Newsgroups: php.internals
Xref: news.php.net php.internals:81012
Date: Thu, 22 Jan 2015 20:37:12 -0500
From: scott@arciszewski.me (Scott Arciszewski)
To: "inter >> PHP internals"
Subject: Identify timing-safe function candidates

As per the conversation on this Pull Request
https://github.com/php/php-src/pull/909#issuecomment-71077928

What functions are involved in real world PHP applications (frameworks, popular CMSes, etc.) that operate on encoded encryption keys that might benefit from having a timing-safe implementation?

So far, I can identify:

- bin2hex()
- hex2bin()
- base64_encode()
- base64_decode()
- json_encode()
- json_decode()
- parse_ini_file()

I think it would be great to compile a master list of which functions are commonly used to store long-term encryption keys (random bytes that could cause parse errors).

Also, would it be better to use a prefix (e.g. ts_*), a class with static methods (e.g. TimingSafe::bin2hex()), or functions in a namespace (e.g. \TimingSafe\bin2hex())?

Scott

P.S. At this point, I'm also withdrawing my participation in this discussion. If you don't think it's worthwhile to fix this, that's your decision. I've had some major life events happen and I no longer have time to debate this. Thanks for understanding.
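What a timing-safe bin2hex()/hex2bin() pair looks like in C, the language of php-src, as an added example that is not code from the pull request or from PHP itself: every nibble goes through the same arithmetic with no data-dependent branch and no lookup table, and malformed input is reported only after every character has been processed, so neither the time taken nor the cache lines touched depend on the key bytes. The ct_* function names and the 8-byte sample key are this example's own.

```c
#include <stddef.h>
#include <string.h>

/* Branchless nibble (0..15) -> lowercase ASCII hex digit; lt10 is 1 when n < 10. */
static char ct_nibble_to_hex(unsigned int n)
{
    unsigned int lt10 = ((n - 10u) >> 8) & 1u;   /* n - 10 wraps for n < 10 */
    return (char)(n + 87u - 39u * lt10);         /* '0' + n, or 'a' + (n - 10) */
}
/* Encode bin_len bytes; hex must hold 2*bin_len+1 bytes. No table lookup, so the
 * cache footprint does not depend on the key bytes. */
char *ct_bin2hex(char *hex, const unsigned char *bin, size_t bin_len)
{
    for (size_t i = 0; i < bin_len; i++) {
        hex[2 * i]     = ct_nibble_to_hex(bin[i] >> 4);
        hex[2 * i + 1] = ct_nibble_to_hex(bin[i] & 0xfu);
    }
    hex[2 * bin_len] = '\0';
    return hex;
}
/* Branchless hex digit -> value; ORs 1 into *bad when c is not a hex digit. */
static unsigned int ct_hex_to_nibble(unsigned int c, unsigned int *bad)
{
    unsigned int num      = c ^ 48u;                        /* '0'..'9' -> 0..9 */
    unsigned int num_ok   = ((num - 10u) >> 8) & 1u;        /* 1 iff num < 10 */
    unsigned int alpha    = (c & ~32u) - 55u;               /* 'A'..'F','a'..'f' -> 10..15 */
    unsigned int alpha_ok = (((alpha - 10u) ^ (alpha - 16u)) >> 8) & 1u; /* 1 iff 10..15 */
    *bad |= (num_ok | alpha_ok) ^ 1u;
    return (num & (0u - num_ok)) | (alpha & (0u - alpha_ok));
}
/* Decode hex_len chars into bin (hex_len/2 bytes). Returns 0, or -1 if the length
 * is odd or any char is not hex; every char is processed regardless. */
int ct_hex2bin(unsigned char *bin, const char *hex, size_t hex_len)
{
    unsigned int bad = (unsigned int)(hex_len & 1u);
    for (size_t i = 0; i + 1 < hex_len; i += 2) {
        unsigned int hi = ct_hex_to_nibble((unsigned char)hex[i], &bad);
        unsigned int lo = ct_hex_to_nibble((unsigned char)hex[i + 1], &bad);
        bin[i / 2] = (unsigned char)((hi << 4) | lo);
    }
    return -(int)bad;
}
/* Self-check on a constructed 8-byte sample key; returns 1 when everything passes. */
int ct_hex_selftest(void)
{
    static const unsigned char key[8] = {0x00, 0x0f, 0x10, 0xa5, 0xde, 0xad, 0xbe, 0xef};
    char hex[17]; unsigned char back[8], junk[2];
    int ok = strcmp(ct_bin2hex(hex, key, sizeof key), "000f10a5deadbeef") == 0;
    ok &= ct_hex2bin(back, hex, 16) == 0 && memcmp(back, key, 8) == 0;
    ok &= ct_hex2bin(back, "DEADBEEF", 8) == 0 && back[0] == 0xde && back[3] == 0xef;
    ok &= ct_hex2bin(junk, "zz", 2) == -1 && ct_hex2bin(junk, "abc", 3) == -1;
    return ok;
}
```

The C source carries no branch on the data, but an optimising compiler may reintroduce one, so the emitted assembly for these routines still needs to be inspected before relying on them.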