Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:96756 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 38545 invoked from network); 7 Nov 2016 12:30:10 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 7 Nov 2016 12:30:10 -0000 Authentication-Results: pb1.pair.com smtp.mail=inefedor@gmail.com; spf=pass; sender-id=pass Authentication-Results: pb1.pair.com header.from=inefedor@gmail.com; sender-id=pass Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.215.48 as permitted sender) X-PHP-List-Original-Sender: inefedor@gmail.com X-Host-Fingerprint: 209.85.215.48 mail-lf0-f48.google.com Received: from [209.85.215.48] ([209.85.215.48:34093] helo=mail-lf0-f48.google.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 93/DB-33116-DC370285 for ; Mon, 07 Nov 2016 07:30:08 -0500 Received: by mail-lf0-f48.google.com with SMTP id o141so39898476lff.1 for ; Mon, 07 Nov 2016 04:30:05 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=qX76mtLE1UanT9mQDUVPqxSzBGbzwJTe7JnqE0Llmgw=; b=YwZm7cUq5SJtl7bewURLCfcehBi4g6CyX6QYDPw7Wa+GWo9RVrCwBw7T03Gb2ZyTYM dnMv+2sWknLawLxq2pS/iis5El4YixEHRtcy9EvpJlQMqjU4kF66pNwRSUHeDFg9X5eQ Ksfa8Pcaitv/4AGV4U4fy3rzWP4MFZxfr6XYRuSUNdS61W6AHjCazCNEiXd9HFOP3GcM I4XbwyG/U/f6ZeVPYLxEvDucCoMcKkDdIBwU7gPcAdockcDTLVmcjLPNEP4ww2YSi/Tu ZHxzj2OY+e1Zn2hK7XBrlIdqDODIUgStS4mYXP1s8BTXBeAatrmOHGZbZZ8IJwdlA+5i xufQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=qX76mtLE1UanT9mQDUVPqxSzBGbzwJTe7JnqE0Llmgw=; b=N4mHyIPJrRQdX74GjckuDaCrjYvlasJ8ppZfuV3EF/u17GA70fDEbXMAL2L303ewCa 1XFtjVKq43oYiGk4zUk33MTNezEOHTozQqmXm2WnbvDY2RaCemVW6/2qUwzsxmXLO6ib bHTuFq/hKPkQ6udBN++j3xiCdFkVfciuHiorAqYG9wz/f4iSDJlaPWmHvf8rby5OLjVz Tc1HsICV8KwgEPsvQ6Eb2iHWJyod1IXl4BF/F58gkLCbwvLyA4JsQagK8wS9B1/Z/9kw 58R30yRXc/toT1bcO/gbAWnFGf49swvZccg79h2DLHu3ViOjh4YLZSv4Q7dQNUZwv0t1 ineg== X-Gm-Message-State: ABUngvftO9E0KAGGW6YkrDsfgCjszgcY3LGCQWsIZDiOSxBcoMtffD0lgOnln+qJhEB0DA== X-Received: by 10.25.66.213 with SMTP id p204mr3772063lfa.110.1478521801651; Mon, 07 Nov 2016 04:30:01 -0800 (PST) Received: from [172.18.218.8] ([31.173.80.99]) by smtp.gmail.com with ESMTPSA id 5sm5141664ljf.18.2016.11.07.04.30.00 (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Mon, 07 Nov 2016 04:30:00 -0800 (PST) Content-Type: text/plain; charset=us-ascii Mime-Version: 1.0 (1.0) X-Mailer: iPhone Mail (14A456) In-Reply-To: Date: Mon, 7 Nov 2016 15:29:59 +0300 Cc: PHP Internals Content-Transfer-Encoding: quoted-printable Message-ID: <352DE108-A96C-4375-AABF-FC4F5C37014C@gmail.com> References: To: Scott Arciszewski Subject: Re: [PHP-DEV] OpenSSL - New Defaults From: inefedor@gmail.com (Nikita Nefedov) > On 7 Nov 2016, at 03:35, Scott Arciszewski wrote: >=20 >> On Sun, Nov 6, 2016 at 2:19 PM, Jakub Zelenka wrote: >> Hi, >>=20 >> On Thu, Nov 3, 2016 at 4:11 PM, Scott Arciszewski >> wrote: >>>=20 >>> Hi, >>>=20 >>> Can we change openssl_public_encrypt() and openssl_private_decrypt() fro= m >>> defaulting to PKCS1v1.5 padding, in favor of defaulting to OAEP? >>>=20 >>> I'll create an RFC for this later. It will just prevent a lot of issues.= >>>=20 >>> To wit: >>>=20 >>> - https://framework.zend.com/security/advisory/ZF2015-10 >>> - >>>=20 >>> https://github.com/garyr/portunus/blob/89853c180c85c71baac7015cb77ff8dda= e129942/src/Portunus/Crypt/RSA/PrivateKey.php#L20 >>> - >>>=20 >>> https://github.com/NorseBlue/Sikker/blob/c158bab1e676d751e5228cb17ecf959= 3c6b94e95/src/Asymmetric/Keys/PrivateKey.php#L72 >>>=20 >>> If we can't stop PHP developers who aren't cryptographers from writing >>> their own high-level RSA implementation, we can at least make it safer b= y >>> default. >>>=20 >>=20 >> We can't change default in 7.x as it would be a BC break and in this case= a >> very hard to catch BC break as the only way how we could let user know ab= out >> that is a documentation. This is a very low level function and PKCSv1.5 i= s >> still used a lot so some apps might depend on. I think that the default i= s >> bad but I don't think that breaking both function without notice is a goo= d >> solution as users might not be able to catch it especially if it's some >> third party protocol that is not very secure but you don't have choice >> because 3rd party won't change it (that was actually the only case where I= >> used these functions in practice so it's not made up). And even worse if y= ou >> don't have tests, then it breaks just production without a warning... >>=20 >> What I would prefer instead is to deprecate calling >> openssl_(private|public)_(en|de)crypt without a padding parameter. The >> default would stay the same but user would get a deprecation message and t= he >> parameter would become required in PHP 8. We should add a note to the doc= , >> to let the user know what the safest option is. It means OAEP for >> openssl_private_decrypt and openssl_public_encrypt. In case of >> openssl_public_decrypt and openssl_private_encrypt, we support just >> PKCS1v1.5 but if we add support for PSS (would require a little bit of >> tweaking as it works on EVP level only but might add it later), we could >> easily recommend it then. >>=20 >> I have got actually very similar plan for openssl_seal and openssl_open t= hat >> have default method rc4. Again very bad default but the best way how to l= et >> user know is to deprecate it rather than choose new default and break >> compatibility. >>=20 >> Cheers >>=20 >> Jakub >>=20 >>=20 >=20 > Hi Jakub, >=20 >> We can't change default in 7.x as it would be a BC break and in this case= a very hard to catch BC break as the only way how we could let user know ab= out that is a documentation. >=20 > A sane proposal had emerged before I even received this email, via > kemmeta on Reddit: >=20 > https://www.reddit.com/r/PHP/comments/5axmn5/phpinternals_openssl_new_defa= ults_proposal/d9kx8sa/?context=3D1 >=20 > A backwards-compatible interface would default > openssl_public_encrypt() to OAEP, but openssl_private_decrypt() would > default to a new constant: OPENSSL_PKCS1_UNSPECIFIED, which when > passed would first try OAEP and, if a padding error occurred, emit an > E_DEPRECATED and fallback to PKCS1v1.5 (a.k.a. "let's pretend Daniel > Bleichenbacher's research doesn't exist" mode). >=20 > The upside is that better security would be applied opportunistically > in codebases where the PHP developer was not a cryptographer. The > downside is a performance hit unless you specify one mode or another. >=20 > A long term solution would be to not even use RSA anymore. >=20 >> I have got actually very similar plan for openssl_seal and openssl_open t= hat >> have default method rc4. Again very bad default but the best way how to l= et >> user know is to deprecate it rather than choose new default and break >> compatibility. >=20 > If your plan is to get it more in line with libsodium's > crypto_box_seal API, I'd love to see it. >=20 > Scott Arciszewski > Chief Development Officer > Paragon Initiative Enterprises >=20 > --=20 > PHP Internals - PHP Runtime Development Mailing List > To unsubscribe, visit: http://www.php.net/unsub.php >=20 Hey, It might make even more sense to not provide a default here at all. As histo= ry shows that those methods that are considered secure today can become less= -than-desirably secure in a couple of years. Which means the same cycle of d= eprecation/changing defaults in years to come.=