Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:87586
Return-Path: <scott@paragonie.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 74753 invoked from network); 3 Aug 2015 20:54:15 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 3 Aug 2015 20:54:15 -0000
Authentication-Results: pb1.pair.com header.from=scott@paragonie.com; sender-id=unknown
Authentication-Results: pb1.pair.com smtp.mail=scott@paragonie.com; spf=permerror; sender-id=unknown
Received-SPF: error (pb1.pair.com: domain paragonie.com from 209.85.220.170 cause and error)
X-PHP-List-Original-Sender: scott@paragonie.com
X-Host-Fingerprint: 209.85.220.170 mail-qk0-f170.google.com  
Received: from [209.85.220.170] ([209.85.220.170:35809] helo=mail-qk0-f170.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id 68/91-65350-5F4DFB55 for <internals@lists.php.net>; Mon, 03 Aug 2015 16:54:13 -0400
Received: by qkbm65 with SMTP id m65so55413138qkb.2
        for <internals@lists.php.net>; Mon, 03 Aug 2015 13:54:10 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20130820;
        h=x-gm-message-state:mime-version:date:message-id:subject:from:to
         :content-type;
        bh=alb7za1vYTeO3uj0Upi8RtLnoyOQiQ8v7o54CfHTUGE=;
        b=T1NnP4B0+50TBM8sutwXw/5u3S8V/8g87wLRhzy/KGbtqdUqrn63NbSgZsrzxozkH0
         1As8f25NZ6JDiYgUYn82bIUc4bv32qDX0M2UUKC1TerK3asF3a/jJ7ZCGhqK7qCbL5wA
         DPANW5dyjVmVHnEp1tfAUuTaXjaBjj+MMMHwT/n5DHF7Q1P7r9SZPtK0vTyRUa5ThkJn
         W/hpTJnwwLSTuW/+v60mcYBR4GaFZWpRFTXrHp3ljFGxqMvzYwedRoo5V5Dwz+O7BESH
         RAiqKByRXSZggsHoVP8DKyMfJRQI8xsQogCOSuRhoIqypn83L2yAwSIyfA716hXIbvA+
         EHoQ==
X-Gm-Message-State: ALoCoQk7OHc0L+lZha4DRffa8nmBKCSOdUhyOWV4FehLzvwDiBORwLaWwE84stjA2IYyqQiQwyw9
MIME-Version: 1.0
X-Received: by 10.55.17.152 with SMTP id 24mr10748qkr.39.1438635249869; Mon,
 03 Aug 2015 13:54:09 -0700 (PDT)
Received: by 10.96.83.102 with HTTP; Mon, 3 Aug 2015 13:54:09 -0700 (PDT)
Date: Mon, 3 Aug 2015 16:54:09 -0400
Message-ID: <CAKws9z1fatmSR2YLaeBn0zVv-s3iwCj7OUKjW949QC0L_VndpA@mail.gmail.com>
To: PHP Internals <internals@lists.php.net>
Content-Type: text/plain; charset=UTF-8
Subject: PHP 7.1 Cryptography Projects
From: scott@paragonie.com (Scott Arciszewski)

Hi,

I would like to make it easier for PHP developers to implement
cryptography features in their applications. I intend to work on some
of these ideas and submit them for inclusion in PHP 7.1.

Some of these might be familiar to some of you.

1. Pluggable Cryptography Frontend

Work is currently underway for a PHP prototype for this idea
originally suggested by ircmaxell, that will basically be like PDO for
cryptography. Our current project name, subject to change, is PHP
Crypto Objects (PCO).

The idea is that you could write code like this to add secure
authenticated encryption to your application without having to worry
about the details.

    $AES = new \PCO\Symmetric('openssl:cipher=AES-128');
    $ciphertext = $AES->encrypt($plaintext, $someKey);

    $PKC = new \PCO\Asymmetric('libsodium');
    $offlineDecryptable = $PKC->seal($plaintext, $someX25519PublicKey);

When it's finished, I'd like to turn it into a PECL extension so users
can play with it in PHP 7.0 and submit it for inclusion in 7.1.

2. Cache-timing-safe character encoding functions

Alternatives for existing functions that should function like their
unsafe counterparts, but without branches or data-based index lookups.

* hex2bin() -> hex2bin_ts()
* bin2hex() -> bin2hex_ts()
* base64_encode() -> base64_encode_ts()
* base64_decode() -> base64_decode_ts()

Other formats are out of scope, unless someone can make the case that
we need to support RFC 4648 base32 encoding (e.g. for Tor Hidden
Service integration).

3. Other ideas (not yet committed to at all, but might be of interest
to others):

* Improving the OpenSSL API, or at least the documentation
* Adding streaming encryption/decryption support to OpenSSL
* Adding AE and AEAD interfaces to OpenSSL
* Aliasing MCRYPT_AES -> MCRYPT_RIJNDAEL_128, adding MCYPT_MODE_CTR

What I need from you is guidance on what features or changes you want
to see in 7.1 and which can be put off until later (or never proposed
as an RFC at all).

Seriously, all I need is your opinion and whether or not you'd like to
see any of these happen. If you have specific implementation details
you'd like to discuss or requests, of course those are welcome too. :D

    "With great ubiquity comes great responsibility." - Matthew Green
<https://twitter.com/matthew_d_green/status/578567678492733440>

Scott Arciszewski
Chief Development Officer
Paragon Initiative Enterprises <https://paragonie.com>