What should every web developer know about encryption?

I just landed on PHP5. I will not be working on the parts of the application that contain highly sensitive data, but I am still a little confused about security and encryption methods. I know only the very basics (do not store passwords in clear text, do not let users run code via mail data, etc.). What do I need to know to protect my applications, and where can I learn it?

+42
php encryption
Aug 03 '09 at 18:56
11 answers

Learn the difference between hashing and encryption. Encryption is usually two-way: I can encrypt my password and later decrypt it back to plaintext. The idea of hashing is that it is one-way "encryption."

On my sites, I store passwords as hashes. Any time a user signs in, I hash the password they provide, compare it to the hash stored in the database, and see whether they match. I cannot send users their password if they forget it, because (as a rule) I have no way of knowing it. Two strings can hash to the same value, which makes it (as a rule) impossible to work out what the original string was.

This is one of the things it is good to understand: recognizing when to use encryption versus hashing.

+27
Aug 03 '09 at 19:06
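An added example (not code from any of the answers above, written in PHP because that is the questioner's platform) showing the one-way property described in this answer: an unsalted SHA-1 hash is deterministic, so two users with the same password share a hash and a precomputed table reverses common values, whereas `password_hash()` (PHP 5.5+) adds a random salt per call, so identical passwords produce different stored values and only `password_verify()` can check them. The sample password is constructed for the demonstration.

```php
<?php
declare(strict_types=1);

// Constructed sample password for the demonstration.
$password = 'correct horse battery staple';

// Naive approach: an unsalted SHA-1 digest. It is deterministic, so identical
// passwords collide in the user table and a precomputed (rainbow) table
// reverses common values.
function naiveHash(string $password): string
{
    return sha1($password);
}

// Recommended approach: password_hash() generates a random salt per call,
// embeds the salt, algorithm and cost in its output, and uses bcrypt by default.
function storePassword(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);
}

// The only way to check a stored hash: re-run the same salted, slow hash over
// the candidate and compare in constant time. The plaintext is never recoverable.
function checkPassword(string $candidate, string $stored): bool
{
    return password_verify($candidate, $stored);
}

// When the default algorithm or cost changes, rehash on the next successful
// login so stored hashes keep up with current recommendations.
function refreshIfStale(string $candidate, string $stored): string
{
    if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        return storePassword($candidate);
    }
    return $stored;
}

$naive1 = naiveHash($password);
$naive2 = naiveHash($password);
echo 'Unsalted hashes identical: ' . var_export($naive1 === $naive2, true) . PHP_EOL;

$stored1 = storePassword($password);
$stored2 = storePassword($password);
echo 'Salted hashes identical:   ' . var_export($stored1 === $stored2, true) . PHP_EOL;
echo 'Verify correct password:   ' . var_export(checkPassword($password, $stored1), true) . PHP_EOL;
echo 'Verify wrong password:     ' . var_export(checkPassword('wrong password', $stored1), true) . PHP_EOL;

$stored1 = refreshIfStale($password, $stored1);
echo 'Stored hash prefix:        ' . substr($stored1, 0, 4) . PHP_EOL;
```

Running this prints `true` for the unsalted comparison and `false` for the salted one, then `true`/`false` for the two verification calls; the stored value begins with the bcrypt identifier (`$2y$`) and carries its own salt, which is why nothing but the hash needs to be kept in the database.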

Know that you do not need to write your own encryption functions. An existing, trusted library is the best way to go whenever possible. Avoid cool, bleeding-edge technologies that lack the many successful programmer-hours of work behind them. Know that you should not trust the functionality you choose until you have tested it yourself, first-hand. Stay on top of new developments that may make your chosen function obsolete overnight. Know that just because you use the best encryption technology today, you have protected nothing if you leave the keys lying on the table (for example, cleartext left in a cache or stored in another table in the same database, or private keys left out in the open).

+17
Aug 03 '09 at 19:11

  • Understand the difference between encrypting and hashing
  • Understand the reason for salt
  • Understand that HTTP is plain text.
  • Understand what HTTPS is
  • Understand that you will never (never be able to) create better hashing or encryption methods than the third-party libraries and built-in libraries already do.
+15
Aug 03 '09 at 19:13
+14
Aug 03 '09 at 19:27

That it can be broken no matter what you do.

+11
Aug 03 '09 at 19:10

Short answer

You can never be too safe.

Use salted hashes for extra security.

Longer answer (still not complete)

Security is not something that can be learned from a quick-start guide on the Internet. It requires in-depth knowledge not only of what vulnerabilities exist, but WHY they exist and HOW they work. One of the biggest problems (especially in open source) is that new methods are added all the time, so we need to understand security concepts and theory.

Read books, take classes, and test things yourself on a local machine. Then you will gradually begin to understand the concepts of web application security.

Follow these steps to get started.

+6
Aug 3 '09 at 19:04

Where to learn about security: get Schneier's book Applied Cryptography.

+6
Aug 03 '09 at 19:07

Pay attention to the following points when you store passwords:

  • A hashed password is usually more secure because you do not need to keep a secret. However, it prevents the use of a different hash scheme in the authentication flow. For example, you cannot use HTTP Digest authentication with a hashed password.

  • A simple hash is prone to a rainbow table attack ( http://en.wikipedia.org/wiki/Rainbow_table ). Add a non-recurring nonce to the hash, or use the nonce as the key of an HMAC. The nonce must be stored with the password. I add it to the digest.

  • If encryption is used, make sure a random initialization vector (IV) is used, so that the same password encrypts to different ciphertexts for different users. Otherwise you are prone to pattern-matching attacks. MySQL has a built-in encryption command. It does not take an IV, so never use it for passwords.

  • Store the key name / version with the ciphertext so that keys can be rotated. Key rotation is required for compliance with certain standards. Ciphertext without key information cannot be decrypted once you are forced to change or rotate keys.

If you follow these tips, your passwords will be secure with any encryption / hashing scheme.

+3
Aug 03 '09 at 19:35
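An added example (not code from this answer) of the two encryption-side points above: a fresh random nonce/IV per record so that equal plaintexts never produce equal ciphertexts, and a key version stored in the envelope so that keys can be rotated and retired. It uses PHP's bundled sodium extension (`sodium_crypto_secretbox`, PHP 7.2+), which authenticates the ciphertext so tampering or a wrong key is detected; the keyring layout, the `v<version>:` envelope format, and the function names are this example's own assumptions, and in production the keys would come from a KMS or configuration store rather than sit in the same database as the ciphertext.

```php
<?php
declare(strict_types=1);

// Assumed keyring layout: version => 32-byte secretbox key. Old versions stay
// readable until every record has been re-encrypted under the current one.
$keyring = [
    1 => sodium_crypto_secretbox_keygen(), // retiring key, still needed to read
    2 => sodium_crypto_secretbox_keygen(), // current key, used for new writes
];
$currentVersion = 2;

// Envelope: "v<version>:" followed by base64(nonce . ciphertext+MAC).
function encryptField(string $plaintext, array $keyring, int $version): string
{
    // A fresh random nonce per call is what makes equal inputs encrypt differently.
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box = sodium_crypto_secretbox($plaintext, $nonce, $keyring[$version]);
    return 'v' . $version . ':' . base64_encode($nonce . $box);
}

function decryptField(string $envelope, array $keyring): string
{
    if (!preg_match('/^v(\d+):(.+)$/', $envelope, $m)) {
        throw new InvalidArgumentException('malformed envelope');
    }
    $version = (int) $m[1];
    if (!isset($keyring[$version])) {
        throw new RuntimeException("no key for version $version");
    }
    $raw = base64_decode($m[2], true);
    $minLen = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if ($raw === false || strlen($raw) < $minLen) {
        throw new InvalidArgumentException('malformed envelope');
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open($box, $nonce, $keyring[$version]);
    if ($plain === false) {
        // The MAC check failed: wrong key or modified ciphertext.
        throw new RuntimeException('authentication failed');
    }
    return $plain;
}

// Key rotation: decrypt under whatever version the record names, re-encrypt
// under the current version. Run over every record before retiring the old key.
function rotateField(string $envelope, array $keyring, int $toVersion): string
{
    return encryptField(decryptField($envelope, $keyring), $keyring, $toVersion);
}

// Constructed sample: the same secret stored for two users.
$secret = 'same secret for both users';
$recordA = encryptField($secret, $keyring, 1);
$recordB = encryptField($secret, $keyring, 1);
echo 'Ciphertexts identical:      ' . var_export($recordA === $recordB, true) . PHP_EOL;

$rotated = rotateField($recordA, $keyring, $currentVersion);
echo 'Envelope version after rotation: ' . substr($rotated, 0, 3) . PHP_EOL;
echo 'Round trip after rotation:  ' . var_export(decryptField($rotated, $keyring) === $secret, true) . PHP_EOL;

// A flipped byte in the ciphertext is rejected rather than silently decrypted.
$tampered = 'v2:' . base64_encode(substr(base64_decode(substr($rotated, 3), true), 0, -1) . "\0");
try {
    decryptField($tampered, $keyring);
} catch (RuntimeException $e) {
    echo 'Tampered record:            ' . $e->getMessage() . PHP_EOL;
}

// Once all records are rotated, the old key is removed and old envelopes fail loudly.
unset($keyring[1]);
try {
    decryptField($recordA, $keyring);
} catch (RuntimeException $e) {
    echo 'Unrotated record:           ' . $e->getMessage() . PHP_EOL;
}
```

The version prefix is the piece the answer calls "key information": without it, a record encrypted last year cannot tell you which key to try, and a rotation becomes a guessing exercise over every key you have ever used.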

Look at the Open Web Application Security Project. They have a lot of information about current web application security issues and what you need to do to protect against them. OWASP also puts together the Development Guide, which contains a lot of good information about the problems of developing web applications and web services.

+1
Aug 03 '09 at 22:29

If you look at it from a PHP context, I would recommend this book:


Pro PHP Security on Amazon

What I really like about this book is that it is much more than just a list of security-related functions in PHP. Most of it covers general security concepts and protection mechanisms. It covers permissions, the principle of least privilege, encryption, hashing, cross-site scripting, cross-site request forgery, session hijacking, etc., with examples of writing secure code in PHP.

Having just graduated from college, I am impressed with the coverage in this book. I would consider it required reading for any professional PHP developer.

+1
Aug 03 '09 at 22:46

First you should familiarize yourself with these PHP methods:

Here you have all the cryptography extensions in PHP.

0
Aug 03 '09 at 19:02