Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:91965
Return-Path: <scott@paragonie.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 98183 invoked from network); 27 Mar 2016 01:57:00 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 27 Mar 2016 01:57:00 -0000
Authentication-Results: pb1.pair.com smtp.mail=scott@paragonie.com; spf=pass; sender-id=pass
Authentication-Results: pb1.pair.com header.from=scott@paragonie.com; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain paragonie.com designates 209.85.214.172 as permitted sender)
X-PHP-List-Original-Sender: scott@paragonie.com
X-Host-Fingerprint: 209.85.214.172 mail-ob0-f172.google.com  
Received: from [209.85.214.172] ([209.85.214.172:36209] helo=mail-ob0-f172.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id 9B/43-03797-AED37F65 for <internals@lists.php.net>; Sat, 26 Mar 2016 20:56:59 -0500
Received: by mail-ob0-f172.google.com with SMTP id m7so78771327obh.3
        for <internals@lists.php.net>; Sat, 26 Mar 2016 18:56:58 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=paragonie-com.20150623.gappssmtp.com; s=20150623;
        h=mime-version:in-reply-to:references:date:message-id:subject:from:to
         :cc;
        bh=NrUFI0dXCWXIeBVDbSstr2VMXSSMIbh1VXKhZUCXRbA=;
        b=OZZ0tbXOKfJJV2ZQKOknDoZP5T58bkzAYnJSo6Wzw+P9W7sUuOObZpRpkNPmL2FdSM
         sZSoBgXjTH2G9/styTQfPX+gpFM0GoCme1mPTN1SEZu2km4SUQOjnYFZMu+IdMljxdPi
         NZBw4QHe/DH45lX/IRZgstLGvAAsTsAcMGZXCy2XgaPcIbRtCxKPm2DXlytnnc7pvSam
         Vx9l2+WIemThaBIyOkHj15NRM+RFTAOqZ6Ka//hwih9auRCBO6aupDU+aAJXlMbTX+r1
         Cq2+eSP2xt1EzCVMFc6eG4RX4HLD49ptVvivKICMCxJ32OCQg1HDHt8J/WSS8l6ICMH4
         DY0A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20130820;
        h=x-gm-message-state:mime-version:in-reply-to:references:date
         :message-id:subject:from:to:cc;
        bh=NrUFI0dXCWXIeBVDbSstr2VMXSSMIbh1VXKhZUCXRbA=;
        b=QueXwwiSONzv8ahRvyYqYrzgB8wuWev4q/Nedfc0mVuygE04mS6PpBD9phz1+ZuFfm
         mnTthNTqQSwd3R9yfcFnchSL0YLn9ZkAtwSZA6gHj1DHJ3FDHFCPbKcFYlI9rHByUXyn
         jqEfLZo4WMAuuD/GZjLuFGhhInKtAcabRN6Bv8lw7rCiapz7RnMuo8qb8toWm6PV6aAL
         689HJ+uvpP+UATuzMruLwypka0uqtNInFuHG0e0G+gmaJojm+8/S4APMV7pnjpK9q6/o
         x1eB3DPAYcEzA2BY1KqoIaFBCY0U4tKyCDJxo+UoASBTT9N/VjV11LiKUopGjFLXD46o
         /LWw==
X-Gm-Message-State: AD7BkJKERCRU3rghO7HyfPGtWgnfY3Y9abojogojD0QQu/AySN/7BS1M5NfI/phu/BOEFCx3nkTb9nA5wIU0mg==
MIME-Version: 1.0
X-Received: by 10.182.103.167 with SMTP id fx7mr9301125obb.36.1459043815869;
 Sat, 26 Mar 2016 18:56:55 -0700 (PDT)
Received: by 10.157.14.42 with HTTP; Sat, 26 Mar 2016 18:56:55 -0700 (PDT)
In-Reply-To: <56F7398A.5050002@gmail.com>
References: <CAKws9z1bY=nLo=K8D9OQ_K0yhfNE-5SAEaDgyZnM34P3v8im9g@mail.gmail.com>
	<56F7398A.5050002@gmail.com>
Date: Sat, 26 Mar 2016 21:56:55 -0400
Message-ID: <CAKws9z2_LU1o6peYJWtDWvtQPE4nin6ChZPMG5=xWQSf7ikKtA@mail.gmail.com>
To: Stanislav Malyshev <smalyshev@gmail.com>
Cc: PHP Internals <internals@lists.php.net>
Content-Type: multipart/alternative; boundary=089e011602f85b6ca8052efe1c68
Subject: Re: [PHP-DEV] [RFC] RFC4648 encoding
From: scott@paragonie.com (Scott Arciszewski)

--089e011602f85b6ca8052efe1c68
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

On Sat, Mar 26, 2016 at 9:38 PM, Stanislav Malyshev <smalyshev@gmail.com>
wrote:

> Hi!
>
> > PHP already offers bin2hex()/hex2bin() and
> base64_encode()/base64_decode().
> > This covers part, but not all, of RFC 4648.
> >
> > I'd like to extend the coverage to include, at minimum, Base32.
>
> What's the use case for it? Is anybody using base32 now?
>
> > I'd also like to make these functions to be written to resist
> cache-timing
> > attacks (i.e. when used to encode/decode encryption keys for long-term
> > storage). Userland PoC:
> https://github.com/paragonie/constant_time_encoding
> > These modifications can either be made in-place (at a negligble cost on
> the
> > scale of nanoseconds) or they can be an alternative implementation. i.e=
.
>
> What modification needs to be done for existing one? Since encoding
> functions (unlike comparison ones) have to process every bit anyway, so
> what are timing differences for e.g. base64? Is there any existing
> research for this?
>
> >
> >     * bin2hex_ts()
> >     * base64_encode_ts()
> >     * base32_encode_ts()
>
> If you have encode functions, you should have decode too? Otherwise,
> you'd have the same issue every time the key is read.
>
> --
> Stas Malyshev
> smalyshev@gmail.com
>

=E2=80=8BGoogle Authenticator and Tor Hidden Services both use base32. I wa=
s also
going to cover the decoding functions in the RFC.=E2=80=8B

Scott Arciszewski
Chief Development Officer
Paragon Initiative Enterprises <https://paragonie.com/>=E2=80=8B

--089e011602f85b6ca8052efe1c68--