Hi,
I would like to make it easier for PHP developers to implement
cryptography features in their applications. I intend to work on some
of these ideas and submit them for inclusion in PHP 7.1.
Some of these might be familiar to some of you.
- Pluggable Cryptography Frontend
Work is currently underway for a PHP prototype for this idea
originally suggested by ircmaxell, that will basically be like PDO for
cryptography. Our current project name, subject to change, is PHP
Crypto Objects (PCO).
The idea is that you could write code like this to add secure
authenticated encryption to your application without having to worry
about the details.
$AES = new \PCO\Symmetric('openssl:cipher=AES-128');
$ciphertext = $AES->encrypt($plaintext, $someKey);
$PKC = new \PCO\Asymmetric('libsodium');
$offlineDecryptable = $PKC->seal($plaintext, $someX25519PublicKey);
When it's finished, I'd like to turn it into a PECL extension so users
can play with it in PHP 7.0 and submit it for inclusion in 7.1.
- Cache-timing-safe character encoding functions
Alternatives for existing functions that should function like their
unsafe counterparts, but without branches or data-based index lookups.
-
hex2bin()-> hex2bin_ts() -
bin2hex()-> bin2hex_ts() -
base64_encode()-> base64_encode_ts() -
base64_decode()-> base64_decode_ts()
Other formats are out of scope, unless someone can make the case that
we need to support RFC 4648 base32 encoding (e.g. for Tor Hidden
Service integration).
- Other ideas (not yet committed to at all, but might be of interest
to others):
- Improving the OpenSSL API, or at least the documentation
- Adding streaming encryption/decryption support to OpenSSL
- Adding AE and AEAD interfaces to OpenSSL
- Aliasing MCRYPT_AES -> MCRYPT_RIJNDAEL_128, adding MCYPT_MODE_CTR
What I need from you is guidance on what features or changes you want
to see in 7.1 and which can be put off until later (or never proposed
as an RFC at all).
Seriously, all I need is your opinion and whether or not you'd like to
see any of these happen. If you have specific implementation details
you'd like to discuss or requests, of course those are welcome too. :D
"With great ubiquity comes great responsibility." - Matthew Green
https://twitter.com/matthew_d_green/status/578567678492733440
Scott Arciszewski
Chief Development Officer
Paragon Initiative Enterprises <https://paragonie.com
Scott,
Hi,
I would like to make it easier for PHP developers to implement
cryptography features in their applications. I intend to work on some
of these ideas and submit them for inclusion in PHP 7.1.Some of these might be familiar to some of you.
- Pluggable Cryptography Frontend
Work is currently underway for a PHP prototype for this idea
originally suggested by ircmaxell, that will basically be like PDO for
cryptography. Our current project name, subject to change, is PHP
Crypto Objects (PCO).The idea is that you could write code like this to add secure
authenticated encryption to your application without having to worry
about the details.$AES = new \PCO\Symmetric('openssl:cipher=AES-128'); $ciphertext = $AES->encrypt($plaintext, $someKey); $PKC = new \PCO\Asymmetric('libsodium'); $offlineDecryptable = $PKC->seal($plaintext, $someX25519PublicKey);When it's finished, I'd like to turn it into a PECL extension so users
can play with it in PHP 7.0 and submit it for inclusion in 7.1.
- Cache-timing-safe character encoding functions
Alternatives for existing functions that should function like their
unsafe counterparts, but without branches or data-based index lookups.
hex2bin()-> hex2bin_ts()bin2hex()-> bin2hex_ts()base64_encode()-> base64_encode_ts()base64_decode()-> base64_decode_ts()Other formats are out of scope, unless someone can make the case that
we need to support RFC 4648 base32 encoding (e.g. for Tor Hidden
Service integration).
- Other ideas (not yet committed to at all, but might be of interest
to others):
- Improving the OpenSSL API, or at least the documentation
- Adding streaming encryption/decryption support to OpenSSL
- Adding AE and AEAD interfaces to OpenSSL
- Aliasing MCRYPT_AES -> MCRYPT_RIJNDAEL_128, adding MCYPT_MODE_CTR
What I need from you is guidance on what features or changes you want
to see in 7.1 and which can be put off until later (or never proposed
as an RFC at all).Seriously, all I need is your opinion and whether or not you'd like to
see any of these happen. If you have specific implementation details
you'd like to discuss or requests, of course those are welcome too. :D"With great ubiquity comes great responsibility." - Matthew Greenhttps://twitter.com/matthew_d_green/status/578567678492733440
Thank you! You have my full support here (and when I get time my
contributions). I think these projects will go a long way towards
improving security in PHP.
so, Thank You!!!
Anthony
Hi!
- Pluggable Cryptography Frontend
Work is currently underway for a PHP prototype for this idea
originally suggested by ircmaxell, that will basically be like PDO for
cryptography. Our current project name, subject to change, is PHP
Crypto Objects (PCO).
It would be nice to see full RFC (or other extensively documented
proposal) about this. I like the idea, though I wonder isn't mcrypt
essentially doing the same? It would be nice to see the description of
the added value provided over mcrypt, openssl, etc. extensions.
- Cache-timing-safe character encoding functions
Alternatives for existing functions that should function like their
unsafe counterparts, but without branches or data-based index lookups.
hex2bin()-> hex2bin_ts()bin2hex()-> bin2hex_ts()base64_encode()-> base64_encode_ts()base64_decode()-> base64_decode_ts()
Why specifically these functions? It would be nice to hear rationale for
this.
- Improving the OpenSSL API, or at least the documentation
Improving documentation is always a worthy goal!
- Adding streaming encryption/decryption support to OpenSSL
Hm... Implementing streaming cyphers right is not trivial, and if we'd
be doing our own crypto (as opposed to providing API to existing
libraries) we need a real lot of review to be confident it's done right.
What I need from you is guidance on what features or changes you want
to see in 7.1 and which can be put off until later (or never proposed
as an RFC at all).Seriously, all I need is your opinion and whether or not you'd like to
see any of these happen. If you have specific implementation details
you'd like to discuss or requests, of course those are welcome too. :D
I think it'd be nice to see more details on the proposal. I.e.
"improving OpenSSL API" - how? PCO - great, but what API would it offer
and how that API is better than what we have now? The idea of making
crypto easier is great, but if we want to make specific plans as of
which features we want, we need more detailed proposals I think.
--
Stas Malyshev
smalyshev@gmail.com
Hi!
- Pluggable Cryptography Frontend
Work is currently underway for a PHP prototype for this idea
originally suggested by ircmaxell, that will basically be like PDO for
cryptography. Our current project name, subject to change, is PHP
Crypto Objects (PCO).It would be nice to see full RFC (or other extensively documented
proposal) about this. I like the idea, though I wonder isn't mcrypt
essentially doing the same? It would be nice to see the description of
the added value provided over mcrypt, openssl, etc. extensions.
- Cache-timing-safe character encoding functions
Alternatives for existing functions that should function like their
unsafe counterparts, but without branches or data-based index lookups.
hex2bin()-> hex2bin_ts()bin2hex()-> bin2hex_ts()base64_encode()-> base64_encode_ts()base64_decode()-> base64_decode_ts()Why specifically these functions? It would be nice to hear rationale for
this.
- Improving the OpenSSL API, or at least the documentation
Improving documentation is always a worthy goal!
- Adding streaming encryption/decryption support to OpenSSL
Hm... Implementing streaming cyphers right is not trivial, and if we'd
be doing our own crypto (as opposed to providing API to existing
libraries) we need a real lot of review to be confident it's done right.What I need from you is guidance on what features or changes you want
to see in 7.1 and which can be put off until later (or never proposed
as an RFC at all).Seriously, all I need is your opinion and whether or not you'd like to
see any of these happen. If you have specific implementation details
you'd like to discuss or requests, of course those are welcome too. :DI think it'd be nice to see more details on the proposal. I.e.
"improving OpenSSL API" - how? PCO - great, but what API would it offer
and how that API is better than what we have now? The idea of making
crypto easier is great, but if we want to make specific plans as of
which features we want, we need more detailed proposals I think.--
Stas Malyshev
smalyshev@gmail.com
Hi Stanislav,
It would be nice to see full RFC (or other extensively documented
proposal) about this. I like the idea, though I wonder isn't mcrypt
essentially doing the same? It would be nice to see the description of
the added value provided over mcrypt, openssl, etc. extensions.
The idea here isn't too far removed from what PDO does versus mysql_,
mssql_, pgsql_*, etc. except it's probably more critical: Switch
crypto backends with almost zero refactoring; just change your
constructor.
Also, libmcrypt has been abandoned and we should look into rm -rf /ing
ext/mcrypt in a future PHP version (say, 8.0).
https://paragonie.com/blog/2015/05/if-you-re-typing-word-mcrypt-into-your-code-you-re-doing-it-wrong
Why specifically these functions? It would be nice to hear rationale for
this.
Developers are, quite rationally, going to want to store their
encryption key in configuration files. (INI, JSON, XML, YAML, .env
files, etc.) In doing so, they will generally choose to encode these
functions in base-16 or base-64 for storage purposes.
Offering timing-safe encoding functions adds no negligible cost but
prevents cache-timing attacks (especially relevant if you're doing
cryptography in "the cloud" -- check out FLUSH+RELOAD attacks, for
example) that could otherwise leak your secret key.
Hm... Implementing streaming cyphers right is not trivial, and if we'd
be doing our own crypto (as opposed to providing API to existing
libraries) we need a real lot of review to be confident it's done right.
You're right. Luckily this is a road I've already traveled with
defuse/php-encryption.
https://github.com/defuse/php-encryption/pull/78
Anyone who wants to help everyone using PHP 5 while also providing
guidance and words of caution that we can reference when developing
this feature for 7.1 is invited to hammer at that PR.
I think it'd be nice to see more details on the proposal. I.e.
"improving OpenSSL API" - how? PCO - great, but what API would it offer
and how that API is better than what we have now? The idea of making
crypto easier is great, but if we want to make specific plans as of
which features we want, we need more detailed proposals I think.
Which brings me to the meat of the proposal: Although the interface I
introduced in the first post only mentions encrypt() and decrypt(),
that's actually not the whole truth. PCO\Symmetric will only ever, and
this is not negotiable, offer Authenticated Encryption modes:
- AES-CBC + HMAC-SHA256
- AES-CTR + HMAC-SHA256
- AES-GCM
- XSalsa20 + Poly1305
- Salsa20 + Poly1305
- ChaCha20 + Poly1305
openssl_encrypt() does not authenticate ciphertexts for you.
mcrypt_encrypt() does not authenticate ciphertexts for you.
\Sodium\crypto_secretbox() DOES authenticate ciphertexts for you.
If anyone is unclear on why authenticated encryption is important,
I've explained it in great detail here:
https://paragonie.com/blog/2015/05/using-encryption-and-authentication-correctly
Unless your driver does this (e.g. libsodium),
\PCO\Symmetric::encrypt() will always Encrypt then MAC, and verify the
MAC (in constant time!) before decrypting, and the user never has to
concern themselves with such details. All they will know is that their
messages are encrypted, and tampering with the encrypted data throws
an exception when they try to decrypt it afterwards.
There will also be an aeadEncrypt() and aeadDecrypt() interface, which
allows you to authenticate associated data which is not encrypted.
This will all be documented in the RFC when it comes time to open it
(as well as the Github repository for the PHP extension when we get to
this point), so if anyone misses this email don't worry. :)
Scott Arciszewski
Chief Development Officer
Paragon Initiative Enterprises <https://paragonie.com
Hi!
The idea here isn't too far removed from what PDO does versus mysql_,
mssql_, pgsql_*, etc. except it's probably more critical: Switch
crypto backends with almost zero refactoring; just change your
constructor.
So my question here is - how important task is switching crypto backends
easily? Moreover, what would be the reason for me, as an app developer,
to target more than one crypto backend? I can see why I may want to
target mysql and say, SQL server - these two platforms have different
advantages, etc. But if OpenSSL works for my app, why would I need to
support any other backend? Do I have a chance of a client saying "oh, we
don't run apps using OpenSSL, only libsodium"? Abstraction is a nice
thing, but in this case I'm not sure about the added value. Of course,
if crypto library goes out of support - like mcrypt - it can be handy,
but given that each library probably will have own peculiarities, I'm
not sure abstraction would allow for clean switch anyway.
Developers are, quite rationally, going to want to store their
encryption key in configuration files. (INI, JSON, XML, YAML, .env
files, etc.) In doing so, they will generally choose to encode these
functions in base-16 or base-64 for storage purposes.
OK, that makes sense. Do current base64 decoding libs have timing
problems allowing to devise key bits? The code seems pretty simple,
though it does have a lookup there, so in theory that might influence
the timing.
Hm... Implementing streaming cyphers right is not trivial, and if we'd
be doing our own crypto (as opposed to providing API to existing
libraries) we need a real lot of review to be confident it's done right.You're right. Luckily this is a road I've already traveled with
defuse/php-encryption.
By traveled, do you mean that this library has been reviewed and
approved by professional cryptologists and crypt-analysts?
Which brings me to the meat of the proposal: Although the interface I
introduced in the first post only mentions encrypt() and decrypt(),
that's actually not the whole truth. PCO\Symmetric will only ever, and
this is not negotiable, offer Authenticated Encryption modes:
OK, that looks like added value. Doing authenticated encryption right
now is not obvious and easy to mess up.
There will also be an aeadEncrypt() and aeadDecrypt() interface, which
allows you to authenticate associated data which is not encrypted.
This also sounds good but I'm worried about data formats - encrypted
data tend to be exchanged between heterogeneous systems, so I think we
should make decoding the resulting message easy without implementing
special code (which also could have security problems).
This will all be documented in the RFC when it comes time to open it
(as well as the Github repository for the PHP extension when we get to
this point), so if anyone misses this email don't worry. :)
Thanks, that sounds good!
Stas Malyshev
smalyshev@gmail.com
Hi!
The idea here isn't too far removed from what PDO does versus mysql_,
mssql_, pgsql_*, etc. except it's probably more critical: Switch
crypto backends with almost zero refactoring; just change your
constructor.So my question here is - how important task is switching crypto backends
easily? Moreover, what would be the reason for me, as an app developer,
to target more than one crypto backend? I can see why I may want to
target mysql and say, SQL server - these two platforms have different
advantages, etc. But if OpenSSL works for my app, why would I need to
support any other backend? Do I have a chance of a client saying "oh, we
don't run apps using OpenSSL, only libsodium"? Abstraction is a nice
thing, but in this case I'm not sure about the added value. Of course,
if crypto library goes out of support - like mcrypt - it can be handy,
but given that each library probably will have own peculiarities, I'm
not sure abstraction would allow for clean switch anyway.Developers are, quite rationally, going to want to store their
encryption key in configuration files. (INI, JSON, XML, YAML, .env
files, etc.) In doing so, they will generally choose to encode these
functions in base-16 or base-64 for storage purposes.OK, that makes sense. Do current base64 decoding libs have timing
problems allowing to devise key bits? The code seems pretty simple,
though it does have a lookup there, so in theory that might influence
the timing.Hm... Implementing streaming cyphers right is not trivial, and if we'd
be doing our own crypto (as opposed to providing API to existing
libraries) we need a real lot of review to be confident it's done right.You're right. Luckily this is a road I've already traveled with
defuse/php-encryption.By traveled, do you mean that this library has been reviewed and
approved by professional cryptologists and crypt-analysts?Which brings me to the meat of the proposal: Although the interface I
introduced in the first post only mentions encrypt() and decrypt(),
that's actually not the whole truth. PCO\Symmetric will only ever, and
this is not negotiable, offer Authenticated Encryption modes:OK, that looks like added value. Doing authenticated encryption right
now is not obvious and easy to mess up.There will also be an aeadEncrypt() and aeadDecrypt() interface, which
allows you to authenticate associated data which is not encrypted.This also sounds good but I'm worried about data formats - encrypted
data tend to be exchanged between heterogeneous systems, so I think we
should make decoding the resulting message easy without implementing
special code (which also could have security problems).This will all be documented in the RFC when it comes time to open it
(as well as the Github repository for the PHP extension when we get to
this point), so if anyone misses this email don't worry. :)Thanks, that sounds good!
Stas Malyshev
smalyshev@gmail.com
Hi Stas,
By traveled, do you mean that this library has been reviewed and
approved by professional cryptologists and crypt-analysts?
This is probably my favorite question, because it's a very challenging
one to answer with adequate precision. I will, however, attempt to do
so! :)
The answer to your question is: It depends on your criteria.
I don't know who you would consider to be "professional cryptologists
and crypt-analysts", so I can't just say "yes" or "no" without
possibly being wrong.
Would you consider Taylor Hornby (the author of the library) a
professional? How about Anthony Ferrara (a board member for the
Password Hashing Contest)? I would.
If you consider the combined efforts of everyone who has contributed
to Defuse's library to account for anything at all, including myself,
then I'm going to say "Yes."
Sidenote: would you consider me a professional, in any capacity? If
not, would it matter if I took the time to document and list all of
the (cryptography related) vulnerabilities I've found and reported in
other peoples' projects, or all of the literature I've written on the
subject? Surely that counts for proof of competence in the field, even
if I'm not entrenched deep enough in academia to have published papers
or allocated time to studying cryptography primitives (e.g. block
cipher cryptanalysis)?
I'm also not sure who all Taylor has asked to examine the library or
what their findings were. I do know, if any were found, they would be
fixed immediately. Maybe others (Solar Designer, Daira Hopwood, Zooko
Wilcox-O'hearn, et al.) have looked at it and found no
vulnerabilities? I can't speak for anyone else.
However, as of today, nobody has been ponied up thousands of dollars
to hire someone else to review it line-by-line and attempt to make it
fail to encrypt/decrypt data safely. Neither myself nor Taylor are
rich, but if that's what it takes to guarantee a "yes" answer to your
question, and anyone would like to cover this expense, please let
Taylor know. He would be positively thrilled to hear it.
As for my pull request, it's probably best to discuss that on Github
with others. Schneier's Law dictates that nothing I say about the
security of my own code matters. However, I can say with reasonable
certainty that the following issues have been addressed:
- The File class only provides authenticated encryption using
AES-128-CTR with HMAC-SHA256 (facilitated by OpenSSL). - During decryption, the MAC is recalculated over the the entire file
and verified against the MAC stored at the end of the file. - MACs are compared in constant time.
- TOCTOU is mitigated during decryption by keeping MACs of each chunk
in memory and verifying each before continuing decryption, so race
conditions (i.e. overwriting or rearranging blocks in the file after
the MAC has been verified) will not allow arbitrary ciphertext
forgery.
If there is a cryptography concern not listed above, that means it
either isn't fresh on my memory (i.e. it's obvious), or it hasn't come
up and might be a source of insecurity in the current iteration of
File.php :O
With all that said, more scrutiny is always welcomed.
Scott Arciszewski
Chief Development Officer
Paragon Initiative Enterprises <https://paragonie.com
Hi!
The idea here isn't too far removed from what PDO does versus mysql_,
mssql_, pgsql_*, etc. except it's probably more critical: Switch
crypto backends with almost zero refactoring; just change your
constructor.So my question here is - how important task is switching crypto backends
easily? Moreover, what would be the reason for me, as an app developer,
to target more than one crypto backend? I can see why I may want to
target mysql and say, SQL server - these two platforms have different
advantages, etc. But if OpenSSL works for my app, why would I need to
support any other backend? Do I have a chance of a client saying "oh, we
don't run apps using OpenSSL, only libsodium"? Abstraction is a nice
thing, but in this case I'm not sure about the added value. Of course,
if crypto library goes out of support - like mcrypt - it can be handy,
but given that each library probably will have own peculiarities, I'm
not sure abstraction would allow for clean switch anyway.Developers are, quite rationally, going to want to store their
encryption key in configuration files. (INI, JSON, XML, YAML, .env
files, etc.) In doing so, they will generally choose to encode these
functions in base-16 or base-64 for storage purposes.OK, that makes sense. Do current base64 decoding libs have timing
problems allowing to devise key bits? The code seems pretty simple,
though it does have a lookup there, so in theory that might influence
the timing.Hm... Implementing streaming cyphers right is not trivial, and if we'd
be doing our own crypto (as opposed to providing API to existing
libraries) we need a real lot of review to be confident it's done right.You're right. Luckily this is a road I've already traveled with
defuse/php-encryption.By traveled, do you mean that this library has been reviewed and
approved by professional cryptologists and crypt-analysts?Which brings me to the meat of the proposal: Although the interface I
introduced in the first post only mentions encrypt() and decrypt(),
that's actually not the whole truth. PCO\Symmetric will only ever, and
this is not negotiable, offer Authenticated Encryption modes:OK, that looks like added value. Doing authenticated encryption right
now is not obvious and easy to mess up.There will also be an aeadEncrypt() and aeadDecrypt() interface, which
allows you to authenticate associated data which is not encrypted.This also sounds good but I'm worried about data formats - encrypted
data tend to be exchanged between heterogeneous systems, so I think we
should make decoding the resulting message easy without implementing
special code (which also could have security problems).This will all be documented in the RFC when it comes time to open it
(as well as the Github repository for the PHP extension when we get to
this point), so if anyone misses this email don't worry. :)Thanks, that sounds good!
Stas Malyshev
smalyshev@gmail.comHi Stas,
By traveled, do you mean that this library has been reviewed and
approved by professional cryptologists and crypt-analysts?This is probably my favorite question, because it's a very challenging
one to answer with adequate precision. I will, however, attempt to do
so! :)The answer to your question is: It depends on your criteria.
I don't know who you would consider to be "professional cryptologists
and crypt-analysts", so I can't just say "yes" or "no" without
possibly being wrong.Would you consider Taylor Hornby (the author of the library) a
professional? How about Anthony Ferrara (a board member for the
Password Hashing Contest)? I would.If you consider the combined efforts of everyone who has contributed
to Defuse's library to account for anything at all, including myself,
then I'm going to say "Yes."Sidenote: would you consider me a professional, in any capacity? If
not, would it matter if I took the time to document and list all of
the (cryptography related) vulnerabilities I've found and reported in
other peoples' projects, or all of the literature I've written on the
subject? Surely that counts for proof of competence in the field, even
if I'm not entrenched deep enough in academia to have published papers
or allocated time to studying cryptography primitives (e.g. block
cipher cryptanalysis)?I'm also not sure who all Taylor has asked to examine the library or
what their findings were. I do know, if any were found, they would be
fixed immediately. Maybe others (Solar Designer, Daira Hopwood, Zooko
Wilcox-O'hearn, et al.) have looked at it and found no
vulnerabilities? I can't speak for anyone else.However, as of today, nobody has been ponied up thousands of dollars
to hire someone else to review it line-by-line and attempt to make it
fail to encrypt/decrypt data safely. Neither myself nor Taylor are
rich, but if that's what it takes to guarantee a "yes" answer to your
question, and anyone would like to cover this expense, please let
Taylor know. He would be positively thrilled to hear it.As for my pull request, it's probably best to discuss that on Github
with others. Schneier's Law dictates that nothing I say about the
security of my own code matters. However, I can say with reasonable
certainty that the following issues have been addressed:
- The File class only provides authenticated encryption using
AES-128-CTR with HMAC-SHA256 (facilitated by OpenSSL).- During decryption, the MAC is recalculated over the the entire file
and verified against the MAC stored at the end of the file.- MACs are compared in constant time.
- TOCTOU is mitigated during decryption by keeping MACs of each chunk
in memory and verifying each before continuing decryption, so race
conditions (i.e. overwriting or rearranging blocks in the file after
the MAC has been verified) will not allow arbitrary ciphertext
forgery.If there is a cryptography concern not listed above, that means it
either isn't fresh on my memory (i.e. it's obvious), or it hasn't come
up and might be a source of insecurity in the current iteration of
File.php :OWith all that said, more scrutiny is always welcomed.
Scott Arciszewski
Chief Development Officer
Paragon Initiative Enterprises https://paragonie.com
Drat, quick correction: Point 2 of that list should read "Before
decryption, the MAC ..."
It's strictly Encrypt-then-MAC, Verify-then-Decrypt.
Scott Arciszewski
Chief Development Officer
Paragon Initiative Enterprises <https://paragonie.com
All,
How about Anthony Ferrara (a board member for the
Password Hashing Contest)?
For the record, my only involvement with the PHC is as a passive
observer. I am not on the board nor have I been actively involved.
Anthony
All,
How about Anthony Ferrara (a board member for the
Password Hashing Contest)?For the record, my only involvement with the PHC is as a passive
observer. I am not on the board nor have I been actively involved.Anthony
Yeah, sorry, that was my mistake. One of many, I mean.
Sorry for any confusion.
Scott Arciszewski
Chief Development Officer
Paragon Initiative Enterprises <https://paragonie.com
So my question here is - how important task is switching crypto backends
easily? Moreover, what would be the reason for me, as an app developer,
to target more than one crypto backend? I can see why I may want to
target mysql and say, SQL server - these two platforms have different
advantages, etc. But if OpenSSL works for my app, why would I need to
support any other backend? Do I have a chance of a client saying "oh, we
don't run apps using OpenSSL, only libsodium"? Abstraction is a nice
thing, but in this case I'm not sure about the added value. Of course,
if crypto library goes out of support - like mcrypt - it can be handy,
but given that each library probably will have own peculiarities, I'm
not sure abstraction would allow for clean switch anyway.
Yes, it's important if libraries are abandoned or you want to switch to
another
backend, because you finally decided you don't want to trust OpenSSL
anymore.
Regards, Niklas
- Adding streaming encryption/decryption support to OpenSSL
Hm... Implementing streaming cyphers right is not trivial, and if we'd
be doing our own crypto (as opposed to providing API to existing
libraries) we need a real lot of review to be confident it's done right.
I totally agree. Except bundling existing widely used code (if really
necessary, like what we did for blowfish for example), I would
strongly recommend to never even try to implement our own crypto
features.
Cheers,
Pierre
@pierrejoye | http://www.libgd.org
$AES = new \PCO\Symmetric('openssl:cipher=AES-128');
It would be great if you could just ask for cipher=AES-128 without
explicitly specifying the provider (openssl).
--
Lauri Kenttä
>
>
>> $AES = new \PCO\Symmetric('openssl:cipher=AES-128');
>>
>
> It would be great if you could just ask for cipher=AES-128 without
> explicitly specifying the provider (openssl).
>
>
Even better would be splitting arguments up. There's not much point to
multi-valued arguments, they're just harder to parse/memorize.
If you need a common constructor, use a configuration object instead of a
made-up string format.
Apart from that, thumbs up on this!
--
WWW: plphp.dk / plind.dk
CV: careers.stackoverflow.com/peterlind
LinkedIn: plind
Twitter: kafe15
$AES = new \PCO\Symmetric('openssl:cipher=AES-128');It would be great if you could just ask for cipher=AES-128 without
explicitly specifying the provider (openssl).Even better would be splitting arguments up. There's not much point to
multi-valued arguments, they're just harder to parse/memorize.
If you need a common constructor, use a configuration object instead of a
made-up string format.Apart from that, thumbs up on this!
--
<hype>
WWW: plphp.dk / plind.dk
CV: careers.stackoverflow.com/peterlind
LinkedIn: plind
Twitter: kafe15
</hype>
Hi Peter,
It's not really a "made-up string format", in the sense that it has a
precedent (PDO).
Hopefully my response to Lauri makes this design decision seem more reasonable.
Regards,
Scott Arciszewski
Chief Development Officer
Paragon Initiative Enterprises <https://paragonie.com
Hi Peter,
It's not really a "made-up string format", in the sense that it has a
precedent (PDO).
True, and that format sucks royally. It trips people up.
Combining several arguments into one string is bad design. If it was good
design, you'd see userland code using it all over the place.
Hopefully my response to Lauri makes this design decision seem more
reasonable.
No, quite the opposite.
You're arguing that this:
new \Namespace\Class(":cipher=AES-256;mode=GCM");
is easier to work with than:
new \Namespace\Class(null, 'AES-256', 'GCM');
Or possibly
$config = new \Namespace\ConfigClass();
$config->setCipher('AES-256')
->setMode('GCM');
$crypto = new \Namespace\Class($config);
Your parameter layout may be easier for you to deal with, but all the
people you're trying to help with this will be worse off for it.
PDOs constructor has only lead to more debugging, not better code (unlike
the rest of PDO).
Regards
Peter
Hi Peter,
It's not really a "made-up string format", in the sense that it has a
precedent (PDO).True, and that format sucks royally. It trips people up.
Combining several arguments into one string is bad design. If it was good
design, you'd see userland code using it all over the place.Hopefully my response to Lauri makes this design decision seem more
reasonable.No, quite the opposite.
You're arguing that this:
new \Namespace\Class(":cipher=AES-256;mode=GCM");
is easier to work with than:
new \Namespace\Class(null, 'AES-256', 'GCM');
Or possibly
$config = new \Namespace\ConfigClass();
$config->setCipher('AES-256')
->setMode('GCM');$crypto = new \Namespace\Class($config);
Your parameter layout may be easier for you to deal with, but all the people
you're trying to help with this will be worse off for it.
PDOs constructor has only lead to more debugging, not better code (unlike
the rest of PDO).Regards
Peter
Hi Peter,
I'm not particularly married to a particular constructor format. This
is a good discussion to have.
Scott Arciszewski
Chief Development Officer
Paragon Initiative Enterprises <https://paragonie.com
Hi Peter,
It's not really a "made-up string format", in the sense that it has a
precedent (PDO).True, and that format sucks royally. It trips people up.
Combining several arguments into one string is bad design. If it was good
design, you'd see userland code using it all over the place.
I will fully agree that PDO's constructor format is terrible. Not only does
it lead to confusion but it thwarts any IDE's attempt to help the dev fill
the constructor arguments. I'm in favor of a format more like new \Namespace\Class(null, 'AES-256', 'GCM');
As far as the rest of the discussion goes, I am +1.
$AES = new \PCO\Symmetric('openssl:cipher=AES-128');It would be great if you could just ask for cipher=AES-128 without
explicitly specifying the provider (openssl).--
Lauri Kenttä
Hi Lauri,
That's a good suggestion that has come up before in the draft discussion.
We're still discussing the DSN string for the constructor. These are
what the options look like, currently:
- ":cipher=AES-256;mode=GCM" should use whatever driver allows
aes-256-gcm`or throw an exception if none are available - "openssl:cipher=AES-256;mode=GCM" should use specifically openssl
for aes-256-gcm, and throw an exception if openssl is not installed - "libsodium" should use libsodium (or throw an exception if it's not
installed) in the default configuration - "openssl" should use openssl in a secure, sane default
- "openssl:cipher=AES-128;mode=ECB" should throw an exception because
we do not allow secure modes - "openssl:cipher=AES-128;hash=SHA256" should use AES-128-CTR with HMAC-SHA-256
- "openssl:cipher=AES-192;mode=CBC;hash=SHA384" should use AES-192-CBC
with HMAC-SHA-384
Version and configuration information (not what is passed, but what is
used) will be stored in the first few bytes of ciphertext output.
Cheers,
Scott Arciszewski
Chief Development Officer
Paragon Initiative Enterprises <https://paragonie.com
we do not allow secure modes
I hope that was a typo... ;)
Version and configuration information (not what is passed, but what is
used) will be stored in the first few bytes of ciphertext output.
Will this information be specific to the driver or to PCO, or is it
possible to use other software for decryption? Will the API have a way
to decrypt data based on that information (that is, without passing a
DSN to the constructor)? How about producing a human-readable DSN of the
relevant and/or all used settings to solve both of these cases?
--
Lauri Kenttä
Lauri,
we do not allow secure modes
I hope that was a typo... ;)
Indeed, it was not.
The concept for this (I've been working with Scott on it) is that this
should be a high-level abstraction. And any good high level
abstraction should make assumptions for its users. One of them is that
they want to be secure.
If you want to build an insecure cipher, the primitives will still
exist (openssl/etc).
Version and configuration information (not what is passed, but what is
used) will be stored in the first few bytes of ciphertext output.Will this information be specific to the driver or to PCO, or is it possible
to use other software for decryption? Will the API have a way to decrypt
data based on that information (that is, without passing a DSN to the
constructor)? How about producing a human-readable DSN of the relevant
and/or all used settings to solve both of these cases?
Rather than human readable (since that would consume a lot of space in
the resulting ciphertext), I'd suggest a formalized open specification
of the storage formats. Similar to the headers used by TLS and other
formats. That way anyone can build to the specification, which would
be maintained along side the implementation.
So something like:
byte 0 : Version identifier
Version 1:
byte 1 : cipher identifier
byte 2 : mode identifier
byte 3 : authmode identifier
byte 4-8 : cipher-specific settings
At least that's my thoughts.
Anthony
Hi Anthony,
Am 04.08.2015 um 15:25 schrieb Anthony Ferrara:
Lauri,
we do not allow secure modes
I hope that was a typo... ;)
Indeed, it was not.
If you want to build an insecure cipher, the primitives will still
exist (openssl/etc).
The point here is the missing "in" in the original quote ;-=
Rather than human readable (since that would consume a lot of space in
the resulting ciphertext), I'd suggest a formalized open specification
of the storage formats. Similar to the headers used by TLS and other
formats. That way anyone can build to the specification, which would
be maintained along side the implementation.So something like:
byte 0 : Version identifier
Version 1:
byte 1 : cipher identifier
byte 2 : mode identifier
byte 3 : authmode identifier
byte 4-8 : cipher-specific settings
That is a very good idea to have some crypto format specification that
contains the meta data. But is this such a new idea that now format
exists already that can hold the required information? No available
format we can embrace and that has implementations already?
Greets
Dennis
Hi!
of the storage formats. Similar to the headers used by TLS and other
formats. That way anyone can build to the specification, which would
be maintained along side the implementation.
I'm not a big fan of the idea that to talk to the PHP script, I will
have now to have yet another set of client libraries in Java, Ruby,
Python, Go, C#, etc. just because I'd need to read those headers to get
to the content. And of course I will have to update all of those each
time new version, encryption protocol, option, etc. comes out.
--
Stas Malyshev
smalyshev@gmail.com
Hi!
We're still discussing the DSN string for the constructor. These are
what the options look like, currently:
I think it's better to separate the arguments. I understand why PDO
makes such strings - there can be all kinds of options, and it's hard to
configure - i.e. in ini files - if it's not a single string. However, I
think in this case it's less of a concern, and while composing this
string it's too easy to make a mistake with bad consequences.
- "openssl" should use openssl in a secure, sane default
That's kind of open-ended... Secure, sane default to do what?
Version and configuration information (not what is passed, but what is
used) will be stored in the first few bytes of ciphertext output.
That means new cyphertext format. Which makes these functions
incompatible with every other encryption/decryption functions out there
(i.e., if you talk to Java app using these functions, you'd have to
implement your own decryption routines in Java too). Is that really a
good idea?
--
Stas Malyshev
smalyshev@gmail.com
Hi,
On Mon, Aug 3, 2015 at 9:54 PM, Scott Arciszewski scott@paragonie.com
wrote:
Hi,
I would like to make it easier for PHP developers to implement
cryptography features in their applications. I intend to work on some
of these ideas and submit them for inclusion in PHP 7.1.Some of these might be familiar to some of you.
- Pluggable Cryptography Frontend
Work is currently underway for a PHP prototype for this idea
originally suggested by ircmaxell, that will basically be like PDO for
cryptography. Our current project name, subject to change, is PHP
Crypto Objects (PCO).The idea is that you could write code like this to add secure
authenticated encryption to your application without having to worry
about the details.$AES = new \PCO\Symmetric('openssl:cipher=AES-128'); $ciphertext = $AES->encrypt($plaintext, $someKey); $PKC = new \PCO\Asymmetric('libsodium'); $offlineDecryptable = $PKC->seal($plaintext, $someX25519PublicKey);When it's finished, I'd like to turn it into a PECL extension so users
can play with it in PHP 7.0 and submit it for inclusion in 7.1.
- Cache-timing-safe character encoding functions
Alternatives for existing functions that should function like their
unsafe counterparts, but without branches or data-based index lookups.
hex2bin()-> hex2bin_ts()bin2hex()-> bin2hex_ts()base64_encode()-> base64_encode_ts()base64_decode()-> base64_decode_ts()Other formats are out of scope, unless someone can make the case that
we need to support RFC 4648 base32 encoding (e.g. for Tor Hidden
Service integration).
- Other ideas (not yet committed to at all, but might be of interest
to others):
- Improving the OpenSSL API, or at least the documentation
- Adding streaming encryption/decryption support to OpenSSL
- Adding AE and AEAD interfaces to OpenSSL
- Aliasing MCRYPT_AES -> MCRYPT_RIJNDAEL_128, adding MCYPT_MODE_CTR
What I need from you is guidance on what features or changes you want
to see in 7.1 and which can be put off until later (or never proposed
as an RFC at all).Seriously, all I need is your opinion and whether or not you'd like to
see any of these happen. If you have specific implementation details
you'd like to discuss or requests, of course those are welcome too. :D
I have been actually working on something similar for some time. It's
already on PECL and it's called php-crypto:
https://github.com/bukka/php-crypto
I have been doing lots of changes and fixes including support for PHP 7 (it
also supports PHP 5 using https://github.com/bukka/phpc wrapper) and php
streams. The internal part has been almost completely rewritten since
version 0.1.0 and I plan to release soon 0.2.0 so I will send some update
then.
I'm currently working on fixing some issues, improving tests and mainly
documentation that is still very incomplete (just hash is partially
documented in the main readme) so probably the best doc at the moment is
generated api doc:
https://github.com/bukka/php-crypto/blob/master/docs/Crypto.php
There also are some examples in
https://github.com/bukka/php-crypto/blob/master/examples and even more
examples in tests where is about 70 tests:
https://github.com/bukka/php-crypto/blob/master/tests
In case you are interested in what I plan to do in the near future, it's
all in my TODO list: https://github.com/bukka/php-crypto/blob/master/TODO.md
In the long term I would like to add support for asymmetric encryption. I
actually wrote an extension called php-rsa (
https://github.com/bukka/php-rsa ) just to play with OpenSSL rsa.h (there
is no doc but you can look to the tests if you are interested). However the
way how it should be done in crypto is more about using PKEY which is much
more flexible but it will be supported only for OpenSSL 1.0.0+.
The providers (pluggable api) is a nice thing but it will require quite a
bit of thinking to make it right from the internal PoV (address all needs
of particular libs - especially OpenSSL) and it's quite a bit of work as
well :) But it would be definitely nice to have and I have been thinking
about it for some time. But the priority is a creating of a good wrapper
for OpenSSL first and then split it to more layers.
Cheers
Jakub
Hi,
On Mon, Aug 3, 2015 at 9:54 PM, Scott Arciszewski scott@paragonie.com
wrote:Hi,
I would like to make it easier for PHP developers to implement
cryptography features in their applications. I intend to work on some
of these ideas and submit them for inclusion in PHP 7.1.Some of these might be familiar to some of you.
- Pluggable Cryptography Frontend
Work is currently underway for a PHP prototype for this idea
originally suggested by ircmaxell, that will basically be like PDO for
cryptography. Our current project name, subject to change, is PHP
Crypto Objects (PCO).The idea is that you could write code like this to add secure
authenticated encryption to your application without having to worry
about the details.$AES = new \PCO\Symmetric('openssl:cipher=AES-128'); $ciphertext = $AES->encrypt($plaintext, $someKey); $PKC = new \PCO\Asymmetric('libsodium'); $offlineDecryptable = $PKC->seal($plaintext, $someX25519PublicKey);When it's finished, I'd like to turn it into a PECL extension so users
can play with it in PHP 7.0 and submit it for inclusion in 7.1.
- Cache-timing-safe character encoding functions
Alternatives for existing functions that should function like their
unsafe counterparts, but without branches or data-based index lookups.
hex2bin()-> hex2bin_ts()bin2hex()-> bin2hex_ts()base64_encode()-> base64_encode_ts()base64_decode()-> base64_decode_ts()Other formats are out of scope, unless someone can make the case that
we need to support RFC 4648 base32 encoding (e.g. for Tor Hidden
Service integration).
- Other ideas (not yet committed to at all, but might be of interest
to others):
- Improving the OpenSSL API, or at least the documentation
- Adding streaming encryption/decryption support to OpenSSL
- Adding AE and AEAD interfaces to OpenSSL
- Aliasing MCRYPT_AES -> MCRYPT_RIJNDAEL_128, adding MCYPT_MODE_CTR
What I need from you is guidance on what features or changes you want
to see in 7.1 and which can be put off until later (or never proposed
as an RFC at all).Seriously, all I need is your opinion and whether or not you'd like to
see any of these happen. If you have specific implementation details
you'd like to discuss or requests, of course those are welcome too. :DI have been actually working on something similar for some time. It's
already on PECL and it's called php-crypto:https://github.com/bukka/php-crypto
I have been doing lots of changes and fixes including support for PHP 7 (it
also supports PHP 5 using https://github.com/bukka/phpc wrapper) and php
streams. The internal part has been almost completely rewritten since
version 0.1.0 and I plan to release soon 0.2.0 so I will send some update
then.I'm currently working on fixing some issues, improving tests and mainly
documentation that is still very incomplete (just hash is partially
documented in the main readme) so probably the best doc at the moment is
generated api doc:https://github.com/bukka/php-crypto/blob/master/docs/Crypto.php
There also are some examples in
https://github.com/bukka/php-crypto/blob/master/examples and even more
examples in tests where is about 70 tests:
https://github.com/bukka/php-crypto/blob/master/testsIn case you are interested in what I plan to do in the near future, it's all
in my TODO list: https://github.com/bukka/php-crypto/blob/master/TODO.mdIn the long term I would like to add support for asymmetric encryption. I
actually wrote an extension called php-rsa (
https://github.com/bukka/php-rsa ) just to play with OpenSSL rsa.h (there is
no doc but you can look to the tests if you are interested). However the way
how it should be done in crypto is more about using PKEY which is much more
flexible but it will be supported only for OpenSSL 1.0.0+.The providers (pluggable api) is a nice thing but it will require quite a
bit of thinking to make it right from the internal PoV (address all needs of
particular libs - especially OpenSSL) and it's quite a bit of work as well
:) But it would be definitely nice to have and I have been thinking about it
for some time. But the priority is a creating of a good wrapper for OpenSSL
first and then split it to more layers.Cheers
Jakub
This does not appear to authenticate ciphertexts, nor does it serve as
a gateway to Libsodium / OpenSSL.
We are, in fact, working on different projects with different goals.
In the long term I would like to add support for asymmetric encryption. I
actually wrote an extension called php-rsa (
https://github.com/bukka/php-rsa ) just to play with OpenSSL rsa.h (there is
no doc but you can look to the tests if you are interested). However the way
how it should be done in crypto is more about using PKEY which is much more
flexible but it will be supported only for OpenSSL 1.0.0+.
Strictly personally speaking, I'm far more interested in EdDSA and
ECDH than I am in RSA.
Scott Arciszewski
Chief Development Officer
Paragon Initiative Enterprises <https://paragonie.com
On Tue, Aug 4, 2015 at 2:13 PM, Scott Arciszewski scott@paragonie.com
wrote:
Hi,
On Mon, Aug 3, 2015 at 9:54 PM, Scott Arciszewski scott@paragonie.com
wrote:Hi,
I would like to make it easier for PHP developers to implement
cryptography features in their applications. I intend to work on some
of these ideas and submit them for inclusion in PHP 7.1.Some of these might be familiar to some of you.
- Pluggable Cryptography Frontend
Work is currently underway for a PHP prototype for this idea
originally suggested by ircmaxell, that will basically be like PDO for
cryptography. Our current project name, subject to change, is PHP
Crypto Objects (PCO).The idea is that you could write code like this to add secure
authenticated encryption to your application without having to worry
about the details.$AES = new \PCO\Symmetric('openssl:cipher=AES-128'); $ciphertext = $AES->encrypt($plaintext, $someKey); $PKC = new \PCO\Asymmetric('libsodium'); $offlineDecryptable = $PKC->seal($plaintext, $someX25519PublicKey);When it's finished, I'd like to turn it into a PECL extension so users
can play with it in PHP 7.0 and submit it for inclusion in 7.1.
- Cache-timing-safe character encoding functions
Alternatives for existing functions that should function like their
unsafe counterparts, but without branches or data-based index lookups.
hex2bin()-> hex2bin_ts()bin2hex()-> bin2hex_ts()base64_encode()-> base64_encode_ts()base64_decode()-> base64_decode_ts()Other formats are out of scope, unless someone can make the case that
we need to support RFC 4648 base32 encoding (e.g. for Tor Hidden
Service integration).
- Other ideas (not yet committed to at all, but might be of interest
to others):
- Improving the OpenSSL API, or at least the documentation
- Adding streaming encryption/decryption support to OpenSSL
- Adding AE and AEAD interfaces to OpenSSL
- Aliasing MCRYPT_AES -> MCRYPT_RIJNDAEL_128, adding MCYPT_MODE_CTR
What I need from you is guidance on what features or changes you want
to see in 7.1 and which can be put off until later (or never proposed
as an RFC at all).Seriously, all I need is your opinion and whether or not you'd like to
see any of these happen. If you have specific implementation details
you'd like to discuss or requests, of course those are welcome too. :DI have been actually working on something similar for some time. It's
already on PECL and it's called php-crypto:https://github.com/bukka/php-crypto
I have been doing lots of changes and fixes including support for PHP 7
(it
also supports PHP 5 using https://github.com/bukka/phpc wrapper) and php
streams. The internal part has been almost completely rewritten since
version 0.1.0 and I plan to release soon 0.2.0 so I will send some update
then.I'm currently working on fixing some issues, improving tests and mainly
documentation that is still very incomplete (just hash is partially
documented in the main readme) so probably the best doc at the moment is
generated api doc:https://github.com/bukka/php-crypto/blob/master/docs/Crypto.php
There also are some examples in
https://github.com/bukka/php-crypto/blob/master/examples and even more
examples in tests where is about 70 tests:
https://github.com/bukka/php-crypto/blob/master/testsIn case you are interested in what I plan to do in the near future, it's
all
in my TODO list: https://github.com/bukka/php-crypto/blob/master/TODO.mdIn the long term I would like to add support for asymmetric encryption. I
actually wrote an extension called php-rsa (
https://github.com/bukka/php-rsa ) just to play with OpenSSL rsa.h
(there is
no doc but you can look to the tests if you are interested). However the
way
how it should be done in crypto is more about using PKEY which is much
more
flexible but it will be supported only for OpenSSL 1.0.0+.The providers (pluggable api) is a nice thing but it will require quite a
bit of thinking to make it right from the internal PoV (address all
needs of
particular libs - especially OpenSSL) and it's quite a bit of work as
well
:) But it would be definitely nice to have and I have been thinking
about it
for some time. But the priority is a creating of a good wrapper for
OpenSSL
first and then split it to more layers.Cheers
Jakub
This does not appear to authenticate ciphertexts, nor does it serve as
a gateway to Libsodium / OpenSSL.
It has a general wrapper for EVP_CIPHER including AEAD modes (gcm):
https://github.com/bukka/php-crypto/blob/master/examples/gcm.php
In addition there is a support for HMAC as well as CMAC so you can
authenticate ciphertext of course.
My primary goal is to provide such functionality so the user can use it.
Not exactly the same goal as Sodium but it definitely serves as a gateway
to OpenSSL crypto lib...
We are, in fact, working on different projects with different goals.
I said similar, not the same... :)
In the long term I would like to add support for asymmetric encryption. I
actually wrote an extension called php-rsa (
https://github.com/bukka/php-rsa ) just to play with OpenSSL rsa.h
(there is
no doc but you can look to the tests if you are interested). However the
way
how it should be done in crypto is more about using PKEY which is much
more
flexible but it will be supported only for OpenSSL 1.0.0+.Strictly personally speaking, I'm far more interested in EdDSA and
ECDH than I am in RSA.
RSA was just one of the examples of the low level api. What I was trying to
say is that I would like to use EVP_PKEY over low level apis. ECDH and
ECDSA can be of course used by EVP_PKEY interface and should be supported...
Anyway good luck with your project! ;)
Jakub
Hi,
I would like to make it easier for PHP developers to implement
cryptography features in their applications. I intend to work on some
of these ideas and submit them for inclusion in PHP 7.1.
Awesome and long due work :)
Some of these might be familiar to some of you.
- Pluggable Cryptography Frontend
Work is currently underway for a PHP prototype for this idea
originally suggested by ircmaxell, that will basically be like PDO for
cryptography. Our current project name, subject to change, is PHP
Crypto Objects (PCO).The idea is that you could write code like this to add secure
authenticated encryption to your application without having to worry
about the details.$AES = new \PCO\Symmetric('openssl:cipher=AES-128'); $ciphertext = $AES->encrypt($plaintext, $someKey); $PKC = new \PCO\Asymmetric('libsodium'); $offlineDecryptable = $PKC->seal($plaintext, $someX25519PublicKey);When it's finished, I'd like to turn it into a PECL extension so users
can play with it in PHP 7.0 and submit it for inclusion in 7.1.
I like the idea of a common API for all possible supported backend. I
am however really convinced about the one proposed here. That's
something we will need to really design well and userfriendly.
- Cache-timing-safe character encoding functions
Alternatives for existing functions that should function like their
unsafe counterparts, but without branches or data-based index lookups.
hex2bin()-> hex2bin_ts()bin2hex()-> bin2hex_ts()base64_encode()-> base64_encode_ts()base64_decode()-> base64_decode_ts()
For most functions I would prefer an option.
--
Pierre
@pierrejoye | http://www.libgd.org
Hi,
I would like to make it easier for PHP developers to implement
cryptography features in their applications. I intend to work on some
of these ideas and submit them for inclusion in PHP 7.1.Awesome and long due work :)
Some of these might be familiar to some of you.
- Pluggable Cryptography Frontend
Work is currently underway for a PHP prototype for this idea
originally suggested by ircmaxell, that will basically be like PDO for
cryptography. Our current project name, subject to change, is PHP
Crypto Objects (PCO).The idea is that you could write code like this to add secure
authenticated encryption to your application without having to worry
about the details.$AES = new \PCO\Symmetric('openssl:cipher=AES-128'); $ciphertext = $AES->encrypt($plaintext, $someKey); $PKC = new \PCO\Asymmetric('libsodium'); $offlineDecryptable = $PKC->seal($plaintext, $someX25519PublicKey);When it's finished, I'd like to turn it into a PECL extension so users
can play with it in PHP 7.0 and submit it for inclusion in 7.1.I like the idea of a common API for all possible supported backend. I
am however really convinced about the one proposed here. That's
something we will need to really design well and userfriendly.
- Cache-timing-safe character encoding functions
Alternatives for existing functions that should function like their
unsafe counterparts, but without branches or data-based index lookups.
hex2bin()-> hex2bin_ts()bin2hex()-> bin2hex_ts()base64_encode()-> base64_encode_ts()base64_decode()-> base64_decode_ts()For most functions I would prefer an option.
--
Pierre@pierrejoye | http://www.libgd.org
This isn't a replacement, they're alternatives. -> means related to in
this case, not "becomes" :)
Or do you mean to add a parameter to the existing functions to make
them constant time?
Scott Arciszewski
Chief Development Officer
Paragon Initiative Enterprises
This isn't a replacement, they're alternatives. -> means related to in
this case, not "becomes" :)Or do you mean to add a parameter to the existing functions to make
them constant time?
Yes, when it makes sense (for most it may)
--
Pierre
@pierrejoye | http://www.libgd.org
Am 3.8.2015 um 22:54 schrieb Scott Arciszewski scott@paragonie.com:
Hi,
I would like to make it easier for PHP developers to implement
cryptography features in their applications. I intend to work on some
of these ideas and submit them for inclusion in PHP 7.1.Some of these might be familiar to some of you.
- Pluggable Cryptography Frontend
Work is currently underway for a PHP prototype for this idea
originally suggested by ircmaxell, that will basically be like PDO for
cryptography. Our current project name, subject to change, is PHP
Crypto Objects (PCO).The idea is that you could write code like this to add secure
authenticated encryption to your application without having to worry
about the details.$AES = new \PCO\Symmetric('openssl:cipher=AES-128');
$ciphertext = $AES->encrypt($plaintext, $someKey);$PKC = new \PCO\Asymmetric('libsodium');
$offlineDecryptable = $PKC->seal($plaintext, $someX25519PublicKey);When it's finished, I'd like to turn it into a PECL extension so users
can play with it in PHP 7.0 and submit it for inclusion in 7.1.
- Cache-timing-safe character encoding functions
Alternatives for existing functions that should function like their
unsafe counterparts, but without branches or data-based index lookups.
hex2bin()-> hex2bin_ts()bin2hex()-> bin2hex_ts()base64_encode()-> base64_encode_ts()base64_decode()-> base64_decode_ts()Other formats are out of scope, unless someone can make the case that
we need to support RFC 4648 base32 encoding (e.g. for Tor Hidden
Service integration).
- Other ideas (not yet committed to at all, but might be of interest
to others):
- Improving the OpenSSL API, or at least the documentation
- Adding streaming encryption/decryption support to OpenSSL
- Adding AE and AEAD interfaces to OpenSSL
- Aliasing MCRYPT_AES -> MCRYPT_RIJNDAEL_128, adding MCYPT_MODE_CTR
What I need from you is guidance on what features or changes you want
to see in 7.1 and which can be put off until later (or never proposed
as an RFC at all).Seriously, all I need is your opinion and whether or not you'd like to
see any of these happen. If you have specific implementation details
you'd like to discuss or requests, of course those are welcome too. :D"With great ubiquity comes great responsibility." - Matthew Green
https://twitter.com/matthew_d_green/status/578567678492733440Scott Arciszewski
Chief Development Officer
Paragon Initiative Enterprises https://paragonie.com
Hey,
I went ahead and just made bin2hex()/hex2bin() timing safe as a first step.
See https://github.com/php/php-src/pull/1453 https://github.com/php/php-src/pull/1453
Note that it does not add extra functions, but just because performance is just about as good as before [or even better in cases of severe mispredictions].
If there’s no negative feedback, I’m going to merge that in a few days into master.
Bob
Am 3.8.2015 um 22:54 schrieb Scott Arciszewski scott@paragonie.com:
Hi,
I would like to make it easier for PHP developers to implement
cryptography features in their applications. I intend to work on some
of these ideas and submit them for inclusion in PHP 7.1.Some of these might be familiar to some of you.
- Pluggable Cryptography Frontend
Work is currently underway for a PHP prototype for this idea
originally suggested by ircmaxell, that will basically be like PDO for
cryptography. Our current project name, subject to change, is PHP
Crypto Objects (PCO).The idea is that you could write code like this to add secure
authenticated encryption to your application without having to worry
about the details.$AES = new \PCO\Symmetric('openssl:cipher=AES-128');
$ciphertext = $AES->encrypt($plaintext, $someKey);$PKC = new \PCO\Asymmetric('libsodium');
$offlineDecryptable = $PKC->seal($plaintext, $someX25519PublicKey);When it's finished, I'd like to turn it into a PECL extension so users
can play with it in PHP 7.0 and submit it for inclusion in 7.1.
- Cache-timing-safe character encoding functions
Alternatives for existing functions that should function like their
unsafe counterparts, but without branches or data-based index lookups.
hex2bin()-> hex2bin_ts()bin2hex()-> bin2hex_ts()base64_encode()-> base64_encode_ts()base64_decode()-> base64_decode_ts()Other formats are out of scope, unless someone can make the case that
we need to support RFC 4648 base32 encoding (e.g. for Tor Hidden
Service integration).
- Other ideas (not yet committed to at all, but might be of interest
to others):
- Improving the OpenSSL API, or at least the documentation
- Adding streaming encryption/decryption support to OpenSSL
- Adding AE and AEAD interfaces to OpenSSL
- Aliasing MCRYPT_AES -> MCRYPT_RIJNDAEL_128, adding MCYPT_MODE_CTR
What I need from you is guidance on what features or changes you want
to see in 7.1 and which can be put off until later (or never proposed
as an RFC at all).Seriously, all I need is your opinion and whether or not you'd like to
see any of these happen. If you have specific implementation details
you'd like to discuss or requests, of course those are welcome too. :D"With great ubiquity comes great responsibility." - Matthew Green
https://twitter.com/matthew_d_green/status/578567678492733440Scott Arciszewski
Chief Development Officer
Paragon Initiative Enterprises https://paragonie.comHey,
I went ahead and just made
bin2hex()/hex2bin() timing safe as a first step.See https://github.com/php/php-src/pull/1453 https://github.com/php/php-src/pull/1453
Note that it does not add extra functions, but just because performance is just about as good as before [or even better in cases of severe mispredictions].
Nice work :)
If there’s no negative feedback, I’m going to merge that in a few days into master.
We are in feature freeze so please hang on the push.
Also time safe functions may be trickier than it looks. We have to be
very careful by declaring one timesafe (or safe at all) so a peer
reviews are a must here. A RFC too. Let not rush and push something
possibly buggy too early.
Cheers,
Pierre
@pierrejoye | http://www.libgd.org
Am 05.08.2015 um 04:57 schrieb Pierre Joye pierre.php@gmail.com:
Am 3.8.2015 um 22:54 schrieb Scott Arciszewski scott@paragonie.com:
Hi,
I would like to make it easier for PHP developers to implement
cryptography features in their applications. I intend to work on some
of these ideas and submit them for inclusion in PHP 7.1.Some of these might be familiar to some of you.
- Pluggable Cryptography Frontend
Work is currently underway for a PHP prototype for this idea
originally suggested by ircmaxell, that will basically be like PDO for
cryptography. Our current project name, subject to change, is PHP
Crypto Objects (PCO).The idea is that you could write code like this to add secure
authenticated encryption to your application without having to worry
about the details.$AES = new \PCO\Symmetric('openssl:cipher=AES-128');
$ciphertext = $AES->encrypt($plaintext, $someKey);$PKC = new \PCO\Asymmetric('libsodium');
$offlineDecryptable = $PKC->seal($plaintext, $someX25519PublicKey);When it's finished, I'd like to turn it into a PECL extension so users
can play with it in PHP 7.0 and submit it for inclusion in 7.1.
- Cache-timing-safe character encoding functions
Alternatives for existing functions that should function like their
unsafe counterparts, but without branches or data-based index lookups.
hex2bin()-> hex2bin_ts()bin2hex()-> bin2hex_ts()base64_encode()-> base64_encode_ts()base64_decode()-> base64_decode_ts()Other formats are out of scope, unless someone can make the case that
we need to support RFC 4648 base32 encoding (e.g. for Tor Hidden
Service integration).
- Other ideas (not yet committed to at all, but might be of interest
to others):
- Improving the OpenSSL API, or at least the documentation
- Adding streaming encryption/decryption support to OpenSSL
- Adding AE and AEAD interfaces to OpenSSL
- Aliasing MCRYPT_AES -> MCRYPT_RIJNDAEL_128, adding MCYPT_MODE_CTR
What I need from you is guidance on what features or changes you want
to see in 7.1 and which can be put off until later (or never proposed
as an RFC at all).Seriously, all I need is your opinion and whether or not you'd like to
see any of these happen. If you have specific implementation details
you'd like to discuss or requests, of course those are welcome too. :D"With great ubiquity comes great responsibility." - Matthew Green
https://twitter.com/matthew_d_green/status/578567678492733440Scott Arciszewski
Chief Development Officer
Paragon Initiative Enterprises https://paragonie.comHey,
I went ahead and just made
bin2hex()/hex2bin() timing safe as a first step.See https://github.com/php/php-src/pull/1453 https://github.com/php/php-src/pull/1453
Note that it does not add extra functions, but just because performance is just about as good as before [or even better in cases of severe mispredictions].
Nice work :)
If there’s no negative feedback, I’m going to merge that in a few days into master.
We are in feature freeze so please hang on the push.
Also time safe functions may be trickier than it looks. We have to be
very careful by declaring one timesafe (or safe at all) so a peer
reviews are a must here. A RFC too. Let not rush and push something
possibly buggy too early.Cheers,
Pierre
@pierrejoye | http://www.libgd.org http://www.libgd.org/
Not sure what the point of a RFC here is. It is obviously okay to do that… the only discussion is whether it's really safe. We need people with deep understanding of these things to look at, not a generic RFC.
The pull request already provides all info needed. I don't know who to ask specifically for review? I'd rather ask a few experts than throwing this at a community where 99% of people have no deep understanding in this field.
Bob
P.s.: yes, we are in feature freeze. Not sure if a (timing) safety fix falls in the feature category.
Hi,
I would like to make it easier for PHP developers to implement
cryptography features in their applications. I intend to work on some
of these ideas and submit them for inclusion in PHP 7.1.Some of these might be familiar to some of you.
- Pluggable Cryptography Frontend
Work is currently underway for a PHP prototype for this idea
originally suggested by ircmaxell, that will basically be like PDO for
cryptography. Our current project name, subject to change, is PHP
Crypto Objects (PCO).The idea is that you could write code like this to add secure
authenticated encryption to your application without having to worry
about the details.$AES = new \PCO\Symmetric('openssl:cipher=AES-128'); $ciphertext = $AES->encrypt($plaintext, $someKey); $PKC = new \PCO\Asymmetric('libsodium'); $offlineDecryptable = $PKC->seal($plaintext, $someX25519PublicKey);When it's finished, I'd like to turn it into a PECL extension so users
can play with it in PHP 7.0 and submit it for inclusion in 7.1.
- Cache-timing-safe character encoding functions
Alternatives for existing functions that should function like their
unsafe counterparts, but without branches or data-based index lookups.
hex2bin()-> hex2bin_ts()bin2hex()-> bin2hex_ts()base64_encode()-> base64_encode_ts()base64_decode()-> base64_decode_ts()Other formats are out of scope, unless someone can make the case that
we need to support RFC 4648 base32 encoding (e.g. for Tor Hidden
Service integration).
- Other ideas (not yet committed to at all, but might be of interest
to others):
- Improving the OpenSSL API, or at least the documentation
- Adding streaming encryption/decryption support to OpenSSL
- Adding AE and AEAD interfaces to OpenSSL
- Aliasing MCRYPT_AES -> MCRYPT_RIJNDAEL_128, adding MCYPT_MODE_CTR
What I need from you is guidance on what features or changes you want
to see in 7.1 and which can be put off until later (or never proposed
as an RFC at all).Seriously, all I need is your opinion and whether or not you'd like to
see any of these happen. If you have specific implementation details
you'd like to discuss or requests, of course those are welcome too. :D
I wrote about something similar earlier in the year, although the timing
was probably pretty bad with all of the scalar type arguments going on.
http://marc.info/?l=php-internals&m=142365688004941&w=2
I'm obvious +1 on the concept.
There's a couple of other things I would like to see in addition to what
you have proposed.
-
AES-*-CTR native without a back-end. There is a ton of trusted reference
code for this, and (probably) removes the reliance on an extension for the
majority of PHP crypto use-cases. -
As others have said, lets try and avoid the evil DSN - we're trying to
make it easy for users to get it right here. Ideally there should be enough
metadata so a user can request a cipher without a back-end, and appropriate
back-end will be selected if available. -
I'd like to see some hashes as part of this, not everything from
ext/hash, but being able to have a hash as a stream filter would be great -
An API that makes it easy for extensions to register metadata /
implementation for a cipher/hash/whatever they provide