Presentation is loading. Please wait.

Presentation is loading. Please wait.

PHP Secure Communications

Published byEva Møller Modified over 4 years ago

Similar presentations

Presentation on theme: "PHP Secure Communications"— Presentation transcript:

1 PHP Secure Communications
Web Technologies Group Computing Science Thompson Rivers University

2 Unit Topics How to create a secure connection
How to use a secure connection; how to authenticate a server How to use user authentication How to work with encrypted data Secure Comm

3 1. How to Use a Secure Connection
An introduction to secure connections How SSL authentication works How to get a digital secure certificate for your web server How to request a secure connection How to enforce the user to use a secure connection Secure Comm

4 An introduction to secure connections
1. An introduction to secure connections [Q] Is it safe to use HTTP to send a credit card number? [Q] What is the solution, then? A secure connection. But a secure connection is much slower than regular HTTP connections. You may use secure connections only when your application passes sensitive data. [Q] How to use a secure connection then? [Q] How to trust web servers? How to trust users? There are two types of authentication. [Q] What are they? User authentication and server authentication Secure Comm

5 How SSL authentication works – how to authenticate a server
For Chrome, Developer tools -> Security tab Try HTTPS Advanced Skills

6 Secure connection protocols
With a regular HTTP connection, all data is sent as unencrypted plain text. [Q] What does this mean? Can a hacker read my credit card number? With a secure connection, all data is encrypted with a secrete key before it is transferred between the client and server. Secure connection protocols SSL (Secure Sockets Layer) – older TLS (Transport Layer Security) – newer; successor of SSL The URL for a secure connection starts with HTTPS instead of HTTP. Secure Comm

7 [Q] What information is included in a certificate?
Before a secure connection is established, the server uses SSL server authentication to authenticate itself. It does this by providing a digital secure certificate to the browser. [Q] What information is included in a certificate? Name of the server Name of the issuer Expiration date [Q] How to trust a certificate? Digitally signed, i.e., encrypted by using the issuer's private key, so that nobody can change. Only the issuer's public key can be used to decrypt the certificate. And the issuer should be trustworthy. Secure Comm

8 1. Before a secure connection is established, the server uses SSL server authentication to authenticate itself. It does this by providing a digital secure certificate to the browser. [Q] How to trust a certificate? By default, browsers accept digital secure certificates that come from trusted sources. [Q] ??? However, if the browser does not recognize the certificate as coming from a trusted source, it informs the user and lets the user view the certificate. Then the user decides. Can you try with eBay? Advanced Skills

9 How to get a digital secure certificate for your web server
1. How to get a digital secure certificate for your web server [Q] From where? Trustworthy CA (Certificate Authority), and RA (Registration Authority) SSL strength 40-bit, 56-bit 128-bit 256-bit [Q] What does this mean? Secure Comm

10 How to request a secure connection [Q] How?
1. How to request a secure connection [Q] How? Once you establish a secure connection, you can use relative URLs (i.e., relative paths) to continue using the secure connection. [Q] Is it true? Secure Comm

11 How to redirect to a secure connection
1. Topics How to redirect to a secure connection [Q] If you want to make sure that a page is always viewed over a secure connection, what do you have to do? If you want to make sure that a page is always viewed over a secure connection, you can include code at the top of the page that redirects the page to a secure connection. [Q] What does this mean? How? If the user requests the page over a regular connection, the web server redirects the request to the same page but over a secure connection. [Q] How? You need to know whether the user uses http or https. <?php if (!isset($_SERVER['HTTPS'])) { $url = ' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']; // start with /... header("Location: " . $url); // Redirect - 302 exit; // should be before any output } // ?> Secure Comm

12 2. How to Use User Authentication
Three types of user authentication How to store and validate a password How to use form-based authentication How to use basic authentication Secure Comm

13 Three types of user authentication
[Q] How to make only authorized users access some pages? You need to begin by determining whether a client is who and what it claims to be. This process is known as User Authentication. [Q] Any good idea? Username and password Secure Comm

14 Three types of user authentication
2. Three types of user authentication Form-based authentication a login form By default, no encryption Basic authentication – causes the browser to display a dialog box that gets the username and password. Digest authentication Encrypts the username and password before sending them [Q] Which one looks like the best? [Q] No encryption used in 1) and 2) ? Isn’t it a problem? Secure Comm

15 How to store and validate a password
For most types of authentication, you store the usernames and passwords in a database. [Q] Encrypted passwords, or unencrypted passwords? A hash function accepts a variable-size string and returns a fixed-size string known as the hash value. [Q] Always the same hash value for the same input? [Q] Is a hash function reversible? Password Encrypted password Database Secure Comm

16 // [Q] How to add a username and password into a database?
function add_user($username, $password) { global $db; // [Q] global? $hashed_password = sha1($password); // SHA-1 hash ft $query = "insert into Users (Username, Password) values ('$username', '$hashed_password')"; mysqli_query($db, $query); } // [Q] How to validate ? Secure Comm

17 function is_valid_user($username, $password) { global $db;
// [Q] How to validate ? function is_valid_user($username, $password) { global $db; $hashed_password = sha1($password); // ? $query = "select * from Users where Username = '$username' and Password = '$hashed_password'"; $result = mysqli_query($db, $query); $valid = (mysqli_num_rows($result) == 1); return $valid; } Secure Comm

18 2. SHA1 uses only 40 bits, and this algorithm is broken. You will need to use a stronger hash function. // SHA256 hash($algorithm, $string_to_hash) // MD5, SHA256, ... // example $hashed_password = hash(SHA256, $password); // Not 'SHA…' Secure Comm

19 How to use form-based authentication
After the user authentication, you will need to move to a protected page. It is also a good idea to use a session. [Q] What if the user does not use https? Advanced Skills

20 [Q] Can you make an algorithm for the controller, index.php?
2. After the user authentication, you will need to move to a protected page. It is also a good idea to use a session. [Q] Can you make an algorithm for the controller, index.php? Start session; Include necessary functions (model); Get the action, such as SignIn, to perform; If the user isn’t signed in, then $action = ‘SignIn' to force the user to sign in; Switch(action) ‘SignIn': Validate the username and password; Create session; …: ‘SignOut': Destroy session; Secure Comm

21 How to use basic authentication
PHP script can enforce the browser to ask the user to enter username and password. [Q] Why do we need this? [Q] How? Advanced Skills

22 The $_SERVER array 2. Topics
PHP_AUTH_USER Returns the username from the dialog box or a NULL PHP_AUTH_PW Returns the password from the dialog box <?php // require_once('model/database.php'); // require_once('model/admin_db.php'); $username = $_SERVER['PHP_AUTH_USER'] $password = $_SERVER['PHP_AUTH_PW']; if (!isset($username) || !is_valid_user($username, $password)) { header('WWW-Authenticate: Basic realm = "My Realm"'); header('HTTP/ Unauthorized'); exit(); } ?> Secure Comm

23 3. How to Work with Encrypted Data
[Q] Can we use SHA for encryption/decryption? How to encrypt and decrypt data A class for storing encrypted data – We will revisit class later. Secure Comm

24 Do you need to store encrypted data in a db?
How to encrypt and decrypt data MCRYPT_RIJNDAEL_128 The Rijndael cipher with a 128 bit key size. MCRYPT_RIJNDAEL_192 MCRYPT_RIJNDAEL_256 There are a lot of cipher algorithms. MCRYPT_MODE_CBC CBC (Cypher Block Chaining) mode There are also other modes. mcrypt_get_iv_size($cipher, $mode) Gets the size of initialization vector (iv) used by the cipher algorithm. mcrypt_create_iv($ivs) creates the initialization vector for the specified size. mcrypt_encrypt($cipher, $key, $data, $mode, $iv) mcrypt_decrypt($cipher, $key, $data, $mode, $iv) base64_encode($data) to help the data survive going through transport layers; binary to text encoding base64_decode($data) Secure Comm

25 3. // Both sides $cipher = MCRYPT_RIJNDAEL_128;
$mode = MCRYPT_MODE_CBC; // cipher block chaining $key = sha1('secretPassword', true); // true => raw_output; ??? // how to use SHA256 instead? // Sender $credit_card_no = ' '; $ivs = mcrypt_get_iv_size($cipher, $mode); $iv = mcrypt_create_iv($ivs); $data = mcrypt_encrypt($cipher, $key, $credit_card_no, $mode, $iv); $data = base64_encode($data); // to help the data survive going // through transport layers echo 'Encrypted data: ' . $data . '<br>'; // transmit $data through the Internet // Receiver $data = base64_decode($data); $credit_card_no = mcrypt_decrypt($cipher, $key, $data, $mode, $iv); echo 'Decrypted data: ' . $credit_card_no . '<br>'; Secure Comm

26 A class for storing encrypted data – crypt.php
class Crypt { private $key, $ivs, $iv, $cipher, $mode; public function __construct() { $this->cipher = MCRYPT_RIJNAEL_128; $this->mode = MCRYPT_MODE_CBC; $this->ivs = mcrypt_get_iv_size($this->cipher, $this->mode); $this->iv = mcrypt_create_iv($this-ivs); $this->key = sha1('secreteKey', true); } public function encrypt($data) { ...; // [Q] What do you have to do here? public function decrypt($data) { ?> Secure Comm

27 3. Topics Secure Comm require 'crypt.php';
$credit_card_no = ' '; // [Q] How to create an object of Crypt? $crypt = new Crypt(); // encrypt the data $data = $crypt->encrypt($credit_card_no); $data = $crypt->encode($data); // decrypt the data $data = $crypt->decode($data); $data = $crypt->decrypt($data); Secure Comm

Download ppt "PHP Secure Communications"

Similar presentations

Internet and Intranet Protocols and Applications Lecture 9a: Secure Sockets Layer (SSL) March, 2004 Arthur Goldberg Computer Science Department New York.

Internet and Intranet Protocols and Applications Lecture 9a: Secure Sockets Layer (SSL) March, 2004 Arthur Goldberg Computer Science Department New York.
SECURE SITES. A SECURE CONNECTION TERMS Secure Sockets Layer (SSL) An older Internet protocol that allows for data transmission between server and client.

SECURE SITES. A SECURE CONNECTION TERMS Secure Sockets Layer (SSL) An older Internet protocol that allows for data transmission between server and client.
SSL CS772 Fall 2011. Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.

SSL CS772 Fall Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.
By: Mr Hashem Alaidaros MIS 326 Lecture 6 Title: E-Business Security.

By: Mr Hashem Alaidaros MIS 326 Lecture 6 Title: E-Business Security.
Http Web Authentication Web authentication is used to verify a users identity before allowing access to certain web pages On web browsers you get a login.

Http Web Authentication Web authentication is used to verify a users identity before allowing access to certain web pages On web browsers you get a login.
>> PHP: Access Control & Security. Authentication: Source Authentication Source Hard-coded File-Based The username and password is available inside the.

>> PHP: Access Control & Security. Authentication: Source Authentication Source Hard-coded File-Based The username and password is available inside the.
Mar 19, 2002Mårten Trolin1 This lecture On the assignment Certificates and key management SSL/TLS –Introduction –Phases –Commands.

Mar 19, 2002Mårten Trolin1 This lecture On the assignment Certificates and key management SSL/TLS –Introduction –Phases –Commands.
Mar 12, 2002Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities SSL/TLS.

Mar 12, 2002Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities SSL/TLS.
Apr 22, 2003Mårten Trolin1 Agenda Course high-lights – Symmetric and asymmetric cryptography – Digital signatures and MACs – Certificates – Protocols Interactive.

Apr 22, 2003Mårten Trolin1 Agenda Course high-lights – Symmetric and asymmetric cryptography – Digital signatures and MACs – Certificates – Protocols Interactive.
Encryption An Overview. Fundamental problems Internet traffic goes through many networks and routers Many of those networks are broadcast media Sniffing.

Encryption An Overview. Fundamental problems Internet traffic goes through many networks and routers Many of those networks are broadcast media Sniffing.
EECC694 - Shaaban #1 lec #16 Spring2000 5-4-2000 Properties of Secure Network Communication Secrecy: Only the sender and intended receiver should be able.

EECC694 - Shaaban #1 lec #16 Spring Properties of Secure Network Communication Secrecy: Only the sender and intended receiver should be able.
CSCI 6962: Server-side Design and Programming

CSCI 6962: Server-side Design and Programming
CRYPTOGRAPHY PROGRAMMING ON ANDROID Jinsheng Xu Associate Professor North Carolina A&T State University.

CRYPTOGRAPHY PROGRAMMING ON ANDROID Jinsheng Xu Associate Professor North Carolina A&T State University.
Lecture 12 Electronic Business (MGT-485). Recap – Lecture 11 E-Commerce Security Environment Security Threats in E-commerce Technology Solutions.

Lecture 12 Electronic Business (MGT-485). Recap – Lecture 11 E-Commerce Security Environment Security Threats in E-commerce Technology Solutions.
Session 11: Security with ASP.NET

Session 11: Security with ASP.NET
Open Source Server Side Scripting ECA 236 Open Source Server Side Scripting Cookies & Sessions.

Open Source Server Side Scripting ECA 236 Open Source Server Side Scripting Cookies & Sessions.
Website Security ISYS 475. Authentication Authentication is the process that determines the identity of a user.

Website Security ISYS 475. Authentication Authentication is the process that determines the identity of a user.
Class 8Intro to Databases Authentication and Security Note: What we discuss in class today covers moderate to low security. Before you involve yourself.

Class 8Intro to Databases Authentication and Security Note: What we discuss in class today covers moderate to low security. Before you involve yourself.
SSL and https for Secure Web Communication CSCI 5857: Encoding and Encryption.

SSL and https for Secure Web Communication CSCI 5857: Encoding and Encryption.
© FPT SOFTWARE – TRAINING MATERIAL – Internal use 04e-BM/NS/HDCV/FSOFT v2/3 Securing a Microsoft ASP.NET Web Application.

© FPT SOFTWARE – TRAINING MATERIAL – Internal use 04e-BM/NS/HDCV/FSOFT v2/3 Securing a Microsoft ASP.NET Web Application.

Similar presentations

Ads by Google