410 likes | 466 Views
The screencast of this presentation can be found at https://youtu.be/o3uy7dgG_n4 There is an assumption in the industry, amongst companies large and small alike, that if they store sensitive user data (and sometimes do some mild encryption) in their database, it's locked in and secured from potential attacks. People rely too heavily on their false assumptions of security, and it usually ends up costing them extensively when that is proven wrong. In this session, Jonathan will build a foundation for identity and data security that everyone dealing with sensitive data should understand. We'll break down concepts of identity security, common attack vectors and how to protect yourself, and how to harden your web application.
E N D
PHP Identity and Data Security? Jonathan LeBlanc ? Twitter: @jcleblanc ? Book: http://bit.ly/iddatasecurity?
Identity & Data Security Book? Release Date:? July 2016? ? Book Details:? http://bit.ly/iddatasecurity?
Top Passwords of 2015? 1: 123456 ? 2: password ? 3: 12345678 ? 4: qwerty ? 5: 12345 ? 6: 123456789? 7: football? 8: 1234? 9: 1234567? 10: baseball? 11: welcome? 12: 1234567890? 13: abc123? 14: 111111? 15: 1qaz2wsx? 16: dragon? 17: master? 18: monkey? 19: letmein? 20: login? 21: princess? 22: qwertyuiop? 23: solo? 24: passw0rd? 25: starwars?
Protecting Against Password Attacks? Brute Force Attacks? Calculate all key variations within a given length, then trying each one until the password is guessed. ? Protect via: Key stretching, CAPTCHA, 2FA? ? Dictionary Attacks? Use a list of predetermined words/phrase to guess password.? Protect via: Salting? ? Rainbow Tables? Use precalculated password hashes to break encryption.? Protect via: Salting?
Hashing with and without salts? //hashing identical messages with no salt? hash('mechagodzilla') = ? 162e0a91026a28f1f2afa11099d1fcbdd9f2e351095ebb196c90e10290ef1227? hash('mechagodzilla') = ? 162e0a91026a28f1f2afa11099d1fcbdd9f2e351095ebb196c90e10290ef1227? ? //hashing identical messages with random salt? hash('mechagodzilla' + '458cf2979ef27397db67077775225334') = ? f3499a916612e285612b32702114751f557a70606c32b54b92de55153d40d3b6? hash('mechagodzilla' + 'ef5b72eff781b09a0784438af742dd6e') = ? 7e29c5c48f44755598dec3549155ad66f1af4671091353be4c4d7694d71dc866? hash('mechagodzilla' + 'cc989b105a1c6a5f0fb460e29dd272f3') = ? 6dedd3dbb0639e6e00ca0bf6272c141fb741e24925cb7548491479a1df2c215e?
Considerations when using Salts? Storing Salts? Store alongside the hash? ? Salt Reuse? Salts should be be unique per password? ? Salt Length? Same size as hash? 64 bits? 128 bits??
Password Encryption Algorithms? bcrypt? Designed for password security, based on the blowfish cipher, CPU & RAM intensive.? ? PBKDF2? Comes from RSA laboratories, performs the HMAC (hash + key) over a specific number of iterations.? ? scrypt? Designed to make it costly to perform large-scale hardware attacks by requiring large amounts of memory?
Hashing with bcrypt? ? //fetch password from user creation request? $password = $_POST['password'];? ? //salt option deprecated in PHP 7.0.0+? $options = [? 'cost' => 12? ];? ? //create 60 character hash, with default unique salt, and options ? $hash = password_hash($password, PASSWORD_BCRYPT, $options);? ? //STORE HASH IN USER DATABASE RECORD? //SALT IS BUILT INTO HASH?
Login Hash Comparison with bcrypt? //fetch login request information? $username = $_POST['username'];? $password = $_POST['password'];? ? //fetch user record from database? $user = fetchDBRecord($username);? ? //verify if login attempt password matches stored user hash? if (password_verify($password, $user->hash)){? echo "password matches";? } else {? echo "password doesn't match";? }?
Hashing with PBKDF2? ? ? //fetch password from user creation request? $password = $_POST['password'];? ? //set iterations and random initialization vector? $iterations = 1000;? $salt = mcrypt_create_iv(16, MCRYPT_DEV_URANDOM);? ? //hash password using sha256? $hash = hash_pbkdf2("sha256", $password, $salt, $iterations, 20);? ? //STORE HASH AND SALT IN USER DATABASE RECORD?
? Login Hash Comparison with PBKDF2? //fetch login request info and set iterations? $username = $_POST['username'];? $password = $_POST['password'];? $iterations = 1000;? ? //fetch user record from database? $user = fetchDBRecord($username);? ? //manually hash the login attempt password? $loginhash = hash_pbkdf2("sha256", $password, $user->salt, $iterations, 20);? ? //validate if hashes match? if (hash_equals ($loginhash, $user->hash)){ ? echo 'password match';? } else {? echo 'password mismatch';? }? ?
Certificate Types? Domain Validation (DV)? Certificate authority (CA) validates domain access only?
Certificate Types? Organization Validation (OV)? ? CA validates DV and basic organization information?
Certificate Types? Extended Validation (EV)? CA validates DV, OV, and legal existance of the organization?
Generate your self-signed certificate and private key? //generate private key and self-signed certificate valid for 1 year? openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout server.key -out server.crt?
Configuring SSL capabilities and setting certificates on Apache server? //update httpd.conf file to enable SSL (uncomment the following)? #LoadModule ssl_module libexec/apache2/mod_ssl.so? #Include /private/etc/apache2/extra/httpd-ssl.conf? ? //update httpd-ssl.conf file for CRT location? SSLCertificateFile "/private/etc/apache2/server.crt"? ? //copy crt and private key files to above location? cp server.crt server.key /private/etc/apache2/?
Update httpd-vhosts.conf? <VirtualHost *:443>? #general virtual hosts information? DocumentRoot "/Users/jleblanc/localhost/ssltest"? ServerName ssltest? ErrorLog "/private/var/log/apache2/local.example.com-error_log"? CustomLog "/private/var/log/apache2/local.example.com-access_log" common? ? #SSL details? SSLEngine on? SSLCertificateFile "/private/etc/apache2/server.crt”? SSLCertificateKeyFile "/private/etc/apache2/server.key"? ? #SSL engine options? <FilesMatch "\.(cgi|shtml|phtml|php)$">? SSLOptions +StdEnvVars? </FilesMatch>? <Directory "/Library/WebServer/CGI-Executables">? SSLOptions +StdEnvVars? </Directory>? </VirtualHost>?
Modes of Operation? Encryption (ECB, CBC, OFB, CFB, CTR)? Data privacy and confidentiality mode. Attacker cannot obtain info on the plaintext data.? ? Authentication(CMAC)? Data authenticity mode. Receiver can validate whether cleartext came from intended sender.? ? Authenticated Encryption (CCM, GCM, KW/KWP/TKW)? Includes both data privacy and authenticity.?
Configuring and encrypting message? //set initialization data? $numbytes = 16;? $strongcrypto = true;? $mode = 'aes-256-cbc';? $message = 'my secure message';? ? //creation initialization vector and shared private key? $iv = openssl_random_pseudo_bytes($numbytes, $strongcrypto);? $key = openssl_random_pseudo_bytes($numbytes, $strongcrypto);? ? //create ciphertext with no options? $ciphertext = openssl_encrypt($message, $mode, $key, 0, $iv);?
Decrypting ciphertext? //----? // data sent to server: iv, ciphertext? // data known by server: key? //----? ? //set algorithm and mode? $mode = 'aes-256-cbc’;? ? //decrypt provided cipher? $decrypted = openssl_decrypt($ciphertext, $mode, $key, 0, $iv);?
Getting all available ciphers and modes ? //display block ciphers and modes? print_r(openssl_get_cipher_methods());?
Generating Public / Private Keys? //create private key in private.key? openssl genrsa -out private.key 2048? ? //create public key in public.pem? openssl rsa -in private.key -outform PEM -pubout -out public.pem?
Preparing Message, Encrypting, and Signing? //set public key data from files and object to send? $public_key = openssl_get_publickey(file_get_contents('public.pem'));? $data = '{"message": "my super secure message"}';? ? //encrypt object and public keys? openssl_seal($data, $encrypted, $encpub, array($public_key));? ? //encrypted data and encrypted public key? $sealed_data = base64_encode($encrypted);? $envelope = base64_encode($encpub[0]);? ? //SEND SEALED DATA AND ENVELOPE TO RECIPIENT?
Decrypting and Verifying Message? //OBTAIN SEALED DATA AND ENVELOPE FROM SENDER? ? //set private key data? $private_key = openssl_get_privatekey(file_get_contents('private.key'));? ? //decode data? $sealed_data = base64_decode($sealed_data);? $envelope = base64_decode($envelope);? ? //rypt data using private key? openssl_open($sealed_data, $plaintext, $envelope, $private_key);? ? //decrypted message available in $plaintext?
Thank You!? Jonathan LeBlanc ? Twitter: @jcleblanc ? Book: http://bit.ly/iddatasecurity?