Hi Dolf,
> What would be the advantage of the added functionality? Wouldn't it
> just become a wrapper around mcrypt?
>
My idea is to improve the interface of mcrypt offering a better API with
some default mechanism to prevent bad usage. For instance, secure IV
random if not provided.
That means these functionality are not just a wrapper of mcrypt.
>
> Furthermore, methods named encryptThenAuth, AuthThenEncrypt,and
> encryptAndAuth don't sound descriptive enough to me. I suppose two
> separate methods auth() and encrypt() would make more sense, where a
> developer could just determine what order he calls them himself?
>
These are the standard ways to encrypt data in a secure way. The idea
here is to offer an high level interface to encrypt information using
the best practice of the cryptography engineering.
I would like to write a documentation and a reference guide about these
topics so developers can use it with some background.
Maybe the name of these methods are the best for this aim but I think we
can find a solution for that.
>
> Lastly, a few months ago I've been busy with cryptography in php
> myself as well. And what I found was that (also because of several
> existing mcrypt wrappers) php developers have no clue what's actually
> happening when they encrypt something (what comprises of a good IV,
> can the iv be public, should you use the same iv everywhere, is ECB
> really the most secure out there? Etc...). If anything, we should not
> make it harder for developers to understand what actually happens in
> this respect.
>
Actually, my intent is to provide a simple and secure API to use
cryptography in PHP. Cryptography is a difficult topic, I know, and this
is why I would like to simplify the API and inform developers about best
practices.
I know, the aim of this proposal is very ambitious but I think we should
try to offer such tools in a framework like ZF.
>
> On Wed, Jan 4, 2012 at 5:48 PM, Evan Coury <
[hidden email]> wrote:
> On Wed, Jan 4, 2012 at 9:17 AM, Enrico Zimuel
> <
[hidden email]> wrote:
> > Hi all,
> >
> > recently, I did some presentations about cryptography in PHP
> and I did
> > not realized that ZF don't has a good API for most of the
> use cases that
> > I presented during my talks (for instance,
> >
>
http://www.slideshare.net/ZendTechnologies/cryptography-in-php-some-use-cases).
> > I think is important to offer to PHP developers a good
> cryptographic
> > tool in ZF, with a simple API, to encrypt/decrypt data
> following the
> > best practices of cryptographic engineering in order to
> build secure
> > applications.
> > I would like to improve the Zend\Crypt component of ZF2 with
> the
> > following features:
> >
> > - add the encrypt/decrypt methods to Zend\Crypt using the
> simmetric
> > algorithms of Mcrypt (Blowfish, AES, DES, 3DES, Twofish,
> etc)
> > - add the encryptThenAuth, AuthThenEncrypt, encryptAndAuth
> methods to
> > Zend\Crypt, to implement a secure encryption +
> authentication schema
> > (more info:
>
http://www.cryptopp.com/wiki/Authenticated_Encryption)
> > - add the bcrypt algorithm to Zend\Crypt using the
> crypt('$2a$',...)
> > function of PHP 5.3.0
> > - improve the randomness of Zend\Crypt\Math::rand
> >
> > Moreover, in ZF we have other components that use
> cryptography: Zend
> > \Filter\Encrypt and Zend\Filter\Decrypt. I was thinking to
> do a refactor
> > of these classes using the Zend\Crypt, what do you think?
> >
> > Comments, feedbacks?
>
>
> +1 to all of this. Absolutely. This would allow me to greatly
> simplify
> / eliminate a lot of the code in my EdpUser module and also
> help
> encourage others to use best practices for password storage.
>
> --
> Evan Coury
>
> --
> List:
[hidden email]
> Info:
http://framework.zend.com/archives> Unsubscribe:
[hidden email]
>
>
>
>
--
Enrico Zimuel
Senior PHP Engineer |
[hidden email]
Zend Framework Team |
http://framework.zend.comZend Technologies Ltd.
http://www.zend.com--
List:
[hidden email]
Info:
http://framework.zend.com/archivesUnsubscribe:
[hidden email]
Locked
