Presentation is loading. Please wait.

Presentation is loading. Please wait.

PHP Secure Communications Web Technologies Computing Science Thompson Rivers University.

Published bySara Gordon Modified over 8 years ago

Similar presentations

Presentation on theme: "PHP Secure Communications Web Technologies Computing Science Thompson Rivers University."— Presentation transcript:

1 PHP Secure Communications Web Technologies Computing Science Thompson Rivers University

2 Secure Comm2 Unit Topics How to create a secure connection 1. How to use a secure connection; how to authenticate a server How to use a secure connection; how to authenticate a server 2. How to use user authentication How to use user authentication 3. How to work with encrypted data How to work with encrypted data

3 Secure Comm3 1. How to Use a Secure Connection An introduction to secure connections How SSL authentication works How SSL authentication works How to get a digital secure certificate for your web server How to request a secure connection How to enforce the user to use a secure connection

4 Secure Comm4 An introduction to secure connections [Q] Is it safe to use HTTP to send a credit card number? [Q] What is the solution, then? A secure connection. But a secure connection is much slower than regular HTTP connections. You usually use secure connections only when your application passes sensitive data. [Q] How to use a secure connection then? [Q] How to trust web servers? How to trust users? There are two types of authentication. [Q] What are they? User authentication and server authentication 1.

5 Advanced Skills5 How SSL authentication works – how to authenticate a server HTTPS

6 Secure Comm6 With a regular HTTP connection, all data is sent as unencrypted plain text. [Q] What does this mean? Can a hacker read my credit card number? With a secure connection, all data is encrypted with a secrete key before it is transferred between the client and server. Secure connection protocols SSL (Secure Sockets Layer) – older TLS (Transport Layer Security) – newer; successor of SSL The URL for a secure connection starts with HTTPS instead of HTTP.

7 Secure Comm7 Before a secure connection is established, the server uses SSL server authentication to authenticate itself. It does this by providing a digital secure certificate to the browser. [Q] What information is included in a certificate? Name of the server Name of the issuer Expiration date … [Q] How to trust a certificate? Digitally signed, i.e., encrypted by using the issuer's private key Only the issuer's public key can be used to decrypt the certificate. And the issuer should be trustworthy.

8 Advanced Skills8 Before a secure connection is established, the server uses SSL server authentication to authenticate itself. It does this by providing a digital secure certificate to the browser. [Q] How to trust a certificate? By default, browsers accept digital secure certificates that come from trusted sources. [Q] ??? However, if the browser does not recognize the certificate as coming from a trusted source, it informs the user and lets the user view the certificate. Then the user decides. 1.

9 Secure Comm9 How to get a digital secure certificate for your web server [Q] From where? Trustworthy CA (Certificate Authority), and RA (Registration Authority) www.verisign.com www.thawte.com www.geotrust.com www.instantssl.com www.entrust.com SSL strength 40-bit, 56-bit 128-bit 256-bit[Q] What does this mean? 1.

10 Secure Comm10 How to request a secure connection [Q] How? Once you establish a secure connection, you can use relative URLs (i.e., relative paths) to continue using the secure connection. [Q] Is it true? 1.

11 How to redirect to a secure connection [Q] If you want to make sure that a page is always viewed over a secure connection, what do you have to do? If you want to make sure that a page is always viewed over a secure connection, you can include code at the top of the page that redirects the page to a secure connection. [Q] What does this mean? How? If the user requests the page over a regular connection, the web server redirects the request to the same page but over a secure connection. [Q] How? You need to know whether the user uses http or https. <?php if (!isset($_SERVER['HTTPS'])) { $url = 'https://'. $_SERVER['HTTP_HOST']. $_SERVER['REQUEST_URI']; header("Location: ". $url); // Redirect - 302header exit; // should be before any output } // ?> Secure Comm11 Topics 1.

12 Secure Comm12 2. How to Use User Authentication Three types of user authentication How to store and validate a password How to use form-based authentication How to use basic authentication

13 Secure Comm13 Three types of user authentication [Q] How to make only authorized users access some pages? You need to begin by determining whether a client is who and what it claims to be. This process is known as User Authentication. [Q] Any good idea? Username and password

14 Secure Comm14 Three types of user authentication 1. Form-based authentication a login form By default, no encryption 2. Basic authentication – causes the browser to display a dialog box that gets the username and password. By default, no encryption 3. Digest authentication causes the browser to display a dialog box that gets the username and password. Encrypts the username and password before sending them [Q] Which one looks like the best? [Q] No encryption used in 1) and 2) ? 2.

15 Secure Comm15 How to store and validate a password For most types of authentication, you store the usernames and passwords in a database. [Q] Encrypted passwords, or unencrypted passwords? A hash function accepts a variable-size string and returns a fixed-size string known as the hash value. [Q] Always the same hash value for the same input? [Q] Is a hash function reversible? Password Encrypted password Database

16 Secure Comm16 // [Q] How to add an email and password into a database? // $email is used as username in this example function add_user($email, $password) { global $db; // [Q] global? $hashed_password = sha1($password); // SHA-1 hash ft $query = "insert into users (email, password) values ('$email', '$hashed_password')"; mysqli_query($db, $query); } // [Q] How to validate ?

17 Secure Comm17 // [Q] How to validate ? // $email is used as username in this example function is_valid_user($email, $password) { global $db; $hashed_password = sha1($password); // ? $query = "select userID from users where email = '$email' and password = '$hashed_password'"; $result = mysqli_query($db, $query); $valid = (mysqli_num_rows($result) == 1); return $valid; }

18 Secure Comm18 SHA1 uses only 40 bits, and this algorithm is broken. You will need to use a stronger hash function. // SHA256 hash($algo, $string)$algo: MD5, SHA256,... // example $hashed_password = hash(SHA256, $password); 2.

19 Advanced Skills19 How to use form-based authentication After the user authentication, you will need to move to a protected page. It is also a good idea to use a session. [Q] What if the user does not use https?

20 Secure Comm20 After the user authentication, you will need to move to a protected page. It is also a good idea to use a session. [Q] Can you make an algorithm for the controller, index.php? Start session; Include necessary functions (model); Get the action, such as login, to perform; If the user isn’t logged in, then $action = 'login' to force the user to login; Switch(action) 'login': Validate the username and password; 'show_admin_menu': … 'logout': Destroy session; 2.

21 Advanced Skills21 How to use basic authentication PHP script can enforce the browser to ask the user to enter username and password. [Q] Why do we need this? [Q] How?

22 The $_SERVER array PHP_AUTH_USERReturns the username from the dialog box or a NULL PHP_AUTH_PWReturns the password from the dialog box <?php // require_once('model/database.php'); // require_once('model/admin_db.php'); $email = $_SERVER('PHP_AUTH_USER') $password = $_SERVER('PHP_AUTH_PW'); if (!is_valid_user($eamil, $password) { header('WWW-Authenticate: Basic realm = "Admin"'); header('HTTP/1.0 401 Unauthorized'); exit(); } ?> Secure Comm22 Topics 2.

23 Secure Comm23 3. How to Work with Encrypted Data [Q] Can we use SHA for encryption/decryption? How to encrypt and decrypt data A class for storing encrypted data – We will revisit class later. A class for storing encrypted data

24 How to encrypt and decrypt data MCRYPT_RIJNDAEL_128The Rijndael cipher with a 128 bit key size. MCRYPT_RIJNDAEL_192 MCRYPT_RIJNDAEL_256 There are a lot of cipher algorithms. MCRYPT_MODE_CBCCBC (Cypher Block Chaining) mode There are also other modes. mcrypt_get_iv_size($cipher, $mode)Gets the size of initialization vector (iv) used by the cipher algorithm. mcrypt_create_iv($ivs)creates the initialization vector for the specified size. mcrypt_encrypt($cipher, $key, $data, $mode, $iv) mcrypt_decrypt($cipher, $key, $data, $mode, $iv) base64_encode($data)to help the data survive going through transport layers; binary to text encoding base64_decode($data) Secure Comm24

25 $credit_card_no = '4111 1111 1111 1111'; $cipher = MCRYPT_RIJNDAEL_128; $mode = MCRYPT_MODE_CBC; // cipher block chaining $key = sha1('secretPassword', true); // true => raw_output; ??? // how to use SHA256 instead? $ivs = mcrypt_get_iv_size($cipher, $mode); $iv = mcrypt_create_iv($ivs); $data = mcrypt_encrypt($cipher, $key, $credit_card_no, $mode, $iv); $data = base64_encode($data); // to help the data survive going // through transport layers echo 'Encrypted data: '. $data. ' '; // transmit $data through the Internet $data = base64_decode($data); $credit_card_no = mcrypt_decrypt($cipher, $key, $data, $mode, $iv); echo 'Decrypted data: '. $credit_card_no. ' '; Secure Comm25 3.

26 Secure Comm26 A class for storing encrypted data – crypt.php <?php class Crypt { private $key, $ivs, $iv, $cipher, $mode; public function __construct() { $this->cipher = MCRYPT_RIJNAEL_128; $this->mode = MCRYPT_MODE_CBC; $this->ivs = mcrypt_get_iv_size($this->cipher, $this->mode); $this->iv = mcrypt_create_iv($this-ivs); $this->key = sha1('secreteKey', true); } public function encrypt($data) {...; // [Q] What do you have to do here? } public function decrypt($data) {...; // [Q] What do you have to do here? } ?>

27 require 'crypt.php'; $credit_card_no = '4111111111111111'; // [Q] How to create an object of Crypt? $crypt = new Crypt(); // encrypt the data $data = $crypt->encrypt($credit_card_no); $data = $crypt->encode($data); // decrypt the data $data = $crypt->decode($data); $data = $crypt->decrypt($data); Secure Comm27 Topics 3.

Download ppt "PHP Secure Communications Web Technologies Computing Science Thompson Rivers University."

Similar presentations

Internet and Intranet Protocols and Applications Lecture 9a: Secure Sockets Layer (SSL) March, 2004 Arthur Goldberg Computer Science Department New York.

Internet and Intranet Protocols and Applications Lecture 9a: Secure Sockets Layer (SSL) March, 2004 Arthur Goldberg Computer Science Department New York.
1 Lecture 17: SSL/TLS history, architecture basic handshake session initiation/resumption key computation negotiating cipher suites application: SET.

1 Lecture 17: SSL/TLS history, architecture basic handshake session initiation/resumption key computation negotiating cipher suites application: SET.
Cryptography Chapter 7 Part 4 Pages 833 to 874. PKI Public Key Infrastructure Framework for Public Key Cryptography and for Secret key exchange.

Cryptography Chapter 7 Part 4 Pages 833 to 874. PKI Public Key Infrastructure Framework for Public Key Cryptography and for Secret key exchange.
SECURE SITES. A SECURE CONNECTION TERMS Secure Sockets Layer (SSL) An older Internet protocol that allows for data transmission between server and client.

SECURE SITES. A SECURE CONNECTION TERMS Secure Sockets Layer (SSL) An older Internet protocol that allows for data transmission between server and client.
SSL CS772 Fall 2011. Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.

SSL CS772 Fall Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.
An Introduction to Secure Sockets Layer (SSL). Overview Types of encryption SSL History Design Goals Protocol Problems Competing Technologies.

An Introduction to Secure Sockets Layer (SSL). Overview Types of encryption SSL History Design Goals Protocol Problems Competing Technologies.
Transport Layer Security (TLS) Protocol Introduction to networks and communications(CS555) Prof : Dr Kurt maly Student:Abhinav y.

Transport Layer Security (TLS) Protocol Introduction to networks and communications(CS555) Prof : Dr Kurt maly Student:Abhinav y.
By: Hassan Waqar.  A PROTOCOL for securely transmitting data via the internet.  NETWORK LAYER application.  Developed by NETSCAPE.

By: Hassan Waqar.  A PROTOCOL for securely transmitting data via the internet.  NETWORK LAYER application.  Developed by NETSCAPE.
By: Mr Hashem Alaidaros MIS 326 Lecture 6 Title: E-Business Security.

By: Mr Hashem Alaidaros MIS 326 Lecture 6 Title: E-Business Security.
V 1.0 OE NIK 2013 PHP+SQL 5. Password management (password hashing) Stateless HTTP, storage methods Login form 1.

V 1.0 OE NIK 2013 PHP+SQL 5. Password management (password hashing) Stateless HTTP, storage methods Login form 1.
Web Security CS-431. HTTP Authentication Protect web content from those who don’t have a “need to know” Require users to authenticate using a userid/password.

Web Security CS-431. HTTP Authentication Protect web content from those who don’t have a “need to know” Require users to authenticate using a userid/password.
Http Web Authentication Web authentication is used to verify a users identity before allowing access to certain web pages On web browsers you get a login.

Http Web Authentication Web authentication is used to verify a users identity before allowing access to certain web pages On web browsers you get a login.
>> PHP: Access Control & Security. Authentication: Source Authentication Source Hard-coded File-Based The username and password is available inside the.

>> PHP: Access Control & Security. Authentication: Source Authentication Source Hard-coded File-Based The username and password is available inside the.
1 Pertemuan 12 Authentication, Encryption, Digital Payments, and Digital Money Matakuliah: M0284/Teknologi & Infrastruktur E-Business Tahun: 2005 Versi:

1 Pertemuan 12 Authentication, Encryption, Digital Payments, and Digital Money Matakuliah: M0284/Teknologi & Infrastruktur E-Business Tahun: 2005 Versi:
Mar 19, 2002Mårten Trolin1 This lecture On the assignment Certificates and key management SSL/TLS –Introduction –Phases –Commands.

Mar 19, 2002Mårten Trolin1 This lecture On the assignment Certificates and key management SSL/TLS –Introduction –Phases –Commands.
Mar 12, 2002Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities SSL/TLS.

Mar 12, 2002Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities SSL/TLS.
1 Encryption What is EncryptionWhat is Encryption Types of EncryptionTypes of Encryption.

1 Encryption What is EncryptionWhat is Encryption Types of EncryptionTypes of Encryption.
Apr 22, 2003Mårten Trolin1 Agenda Course high-lights – Symmetric and asymmetric cryptography – Digital signatures and MACs – Certificates – Protocols Interactive.

Apr 22, 2003Mårten Trolin1 Agenda Course high-lights – Symmetric and asymmetric cryptography – Digital signatures and MACs – Certificates – Protocols Interactive.
Encryption An Overview. Fundamental problems Internet traffic goes through many networks and routers Many of those networks are broadcast media Sniffing.

Encryption An Overview. Fundamental problems Internet traffic goes through many networks and routers Many of those networks are broadcast media Sniffing.
EECC694 - Shaaban #1 lec #16 Spring2000 5-4-2000 Properties of Secure Network Communication Secrecy: Only the sender and intended receiver should be able.

EECC694 - Shaaban #1 lec #16 Spring Properties of Secure Network Communication Secrecy: Only the sender and intended receiver should be able.

Similar presentations

Ads by Google