PHP Secure Communications Web Technologies Computing Science Thompson Rivers University
Secure Comm2 Unit Topics How to create a secure connection 1. How to use a secure connection; how to authenticate a server How to use a secure connection; how to authenticate a server 2. How to use user authentication How to use user authentication 3. How to work with encrypted data How to work with encrypted data
Secure Comm3 1. How to Use a Secure Connection An introduction to secure connections How SSL authentication works How SSL authentication works How to get a digital secure certificate for your web server How to request a secure connection How to enforce the user to use a secure connection
Secure Comm4 An introduction to secure connections [Q] Is it safe to use HTTP to send a credit card number? [Q] What is the solution, then? A secure connection. But a secure connection is much slower than regular HTTP connections. You usually use secure connections only when your application passes sensitive data. [Q] How to use a secure connection then? [Q] How to trust web servers? How to trust users? There are two types of authentication. [Q] What are they? User authentication and server authentication 1.
Advanced Skills5 How SSL authentication works – how to authenticate a server HTTPS
Secure Comm6 With a regular HTTP connection, all data is sent as unencrypted plain text. [Q] What does this mean? Can a hacker read my credit card number? With a secure connection, all data is encrypted with a secrete key before it is transferred between the client and server. Secure connection protocols SSL (Secure Sockets Layer) – older TLS (Transport Layer Security) – newer; successor of SSL The URL for a secure connection starts with HTTPS instead of HTTP.
Secure Comm7 Before a secure connection is established, the server uses SSL server authentication to authenticate itself. It does this by providing a digital secure certificate to the browser. [Q] What information is included in a certificate? Name of the server Name of the issuer Expiration date … [Q] How to trust a certificate? Digitally signed, i.e., encrypted by using the issuer's private key Only the issuer's public key can be used to decrypt the certificate. And the issuer should be trustworthy.
Advanced Skills8 Before a secure connection is established, the server uses SSL server authentication to authenticate itself. It does this by providing a digital secure certificate to the browser. [Q] How to trust a certificate? By default, browsers accept digital secure certificates that come from trusted sources. [Q] ??? However, if the browser does not recognize the certificate as coming from a trusted source, it informs the user and lets the user view the certificate. Then the user decides. 1.
Secure Comm9 How to get a digital secure certificate for your web server [Q] From where? Trustworthy CA (Certificate Authority), and RA (Registration Authority) SSL strength 40-bit, 56-bit 128-bit 256-bit[Q] What does this mean? 1.
Secure Comm10 How to request a secure connection [Q] How? Once you establish a secure connection, you can use relative URLs (i.e., relative paths) to continue using the secure connection. [Q] Is it true? 1.
How to redirect to a secure connection [Q] If you want to make sure that a page is always viewed over a secure connection, what do you have to do? If you want to make sure that a page is always viewed over a secure connection, you can include code at the top of the page that redirects the page to a secure connection. [Q] What does this mean? How? If the user requests the page over a regular connection, the web server redirects the request to the same page but over a secure connection. [Q] How? You need to know whether the user uses http or https. <?php if (!isset($_SERVER['HTTPS'])) { $url = ' $_SERVER['HTTP_HOST']. $_SERVER['REQUEST_URI']; header("Location: ". $url); // Redirect - 302header exit; // should be before any output } // ?> Secure Comm11 Topics 1.
Secure Comm12 2. How to Use User Authentication Three types of user authentication How to store and validate a password How to use form-based authentication How to use basic authentication
Secure Comm13 Three types of user authentication [Q] How to make only authorized users access some pages? You need to begin by determining whether a client is who and what it claims to be. This process is known as User Authentication. [Q] Any good idea? Username and password
Secure Comm14 Three types of user authentication 1. Form-based authentication a login form By default, no encryption 2. Basic authentication – causes the browser to display a dialog box that gets the username and password. By default, no encryption 3. Digest authentication causes the browser to display a dialog box that gets the username and password. Encrypts the username and password before sending them [Q] Which one looks like the best? [Q] No encryption used in 1) and 2) ? 2.
Secure Comm15 How to store and validate a password For most types of authentication, you store the usernames and passwords in a database. [Q] Encrypted passwords, or unencrypted passwords? A hash function accepts a variable-size string and returns a fixed-size string known as the hash value. [Q] Always the same hash value for the same input? [Q] Is a hash function reversible? Password Encrypted password Database
Secure Comm16 // [Q] How to add an and password into a database? // $ is used as username in this example function add_user($ , $password) { global $db; // [Q] global? $hashed_password = sha1($password); // SHA-1 hash ft $query = "insert into users ( , password) values ('$ ', '$hashed_password')"; mysqli_query($db, $query); } // [Q] How to validate ?
Secure Comm17 // [Q] How to validate ? // $ is used as username in this example function is_valid_user($ , $password) { global $db; $hashed_password = sha1($password); // ? $query = "select userID from users where = '$ ' and password = '$hashed_password'"; $result = mysqli_query($db, $query); $valid = (mysqli_num_rows($result) == 1); return $valid; }
Secure Comm18 SHA1 uses only 40 bits, and this algorithm is broken. You will need to use a stronger hash function. // SHA256 hash($algo, $string)$algo: MD5, SHA256,... // example $hashed_password = hash(SHA256, $password); 2.
Advanced Skills19 How to use form-based authentication After the user authentication, you will need to move to a protected page. It is also a good idea to use a session. [Q] What if the user does not use https?
Secure Comm20 After the user authentication, you will need to move to a protected page. It is also a good idea to use a session. [Q] Can you make an algorithm for the controller, index.php? Start session; Include necessary functions (model); Get the action, such as login, to perform; If the user isn’t logged in, then $action = 'login' to force the user to login; Switch(action) 'login': Validate the username and password; 'show_admin_menu': … 'logout': Destroy session; 2.
Advanced Skills21 How to use basic authentication PHP script can enforce the browser to ask the user to enter username and password. [Q] Why do we need this? [Q] How?
The $_SERVER array PHP_AUTH_USERReturns the username from the dialog box or a NULL PHP_AUTH_PWReturns the password from the dialog box <?php // require_once('model/database.php'); // require_once('model/admin_db.php'); $ = $_SERVER('PHP_AUTH_USER') $password = $_SERVER('PHP_AUTH_PW'); if (!is_valid_user($eamil, $password) { header('WWW-Authenticate: Basic realm = "Admin"'); header('HTTP/ Unauthorized'); exit(); } ?> Secure Comm22 Topics 2.
Secure Comm23 3. How to Work with Encrypted Data [Q] Can we use SHA for encryption/decryption? How to encrypt and decrypt data A class for storing encrypted data – We will revisit class later. A class for storing encrypted data
How to encrypt and decrypt data MCRYPT_RIJNDAEL_128The Rijndael cipher with a 128 bit key size. MCRYPT_RIJNDAEL_192 MCRYPT_RIJNDAEL_256 There are a lot of cipher algorithms. MCRYPT_MODE_CBCCBC (Cypher Block Chaining) mode There are also other modes. mcrypt_get_iv_size($cipher, $mode)Gets the size of initialization vector (iv) used by the cipher algorithm. mcrypt_create_iv($ivs)creates the initialization vector for the specified size. mcrypt_encrypt($cipher, $key, $data, $mode, $iv) mcrypt_decrypt($cipher, $key, $data, $mode, $iv) base64_encode($data)to help the data survive going through transport layers; binary to text encoding base64_decode($data) Secure Comm24
$credit_card_no = ' '; $cipher = MCRYPT_RIJNDAEL_128; $mode = MCRYPT_MODE_CBC; // cipher block chaining $key = sha1('secretPassword', true); // true => raw_output; ??? // how to use SHA256 instead? $ivs = mcrypt_get_iv_size($cipher, $mode); $iv = mcrypt_create_iv($ivs); $data = mcrypt_encrypt($cipher, $key, $credit_card_no, $mode, $iv); $data = base64_encode($data); // to help the data survive going // through transport layers echo 'Encrypted data: '. $data. ' '; // transmit $data through the Internet $data = base64_decode($data); $credit_card_no = mcrypt_decrypt($cipher, $key, $data, $mode, $iv); echo 'Decrypted data: '. $credit_card_no. ' '; Secure Comm25 3.
Secure Comm26 A class for storing encrypted data – crypt.php <?php class Crypt { private $key, $ivs, $iv, $cipher, $mode; public function __construct() { $this->cipher = MCRYPT_RIJNAEL_128; $this->mode = MCRYPT_MODE_CBC; $this->ivs = mcrypt_get_iv_size($this->cipher, $this->mode); $this->iv = mcrypt_create_iv($this-ivs); $this->key = sha1('secreteKey', true); } public function encrypt($data) {...; // [Q] What do you have to do here? } public function decrypt($data) {...; // [Q] What do you have to do here? } ?>
require 'crypt.php'; $credit_card_no = ' '; // [Q] How to create an object of Crypt? $crypt = new Crypt(); // encrypt the data $data = $crypt->encrypt($credit_card_no); $data = $crypt->encode($data); // decrypt the data $data = $crypt->decode($data); $data = $crypt->decrypt($data); Secure Comm27 Topics 3.