Post on 17-Jan-2016
PHP Secure Communications
Web Technologies
Computing ScienceThompson Rivers University
Secure Comm 2
Unit Topics
How to create a secure connection1. How to use a secure connection; how to authenticate a server
2. How to use user authentication
3. How to work with encrypted data
Secure Comm 3
1. How to Use a Secure Connection
An introduction to secure connections How SSL authentication works How to get a digital secure certificate for your web server How to request a secure connection How to enforce the user to use a secure connection
Secure Comm 4
An introduction to secure connections
[Q] Is it safe to use HTTP to send a credit card number? [Q] What is the solution, then? A secure connection. But a secure connection is much slower than regular HTTP
connections. You usually use secure connections only when your application passes sensitive data.
[Q] How to use a secure connection then? [Q] How to trust web servers? How to trust users?
There are two types of authentication. [Q] What are they? User authentication and server authentication
1.
Advanced Skills 5
How SSL authentication works – how to authenticate a server
HTTPS
Secure Comm 6
With a regular HTTP connection, all data is sent as unencrypted plain text. [Q] What does this mean? Can a hacker read my credit card number?
With a secure connection, all data is encrypted with a secrete key before it is transferred between the client and server.
Secure connection protocols SSL (Secure Sockets Layer) – older TLS (Transport Layer Security) – newer; successor of SSL
The URL for a secure connection starts with HTTPS instead of HTTP.
Secure Comm 7
Before a secure connection is established, the server uses SSL server authentication to authenticate itself. It does this by providing a digital secure certificate to the browser.
[Q] What information is included in a certificate? Name of the server Name of the issuer Expiration date …
[Q] How to trust a certificate? Digitally signed, i.e., encrypted by using the
issuer's private key Only the issuer's public key can be used to
decrypt the certificate. And the issuer should be trustworthy.
Advanced Skills 8
Before a secure connection is established, the server uses SSL server authentication to authenticate itself. It does this by providing a digital secure certificate to the browser. [Q] How to trust a certificate?
By default, browsers accept digital secure certificates that come from trusted sources. [Q] ??? However, if the browser does not recognize the certificate as coming from a trusted source, it informs the user and lets the user view the certificate. Then the user decides.
1.
Secure Comm 9
How to get a digital secure certificate for your web server
[Q] From where? Trustworthy CA (Certificate Authority), and RA (Registration Authority) www.verisign.com www.thawte.com www.geotrust.com www.instantssl.com www.entrust.com
SSL strength 40-bit, 56-bit 128-bit 256-bit [Q] What does this mean?
1.
Secure Comm 10
How to request a secure connection
[Q] How? Once you establish a secure connection, you can use relative URLs
(i.e., relative paths) to continue using the secure connection. [Q] Is it true?
1.
How to redirect to a secure connection
[Q] If you want to make sure that a page is always viewed over a secure connection, what do you have to do?
If you want to make sure that a page is always viewed over a secure connection, you can include code at the top of the page that redirects the page to a secure connection. [Q] What does this mean? How?
If the user requests the page over a regular connection, the web server redirects the request to the same page but over a secure connection.
[Q] How? You need to know whether the user uses http or https.<?php
if (!isset($_SERVER['HTTPS'])) {
$url = 'https://' . $_SERVER['HTTP_HOST'] .
$_SERVER['REQUEST_URI'];
header("Location: " . $url); // Redirect - 302
exit; // should be before any output
} //
?>
Secure Comm 11
Topics
1.
Secure Comm 12
2. How to Use User Authentication
Three types of user authentication How to store and validate a password How to use form-based authentication How to use basic authentication
Secure Comm 13
Three types of user authentication
[Q] How to make only authorized users access some pages? You need to begin by determining whether a client is who and what it
claims to be. This process is known as User Authentication. [Q] Any good idea?
Username and password
Secure Comm 14
Three types of user authentication1. Form-based authentication
a login form By default, no encryption
2. Basic authentication – causes the browser to display a dialog box that gets the username and
password. By default, no encryption
3. Digest authentication causes the browser to display a dialog box that gets the username and
password. Encrypts the username and password before sending them
[Q] Which one looks like the best? [Q] No encryption used in 1) and 2) ?
2.
Secure Comm 15
How to store and validate a password
For most types of authentication, you store the usernames and passwords in a database.
[Q] Encrypted passwords, or unencrypted passwords? A hash function accepts a variable-size string and returns a fixed-size
string known as the hash value. [Q] Always the same hash value for the same input? [Q] Is a hash function reversible?
Password Encryptedpassword Database
Secure Comm 16
// [Q] How to add an email and password into a database?
// $email is used as username in this example
function add_user($email, $password) {
global $db; // [Q] global?
$hashed_password = sha1($password); // SHA-1 hash ft
$query = "insert into users (email, password) values ('$email', '$hashed_password')";
mysqli_query($db, $query);
}
// [Q] How to validate ?
Secure Comm 17
// [Q] How to validate ?
// $email is used as username in this example
function is_valid_user($email, $password) {
global $db;
$hashed_password = sha1($password); // ?
$query = "select userID
from users
where email = '$email'
and password = '$hashed_password'";
$result = mysqli_query($db, $query);
$valid = (mysqli_num_rows($result) == 1);
return $valid;
}
Secure Comm 18
SHA1 uses only 40 bits, and this algorithm is broken. You will need to use a stronger hash function.
// SHA256
hash($algo, $string) $algo: MD5, SHA256, ...
// example
$hashed_password = hash(SHA256, $password);
2.
Advanced Skills 19
How to use form-based authentication
After the user authentication, you will need to move to a protected page. It is also a good idea to use a session.
[Q] What if the user does not use https?
Secure Comm 20
After the user authentication, you will need to move to a protected page. It is also a good idea to use a session.
[Q] Can you make an algorithm for the controller, index.php? Start session; Include necessary functions (model); Get the action, such as login, to perform; If the user isn’t logged in, then $action = 'login' to force the user to login; Switch(action)
'login':
Validate the username and password;
'show_admin_menu':
…
'logout':
Destroy session;
2.
Advanced Skills 21
How to use basic authentication
PHP script can enforce the browser to ask the user to enter username and password.
[Q] Why do we need this? [Q] How?
The $_SERVER arrayPHP_AUTH_USER Returns the username from the
dialog box or a NULL
PHP_AUTH_PW Returns the password from the dialog box
<?php
// require_once('model/database.php');
// require_once('model/admin_db.php');
$email = $_SERVER('PHP_AUTH_USER')
$password = $_SERVER('PHP_AUTH_PW');
if (!is_valid_user($eamil, $password) {
header('WWW-Authenticate: Basic realm = "Admin"');
header('HTTP/1.0 401 Unauthorized');
exit();
}
?>
Secure Comm 22
Topics
2.
Secure Comm 23
3. How to Work with Encrypted Data
[Q] Can we use SHA for encryption/decryption?
How to encrypt and decrypt data A class for storing encrypted data – We will revisit class later.
How to encrypt and decrypt dataMCRYPT_RIJNDAEL_128 The Rijndael cipher with a 128 bit key size.
MCRYPT_RIJNDAEL_192
MCRYPT_RIJNDAEL_256
There are a lot of cipher algorithms.
MCRYPT_MODE_CBC CBC (Cypher Block Chaining) mode
There are also other modes.
mcrypt_get_iv_size($cipher, $mode) Gets the size of initialization vector (iv) used by the cipher algorithm.
mcrypt_create_iv($ivs) creates the initialization vector for the specified size.
mcrypt_encrypt($cipher, $key, $data, $mode, $iv)
mcrypt_decrypt($cipher, $key, $data, $mode, $iv)
base64_encode($data) to help the data survive going through
transport layers; binary to text encoding
base64_decode($data)
Secure Comm 24
$credit_card_no = '4111 1111 1111 1111';
$cipher = MCRYPT_RIJNDAEL_128;
$mode = MCRYPT_MODE_CBC; // cipher block chaining
$key = sha1('secretPassword', true); // true => raw_output; ???
// how to use SHA256 instead?
$ivs = mcrypt_get_iv_size($cipher, $mode);
$iv = mcrypt_create_iv($ivs);
$data = mcrypt_encrypt($cipher, $key, $credit_card_no, $mode, $iv);
$data = base64_encode($data); // to help the data survive going
// through transport layers
echo 'Encrypted data: ' . $data . '<br>';
// transmit $data through the Internet
$data = base64_decode($data);
$credit_card_no = mcrypt_decrypt($cipher, $key, $data, $mode, $iv);
echo 'Decrypted data: ' . $credit_card_no . '<br>';
Secure Comm 25
3.
Secure Comm 26
A class for storing encrypted data – crypt.php<?php
class Crypt {
private $key, $ivs, $iv, $cipher, $mode;
public function __construct() {
$this->cipher = MCRYPT_RIJNAEL_128;
$this->mode = MCRYPT_MODE_CBC;
$this->ivs = mcrypt_get_iv_size($this->cipher, $this->mode);
$this->iv = mcrypt_create_iv($this-ivs);
$this->key = sha1('secreteKey', true);
}
public function encrypt($data) {
...; // [Q] What do you have to do here?
}
public function decrypt($data) {
...; // [Q] What do you have to do here?
}
}
?>
require 'crypt.php';
$credit_card_no = '4111111111111111';
// [Q] How to create an object of Crypt?
$crypt = new Crypt();
// encrypt the data
$data = $crypt->encrypt($credit_card_no);
$data = $crypt->encode($data);
// decrypt the data
$data = $crypt->decode($data);
$data = $crypt->decrypt($data);
Secure Comm 27
Topics
3.