Newsgroups: php.internals
Date: Sun, 5 Jun 2016 16:36:10 +0700
To: Scott Arciszewski
Cc: Stas Malyshev, PHP internals
Subject: Re: [PHP-DEV] [RFC] Libsodium - Discussion
From: pierre.php@gmail.com (Pierre Joye)

On Sun, Jun 5, 2016 at 2:46 PM, Scott Arciszewski wrote:
>
> On Sun, Jun 5, 2016 at 2:20 AM, Pierre Joye wrote:
>>
>> On Jun 5, 2016 5:15 AM, "Stanislav Malyshev" wrote:
>> >
>> > The stated goal is "You shouldn't need a Ph.D in Applied Cryptography to
>> > build a secure web application." I fully agree with this goal. I however
>> > feel that the current implementation, while making admirable progress
>> > towards this goal, still needs some work to actually achieve it.
>>
>> I fully agree with you. As much as I think we need something like that, I
>> think these are stopping points.
>>
>> I would be very interested to hear from Scott about these questions, and
>> about how the low level nature of the APIs makes it not as friendly or
>> future proof as it could be.
>>
>> Cheers
>> Pierre
>
> Hi Pierre,
>
> My position on the low level nature of libsodium's APIs is as follows: That
> sounds like a call to action for https://wiki.php.net/rfc/php71-crypto
> rather than a point of concern for adopting libsodium.
>
> Compare the following two snippets which accomplish the same "goal"
> (anonymous public-key encryption).
>
> /**
>  * OpenSSL -- since the Diffie Hellman features in ext/openssl kind
>  * of suck, I'm going to use RSA to encrypt the AES key using the
>  * recipient's public key.
>  */
>
> ## ENCRYPTION ##
>
> $message = 'Prime Numbers Rock!';
> $publicKey = openssl_pkey_get_public('file://path/to/public_key.pem');
>
> $aesKey = random_bytes(32);
> // Basically a poor-man's HKDF by just using HMAC
> $keyE = hash_hmac('sha256', 'Encryption Key', $aesKey, true);
> $keyA = hash_hmac('sha256', 'Authentication Key', $aesKey, true);
>
> $iv = random_bytes(16);
> $ciphertext = openssl_encrypt($message, 'aes-256-ctr', $keyE,
>     OPENSSL_RAW_DATA, $iv);
> // Encrypt-then-MAC over the IV and the ciphertext
> $mac = hash_hmac('sha256', $iv . $ciphertext, $keyA, true);
>
> $combined = $mac . $iv . $ciphertext;
> $rsaCipher = '';
> openssl_public_encrypt($aesKey, $rsaCipher, $publicKey,
>     OPENSSL_PKCS1_OAEP_PADDING);
> $sendMe = $rsaCipher . $combined;
>
> ## DECRYPTION ##
>
> // Decryption needs the private key, so load it with openssl_pkey_get_private
> $privateKey = openssl_pkey_get_private('file://path/to/private_key.pem');
> $rsaPart = mb_substr($sendMe, 0, 256, '8bit'); // Assuming 2048-bit RSA
> $aesPart = mb_substr($sendMe, 256, null, '8bit');
> $mac = mb_substr($aesPart, 0, 32, '8bit');
> $iv = mb_substr($aesPart, 32, 16, '8bit');
> $cipher = mb_substr($aesPart, 48, null, '8bit');
>
> openssl_private_decrypt($rsaPart, $aesKey, $privateKey,
>     OPENSSL_PKCS1_OAEP_PADDING);
> $keyE = hash_hmac('sha256', 'Encryption Key', $aesKey, true);
> $keyA = hash_hmac('sha256', 'Authentication Key', $aesKey, true);
>
> // Verify the MAC in constant time before decrypting anything
> $calc = hash_hmac('sha256', $iv . $cipher, $keyA, true);
> if (!hash_equals($calc, $mac)) {
>     throw new Exception('MAC validation failure');
> }
>
> $decrypted = openssl_decrypt($cipher, 'aes-256-ctr', $keyE,
>     OPENSSL_RAW_DATA, $iv);
> var_dump($decrypted); // string(19) "Prime Numbers Rock!"
>
> Can you count the foot-bullets in that snippet that you'd need to be a
> cryptography engineer to successfully avoid?
>
> Demo: https://3v4l.org/nYVPf
>
> Here's a congruent implementation in libsodium:
>
> /**
>  * Libsodium
>  */
>
> ## ENCRYPTION ##
>
> $message = 'Prime Numbers Rock!';
> $bob_public_key = "... populate here ...";
>
> // crypto_box_seal generates an ephemeral key pair and derives the nonce
> // internally, so the caller has no nonce to manage
> $sendMe = \Sodium\crypto_box_seal($message, $bob_public_key);
>
> ## DECRYPTION ##
>
> $bob_kp = "... populate here ...";
> $decrypted = \Sodium\crypto_box_seal_open($sendMe, $bob_kp);
> var_dump($decrypted); // string(19) "Prime Numbers Rock!"
>
> (No demo available, as 3v4l doesn't have ext/sodium installed.)
>
> Libsodium already knocks it out of the park compared to OpenSSL and Mcrypt.
> If we want to talk about a higher-level abstraction-- such as what's
> provided by paragonie/EasyRSA + defuse/php-encryption or paragonie/halite--
> I wholeheartedly endorse that discussion. But I don't think we should try to
> solve that problem with this particular RFC.
>
> In closing, I don't disagree that a simple crypto API is a good goal to
> have. I just think the ideal you're discussing is:
>
> A. Out of scope, and
> B. Kind of belittling to how much of an improvement libsodium is to what we
> already have.
>
> Further reading: http://framework.zend.com/security/advisory/ZF2015-10

Also the questions about the naming, namespaces and other conventions remain
unanswered. That would be a good step forward.

And indeed this API, while still not ideal, is by far better than openssl for
what matters.

Cheers,
--
Pierre

@pierrejoye | http://www.libgd.org
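The hybrid construction in Scott's OpenSSL snippet (RSA-OAEP key transport, AES-256-CTR, HMAC-SHA256 in encrypt-then-MAC order), written out here as an added self-contained example that is not part of the thread and not any project's code. It generates a throwaway 2048-bit key pair so it runs offline, derives the RSA block length from the key instead of hard-coding 256, checks lengths before slicing the wire format, and rejects a tampered ciphertext at the MAC check rather than decrypting it. The function names `hybridEncrypt` and `hybridDecrypt` and the wire layout are this example's own choices.

```php
<?php
// Added example (not from the thread): the RSA-OAEP + AES-256-CTR + HMAC-SHA256
// hybrid construction from the OpenSSL snippet, with its sharp edges handled.
declare(strict_types=1);

const KEY_BITS = 2048; // throwaway key size for the offline demo

function hybridEncrypt(string $message, $publicKey): string
{
    $aesKey = random_bytes(32);
    // Separate encryption and MAC keys derived from the transported key (poor-man's HKDF, as in the thread)
    $keyE = hash_hmac('sha256', 'Encryption Key', $aesKey, true);
    $keyA = hash_hmac('sha256', 'Authentication Key', $aesKey, true);

    $iv = random_bytes(16);
    $ciphertext = openssl_encrypt($message, 'aes-256-ctr', $keyE, OPENSSL_RAW_DATA, $iv);
    if ($ciphertext === false) {
        throw new RuntimeException('openssl_encrypt failed');
    }
    // Encrypt-then-MAC: the tag covers the IV and the ciphertext
    $mac = hash_hmac('sha256', $iv . $ciphertext, $keyA, true);

    $rsaCipher = '';
    if (!openssl_public_encrypt($aesKey, $rsaCipher, $publicKey, OPENSSL_PKCS1_OAEP_PADDING)) {
        throw new RuntimeException('openssl_public_encrypt failed');
    }
    // Wire layout (this example's choice): RSA block | 32-byte MAC | 16-byte IV | ciphertext
    return $rsaCipher . $mac . $iv . $ciphertext;
}

function hybridDecrypt(string $sendMe, $privateKey): string
{
    // Derive the RSA block length from the key rather than assuming 256 bytes
    $details = openssl_pkey_get_details($privateKey);
    if ($details === false || $details['type'] !== OPENSSL_KEYTYPE_RSA) {
        throw new RuntimeException('expected an RSA private key');
    }
    $rsaLen = intdiv($details['bits'], 8);

    // Refuse anything too short to contain the fixed-size fields
    if (mb_strlen($sendMe, '8bit') < $rsaLen + 32 + 16) {
        throw new RuntimeException('message too short');
    }
    $rsaPart = mb_substr($sendMe, 0, $rsaLen, '8bit');
    $mac     = mb_substr($sendMe, $rsaLen, 32, '8bit');
    $iv      = mb_substr($sendMe, $rsaLen + 32, 16, '8bit');
    $cipher  = mb_substr($sendMe, $rsaLen + 48, null, '8bit');

    $aesKey = '';
    if (!openssl_private_decrypt($rsaPart, $aesKey, $privateKey, OPENSSL_PKCS1_OAEP_PADDING)
        || mb_strlen($aesKey, '8bit') !== 32) {
        throw new RuntimeException('RSA key unwrap failed');
    }
    $keyE = hash_hmac('sha256', 'Encryption Key', $aesKey, true);
    $keyA = hash_hmac('sha256', 'Authentication Key', $aesKey, true);

    // Constant-time MAC check before the ciphertext is touched
    $calc = hash_hmac('sha256', $iv . $cipher, $keyA, true);
    if (!hash_equals($calc, $mac)) {
        throw new RuntimeException('MAC validation failure');
    }
    $plain = openssl_decrypt($cipher, 'aes-256-ctr', $keyE, OPENSSL_RAW_DATA, $iv);
    if ($plain === false) {
        throw new RuntimeException('openssl_decrypt failed');
    }
    return $plain;
}

// Throwaway key pair so the script runs offline; the public half is re-loaded
// from its PEM the way a recipient's key would be.
$kp = openssl_pkey_new(['private_key_bits' => KEY_BITS, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
$publicKey = openssl_pkey_get_public(openssl_pkey_get_details($kp)['key']);

$sendMe = hybridEncrypt('Prime Numbers Rock!', $publicKey);
var_dump(hybridDecrypt($sendMe, $kp) === 'Prime Numbers Rock!');

// Flipping one ciphertext bit must fail at the MAC check, not come back as garbage plaintext
$tampered = $sendMe;
$last = mb_strlen($tampered, '8bit') - 1;
$tampered[$last] = chr(ord($tampered[$last]) ^ 0x01);
try {
    hybridDecrypt($tampered, $kp);
    echo "tampering was not detected\n";
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

The point of the length and key-type checks is the one the thread makes about foot-bullets: every constant in the OpenSSL version (256, 32, 16, 48, which key-loading function to call) is something the caller has to get right, while the sealed-box API carries none of that state across the wire. Run with `php example.php` on a build that has ext/openssl and mbstring enabled.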