libsodium in PHP 7

About me

Vinícius Campitelli

Member of PHPSP, a PHP group based in Sao Paulo
PHP Developer at OTTera
Cybersecurity enthusiast
10+ years developing with PHP

About me

Slides & GitHub

vcampitelli

Twitter

vcampitelli

Vinícius Campitelli

Cryptography is...

... the practice and study of techniques for secure communication in the presence of third parties called adversaries

... about constructing and analyzing protocols that prevent third parties or the public from reading private messages

Wikipedia

Cryptography is...

Plaintext

→ ←

Encryption Decryption


                                    Ciphertext

42a14c854f

Symmetric Cryptography

Uses the same key for both encryption and decryption

Also known as Secret-key Cryptography

Symmetric Cryptography


                            public function encrypt($data) {
                                $iv = random_bytes(
                                    openssl_cipher_iv_length('aes-256-ctr')
                                );
                                $ciphertext = openssl_encrypt(
                                    $data,
                                    'aes-256-ctr',         // cipher
                                    '@rw97`b#1,EquJ[L2P2', // key
                                    OPENSSL_RAW_DATA,      // flags
                                    $iv                    // iv (nonce)
                                );
                                return base64_encode(
                                    $iv . $ciphertext
                                );
                            }

Simple symmetric cryptography example using OpenSSL

Here's a simple code with OpenSSL, a very known library used for secure communications. We are using this openssl_encrypt function, it's quite simple to use, as you can see.

First, you just have to known the most recommended algorithms. In this example, I chose AES as my block cipher, with a 256-bit key and the Counter mode of operation.

But coming back to our example, the next step is to generate the initialization vector using random_bytes or another random number generator, like openssl_pseudo_random_bytes. Please, do not use rand, mt_rand or other stuff like that, they are not really random and so they don't provide the necessary security we want.

Symmetric Cryptography


                            public function encrypt($data) {
                                $iv = random_bytes(
                                    openssl_cipher_iv_length('aes-256-gcm')
                                );
                                $ciphertext = openssl_encrypt(
                                    $data,
                                    'aes-256-gcm',         // cipher
                                    '@rw97`b#1,EquJ[L2P2', // key
                                    OPENSSL_RAW_DATA,      // flags
                                    $iv,                   // iv (nonce)
                                    $tag,                  // tag
                                    null,                  // aad
                                    16                     // tag length
                                );
                                return base64_encode(
                                    $iv . $tag . $ciphertext
                                );
                            }

Simple symmetric cryptography example using OpenSSL

Symmetric Cryptography


                            public function decrypt($data) {
                                $data = base64_decode($data);
                                $ivSize = openssl_cipher_iv_length('aes-256-ctr');
                                $iv = substr($data, 0, $ivSize);
                                $data = substr($data, $ivSize);

                                return openssl_decrypt(
                                    $data,
                                    'aes-256-ctr',         // cipher
                                    '@rw97`b#1,EquJ[L2P2', // key
                                    OPENSSL_RAW_DATA,      // flags
                                    $iv                    // iv (nonce)
                                );
                            }

Simple symmetric cryptography example using OpenSSL

Asymmetric Cryptography

Public key

Can be distributed to others

Private key

Must remain with the owner

Also known as Public-key Cryptography

If the first type of cryptosystems is called Symmetric Cryptography because it uses the same key for both processes, then the second second type is called asymmetric because there are two keys involved: one for encryption and another one for decryption.

They are called public and private keys for obvious reasons: the first one will normally be distributed to others and the second should never leave the owner. If someone shares the private key, for instance by accidentally committing it to Git, then the underlying system will be compromised and you need to regenerate all encrypted data with a new pair.

So that's why this is also known as "Public-key cryptography".

Asymmetric Cryptography

If you want others to communicate with you...

Public key

Used by them to write texts to you

↓
Encryption

Private key

Used by you to read those texts

↓
Decryption

Asymmetric Cryptography

If you want to communicate with others...

Public key

Used by them to verify the texts were written by you

↓
Decryption

Private key

Used by you to write texts

↓
Encryption

But if you want to communicate with others, is the other way around: you use your private key to encrypt data and the receiving party uses your public key to verify if that information was really written by you.

This is basically how HTTPS works. Ok, I'm really oversimplifying things here... but essentialy, the web server uses the private key to encrypt the information that will be sent to you, and your browser checks if their public key matches.

Of course there are several other aspects to this, like digital signatures, certificates, a certificate authority that is responsible for assuring the server's identity. All of this is called Public-key Infrastructure. But I guess you can understand what's behind the scenes.

Asymmetric Cryptography


                                public function encrypt(
                                    string $data,
                                    string $publicKeyPath
                                ): string {
                                    $public = openssl_pkey_get_public(
                                        "file://{$publicKeyPath}"
                                    );
                                    if (! openssl_public_encrypt($data, $crypted, $public)) {
                                        throw new \RuntimeException("Can't encrypt data");
                                    }
                                    return $crypted;
                                }

Simple asymmetric cryptography using OpenSSL

Asymmetric Cryptography


                                public function decrypt(
                                    string $data,
                                    string $privateKeyPath,
                                    string $passphrase = null
                                ): string {
                                    $key = openssl_pkey_get_private(
                                        "file://{$privateKeyPath}",
                                        $passphrase
                                    );
                                    if (! openssl_private_decrypt($data, $decrypted, $key)) {
                                        throw new \RuntimeException("Can't decrypt data");
                                    }
                                    return $decrypted;
                                }

Simple asymmetric cryptography using OpenSSL

Asymmetric Cryptography

But I'm sure that instead of omitting that $padding parameter in the previous codes, we always use OPENSSL_PKCS1_OAEP_PADDING, right?

Asymmetric Cryptography

After all, it's pretty obvious that the default OPENSSL_PKCS1_PADDING value uses PKCS#1 v1.5, which is vulnerable to Padding attacks

Asymmetric Cryptography

And it's common knowledge that the RSA algorithm with a 2048 bit key can't handle data blocks larger than 214 bytes

RIGHT?

Hashing

A hash function is any function that can be used to map data of arbitrary size to fixed-size values

Wikipedia

Hashing

But I already know how to use that


                            if (hash('sha512', $_POST['password']) !== $storedPassword) {
                                throw new InvalidCredentialsException();
                            }

The most common use of hashing is for storing passwords in a database. Back in the day, we just hashed it using MD5. Then, we learned that is was weak to dictionary attacks, which is when we just compute the hash for thousands or even millions of words.

So we started using salts. That's just prepending the password with some text only the system knows. But if you use the same salt to every user, than anyone with the same password will have the same hash.
So you'll start using a unique salt to each user. Maybe from a specific database field that no one knows, like the user ID or creation date. But if the attacker was in possession of a database dump, than it would just be a matter of time until he discovers which field was used.

Hashing

But do you know about Timing Attacks?

is a side-channel attack in which the attacker attempts to compromise a cryptosystem by analyzing the time taken to execute cryptographic algorithms

Wikipedia

Hashing

And what about Rainbow Tables?

is a precomputed table for caching the output of cryptographic hash functions

Wikipedia

libsodium

Modern library available since PHP 7.2
Fork of NaCl
Official website: libsodium.org
Full documentation: pecl libsodium
GitHub: libsodium-php

Now, we are finally ready to talk about libsodium. It is referred to as a modern library because it ships state-of-the-art algorithms with the most recommended security requirements met.
This way, we don't need to remember all those settings and parameters we need to pass to OpenSSL or whatever library we are using.
libsodium is a fork of another library called Salt, but is cross-platform and cross-languages, so we can use it on Windows, Mac and even JavaScript.
The official website is libsodium.org and you can find the full documentation there too, because the PHP.net manual is very poor, but that's okay.

Symmetric Cryptography


                            // APP_SECRET_KEY should be
                            // SODIUM_CRYPTO_BOX_SECRETKEYBYTES bytes long

                            // Generates a random nonce
                            $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);

                            $ciphertext = sodium_crypto_secretbox(
                                $plaintext,
                                $nonce,
                                APP_SECRET_KEY
                            );

                            // Prefixing nonce so we can retrieve it when decrypting
                            $ciphertext = sodium_bin2hex($nonce . $ciphertext);

scripts/02-encrypt.php

Let's start with sodium_crypto_secretbox(), that is a secret-key encryption that also offers authentication, like GCM.

First, we need to generate a key. Libsodium comes with a set of predefined constants to help us with that. So, we just use SODIUM_CRYPTO_BOX_SECRETKEYBYTES, that evaluates to 32.

Then, we generate the nonce, that should be a random value that can't be reused, so we use PHP 7's random_bytes() function to do that, and we again use another constant to know how long that nonce should be: SODIUM_CRYPTO_SECRETBOX_NONCEBYTES.

Now, we just call sodium_crypto_secretbox(). It's output is binary, so we call bin2hex() to convert it to hexadecimal.

But before that, we do need to prefix the nonce, as it need to be reused later. There's no security problem when doing this.

The real beauty here is that we don't need to know what's really happening. We just need to trust the library.

But if you do want to know, it uses XSalsa20 as a stream cipher to encrypt data and Poly1305 to authenticate it.

Symmetric Cryptography


                            $ciphertext = sodium_hex2bin($ciphertext);

                            // Retrieving nonce
                            $nonce = substr(
                                $ciphertext,
                                0,
                                SODIUM_CRYPTO_SECRETBOX_NONCEBYTES
                            );
                            $ciphertext = substr(
                                $ciphertext,
                                SODIUM_CRYPTO_SECRETBOX_NONCEBYTES
                            );

                            // Decrypting
                            $plaintext = sodium_crypto_secretbox_open(
                                $ciphertext,
                                $nonce,
                                APP_SECRET_KEY
                            );

scripts/02-decrypt.php

Authentication


                            // APP_AUTH_KEY should be
                            // SODIUM_CRYPTO_AUTH_KEYBYTES bytes long

                            // Authenticates the specified ciphertext
                            $auth = sodium_bin2hex(
                                sodium_crypto_auth($ciphertext, APP_AUTH_KEY)
                            );

scripts/03-auth.php

But sometimes, we don't need to encrypt the data. We just need to make sure no one tampers with it. In other words, we need integrity.
Libsodium has this sodium_crypto_auth() function that does that. It has "crypto" in its name because it depends on a secret-key. This way, we can also guarantees authenticity. That's when we can trust the issuer for that information, because only the keeper of the secret-key (are there any Helloween fans there?) can generate this value.

The algorithm used is HMAC-SHA512-256. HMAC stands for Hash-based Message Authentication Code. As the name says by itself, a Message Authentication Code is a piece of information that authenticates a message. They also go by "tag", that we already say in those OpenSSL examples earlier.

It uses a SHA-512 function with the output truncated to look like a 256. It does that because SHA-512 is very fast in 64-bit processors.

Authentication


                            $auth = sodium_hex2bin($auth);

                            // Validates authentication data
                            if (! sodium_crypto_auth_verify(
                                $auth,
                                $ciphertext,
                                APP_AUTH_KEY
                            )) {
                                throw new RuntimeException('Authentication failed');
                            }

scripts/03-checkauth.php

Asymmetric Cryptography


                            // User #1 (Alice)
                            $aliceKeyPair = sodium_crypto_box_keypair();
                            $alicePublic = sodium_crypto_box_publickey($aliceKeyPair);
                            $aliceSecret = sodium_crypto_box_secretkey($aliceKeyPair);

                            // User #2 (Bob)
                            $bobKeyPair = sodium_crypto_box_keypair();
                            $bobPublic = sodium_crypto_box_publickey($bobKeyPair);
                            $bobSecret = sodium_crypto_box_secretkey($bobKeyPair);

scripts/src/SimpleCrypt.php

Now, if we want to create a simple chat system where two people can talk to each other, we'll use asymmetric encryption.

In the cryptography world, instead of saying "Person A" and "Person B", we can use some placeholders, like Alice, Bob and Charlie. We can also use Eve to identify someone that is eavesdropping the communication and Mallory as a malicious attacker.

So, if Alice wants to chat with Bob, first they need to generate a pair of keys. Then, each one will send the other their public key. There's a correct way of doing this, the most famous one being called Diffe-Hellman Key Exchange. There's a great Wikipedia article that illustrates how this algorithm works by mixing paints.

Asymmetric Cryptography


                            // User #1 (Alice)
                            $nonce = random_bytes(SODIUM_CRYPTO_BOX_NONCEBYTES);

                            $key = sodium_crypto_box_keypair_from_secretkey_and_publickey(
                                $aliceSecret,
                                $bobPublic
                            );

                            $encrypted = sodium_crypto_box($message, $nonce, $key);
                            $ciphertext = $nonce . $encrypted;

scripts/src/SimpleCrypt.php

Asymmetric Cryptography


                            // User #2 (Bob)
                            $nonce = substr($ciphertext, 0, SODIUM_CRYPTO_BOX_NONCEBYTES);
                            $ciphertext = substr($ciphertext, SODIUM_CRYPTO_BOX_NONCEBYTES);

                            $key = sodium_crypto_box_keypair_from_secretkey_and_publickey(
                                $bobSecret,
                                $alicePublic
                            );
                            echo sodium_crypto_box_open($encrypted, $nonce, $key);

scripts/src/SimpleCrypt.php

Storing passwords

sodium_crypto_pwhash_str(
    $password,
    SODIUM_CRYPTO_PWHASH_OPSLIMIT_INTERACTIVE,
    SODIUM_CRYPTO_PWHASH_MEMLIMIT_INTERACTIVE
);
// $argon2id$v=19$m=65536,t=2,p=1$20H8uU9EFq7GO2NFPrfDyg$Om/qimxzk9/7mub1s7b ...

scripts/09-pwhash.php

Validating passwords


                            sodium_crypto_pwhash_str_verify(
                            $storedPassword,
                            $inputPassword
                        );

scripts/09-pwhash-verify.php

More examples!

Recap

Cryptography is not easy
DO NOT use your own algorithms , unless you are a competition-winner cryptologist
You CAN use OpenSSL and others libraries (like phpseclib), as long as you know what you're doing (and what they're doing too)
To be safe, always use modern and up-to-date solutions

Thanks!

Slides & GitHub

vcampitelli

Twitter

vcampitelli

Vinícius Campitelli

libsodium in PHP 7

About me

Vinícius Campitelli

About me

Slides & GitHub

Twitter

LinkedIn

Cryptography is...

Cryptography is...

Symmetric Cryptography

Symmetric Cryptography

Symmetric Cryptography

Symmetric Cryptography

Asymmetric Cryptography

Public key

Private key

Asymmetric Cryptography

Public key

Private key

Asymmetric Cryptography

Public key

Private key

Asymmetric Cryptography

Asymmetric Cryptography

Asymmetric Cryptography

Asymmetric Cryptography

Asymmetric Cryptography

RIGHT?

Hashing

Hashing

But I already know how to use that

Hashing

But do you know about Timing Attacks?

Hashing

And what about Rainbow Tables?

libsodium

Symmetric Cryptography

Symmetric Cryptography

Authentication

Authentication

Asymmetric Cryptography

Asymmetric Cryptography

Asymmetric Cryptography

Storing passwords

Validating passwords

More examples!

Recap

Thanks!

Slides & GitHub

Twitter

LinkedIn