thursday, May 16, 13
Other Things To Consider Paranoid about password safety? Consider encrypting the hash. Renders SQL-Injection and rainbow tables/brute force useless. •Encrypt / decrypt on a separate server. •More overhead and complexity. •Any server breach can still decrypt data. •With enough thought and monitoring, you can kill the decryption server to limit the damage done. •Think about restricting requests per second 38Thursday, May 16, 13
Credits I’ve learned a lot while preparing this presentation. Thanks especially to Anthony Ferrara (@ircmaxell) http://blog.ircmaxell.com 39Thursday, May 16, 13
Questions? 40Thursday, May 16, 13
JOHN CONGDON PLEASE RATE ON JOIND.IN https://joind.in/8179 41Thursday, May 16, 13
JOHN CONGDON •twitter: @johncongdon PLEASE RATE ON JOIND.IN https://joind.in/8179 41Thursday, May 16, 13
JOHN CONGDON •twitter: @johncongdon •email: john@johncongdon.com PLEASE RATE ON JOIND.IN https://joind.in/8179 41Thursday, May 16, 13
JOHN CONGDON •twitter: @johncongdon •email: john@johncongdon.com •irc: freednode.net (#sdphp) PLEASE RATE ON JOIND.IN https://joind.in/8179 41Thursday, May 16, 13

Empfohlen

Ashley E. Beal - Resume 2016
Ashley E. Beal - Resume 2016Ashley E. Beal - Resume 2016
Ashley E. Beal - Resume 2016
Ashley Beal, PHR
 
WAF Year in Review FNL A4
WAF Year in Review FNL A4WAF Year in Review FNL A4
WAF Year in Review FNL A4
Deanna Titzler
 
AllBits presentation - Security in Theory
AllBits presentation - Security in TheoryAllBits presentation - Security in Theory
AllBits presentation - Security in Theory
AllBits BVBA (freelancer)
 
Secure passwords-theory-and-practice
Secure passwords-theory-and-practiceSecure passwords-theory-and-practice
Secure passwords-theory-and-practice
Akash Mahajan
 
Key management
Key managementKey management
Key management
Sujata Regoti
 
Hashing
HashingHashing
Hashing
Bitcoin Association of Australia
 
Release with confidence
Release with confidenceRelease with confidence
Release with confidence
John Congdon
 
Encryption: It's For More Than Just Passwords
Encryption: It's For More Than Just PasswordsEncryption: It's For More Than Just Passwords
Encryption: It's For More Than Just Passwords
John Congdon
 

Empfohlen

Ashley E. Beal - Resume 2016
Ashley E. Beal - Resume 2016Ashley E. Beal - Resume 2016
Ashley E. Beal - Resume 2016
Ashley Beal, PHR
 
WAF Year in Review FNL A4
WAF Year in Review FNL A4WAF Year in Review FNL A4
WAF Year in Review FNL A4
Deanna Titzler
 
AllBits presentation - Security in Theory
AllBits presentation - Security in TheoryAllBits presentation - Security in Theory
AllBits presentation - Security in Theory
AllBits BVBA (freelancer)
 
Secure passwords-theory-and-practice
Secure passwords-theory-and-practiceSecure passwords-theory-and-practice
Secure passwords-theory-and-practice
Akash Mahajan
 
Key management
Key managementKey management
Key management
Sujata Regoti
 
Hashing
HashingHashing
Hashing
Bitcoin Association of Australia
 
Release with confidence
Release with confidenceRelease with confidence
Release with confidence
John Congdon
 
Encryption: It's For More Than Just Passwords
Encryption: It's For More Than Just PasswordsEncryption: It's For More Than Just Passwords
Encryption: It's For More Than Just Passwords
John Congdon
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
Dropbox
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Victor Rentea
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
Khushali Kathiriya
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
rafiqahmad00786416
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
Sandro Moreira
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
Zilliz
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
Zilliz
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
jfdjdjcjdnsjd
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Orbitshub
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Orbitshub
 
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
Samir Dash
 
AI in Action: Real World Use Cases by Anitaraj
AI in Action: Real World Use Cases by AnitarajAI in Action: Real World Use Cases by Anitaraj
AI in Action: Real World Use Cases by Anitaraj
AnitaRaj43
 
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Deepika Singh
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
apidays
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
danishmna97
 
JohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptxJohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard37
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Jeffrey Haguewood
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
MadyBayot
 
2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by Hubspot2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by Hubspot
Marius Sescu
 
Everything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPTEverything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPT
Expeed Software
 

Weitere ähnliche Inhalte

Kürzlich hochgeladen

Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Victor Rentea
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Orbitshub
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Orbitshub
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Jeffrey Haguewood
 

Kürzlich hochgeladen (20)

DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
 
AI in Action: Real World Use Cases by Anitaraj
AI in Action: Real World Use Cases by AnitarajAI in Action: Real World Use Cases by Anitaraj
AI in Action: Real World Use Cases by Anitaraj
 
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
JohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptxJohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptx
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 

Empfohlen

How Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental HealthHow Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental Health
ThinkNow
 
Social Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie InsightsSocial Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie Insights
Kurio // The Social Media Age(ncy)
 
Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024
Search Engine Journal
 
5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary
SpeakerHub
 

Empfohlen (20)

2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by Hubspot2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by Hubspot
 
Everything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPTEverything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPT
 
Product Design Trends in 2024 | Teenage Engineerings
Product Design Trends in 2024 | Teenage EngineeringsProduct Design Trends in 2024 | Teenage Engineerings
Product Design Trends in 2024 | Teenage Engineerings
 
How Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental HealthHow Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental Health
 
AI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdfAI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdf
 
Skeleton Culture Code
Skeleton Culture CodeSkeleton Culture Code
Skeleton Culture Code
 
PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024
 
Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)
 
How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024
 
Social Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie InsightsSocial Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie Insights
 
Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024
 
5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary
 
ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd
 
Getting into the tech field. what next
Getting into the tech field. what next Getting into the tech field. what next
Getting into the tech field. what next
 
Google's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search IntentGoogle's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search Intent
 
How to have difficult conversations
How to have difficult conversations How to have difficult conversations
How to have difficult conversations
 
Introduction to Data Science
Introduction to Data ScienceIntroduction to Data Science
Introduction to Data Science
 
Time Management & Productivity - Best Practices
Time Management & Productivity - Best PracticesTime Management & Productivity - Best Practices
Time Management & Productivity - Best Practices
 
The six step guide to practical project management
The six step guide to practical project managementThe six step guide to practical project management
The six step guide to practical project management
 
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
 

Encryption: It's For More Than Just Password - tek13

  • 1. ENCRYPTION It’s For MoreThan Just Passwords 1Thursday, May 16, 13
  • 3. JOHN CONGDON •PHP Developer Since 2003 2Thursday, May 16, 13
  • 4. JOHN CONGDON •PHP Developer Since 2003 •SDPHP User Group Organizer 2Thursday, May 16, 13
  • 5. JOHN CONGDON •PHP Developer Since 2003 •SDPHP User Group Organizer •Sr PHP Developer for Networx Online 2Thursday, May 16, 13
  • 6. JOHN CONGDON •PHP Developer Since 2003 •SDPHP User Group Organizer •Sr PHP Developer for Networx Online •PhoneBurner.com 2Thursday, May 16, 13
  • 7. JOHN CONGDON •PHP Developer Since 2003 •SDPHP User Group Organizer •Sr PHP Developer for Networx Online •PhoneBurner.com •MeetingBurner.com 2Thursday, May 16, 13
  • 8. JOHN CONGDON •PHP Developer Since 2003 •SDPHP User Group Organizer •Sr PHP Developer for Networx Online •PhoneBurner.com •MeetingBurner.com •FaxBurner.com 2Thursday, May 16, 13
  • 9. JOHN CONGDON •PHP Developer Since 2003 •SDPHP User Group Organizer •Sr PHP Developer for Networx Online •PhoneBurner.com •MeetingBurner.com •FaxBurner.com •I Am Not A Cryptographer 2Thursday, May 16, 13
  • 11. Plain Text $username = $_POST[‘username’]; $password = $_POST[‘password’]; $user = getUserByUserName($username); if ($user->password == $password) { $valid = true; } else { $valid = false; } 4Thursday, May 16, 13
  • 12. Plain Text: Vulnerabilities SQL-Injection gives you every users password 5Thursday, May 16, 13
  • 14. Cryptographic Hashing Wikipedia Definition: A cryptographic hash function is a hash function; that is, an algorithm that takes an arbitrary block of data and returns a fixed-size bitstring, the (cryptographic) hash value, such that any (accidental or intentional) change to the data will (with very high probability) change the hash value. The data to be encoded are often called the "message," and the hash value is sometimes called the message digest or simply digest. 6Thursday, May 16, 13
  • 15. Cryptographic Hashing Wikipedia Definition: A cryptographic hash function is a hash function; that is, an algorithm that takes an arbitrary block of data and returns a fixed-size bitstring, the (cryptographic) hash value, such that any (accidental or intentional) change to the data will (with very high probability) change the hash value. The data to be encoded are often called the "message," and the hash value is sometimes called the message digest or simply digest. H A S H “message” “digest” 6Thursday, May 16, 13
  • 16. Cryptographic Hashing Wikipedia Definition: A cryptographic hash function is a hash function; that is, an algorithm that takes an arbitrary block of data and returns a fixed-size bitstring, the (cryptographic) hash value, such that any (accidental or intentional) change to the data will (with very high probability) change the hash value. The data to be encoded are often called the "message," and the hash value is sometimes called the message digest or simply digest. H A S H “message” “digest” “unicorn” “1abcb33beeb811dca15f0ac3e47b88d9” 6Thursday, May 16, 13
  • 17. Cryptographic Hashing: One Way 7Thursday, May 16, 13
  • 18. Cryptographic Hashing: One Way H A S H “message” “digest” “unicorn” “1abcb33beeb811dca15f0ac3e47b88d9” 7Thursday, May 16, 13
  • 19. Cryptographic Hashing: One Way H A S H “message” “digest” “unicorn” “1abcb33beeb811dca15f0ac3e47b88d9” 7Thursday, May 16, 13
  • 20. Cryptographic Hashing: Algorithms <?php print_r(hash_algos()); ?> Array ( [0] => md2 [1] => md4 [2] => md5 [3] => sha1 [4] => sha224 [5] => sha256 [6] => sha384 [7] => sha512 [8] => ripemd128 [9] => ripemd160 [10] => ripemd256 [11] => ripemd320 [12] => whirlpool [13] => tiger128,3 [14] => tiger160,3 [15] => tiger192,3 [16] => tiger128,4 [17] => tiger160,4 [18] => tiger192,4 [19] => snefru [20] => snefru256 [21] => gost [22] => adler32 [23] => crc32 [24] => crc32b [25] => salsa10 [26] => salsa20 [27] => haval128,3 [28] => haval160,3 [29] => haval192,3 [30] => haval224,3 [31] => haval256,3 [32] => haval128,4 [33] => haval160,4 [34] => haval192,4 [35] => haval224,4 [36] => haval256,4 [37] => haval128,5 [38] => haval160,5 [39] => haval192,5 [40] => haval224,5 [41] => haval256,5 ) 8Thursday, May 16, 13
  • 21. Cryptographic Hashing: Vulnerabilities SQL-Injection gives you every users hashed password 9Thursday, May 16, 13
  • 23. Rainbow Table Example: Searched for a Hash 11Thursday, May 16, 13
  • 24. Rainbow Table Example: Searched for a Hash 11Thursday, May 16, 13
  • 27. Salting Cryptographic Hashes Wikipedia Definition: In cryptography, a salt is random data that are used as an additional input to a one-way function that hashes a password or passphrase. A new salt is randomly generated for each password. In a typical setting, the salt and the password are concatenated and processed with a cryptographic hash function, and the resulting output (but not the original password) is stored with the salt in a database. 13Thursday, May 16, 13
  • 28. Salting Cryptographic Hashes Wikipedia Definition: In cryptography, a salt is random data that are used as an additional input to a one-way function that hashes a password or passphrase. A new salt is randomly generated for each password. In a typical setting, the salt and the password are concatenated and processed with a cryptographic hash function, and the resulting output (but not the original password) is stored with the salt in a database. $hash = md5(‘RAND_SALT’ . $_POST[‘password’]); 13Thursday, May 16, 13
  • 29. Salting Cryptographic Hashes Wikipedia Definition: In cryptography, a salt is random data that are used as an additional input to a one-way function that hashes a password or passphrase. A new salt is randomly generated for each password. In a typical setting, the salt and the password are concatenated and processed with a cryptographic hash function, and the resulting output (but not the original password) is stored with the salt in a database. $hash = md5(‘RAND_SALT’ . $_POST[‘password’]); RAND_SALT must come from a cryptographically secure source. Not From (rand, mt_rand, or uniqid) Use (/dev/urandom, mcrypt, openssl) 13Thursday, May 16, 13
  • 30. Today’s Best Practice: BCrypt 14Thursday, May 16, 13
  • 31. Today’s Best Practice: BCrypt •Slower by design 14Thursday, May 16, 13
  • 32. Today’s Best Practice: BCrypt •Slower by design •Configurable to help withstand the test of time (cost param) 14Thursday, May 16, 13
  • 33. Today’s Best Practice: BCrypt •Slower by design •Configurable to help withstand the test of time (cost param) •Should be configured to take 0.25 to 0.50 a second 14Thursday, May 16, 13
  • 34. Today’s Best Practice: BCrypt •Slower by design •Configurable to help withstand the test of time (cost param) •Should be configured to take 0.25 to 0.50 a second •Start with a cost of 10, use higher if possible 14Thursday, May 16, 13
  • 35. PHP 5.5 Password Hashing API http://www.php.net/manual/en/ref.password.php 15Thursday, May 16, 13
  • 36. PHP 5.5 Password Hashing API http://www.php.net/manual/en/ref.password.php 16Thursday, May 16, 13
  • 37. PHP 5.5 Password Hashing API http://www.php.net/manual/en/ref.password.php array password_get_info(string $hash) Returns 3 elements algorithm: Constant value algoName: bcrypt options: the options provided to password_hash Array ( [algo] => 1 [algoName] => bcrypt [options] => Array ( [cost] => 11 ) ) 17Thursday, May 16, 13
  • 38. PHP 5.5 Password Hashing API http://www.php.net/manual/en/ref.password.php boolean password_needs_rehash ( string $hash , string $algo [, string $options ] ) Assuming password_verify was successful above: if (password_needs_rehash($hash, PASSWORD_DEFAULT, $options)) { $user->password = password_hash($password....); $user->update(); } 18Thursday, May 16, 13
  • 39. I Lied: PHP >= 5.3.7 Password Hashing API https://github.com/ircmaxell/password_compat A forward compatible password API implementation that will work until you are ready to upgrade to 5.5. This will work for all versions of PHP that has the $2y fix. Upgrading to 5.5 will not break your current code if you use this library. 19Thursday, May 16, 13
  • 40. Example: Creating a user <?php require 'password.php'; $hash = password_hash($_POST[‘password’], PASSWORD_DEFAULT); if ($hash === false) { //handle this error case somehow... } $user = Model_User::createNewUser($_POST[‘username’]); $user->setPassword($hash); $user->update(); 20Thursday, May 16, 13
  • 41. Example: Logging a user in <?php require 'password.php'; $user = Model_User::getUserByUserName($_POST[‘username’]); if (password_verify($_POST[‘password’], $user->password)) { return true; } else { die(“Invalid credentials”); } 21Thursday, May 16, 13
  • 42. Example: Logging a user in and checking for rehash ... $user = Model_User::getUserByUserName($_POST[‘username’]); if (password_verify($_POST[‘password’], $user->password)) { if (password_needs_rehash($user->password, $algo, $options)) { $hash = password_hash($_POST[‘password’], PASSWORD_DEFAULT, $options); $user->setPassword($hash); $user->update(); } ... 22Thursday, May 16, 13
  • 43. http://blog.ircmaxell.com/2013/01/password-storage-talk-at-php-benelux-13.html Want More? Get Statistics Here One of my favorite data points from Anthony’s slides 23Thursday, May 16, 13
  • 45. More Than Just Passwords 25Thursday, May 16, 13
  • 46. More Than Just Passwords We may store more sensitive data than just passwords. 25Thursday, May 16, 13
  • 47. More Than Just Passwords We may store more sensitive data than just passwords. Passwords are easy, we don’t care about the original value. 25Thursday, May 16, 13
  • 48. More Than Just Passwords We may store more sensitive data than just passwords. Passwords are easy, we don’t care about the original value. Decryption makes original value usable by us. 25Thursday, May 16, 13
  • 49. More Than Just Passwords We may store more sensitive data than just passwords. Passwords are easy, we don’t care about the original value. Decryption makes original value usable by us. •Credit Card Info •Social Security Numbers •Date of Birth •Personally Identifiable Information 25Thursday, May 16, 13
  • 50. AVOID ENCRYPTION AT ALL COSTS! 26Thursday, May 16, 13
  • 51. AVOID ENCRYPTION AT ALL COSTS! Clarification:Avoid keeping any data that you need to encrypt. 26Thursday, May 16, 13
  • 52. AVOID ENCRYPTION AT ALL COSTS! Clarification:Avoid keeping any data that you need to encrypt. Before deciding to keep any of this information, ask yourself why you need it. 26Thursday, May 16, 13
  • 53. AVOID ENCRYPTION AT ALL COSTS! Clarification:Avoid keeping any data that you need to encrypt. Before deciding to keep any of this information, ask yourself why you need it. Is the risk of potentially leaking this information worth the reward? 26Thursday, May 16, 13
  • 54. AVOID ENCRYPTION AT ALL COSTS! Clarification:Avoid keeping any data that you need to encrypt. Before deciding to keep any of this information, ask yourself why you need it. Is the risk of potentially leaking this information worth the reward? Are there alternative solutions? 26Thursday, May 16, 13
  • 55. AVOID ENCRYPTION AT ALL COSTS! Clarification:Avoid keeping any data that you need to encrypt. Before deciding to keep any of this information, ask yourself why you need it. Is the risk of potentially leaking this information worth the reward? Are there alternative solutions? Example: Credit card companies usually offer a token solution. 26Thursday, May 16, 13
  • 57. Symmetric vs Asymmetric Symmetric Only one shared key Same key encrypts and decrypts Easiest to understand 27Thursday, May 16, 13
  • 58. Symmetric vs Asymmetric Symmetric Only one shared key Same key encrypts and decrypts Easiest to understand Asymmetric Two keys (Public & Private) Encryption/Decryption Public key encrypts Private key decrypts Signing/Verifying Private key signs Public key verifies 27Thursday, May 16, 13
  • 59. Common Asymmetric Uses SSH Keys HTTPS / SSL PGP: Pretty Good Privacy Email Files Really any message 28Thursday, May 16, 13
  • 60. Keys, Ciphers, Modes, and Initialization Vectors Oh My! 29Thursday, May 16, 13
  • 61. Keys, Ciphers, Modes, and Initialization Vectors Oh My! • Keys, should be easy to understand (KEEP IT SECRET) 29Thursday, May 16, 13
  • 62. Keys, Ciphers, Modes, and Initialization Vectors Oh My! • Keys, should be easy to understand (KEEP IT SECRET) • Ciphers 29Thursday, May 16, 13
  • 63. Keys, Ciphers, Modes, and Initialization Vectors Oh My! • Keys, should be easy to understand (KEEP IT SECRET) • Ciphers • Deterministic algorithm (Ex: 3DES, Blowfish,TwoFish) 29Thursday, May 16, 13
  • 64. Keys, Ciphers, Modes, and Initialization Vectors Oh My! • Keys, should be easy to understand (KEEP IT SECRET) • Ciphers • Deterministic algorithm (Ex: 3DES, Blowfish,TwoFish) • Modes 29Thursday, May 16, 13
  • 65. Keys, Ciphers, Modes, and Initialization Vectors Oh My! • Keys, should be easy to understand (KEEP IT SECRET) • Ciphers • Deterministic algorithm (Ex: 3DES, Blowfish,TwoFish) • Modes • Determines how the key stream is used (never cross them) 29Thursday, May 16, 13
  • 66. Keys, Ciphers, Modes, and Initialization Vectors Oh My! • Keys, should be easy to understand (KEEP IT SECRET) • Ciphers • Deterministic algorithm (Ex: 3DES, Blowfish,TwoFish) • Modes • Determines how the key stream is used (never cross them) • Avoid ECB (Electronic Code Book) 29Thursday, May 16, 13
  • 67. Keys, Ciphers, Modes, and Initialization Vectors Oh My! • Keys, should be easy to understand (KEEP IT SECRET) • Ciphers • Deterministic algorithm (Ex: 3DES, Blowfish,TwoFish) • Modes • Determines how the key stream is used (never cross them) • Avoid ECB (Electronic Code Book) • (Use CBC or CFB, Cipher Block Chaining / Cipher FeedBack) 29Thursday, May 16, 13
  • 68. Keys, Ciphers, Modes, and Initialization Vectors Oh My! • Keys, should be easy to understand (KEEP IT SECRET) • Ciphers • Deterministic algorithm (Ex: 3DES, Blowfish,TwoFish) • Modes • Determines how the key stream is used (never cross them) • Avoid ECB (Electronic Code Book) • (Use CBC or CFB, Cipher Block Chaining / Cipher FeedBack) • InitializationVectors 29Thursday, May 16, 13
  • 69. Keys, Ciphers, Modes, and Initialization Vectors Oh My! • Keys, should be easy to understand (KEEP IT SECRET) • Ciphers • Deterministic algorithm (Ex: 3DES, Blowfish,TwoFish) • Modes • Determines how the key stream is used (never cross them) • Avoid ECB (Electronic Code Book) • (Use CBC or CFB, Cipher Block Chaining / Cipher FeedBack) • InitializationVectors • Similar to SALT in hashing (It’s not a secret) 29Thursday, May 16, 13
  • 70. Keys, Ciphers, Modes, and Initialization Vectors Oh My! • Keys, should be easy to understand (KEEP IT SECRET) • Ciphers • Deterministic algorithm (Ex: 3DES, Blowfish,TwoFish) • Modes • Determines how the key stream is used (never cross them) • Avoid ECB (Electronic Code Book) • (Use CBC or CFB, Cipher Block Chaining / Cipher FeedBack) • InitializationVectors • Similar to SALT in hashing (It’s not a secret) • Must be random per encrypted text 29Thursday, May 16, 13
  • 71. Example: Encrypt using crypt $crypt_key = ‘xxxxxxxxxxxxxxxxxxxxxxxxxxx’; $message = ‘My Credit Card Number is 4123123412341234’; $iv_size = mcrypt_get_iv_size(MCRYPT_BLOWFISH, MCRYPT_MODE_CBC); $iv = mcrypt_create_iv($iv_size, MCRYPT_DEV_URANDOM); $cipher = mcrypt_encrypt( MCRYPT_BLOWFISH, $crypt_key, $message, MCRYPT_MODE_CBC, $iv ); 30Thursday, May 16, 13
  • 72. HMAC: Hash-based Message Authentication Code Using a separate key, this will give us a signature letting us know that the data has not been tampered with. When Encrypting: Always encrypt first, and then get signature of the CipherText. Store it with your InitializationVector and CipherText. When Decrypting: Always verify signature first, and then decrypt if matched. 31Thursday, May 16, 13
  • 73. Example: Using HMAC $crypt_key = ‘xxxxxxxxxxxxxxxxxxxxxxxxxxx’; $hmac_key = ‘yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy’; $hmac = hash_hmac(‘sha512’, $cipher_text, $hmac_key); //Store it with your encrypted data $encrypted = base64_encode($iv . $cipher . $hmac); 32Thursday, May 16, 13
  • 74. Example: Decrypt using HMAC and crypt $crypt_key = ‘xxxxxxxxxxxxxxxxxxxxxxxxxxx’; $hmac_key = ‘yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy’; $iv_size = mcrypt_get_iv_size(MCRYPT_BLOWFISH, MCRYPT_MODE_CBC); $encrypted = base64_decode($encrypted); $iv = substr($encrypted, 0, $iv_size); $hmac = substr($encrypted, -64); $cipher = substr($encrypted, $iv_size, -64); if ($hmac != hash_hmac(‘sha512’, $cipher, $hmac_key)) { return false; } $message = mcrypt_decrypt( MCRYPT_BLOWFISH, $crypt_key, $cipher, MCRYPT_MODE_CBC, $iv ); 33Thursday, May 16, 13
  • 75. Use a Library http://phpseclib.sourceforge.net/ They’ve done the hard parts, save yourself the headache and just use it. It’s even PHP4+ compatible, so no excuses. 34Thursday, May 16, 13
  • 77. Example: Using phpseclib $crypt_key = ‘xxxxxxxxxxxxxxxxxxxxxxxxxxx’; $hmac_key = ‘yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy’; $message = ‘My Credit Card Number is 4123123412341234’; require ‘Crypt/DES.php’; require ‘Crypt/Hash.php’; $des = new Crypt_DES(); $des->setKey($crypt_key); $cipher = $des->encrypt($message); $hash = new Crypt_Hash(‘sha512’); $hash->setKey($hmac_key); $hmac = bin2hex($hash->hash($cipher)); 35Thursday, May 16, 13
  • 78. Example: Using phpseclib $crypt_key = ‘xxxxxxxxxxxxxxxxxxxxxxxxxxx’; $hmac_key = ‘yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy’; $message = ‘My Credit Card Number is 4123123412341234’; require ‘Crypt/DES.php’; require ‘Crypt/Hash.php’; $des = new Crypt_DES(); $des->setKey($crypt_key); $cipher = $des->encrypt($message); $hash = new Crypt_Hash(‘sha512’); $hash->setKey($hmac_key); $hmac = bin2hex($hash->hash($cipher)); require ‘Crypt/DES.php’; require ‘Crypt/Hash.php’; $hash = new Crypt_Hash(‘sha512’); $hash->setKey($hmac_key); $verify_hmac = bin2hex($hash->hash($ciph if ($verify_hmac == $hmac) { $des = new Crypt_DES(); $des->setKey($crypt_key); $message = $des->decrypt($cipher); } 35Thursday, May 16, 13
  • 79. Encryption !== Protection Data obtained through SQL Injection attacks or other non system penetration attacks should be relatively secure. For us to encrypt/decrypt, we must have access to the key. Therefore, any breach of system security, will disclose the key to the attacker, leaving ALL encryption useless. Apache environment variable, memory, config files, password entered during system startup, do not keep the key private. 36Thursday, May 16, 13
  • 80. AVOID ENCRYPTION AT ALL COSTS! There is no such thing as 100% secure. 37Thursday, May 16, 13
  • 81. Other Things To Consider 38Thursday, May 16, 13
  • 82. Other Things To Consider •Encrypt / decrypt on a separate server. 38Thursday, May 16, 13
  • 83. Other Things To Consider •Encrypt / decrypt on a separate server. •More overhead and complexity. 38Thursday, May 16, 13
  • 84. Other Things To Consider •Encrypt / decrypt on a separate server. •More overhead and complexity. •Any server breach can still decrypt data. 38Thursday, May 16, 13
  • 85. Other Things To Consider •Encrypt / decrypt on a separate server. •More overhead and complexity. •Any server breach can still decrypt data. •With enough thought and monitoring, you can kill the decryption server to limit the damage done. 38Thursday, May 16, 13
  • 86. Other Things To Consider •Encrypt / decrypt on a separate server. •More overhead and complexity. •Any server breach can still decrypt data. •With enough thought and monitoring, you can kill the decryption server to limit the damage done. •Think about restricting requests per second 38Thursday, May 16, 13
  • 87. Other Things To Consider Paranoid about password safety? Consider encrypting the hash. Renders SQL-Injection and rainbow tables/brute force useless. •Encrypt / decrypt on a separate server. •More overhead and complexity. •Any server breach can still decrypt data. •With enough thought and monitoring, you can kill the decryption server to limit the damage done. •Think about restricting requests per second 38Thursday, May 16, 13
  • 88. Credits I’ve learned a lot while preparing this presentation. Thanks especially to Anthony Ferrara (@ircmaxell) http://blog.ircmaxell.com 39Thursday, May 16, 13
  • 90. JOHN CONGDON PLEASE RATE ON JOIND.IN https://joind.in/8179 41Thursday, May 16, 13
  • 91. JOHN CONGDON •twitter: @johncongdon PLEASE RATE ON JOIND.IN https://joind.in/8179 41Thursday, May 16, 13
  • 92. JOHN CONGDON •twitter: @johncongdon •email: john@johncongdon.com PLEASE RATE ON JOIND.IN https://joind.in/8179 41Thursday, May 16, 13
  • 93. JOHN CONGDON •twitter: @johncongdon •email: john@johncongdon.com •irc: freednode.net (#sdphp) PLEASE RATE ON JOIND.IN https://joind.in/8179 41Thursday, May 16, 13