Presentation is loading. Please wait.

Presentation is loading. Please wait.

PHP Secure Communications Web Technologies Computing Science Thompson Rivers University.

Similar presentations


Presentation on theme: "PHP Secure Communications Web Technologies Computing Science Thompson Rivers University."— Presentation transcript:

1 PHP Secure Communications Web Technologies Computing Science Thompson Rivers University

2 Secure Comm2 Unit Topics How to create a secure connection 1. How to use a secure connection; how to authenticate a server How to use a secure connection; how to authenticate a server 2. How to use user authentication How to use user authentication 3. How to work with encrypted data How to work with encrypted data

3 Secure Comm3 1. How to Use a Secure Connection An introduction to secure connections How SSL authentication works How SSL authentication works How to get a digital secure certificate for your web server How to request a secure connection How to enforce the user to use a secure connection

4 Secure Comm4 An introduction to secure connections [Q] Is it safe to use HTTP to send a credit card number? [Q] What is the solution, then? A secure connection. But a secure connection is much slower than regular HTTP connections. You usually use secure connections only when your application passes sensitive data. [Q] How to use a secure connection then? [Q] How to trust web servers? How to trust users? There are two types of authentication. [Q] What are they? User authentication and server authentication 1.

5 Advanced Skills5 How SSL authentication works – how to authenticate a server HTTPS

6 Secure Comm6 With a regular HTTP connection, all data is sent as unencrypted plain text. [Q] What does this mean? Can a hacker read my credit card number? With a secure connection, all data is encrypted with a secrete key before it is transferred between the client and server. Secure connection protocols SSL (Secure Sockets Layer) – older TLS (Transport Layer Security) – newer; successor of SSL The URL for a secure connection starts with HTTPS instead of HTTP.

7 Secure Comm7 Before a secure connection is established, the server uses SSL server authentication to authenticate itself. It does this by providing a digital secure certificate to the browser. [Q] What information is included in a certificate? Name of the server Name of the issuer Expiration date … [Q] How to trust a certificate? Digitally signed, i.e., encrypted by using the issuer's private key Only the issuer's public key can be used to decrypt the certificate. And the issuer should be trustworthy.

8 Advanced Skills8 Before a secure connection is established, the server uses SSL server authentication to authenticate itself. It does this by providing a digital secure certificate to the browser. [Q] How to trust a certificate? By default, browsers accept digital secure certificates that come from trusted sources. [Q] ??? However, if the browser does not recognize the certificate as coming from a trusted source, it informs the user and lets the user view the certificate. Then the user decides. 1.

9 Secure Comm9 How to get a digital secure certificate for your web server [Q] From where? Trustworthy CA (Certificate Authority), and RA (Registration Authority) www.verisign.com www.thawte.com www.geotrust.com www.instantssl.com www.entrust.com SSL strength 40-bit, 56-bit 128-bit 256-bit[Q] What does this mean? 1.

10 Secure Comm10 How to request a secure connection [Q] How? Once you establish a secure connection, you can use relative URLs (i.e., relative paths) to continue using the secure connection. [Q] Is it true? 1.

11 How to redirect to a secure connection [Q] If you want to make sure that a page is always viewed over a secure connection, what do you have to do? If you want to make sure that a page is always viewed over a secure connection, you can include code at the top of the page that redirects the page to a secure connection. [Q] What does this mean? How? If the user requests the page over a regular connection, the web server redirects the request to the same page but over a secure connection. [Q] How? You need to know whether the user uses http or https. <?php if (!isset($_SERVER['HTTPS'])) { $url = 'https://'. $_SERVER['HTTP_HOST']. $_SERVER['REQUEST_URI']; header("Location: ". $url); // Redirect - 302header exit; // should be before any output } // ?> Secure Comm11 Topics 1.

12 Secure Comm12 2. How to Use User Authentication Three types of user authentication How to store and validate a password How to use form-based authentication How to use basic authentication

13 Secure Comm13 Three types of user authentication [Q] How to make only authorized users access some pages? You need to begin by determining whether a client is who and what it claims to be. This process is known as User Authentication. [Q] Any good idea? Username and password

14 Secure Comm14 Three types of user authentication 1. Form-based authentication a login form By default, no encryption 2. Basic authentication – causes the browser to display a dialog box that gets the username and password. By default, no encryption 3. Digest authentication causes the browser to display a dialog box that gets the username and password. Encrypts the username and password before sending them [Q] Which one looks like the best? [Q] No encryption used in 1) and 2) ? 2.

15 Secure Comm15 How to store and validate a password For most types of authentication, you store the usernames and passwords in a database. [Q] Encrypted passwords, or unencrypted passwords? A hash function accepts a variable-size string and returns a fixed-size string known as the hash value. [Q] Always the same hash value for the same input? [Q] Is a hash function reversible? Password Encrypted password Database

16 Secure Comm16 // [Q] How to add an email and password into a database? // $email is used as username in this example function add_user($email, $password) { global $db; // [Q] global? $hashed_password = sha1($password); // SHA-1 hash ft $query = "insert into users (email, password) values ('$email', '$hashed_password')"; mysqli_query($db, $query); } // [Q] How to validate ?

17 Secure Comm17 // [Q] How to validate ? // $email is used as username in this example function is_valid_user($email, $password) { global $db; $hashed_password = sha1($password); // ? $query = "select userID from users where email = '$email' and password = '$hashed_password'"; $result = mysqli_query($db, $query); $valid = (mysqli_num_rows($result) == 1); return $valid; }

18 Secure Comm18 SHA1 uses only 40 bits, and this algorithm is broken. You will need to use a stronger hash function. // SHA256 hash($algo, $string)$algo: MD5, SHA256,... // example $hashed_password = hash(SHA256, $password); 2.

19 Advanced Skills19 How to use form-based authentication After the user authentication, you will need to move to a protected page. It is also a good idea to use a session. [Q] What if the user does not use https?

20 Secure Comm20 After the user authentication, you will need to move to a protected page. It is also a good idea to use a session. [Q] Can you make an algorithm for the controller, index.php? Start session; Include necessary functions (model); Get the action, such as login, to perform; If the user isn’t logged in, then $action = 'login' to force the user to login; Switch(action) 'login': Validate the username and password; 'show_admin_menu': … 'logout': Destroy session; 2.

21 Advanced Skills21 How to use basic authentication PHP script can enforce the browser to ask the user to enter username and password. [Q] Why do we need this? [Q] How?

22 The $_SERVER array PHP_AUTH_USERReturns the username from the dialog box or a NULL PHP_AUTH_PWReturns the password from the dialog box <?php // require_once('model/database.php'); // require_once('model/admin_db.php'); $email = $_SERVER('PHP_AUTH_USER') $password = $_SERVER('PHP_AUTH_PW'); if (!is_valid_user($eamil, $password) { header('WWW-Authenticate: Basic realm = "Admin"'); header('HTTP/1.0 401 Unauthorized'); exit(); } ?> Secure Comm22 Topics 2.

23 Secure Comm23 3. How to Work with Encrypted Data [Q] Can we use SHA for encryption/decryption? How to encrypt and decrypt data A class for storing encrypted data – We will revisit class later. A class for storing encrypted data

24 How to encrypt and decrypt data MCRYPT_RIJNDAEL_128The Rijndael cipher with a 128 bit key size. MCRYPT_RIJNDAEL_192 MCRYPT_RIJNDAEL_256 There are a lot of cipher algorithms. MCRYPT_MODE_CBCCBC (Cypher Block Chaining) mode There are also other modes. mcrypt_get_iv_size($cipher, $mode)Gets the size of initialization vector (iv) used by the cipher algorithm. mcrypt_create_iv($ivs)creates the initialization vector for the specified size. mcrypt_encrypt($cipher, $key, $data, $mode, $iv) mcrypt_decrypt($cipher, $key, $data, $mode, $iv) base64_encode($data)to help the data survive going through transport layers; binary to text encoding base64_decode($data) Secure Comm24

25 $credit_card_no = '4111 1111 1111 1111'; $cipher = MCRYPT_RIJNDAEL_128; $mode = MCRYPT_MODE_CBC; // cipher block chaining $key = sha1('secretPassword', true); // true => raw_output; ??? // how to use SHA256 instead? $ivs = mcrypt_get_iv_size($cipher, $mode); $iv = mcrypt_create_iv($ivs); $data = mcrypt_encrypt($cipher, $key, $credit_card_no, $mode, $iv); $data = base64_encode($data); // to help the data survive going // through transport layers echo 'Encrypted data: '. $data. ' '; // transmit $data through the Internet $data = base64_decode($data); $credit_card_no = mcrypt_decrypt($cipher, $key, $data, $mode, $iv); echo 'Decrypted data: '. $credit_card_no. ' '; Secure Comm25 3.

26 Secure Comm26 A class for storing encrypted data – crypt.php <?php class Crypt { private $key, $ivs, $iv, $cipher, $mode; public function __construct() { $this->cipher = MCRYPT_RIJNAEL_128; $this->mode = MCRYPT_MODE_CBC; $this->ivs = mcrypt_get_iv_size($this->cipher, $this->mode); $this->iv = mcrypt_create_iv($this-ivs); $this->key = sha1('secreteKey', true); } public function encrypt($data) {...; // [Q] What do you have to do here? } public function decrypt($data) {...; // [Q] What do you have to do here? } ?>

27 require 'crypt.php'; $credit_card_no = '4111111111111111'; // [Q] How to create an object of Crypt? $crypt = new Crypt(); // encrypt the data $data = $crypt->encrypt($credit_card_no); $data = $crypt->encode($data); // decrypt the data $data = $crypt->decode($data); $data = $crypt->decrypt($data); Secure Comm27 Topics 3.


Download ppt "PHP Secure Communications Web Technologies Computing Science Thompson Rivers University."

Similar presentations


Ads by Google