Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:96750
Return-Path: <scott@paragonie.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 2710 invoked from network); 7 Nov 2016 00:35:54 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 7 Nov 2016 00:35:54 -0000
Authentication-Results: pb1.pair.com smtp.mail=scott@paragonie.com; spf=pass; sender-id=pass
Authentication-Results: pb1.pair.com header.from=scott@paragonie.com; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain paragonie.com designates 209.85.214.44 as permitted sender)
X-PHP-List-Original-Sender: scott@paragonie.com
X-Host-Fingerprint: 209.85.214.44 mail-it0-f44.google.com  
Received: from [209.85.214.44] ([209.85.214.44:37620] helo=mail-it0-f44.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id EA/28-33116-86CCF185 for <internals@lists.php.net>; Sun, 06 Nov 2016 19:35:52 -0500
Received: by mail-it0-f44.google.com with SMTP id u205so91571838itc.0
        for <internals@lists.php.net>; Sun, 06 Nov 2016 16:35:52 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=paragonie-com.20150623.gappssmtp.com; s=20150623;
        h=mime-version:in-reply-to:references:from:date:message-id:subject:to
         :cc;
        bh=JoUQY5gRQNzVkq80SR5GFBsn+5/sljExNVtmFrl81jM=;
        b=d4HKQ1PZtShfX90aoC3l0CN34CQijoozeGtlYArPpACBDDx1dNWtYrkTySJL+hG2fh
         PSpSeX8U3nguQlYqJ+4ODjzLCkjAnCKxI9oWwy9PJDbzh3Qgkh9muN7tkQ/cdhwP/aId
         WNxgjXVRymjn/CyaX51mdnlr/Nvt9zrakoy91DTToK9Tau92SI8+lZKshJejQotcDu22
         yt8g3HLR0nHDNNkKYqjSa6Ghd8br/h+8S1WSfMgRmk61ybIrgXPLbig6OEHfxBp3/FIV
         t17j1d+uIuvXkMfAGYyH8+ysbuwz3DATenLwEFM2FIhuSOtKfUQi1nut/+VSI5/KnU1I
         mWbQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20130820;
        h=x-gm-message-state:mime-version:in-reply-to:references:from:date
         :message-id:subject:to:cc;
        bh=JoUQY5gRQNzVkq80SR5GFBsn+5/sljExNVtmFrl81jM=;
        b=A6qoHZJbiFjxZNVNTh/PX+PN2cCgT9WyLP26xOMpRpUngrqaw/zCI9Y7XVtt/T9T79
         0ytk5Yw6MmUP2eILb5KHVFgzzOIgYc75e0Tx6zju/FGC9saG0WV0ic0rL42pPAPTyxE5
         do9fjLP1ZmHsd/cSLKRXxFho5jWRNfnIkmLjgy1ImXVek7eGe5SEBOMpmPnHzkYr66Ye
         CjJIV5yxoJZjKTBW3+rhONmVOJq5vhoWxf5WfqRmrJPswnMLzuww8ZgIJWytUalCMhRu
         GK4VnPPeTyGkClvXBZFYzARnFTOHwCi2H8Mn3ShT5lSqfRbOWjoHZKE3j3yevSpwjgBn
         z8PA==
X-Gm-Message-State: ABUngvePRFUemeCou26dcaQiO8xXNBrLO+rMI7fXR/fB2O/yLqTx7RexxHkX0teR2jLH6XkxwEoVSKsPicv3BA==
X-Received: by 10.157.19.124 with SMTP id q57mr2046127otq.33.1478478948782;
 Sun, 06 Nov 2016 16:35:48 -0800 (PST)
MIME-Version: 1.0
Received: by 10.157.37.92 with HTTP; Sun, 6 Nov 2016 16:35:48 -0800 (PST)
In-Reply-To: <CAEKnhAF-qbiaHNzenf4STYuNhde7Deep=MQB0SsnEX78QKv8og@mail.gmail.com>
References: <CAKws9z2C9cPYRWP4gAP=JiHEq2bDZT3z9v7JFRWnZiKg-QZH0Q@mail.gmail.com>
 <CAEKnhAF-qbiaHNzenf4STYuNhde7Deep=MQB0SsnEX78QKv8og@mail.gmail.com>
Date: Sun, 6 Nov 2016 19:35:48 -0500
Message-ID: <CAKws9z0+xQvUScy5a0TjOrorrPpRmCknaUfCASvWHTaqiaqfaA@mail.gmail.com>
To: Jakub Zelenka <bukka@php.net>
Cc: PHP Internals <internals@lists.php.net>
Content-Type: text/plain; charset=UTF-8
Subject: Re: [PHP-DEV] OpenSSL - New Defaults
From: scott@paragonie.com (Scott Arciszewski)

On Sun, Nov 6, 2016 at 2:19 PM, Jakub Zelenka <bukka@php.net> wrote:
> Hi,
>
> On Thu, Nov 3, 2016 at 4:11 PM, Scott Arciszewski <scott@paragonie.com>
> wrote:
>>
>> Hi,
>>
>> Can we change openssl_public_encrypt() and openssl_private_decrypt() from
>> defaulting to PKCS1v1.5 padding, in favor of defaulting to OAEP?
>>
>> I'll create an RFC for this later. It will just prevent a lot of issues.
>>
>> To wit:
>>
>> - https://framework.zend.com/security/advisory/ZF2015-10
>> -
>>
>> https://github.com/garyr/portunus/blob/89853c180c85c71baac7015cb77ff8ddae129942/src/Portunus/Crypt/RSA/PrivateKey.php#L20
>> -
>>
>> https://github.com/NorseBlue/Sikker/blob/c158bab1e676d751e5228cb17ecf9593c6b94e95/src/Asymmetric/Keys/PrivateKey.php#L72
>>
>> If we can't stop PHP developers who aren't cryptographers from writing
>> their own high-level RSA implementation, we can at least make it safer by
>> default.
>>
>
> We can't change default in 7.x as it would be a BC break and in this case a
> very hard to catch BC break as the only way how we could let user know about
> that is a documentation. This is a very low level function and PKCSv1.5 is
> still used a lot so some apps might depend on. I think that the default is
> bad but I don't think that breaking both function without notice is a good
> solution as users might not be able to catch it especially if it's some
> third party protocol that is not very secure but you don't have choice
> because 3rd party won't change it (that was actually the only case where I
> used these functions in practice so it's not made up). And even worse if you
> don't have tests, then it breaks just production without a warning...
>
> What I would prefer instead is to deprecate calling
> openssl_(private|public)_(en|de)crypt without a padding parameter. The
> default would stay the same but user would get a deprecation message and the
> parameter would become required in PHP 8. We should add a note to the doc,
> to let the user know what the safest option is. It means OAEP for
> openssl_private_decrypt and openssl_public_encrypt. In case of
> openssl_public_decrypt and openssl_private_encrypt, we support just
> PKCS1v1.5 but if we add support for PSS (would require a little bit of
> tweaking as it works on EVP level only but might add it later), we could
> easily recommend it then.
>
> I have got actually very similar plan for openssl_seal and openssl_open that
> have default method rc4. Again very bad default but the best way how to let
> user know is to deprecate it rather than choose new default and break
> compatibility.
>
> Cheers
>
> Jakub
>
>

Hi Jakub,

> We can't change default in 7.x as it would be a BC break and in this case a very hard to catch BC break as the only way how we could let user know about that is a documentation.

A sane proposal had emerged before I even received this email, via
kemmeta on Reddit:

https://www.reddit.com/r/PHP/comments/5axmn5/phpinternals_openssl_new_defaults_proposal/d9kx8sa/?context=1

A backwards-compatible interface would default
openssl_public_encrypt() to OAEP, but openssl_private_decrypt() would
default to a new constant: OPENSSL_PKCS1_UNSPECIFIED, which when
passed would first try OAEP and, if a padding error occurred, emit an
E_DEPRECATED and fallback to PKCS1v1.5 (a.k.a. "let's pretend Daniel
Bleichenbacher's research doesn't exist" mode).

The upside is that better security would be applied opportunistically
in codebases where the PHP developer was not a cryptographer. The
downside is a performance hit unless you specify one mode or another.

A long term solution would be to not even use RSA anymore.

> I have got actually very similar plan for openssl_seal and openssl_open that
> have default method rc4. Again very bad default but the best way how to let
> user know is to deprecate it rather than choose new default and break
> compatibility.

If your plan is to get it more in line with libsodium's
crypto_box_seal API, I'd love to see it.

Scott Arciszewski
Chief Development Officer
Paragon Initiative Enterprises