On Tue, Aug 4, 2015 at 8:57 AM, Jakub Zelenka <bu...@php.net> wrote:
> Hi,
>
> On Mon, Aug 3, 2015 at 9:54 PM, Scott Arciszewski <sc...@paragonie.com>
> wrote:
>>
>> Hi,
>>
>> I would like to make it easier for PHP developers to implement
>> cryptography features in their applications. I intend to work on some
>> of these ideas and submit them for inclusion in PHP 7.1.
>>
>> Some of these might be familiar to some of you.
>>
>> 1. Pluggable Cryptography Frontend
>>
>> Work is currently underway for a PHP prototype for this idea
>> originally suggested by ircmaxell, that will basically be like PDO for
>> cryptography. Our current project name, subject to change, is PHP
>> Crypto Objects (PCO).
>>
>> The idea is that you could write code like this to add secure
>> authenticated encryption to your application without having to worry
>> about the details.
>>
>>     $AES = new \PCO\Symmetric('openssl:cipher=AES-128');
>>     $ciphertext = $AES->encrypt($plaintext, $someKey);
>>
>>     $PKC = new \PCO\Asymmetric('libsodium');
>>     $offlineDecryptable = $PKC->seal($plaintext, $someX25519PublicKey);
>>
>> When it's finished, I'd like to turn it into a PECL extension so users
>> can play with it in PHP 7.0 and submit it for inclusion in 7.1.
>>
>> 2. Cache-timing-safe character encoding functions
>>
>> Alternatives for existing functions that should function like their
>> unsafe counterparts, but without branches or data-based index lookups.
>>
>> * hex2bin() -> hex2bin_ts()
>> * bin2hex() -> bin2hex_ts()
>> * base64_encode() -> base64_encode_ts()
>> * base64_decode() -> base64_decode_ts()
>>
>> Other formats are out of scope, unless someone can make the case that
>> we need to support RFC 4648 base32 encoding (e.g. for Tor Hidden
>> Service integration).
>>
>> 3. Other ideas (not yet committed to at all, but might be of interest
>> to others):
>>
>> * Improving the OpenSSL API, or at least the documentation
>> * Adding streaming encryption/decryption support to OpenSSL
>> * Adding AE and AEAD interfaces to OpenSSL
>> * Aliasing MCRYPT_AES -> MCRYPT_RIJNDAEL_128, adding MCRYPT_MODE_CTR
>>
>> What I need from you is guidance on what features or changes you want
>> to see in 7.1 and which can be put off until later (or never proposed
>> as an RFC at all).
>>
>> Seriously, all I need is your opinion and whether or not you'd like to
>> see any of these happen. If you have specific implementation details
>> you'd like to discuss or requests, of course those are welcome too. :D
>>
>
> I have actually been working on something similar for some time. It's
> already on PECL and it's called php-crypto:
>
> https://github.com/bukka/php-crypto
>
> I have been making lots of changes and fixes, including support for PHP 7 (it
> also supports PHP 5 using the https://github.com/bukka/phpc wrapper) and PHP
> streams. The internal part has been almost completely rewritten since
> version 0.1.0 and I plan to release 0.2.0 soon, so I will send an update
> then.
>
> I'm currently working on fixing some issues, improving tests and mainly
> documentation, which is still very incomplete (just hash is partially
> documented in the main readme), so probably the best doc at the moment is
> the generated API doc:
>
> https://github.com/bukka/php-crypto/blob/master/docs/Crypto.php
>
> There are also some examples in
> https://github.com/bukka/php-crypto/blob/master/examples and even more
> examples in the tests, of which there are about 70:
> https://github.com/bukka/php-crypto/blob/master/tests
>
> In case you are interested in what I plan to do in the near future, it's all
> in my TODO list: https://github.com/bukka/php-crypto/blob/master/TODO.md
>
> In the long term I would like to add support for asymmetric encryption. I
> actually wrote an extension called php-rsa (
> https://github.com/bukka/php-rsa ) just to play with OpenSSL rsa.h (there is
> no doc but you can look at the tests if you are interested). However, the way
> it should be done in crypto is more about using PKEY, which is much more
> flexible, but it will be supported only for OpenSSL 1.0.0+.
>
> The providers (pluggable API) are a nice thing but it will require quite a
> bit of thinking to get it right from the internal PoV (address all needs of
> particular libs - especially OpenSSL) and it's quite a bit of work as well
> :) But it would definitely be nice to have and I have been thinking about it
> for some time. But the priority is creating a good wrapper for OpenSSL
> first and then splitting it into more layers.
>
> Cheers
>
> Jakub

This does not appear to authenticate ciphertexts, nor does it serve as
a gateway to Libsodium / OpenSSL.

We are, in fact, working on different projects with different goals.

> In the long term I would like to add support for asymmetric encryption. I
> actually wrote an extension called php-rsa (
> https://github.com/bukka/php-rsa ) just to play with OpenSSL rsa.h (there is
> no doc but you can look at the tests if you are interested). However, the way
> it should be done in crypto is more about using PKEY, which is much more
> flexible, but it will be supported only for OpenSSL 1.0.0+.

Strictly personally speaking, I'm far more interested in EdDSA and
ECDH than I am in RSA.

Scott Arciszewski
Chief Development Officer
Paragon Initiative Enterprises <https://paragonie.com>

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
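
Item 2 of the quoted proposal asks for encoders "without branches or data-based index lookups". As an added example (not code from this thread or from PHP), here is what that means for hex in C; the `ct_*` names are hypothetical, and the mask arithmetic is the same approach libsodium uses for its hex codec.

```c
#include <stddef.h>
#include <stdint.h>

/* Map a nibble (0..15) to '0'-'9' / 'a'-'f' using arithmetic only. */
static char ct_nibble_to_hex(unsigned n)
{
    /* n < 10: (n - 10) wraps, the mask adds 217, and 87 + 217 + n = 48 + n mod 256.
       n >= 10: the mask is 0, leaving 87 + n = 'a' + (n - 10). */
    return (char)(unsigned char)(87U + n + (((n - 10U) >> 8) & ~38U));
}

/* Map one hex character to its value; clears *ok if it is not a hex digit. */
static unsigned ct_hex_to_nibble(unsigned c, unsigned *ok)
{
    unsigned num = c ^ 48U;                        /* '0'..'9' -> 0..9 */
    unsigned is_num = ((num - 10U) >> 8) & 0xFFU;  /* 0xFF when num < 10 */
    unsigned alpha = (c & ~32U) - 55U;             /* 'A'..'F','a'..'f' -> 10..15 */
    unsigned is_alpha = (((alpha - 10U) ^ (alpha - 16U)) >> 8) & 0xFFU;
    *ok &= is_num | is_alpha;                      /* no early exit on bad input */
    return (is_num & num) | (is_alpha & alpha);
}

/* Encode len bytes; out must hold 2 * len + 1 bytes. */
void ct_bin2hex(char *out, const uint8_t *in, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        out[2 * i]     = ct_nibble_to_hex(in[i] >> 4);
        out[2 * i + 1] = ct_nibble_to_hex(in[i] & 0x0FU);
    }
    out[2 * len] = '\0';
}

/* Decode hex_len characters; out must hold hex_len / 2 bytes.
   Returns 0 on success, -1 on odd length or any non-hex character. */
int ct_hex2bin(uint8_t *out, const char *hex, size_t hex_len)
{
    unsigned ok = 0xFFU;
    if (hex_len % 2 != 0)  /* the length is not secret, so this branch is fine */
        return -1;
    for (size_t i = 0; i < hex_len; i += 2) {
        unsigned hi = ct_hex_to_nibble((unsigned char)hex[i], &ok);
        unsigned lo = ct_hex_to_nibble((unsigned char)hex[i + 1], &ok);
        out[i / 2] = (uint8_t)((hi << 4) | lo);
    }
    return ok == 0xFFU ? 0 : -1;  /* validity is checked once, after the loop */
}
```

Whether the compiled code stays free of secret-dependent branches depends on the compiler and target, so the generated assembly should be inspected for release builds.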
