What should every web developer know about encryption?

Backend | Unresolved | 11 | 1367
甜味超标 2021-01-30 01:22

I've just landed a PHP5 gig. I won't be handling the parts of the application that involve super sensitive data, but I still know embarrassingly little about security and encr

Related tags:
11 answers
  • 2021-01-30 01:25
    • Understand the difference between encrypting and hashing
    • Understand the reason for salts
    • Understand that HTTP is cleartext
    • Understand what HTTPS is
    • Understand that you will never (almost never) be able to create better hashing or encryption methods than what 3rd party libs and built-in libs already do
    0 Discussion (0)
  • 2021-01-30 01:27

    First you have to get familiarized with these PHP methods:

    • MD5
    • SHA1

    Here you have all cryptography extensions in PHP.

    0 Discussion (0)
  • 2021-01-30 01:29

    Learn the difference between hashes and encryption. Encryptions are generally two-way interpretations of a string. I can encrypt my password, and then decrypt it to plaintext again. The idea behind hashes is that they become a one-way 'encryption.'

    On my sites I store passwords as hashes. Anytime a user signs on, I re-hash their provided password, test it against the hash stored in the database and approve if they match. I cannot send them their password if they forget it, since (generally) there is no way for me to know. Two different strings can translate into the same hash, which makes it (generally) impossible to find out what the original string was.

    This is one issue that is good to get a firm understanding of, and discern when to use encryption vs. hashes.

    0 Discussion (0)
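The one-way versus two-way split described in this answer, together with the salt point from the first answer, as an added PHP example (not code from any of the posters). It assumes PHP 7.2 or later with the bundled sodium extension; the password, card number and key are constructed values for the demonstration, and in real code the key would be loaded from configuration or a secrets manager, not stored beside the data it protects.

```php
<?php
// Added example, not from the original thread: hashing for passwords
// (one-way) versus authenticated encryption for data you must read back
// (two-way), using only PHP built-ins.
// Assumes PHP >= 7.2 with the sodium extension enabled.

declare(strict_types=1);

// ---- One-way: password storage -------------------------------------------
// password_hash() generates a random salt per call and embeds algorithm,
// cost and salt in the returned string, so two users with the same password
// get different hashes and precomputed tables are useless.
function storePassword(string $plaintext): string
{
    return password_hash($plaintext, PASSWORD_DEFAULT);
}

// Re-hash the login attempt and compare with the stored hash. The plaintext
// cannot be recovered from the stored value, which is why a "forgot password"
// flow has to issue a reset instead of mailing the old password.
function checkPassword(string $attempt, string $storedHash): bool
{
    return password_verify($attempt, $storedHash);
}

// ---- Two-way: a field that must be decrypted later ------------------------
// XChaCha20-Poly1305 via libsodium. A fresh random nonce is generated per
// message and prepended to the ciphertext; the tag detects any tampering.
function encryptField(string $plaintext, string $key): string
{
    $nonce  = random_bytes(SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_NPUBBYTES);
    $cipher = sodium_crypto_aead_xchacha20poly1305_ietf_encrypt($plaintext, '', $nonce, $key);
    return base64_encode($nonce . $cipher);
}

// Returns null for malformed input, a wrong key, or a modified ciphertext.
function decryptField(string $encoded, string $key): ?string
{
    $raw      = base64_decode($encoded, true);
    $nonceLen = SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_NPUBBYTES;
    if ($raw === false || strlen($raw) <= $nonceLen) {
        return null;
    }
    $nonce  = substr($raw, 0, $nonceLen);
    $cipher = substr($raw, $nonceLen);
    $plain  = sodium_crypto_aead_xchacha20poly1305_ietf_decrypt($cipher, '', $nonce, $key);
    return $plain === false ? null : $plain;
}

// ---- Demonstration with constructed values -------------------------------
$password = 'correct horse battery staple';          // constructed
$hash     = storePassword($password);
assert(checkPassword($password, $hash));
assert(!checkPassword('Tr0ub4dor&3', $hash));
// Same password for a second user: different salt, so a different hash.
assert(storePassword($password) !== $hash);

$key   = sodium_crypto_aead_xchacha20poly1305_ietf_keygen(); // constructed; load from config in real code
$token = encryptField('4111-1111-1111-1111', $key);         // constructed sample card number
assert(decryptField($token, $key) === '4111-1111-1111-1111');
assert(decryptField($token, random_bytes(SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_KEYBYTES)) === null); // wrong key
assert(decryptField(substr($token, 0, -4) . 'AAAA', $key) === null);                                    // tampered

echo "all checks passed\n";
```

The password side never needs a key, only the hash, which is what makes it safe to store; the encryption side is only as safe as wherever the key lives, which is the "keys on the table" point raised further down in this thread.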
  • 2021-01-30 01:33

    That technology is not the weakest link in security.

    • Employees the weakest link in IT security
    • Security's weakest link: People
    • Passwords: The Weakest Link?
    • Weakest Link Security
    • The Weakest Link
    0 Discussion (0)
  • 2021-01-30 01:35

    Know not to write your own encryption functionality. An existing, trusted library is the best way to go wherever possible. Avoid cool, bleeding edge technologies that lack many successful programmer-hours and user-hours behind them. Know not to trust the functionality you choose until you've thoroughly tested it yourself, first-person. Keep abreast of new developments which may antiquate your chosen functionality overnight. Know that just because you're using the best encryption technology available today, you've protected nothing if you leave the keys on the table (e.g., cleartext is not in a cache or stored in another table in the same database, private keys not left in the open).

    0 Discussion (0)
  • 2021-01-30 01:35

    If you're looking at it from a PHP context, I'd recommend this book:

    Pro PHP Security on Amazon

    The thing I really like about this book is it covers much more than just a list of the security-related functions in PHP. A large part of it covers general web security concepts and protection mechanisms. Permissions, principle of least privilege, encryption, hashing, cross-site scripting, cross-site request forgeries, session hijacking, etc. are all covered here, with examples of writing secure code in PHP.

    Having taken graduate-level security classes in college, I'm impressed with the coverage in this book. I'd consider it required reading for any professional PHP developer.

    0 Discussion (0)