Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:87625
Return-Path: <scott@paragonie.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 94446 invoked from network); 4 Aug 2015 19:23:00 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 4 Aug 2015 19:23:00 -0000
Authentication-Results: pb1.pair.com header.from=scott@paragonie.com; sender-id=unknown
Authentication-Results: pb1.pair.com smtp.mail=scott@paragonie.com; spf=permerror; sender-id=unknown
Received-SPF: error (pb1.pair.com: domain paragonie.com from 209.85.192.54 cause and error)
X-PHP-List-Original-Sender: scott@paragonie.com
X-Host-Fingerprint: 209.85.192.54 mail-qg0-f54.google.com  
Received: from [209.85.192.54] ([209.85.192.54:35656] helo=mail-qg0-f54.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id 5A/E2-11835-E0111C55 for <internals@lists.php.net>; Tue, 04 Aug 2015 15:22:55 -0400
Received: by qgal6 with SMTP id l6so4268324qga.2
        for <internals@lists.php.net>; Tue, 04 Aug 2015 12:22:52 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20130820;
        h=x-gm-message-state:mime-version:in-reply-to:references:date
         :message-id:subject:from:to:cc:content-type;
        bh=FVj+uaBayXBqytXiCS9Cw/MRkU8uDfv/BtaIi7Qlu2o=;
        b=QMRNcvnwuLYU5Y/2ZwP02rl9uEs3wF7JX8Qco0xqcNAeUSmKEg2fb9KMajnTSIAZ1X
         jldFwi68+QMAsnnb1umZIrAKLgBWP0hINAI49t6Wed+MadSnNQK3yw4kHr0I4+iPW37+
         PcOJAIvEbtAHT6Rfkh0ePH/pIA/hYd12ZiuvqUBwzu6Hu5MwgZ4FeCO5plxu30fv7m8x
         edguRwU2CX0FgQQhO2EjuwXHsokzoy9Ub2DMtGjiSX0mfrN0mwU+lWCnzX6MBeJueHGG
         nKi+bIQzzLSL6CPIN3YXrdRJDEJe/dOBIWSdvEnCD05BBcKmTiNIHpFQkiGgXAI9HEZt
         k35w==
X-Gm-Message-State: ALoCoQnuSzYRF9eAvXzV6s1y/S2AJrxhNIaSud7KEl0r3C3UZV+GM12OB8AY+y/y2BoiPHEQ1+mH
MIME-Version: 1.0
X-Received: by 10.140.39.133 with SMTP id v5mr9572024qgv.34.1438716172286;
 Tue, 04 Aug 2015 12:22:52 -0700 (PDT)
Received: by 10.96.83.102 with HTTP; Tue, 4 Aug 2015 12:22:52 -0700 (PDT)
In-Reply-To: <CAEZPtU4FAeNc9zforxNaMUv6oF=MP8t-vX0ZnrQxgHyOF0rUjw@mail.gmail.com>
References: <CAKws9z1fatmSR2YLaeBn0zVv-s3iwCj7OUKjW949QC0L_VndpA@mail.gmail.com>
	<CAEZPtU4FAeNc9zforxNaMUv6oF=MP8t-vX0ZnrQxgHyOF0rUjw@mail.gmail.com>
Date: Tue, 4 Aug 2015 15:22:52 -0400
Message-ID: <CAKws9z2_iiQQ-Y=3Lp5E4mAjpFXaCpzO4-n+RFOcLuAHwRSyCg@mail.gmail.com>
To: Pierre Joye <pierre.php@gmail.com>
Cc: PHP Internals <internals@lists.php.net>
Content-Type: text/plain; charset=UTF-8
Subject: Re: [PHP-DEV] PHP 7.1 Cryptography Projects
From: scott@paragonie.com (Scott Arciszewski)

On Tue, Aug 4, 2015 at 11:50 AM, Pierre Joye <pierre.php@gmail.com> wrote:
> On Tue, Aug 4, 2015 at 3:54 AM, Scott Arciszewski <scott@paragonie.com> wrote:
>> Hi,
>>
>> I would like to make it easier for PHP developers to implement
>> cryptography features in their applications. I intend to work on some
>> of these ideas and submit them for inclusion in PHP 7.1.
>
> Awesome and long due work :)
>
>> Some of these might be familiar to some of you.
>>
>> 1. Pluggable Cryptography Frontend
>>
>> Work is currently underway for a PHP prototype for this idea
>> originally suggested by ircmaxell, that will basically be like PDO for
>> cryptography. Our current project name, subject to change, is PHP
>> Crypto Objects (PCO).
>>
>> The idea is that you could write code like this to add secure
>> authenticated encryption to your application without having to worry
>> about the details.
>>
>>     $AES = new \PCO\Symmetric('openssl:cipher=AES-128');
>>     $ciphertext = $AES->encrypt($plaintext, $someKey);
>>
>>     $PKC = new \PCO\Asymmetric('libsodium');
>>     $offlineDecryptable = $PKC->seal($plaintext, $someX25519PublicKey);
>>
>> When it's finished, I'd like to turn it into a PECL extension so users
>> can play with it in PHP 7.0 and submit it for inclusion in 7.1.
>
> I like the idea of a common API for all possible supported backend. I
> am however really convinced about the one proposed here. That's
> something we will need to really design well and userfriendly.
>
>> 2. Cache-timing-safe character encoding functions
>>
>> Alternatives for existing functions that should function like their
>> unsafe counterparts, but without branches or data-based index lookups.
>>
>> * hex2bin() -> hex2bin_ts()
>> * bin2hex() -> bin2hex_ts()
>> * base64_encode() -> base64_encode_ts()
>> * base64_decode() -> base64_decode_ts()
>
> For most functions I would prefer an option.
>
>
> --
> Pierre
>
> @pierrejoye | http://www.libgd.org

This isn't a replacement, they're alternatives. -> means related to in
this case, not "becomes" :)

Or do you mean to add a parameter to the existing functions to make
them constant time?

Scott Arciszewski
Chief Development Officer
Paragon Initiative Enterprises