Modern cryptography in PHP 7.2 with Sodium

Recently, at ZendCon & OpenEnterprise 2018, I presented a session about the usage of Sodium in PHP 7.2. Here you can find the slides of this session.

Sodium is a powerful library for modern cryptography. It is a portable, cross-compilable, installable and packageable fork of NaCl, a famous cryptographic tool designed by Prof. D.J. Bernstein.

Sodium details

Sodium (and NaCl) is an “opinionated” library: this means the algorithms used have been selected and cannot be changed. The library uses some of the most robust algorithms available, including Elliptic-curve cryptography (ECC).

Some of the algorithms used by Sodium are:

If you need to use different algorithms, for instance for compatibility reason with existing cryptosystems, you need to look for a different library (e.g. OpenSSL).

Apart from the selection of the best algorithms available, Sodium (and NaCl) has been designed to prevent side-channel attacks. This is a very good point for security because the majority of attacks are based on issues in the implementations, rather than weaknesses in the algorithm itself.

Just to give you an idea, one of the most successful side-channel attacks in history was performed by Adi Shamir, Eran Tromer, and Dag Arne Osvik in 2006 to discover, in **65 milliseconds**, the secret key used in widely deployed software for hard-disk encryption (here is the extended article).

PHP developers can use the advantages of Sodium starting from PHP 7.2. For PHP 7.0 or 7.1, you need to install a PECL extension.

Sodium use cases

In my talk at ZendCon & OpenEnterprise, I covered the basic usage of Sodium showing six different use cases:

Encrypt/Authenticate with a shared key: This is an example of how to encrypt and/or authenticate a string using a shared-key (i.e. symmetric encryption). Sodium uses the XSalsa20 algorithm to encrypt and HMAC-SHA512 for the authentication.

Sending secret messages: This example shows how to encrypt a message in a end-to-end scenario (e.g. a user wants to send a secret message to another user). Here, Sodium uses the algorithms XSalsa20 to encrypt, Poly1305 for MAC, and XS25519 for key exchange.

Digital signature: This example shows how to generate a digital signature for a string (e.g. a message/file). Here, Sodium uses an Elliptic Curve algorithm, Ed25519.

Authenticated encryption with AES-GCM: Sodium offers authenticated encryption using the AES algorithm with Galois/Counter Mode (GCM).

Store passwords safely: This is an important topic for PHP developers. The first suggestion is to never encrypt it, always store a hash value of the password. The hash algorithm used by Sodium is Argon2i. This algorithm is resistant to side-channel attacks and GPU cracking attacks.

Derive a key from a user’s password: This example shows how to generate an encryption key starting from a user’s password (using the Argon2i algorithm). REMEMBER: __never use a user’s password as the encryption key!__

Code sample

The Sodium APIs are quite simple to use. Just to give you an idea, here’s example code on how to encrypt a message with a shared-key:

And here how to authenticate a message (without encryption):

To see more PHP code examples, see the slides from my ZendCon & OpenEnterprise 2018 talk.

The following two tabs change content below.

    Enrico Zimuel

    Enrico Zimuel is a developer since 1996. He works as Senior Software Engineer at Rogue Wave Software in the R&D department of Zend open source products. He is a core developer of Apigility, Expressive, and Zend Framework. He has been a Researcher Programmer at the Informatics Institute of the University of Amsterdam. He is a TEDx speaker and regular speaker of international PHP conferences. He is the co-founder of the PHP User Group of Torino (Italy).

    About Enrico Zimuel

    Enrico Zimuel is a developer since 1996. He works as Senior Software Engineer at Rogue Wave Software in the R&D department of Zend open source products. He is a core developer of Apigility, Expressive, and Zend Framework. He has been a Researcher Programmer at the Informatics Institute of the University of Amsterdam. He is a TEDx speaker and regular speaker of international PHP conferences. He is the co-founder of the PHP User Group of Torino (Italy).