Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:93797
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Received-SPF: pass (pb1.pair.com: domain paragonie.com designates 209.85.218.50 as permitted sender)
MIME-Version: 1.0
In-Reply-To: <CAEZPtU4aSoe3rDWWFssBx95pgqXe=TXT52bGi_85X+cYmqjH0A@mail.gmail.com>
References: <CAKws9z114YcHkDaXO3o-E0JuHR10WsPzyedeF_8Q=shHDziwug@mail.gmail.com>
	<f19972fa-353f-dc6c-6184-9f1c72ad2ce7@gmail.com>
	<CAEZPtU4aSoe3rDWWFssBx95pgqXe=TXT52bGi_85X+cYmqjH0A@mail.gmail.com>
Date: Sun, 5 Jun 2016 03:46:02 -0400
Message-ID: <CAKws9z0qrT2etrx5K3xFLOEPfeV0E7Z_F5nDDc-PmYqck8++Cg@mail.gmail.com>
To: Pierre Joye <pierre.php@gmail.com>
Cc: Stas Malyshev <smalyshev@gmail.com>, PHP internals <internals@lists.php.net>
Content-Type: multipart/alternative; boundary=001a113d5160c33d1e0534832516
Subject: Re: [PHP-DEV] [RFC] Libsodium - Discussion
From: scott@paragonie.com (Scott Arciszewski)

--001a113d5160c33d1e0534832516
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

On Sun, Jun 5, 2016 at 2:20 AM, Pierre Joye <pierre.php@gmail.com> wrote:

>
> On Jun 5, 2016 5:15 AM, "Stanislav Malyshev" <smalyshev@gmail.com> wrote:
> >
>
> > The stated goal is "You shouldn't need a Ph.D in Applied Cryptography t=
o
> > build a secure web application." I fully agree with this goal. I howeve=
r
> > feel that current implementation, while making admirable progress
> > towards this goal, still needs some work to actually achieve it.
>
> I fully agree with you. As much as I think we need something like that, I
> think these are stopping points.
>
> I would very interested to hear from Scott about these questions and the
> low level nature of the APIs make it not as friendly or future proof as i=
t
> could.
>
> Cheers
> Pierre
>

Hi Pierre,

My position on the low level nature of libsodium's APIs is as follows:
=E2=80=8BThat sounds like a call to action for https://wiki.php.net/rfc/php=
71-crypto
rather than a point of concern for adopting libsodium.=E2=80=8B

Compare the following two snippets which accomplish the same "goal"
(anonymous public-key encryption).

    <?php
    /**
     * OpenSSL -- since the Diffie Hellman features in ext/openssl kind
     * of suck, I'm going to use RSA to encrypt the AES key using the
     * recipient's public key.
     */

    ## ENCRYPTION ##

    $message =3D 'Prime Numbers Rock!';
    $publicKey =3D openssl_pkey_get_public('file://path/to/public_key.pem')=
;

    $aesKey =3D random_bytes(32);
    // Basically a poor-man's HKDF by just using HMAC
        $keyE =3D hash_hmac('sha256', 'Encryption Key', $aesKey, true);
        $keyA =3D hash_hmac('sha256', 'Authentication Key', $aesKey, true);

    $iv =3D random_bytes(16);
    $ciphertext =3D openssl_encrypt($message, 'aes-256-ctr', $keyE,
OPENSSL_RAW_DATA, $iv);
    $mac =3D hash_hmac('sha256', $iv . $ciphertext, $keyA, true);

    $combined =3D $mac . $iv . $ciphertext;
    $rsaCipher =3D '';
    openssl_public_encrypt($aesKey, $rsaCipher, $publicKey,
OPENSSL_PKCS1_OAEP_PADDING);
    $sendMe =3D $rsaCipher . $combined;

    ## DECRYPTION ##

    $privateKey =3D openssl_pkey_get_public('file://path/to/private_key.pem=
');
    $rsaPart =3D mb_substr($sendMe, 0, 256, '8bit'); // Assuming 2048-bit R=
SA
    $aesPart =3D mb_substr($sendMe, 256, null, '8bit');
    $mac =3D mb_substr($aesPart, 0, 32, '8bit');
    $iv =3D mb_substr($aesPart, 32, 16, '8bit');
    $cipher =3D mb_substr($aesPart, 48, null, '8bit');

    openssl_private_decrypt($rsaPart, $aesKey, $privateKey,
OPENSSL_PKCS1_OAEP_PADDING);
    $keyE =3D hash_hmac('sha256', 'Encryption Key', $aesKey, true);
    $keyA =3D hash_hmac('sha256', 'Authentication Key', $aesKey, true);

    $calc =3D hash_hmac('sha256', $iv . $cipher, $keyA, true);
    if (!hash_equals($calc, $mac)) {
        throw new Exception('MAC validation failure');
    }

    $decrypted =3D openssl_decrypt($cipher, 'aes-256-ctr', $keyE,
OPENSSL_RAW_DATA, $iv);
    var_dump($decrypted); // string(19) "Prime Numbers Rock!"

=E2=80=8BCan you count the foot-bullets in that snippet that you'd need to =
be a
cryptography engineer to successfully avoid?

Demo: https://3v4l.org/nYVPf

Here's a congruent implementation in libsodium:=E2=80=8B

=E2=80=8B    <?php
    /**
     * Libsodium
     */

    ## ENCRYPTION ##

    $message =3D 'Prime Numbers Rock!';
    $bob_public_key =3D "... populate here ...";
    =E2=80=8B
    $nonce =3D random_bytes(24);
    $sendMe =3D \Sodium\crypto_box_seal($message, $bob_public_key);

=E2=80=8B    ## DECRYPTION ##=E2=80=8B

=E2=80=8B    =E2=80=8B$bob_kp =3D "... populate here ...";
    $decrypted =3D \Sodium\crypto_box_seal_open($sendMe, $bob_kp);
    var_dump($decrypted); // string(19) "Prime Numbers Rock!"

(No demo available, as 3v4l doesn't have ext/sodium installed.)

=E2=80=8BLibsodium already =E2=80=8Bknocks it out of the park compared to O=
penSSL and
Mcrypt. If we want to talk about a higher-level abstraction-- such as
what's provided by paragonie/EasyRSA + defuse/php-encryption or
paragonie/halite-- I wholeheartedly endorse that discussion. But I don't
think we should try to solve that problem with this particular RFC.

In closing, I don't disagree that a simple crypto API is a good goal to
have. I just think the ideal you're discussing is:

A. Out of scope, and
B. Kind of belittling to how much of an improvement libsodium is to what we
already have.

Further reading: http://framework.zend.com/security/advisory/ZF2015-10

Scott Arciszewski
Chief Development Officer
Paragon Initiative Enterprises <https://paragonie.com/>
=E2=80=8B

--001a113d5160c33d1e0534832516--