On Sun, Jun 5, 2016 at 2:46 PM, Scott Arciszewski <sc...@paragonie.com> wrote: > > On Sun, Jun 5, 2016 at 2:20 AM, Pierre Joye <pierre....@gmail.com> wrote: >> >> >> On Jun 5, 2016 5:15 AM, "Stanislav Malyshev" <smalys...@gmail.com> wrote: >> > >> >> > The stated goal is "You shouldn't need a Ph.D in Applied Cryptography to >> > build a secure web application." I fully agree with this goal. I however >> > feel that current implementation, while making admirable progress >> > towards this goal, still needs some work to actually achieve it. >> >> I fully agree with you. As much as I think we need something like that, I >> think these are stopping points. >> >> I would very interested to hear from Scott about these questions and the >> low level nature of the APIs make it not as friendly or future proof as it >> could. >> >> Cheers >> Pierre > > > Hi Pierre, > > My position on the low level nature of libsodium's APIs is as follows: That > sounds like a call to action for https://wiki.php.net/rfc/php71-crypto > rather than a point of concern for adopting libsodium. > > Compare the following two snippets which accomplish the same "goal" > (anonymous public-key encryption). > > <?php > /** > * OpenSSL -- since the Diffie Hellman features in ext/openssl kind > * of suck, I'm going to use RSA to encrypt the AES key using the > * recipient's public key. > */ > > ## ENCRYPTION ## > > $message = 'Prime Numbers Rock!'; > $publicKey = openssl_pkey_get_public('file://path/to/public_key.pem'); > > $aesKey = random_bytes(32); > // Basically a poor-man's HKDF by just using HMAC > $keyE = hash_hmac('sha256', 'Encryption Key', $aesKey, true); > $keyA = hash_hmac('sha256', 'Authentication Key', $aesKey, true); > > $iv = random_bytes(16); > $ciphertext = openssl_encrypt($message, 'aes-256-ctr', $keyE, > OPENSSL_RAW_DATA, $iv); > $mac = hash_hmac('sha256', $iv . $ciphertext, $keyA, true); > > $combined = $mac . $iv . $ciphertext; > $rsaCipher = ''; > openssl_public_encrypt($aesKey, $rsaCipher, $publicKey, > OPENSSL_PKCS1_OAEP_PADDING); > $sendMe = $rsaCipher . $combined; > > ## DECRYPTION ## > > $privateKey = openssl_pkey_get_public('file://path/to/private_key.pem'); > $rsaPart = mb_substr($sendMe, 0, 256, '8bit'); // Assuming 2048-bit RSA > $aesPart = mb_substr($sendMe, 256, null, '8bit'); > $mac = mb_substr($aesPart, 0, 32, '8bit'); > $iv = mb_substr($aesPart, 32, 16, '8bit'); > $cipher = mb_substr($aesPart, 48, null, '8bit'); > > openssl_private_decrypt($rsaPart, $aesKey, $privateKey, > OPENSSL_PKCS1_OAEP_PADDING); > $keyE = hash_hmac('sha256', 'Encryption Key', $aesKey, true); > $keyA = hash_hmac('sha256', 'Authentication Key', $aesKey, true); > > $calc = hash_hmac('sha256', $iv . $cipher, $keyA, true); > if (!hash_equals($calc, $mac)) { > throw new Exception('MAC validation failure'); > } > > $decrypted = openssl_decrypt($cipher, 'aes-256-ctr', $keyE, > OPENSSL_RAW_DATA, $iv); > var_dump($decrypted); // string(19) "Prime Numbers Rock!" > > Can you count the foot-bullets in that snippet that you'd need to be a > cryptography engineer to successfully avoid? > > Demo: https://3v4l.org/nYVPf > > Here's a congruent implementation in libsodium: > > <?php > /** > * Libsodium > */ > > ## ENCRYPTION ## > > $message = 'Prime Numbers Rock!'; > $bob_public_key = "... populate here ..."; > > $nonce = random_bytes(24); > $sendMe = \Sodium\crypto_box_seal($message, $bob_public_key); > > ## DECRYPTION ## > > $bob_kp = "... populate here ..."; > $decrypted = \Sodium\crypto_box_seal_open($sendMe, $bob_kp); > var_dump($decrypted); // string(19) "Prime Numbers Rock!" > > (No demo available, as 3v4l doesn't have ext/sodium installed.) > > Libsodium already knocks it out of the park compared to OpenSSL and Mcrypt. > If we want to talk about a higher-level abstraction-- such as what's > provided by paragonie/EasyRSA + defuse/php-encryption or paragonie/halite-- > I wholeheartedly endorse that discussion. But I don't think we should try to > solve that problem with this particular RFC. > > In closing, I don't disagree that a simple crypto API is a good goal to > have. I just think the ideal you're discussing is: > > A. Out of scope, and > B. Kind of belittling to how much of an improvement libsodium is to what we > already have. > > Further reading: http://framework.zend.com/security/advisory/ZF2015-10
Also the questions about the naming, namespaces and other conventions remain unanswered. That would be a good step forward. And indeed this API, while still not ideal, is by far better than openssl for what matters. Cheers, -- Pierre @pierrejoye | http://www.libgd.org -- PHP Internals - PHP Runtime Development Mailing List To unsubscribe, visit: http://www.php.net/unsub.php
