Php 7.2 Will Be The First Programming Language to Add Modern Cryptography to Its Standard Library

PHP 7.2 will be the first Programming Language to add Modern Cryptography to its Standard Library
by Janeth Kent Date: 14-02-2017 php cryptography


Last week, the voting phase closed on an RFC to add libsodium to PHP 7.2. The result was unanimous (37 in favor, 0 against).

When version 7.2 releases at the end of the year, PHP will be the first programming language to adopt modern cryptography in its standard library.

What is Modern Cryptography?

A cryptography library can be said to be modern if it meets two requirements:

  1. Uses fast primitives designed to resist side-channel cryptanalysis (e.g. timing leaks, padding oracles).
  2. Exposes a high-level API that is simple and secure-by-default.

Secure Primitives

If you implement public key encryption and digital signatures in OpenSSL and Golang, you're forced to choose between RSA and NIST ECC. Neither is a good choice.

  • Very few developers can get RSA right:
    • e = d = 1
    • Invites developers to implement RSA-ECB
    • PKCS1v1.5 padding
  • NIST's Elliptic Curve Cryptography
    • Invalid curve attacks, which gives away your secret key via the Chinese Remainder Theorem if an attacker submits (x, y) coordinates that aren't on the curve
    • In the case of ECDSA (before RFC 6979), repeated k values for ECDSA signatures gave away your secret keys
    • NIST Curves aren't rigid

Modern cryptography requires the use of secure primitives. For public key crpytography, that means the primitives outlined in RFC 7748 and RFC 8032. For symmetric cryptography, that means using authenticated encryption at all times.

NIST curves (P-256, etc.) do not qualify as modern cryptography (although their presence in a library doesn't automatically disqualify either).

Libsodium's primitives include:

  • X25519 (Elliptic Curve Diffie-Hellman over Curve25519)
  • Ed25519 (Edwards-curve Digital Signature Algorithm over Curve25519)
  • Xsalsa20poly1305 (authenticated symmetric-key encryption that performs well in software and doesn't have cache-timing vulnerabilities like software AES)
  • BLAKE2 (based on the SHA3 finalist that performs faster than MD5 in software but is more secure than SHA256)
  • Argon2 (password hashing and key derivation function)
  • SipHash-2-4 (fast hash for hash tables and similar data structures)
  • ChaCha20-Poly1305 (authenticated encryption with associated data)

But you'll likely not need to worry about these details, because it also provides a...

Simple and Secure High-Level API

To facilitate public-key encryption in libsodium, you just need the following:

// Some example variables:
$alice_ecdh_secret = 
    "\x69\xf2\x08\x41\x2d\x8d\xd5\xdb\x9d\x0c\x6d\x18\x51\x2e\x86\xf0" . 
    "\xec\x75\x66\x5a\xb8\x41\x37\x2d\x57\xb0\x42\xb2\x7e\xf8\x9d\x8c";
$bob_ecdh_public =
    "\xe8\x98\x0c\x86\xe0\x32\xf1\xeb\x29\x75\x05\x2e\x8d\x65\xbd\xdd" .
    "\x15\xc3\xb5\x96\x41\x17\x4e\xc9\x67\x8a\x53\x78\x9d\x92\xc7\x54";
$message_keypair = sodium_crypto_box_keypair_from_secretkey_and_publickey(
    $alice_ecdh_secret,
    $bob_ecdh_public
);
$plaintext = "This is a secret message for your eyes only.";
$nonce = random_bytes(24);

// And now for the actual public-key encryption step:
$ciphertext = sodium_crypto_box($plaintext, $nonce, $message_keypair);

To decrypt a message:

$received = sodium_crypto_box_open(
    $received_ciphertext, 
    $received_nonce, 
    $message_keypair
);

What does this mean for me?

If you develop in PHP and can upgrade to 7.2 when it comes out, you get to enjoy modern cryptography as a part of the language itself. It will now be possible to design software that uses Ed25519 digital signatures (e.g. for automatic security updates) without requiring users to install an optional PHP extension.

I hate PHP, there's no way it's more secure than $favoriteLanguage

This has come up a bunch in response to a tweet announcing the RFC passing. However, most of the languages that were proposed as being ahead of PHP on this issue weren't.

Here are the facts:

Go 1.8 will use X25519 and ChaCha20-Poly1305 in its TLS stack, but it doesn't offer modern application-layer cryptography in its standard library. Which means if you want to use modern TLS, you can, but if you want to encrypt data at rest, you have to either go outside the standard library or use 90's era public-key cryptography.

Most other programming languages (Ruby, Erlang, Node.js) still only offer OpenSSL, which invites developers to (mis)use RSA, encrypt using AES in ECB mode, and never authenticate their ciphertexts. Furthermore, many of these languages still use OpenSSL's userspace PRNG and don't expose a sane API for accessing the operating system's CSPRNG. (PHP solved this in 7.0.)

No matter how you feel about PHP, the reality is that PHP is the first programming language to commit to modern cryptography in its standard library, coming in version 7.2.0.

If you're a passionate language evangelist, the best thing to do now is to strive for second-to-market. I'm excited to see everyone abandon the fossils of RSA and foot-bullety ECDSA.

 
by Janeth Kent Date: 14-02-2017 php cryptography hits : 3274  
 
Janeth Kent

Janeth Kent

Licenciada en Bellas Artes y programadora por pasión. Cuando tengo un rato retoco fotos, edito vídeos y diseño cosas. El resto del tiempo escribo en MA-NO WEB DESIGN END DEVELOPMENT.

 
 
 

Related Posts

HTTP Cookies: how they work and how to use them

Today we are going to write about the way to store data in a browser, why websites use cookies and how they work in detail. Continue reading to find out how…

The most popular Array Sorting Algorithms In PHP

There are many ways to sort an array in PHP, the easiest being to use the sort() function built into PHP. This sort function is quick but has it's limitations,…

MySQL 8.0 is now fully supported in PHP 7.4

MySQL and PHP is a love story that started long time ago. However the love story with MySQL 8.0 was a bit slower to start… but don’t worry it rules…

A roadmap to becoming a web developer in 2019

There are plenty of tutorials online, which won't cost you a cent. If you are sufficiently self-driven and interested, you have no difficulty training yourself. The point to learn coding…

10 PHP code snippets to work with dates

Here we have some set of Useful PHP Snippets, which are useful for PHP Developers. In this tutorial we'll show you the 10 PHP date snippets you can use on…

8 Free PHP Books to Read in Summer 2018

In this article, we've listed 8 free PHP books that can help you to learn new approaches to solving problems and keep your skill up to date.   Practical PHP Testing This book…

Best Websites to Learn Coding Online

You know and we know that it’s totally possible to learn to code for free... If you can teach yourself how to write code, you gain a competitive edge over your…

PHP and XMP format: Create a Panorama 360/VR viewer in PHP and A-Frame

The Extensible Metadata Platform (XMP) is an ISO standard, originally created by Adobe Systems Inc., for the creation, processing and interchange of standardized and custom metadata for digital documents and…

PHP: Basic Introduction to Namespaces

History of PHP Namespaces In PHP prior to 5.3 (2009), any class you define lived at the same global level as other classes. Class User, class Contact, class Db they're all together…

Php: How to extend the highlight_string function

PHP has a cool function that automatically highlights PHP code called highlight_string(); Theoretically this could be used to roll your own code highlighting on a site, rather than rely on…

Install Apache, MariaDB and PHP7 on Ubuntu 16.04

Ubuntu 16.04 LTS Xenial Xerus comes with PHP7 by default so you don’t have to rely on third-party PPA to get PHP7 installed. In this tutorial, we are going to…

Cuixot - Mallorca's Ham

Project: Cuixot de Porc Negre Mallorquí graphic web development SEO PHP/MYSQL, HTML, AJAX, Javascript, CSS  frontend/backoffice Pcore CMS Link: Cuixot - Productos de la raza de cerdos negros de Mallorca