What should every web developer know about encryption?

Question

I\'ve just landed a PHP5 gig. I won\'t be handling the parts of the application that involve super sensitive data, but I still know embarrassingly little about security and encr

Answer 1

Where to learn about security: get Schneier's book Applied Cryptography.

Answer 2

Check out the Open Web Application Security Project. They have a lot of information on the current web app security issues and what you need to do to defend against them. OWASP is putting together a Development Guide that provides a lot of good information on web apps and web services development issues.

Answer 3

The short answer

You can never be too secure

Use Salted Password Hashing for increased security

The longer answer (still not complete, though)

Security is not something to be learnt by a quick tutorial on the web. It requires in-depth knowledge of not only what vulnerabilities exist, but WHY they exist and HOW they work. One of the biggest problems (especially in open source), is that new methods are added all the time, therefore we must understand security concepts and theory.

Read books, take classes, and test the vulnerabilities yourself on a local machine. Then you'll slowly begin to grasp the concept behind how to secure a web application.

Check Out the following to start you off

1. Developer's Guide to Web Application Security
2. Web Security Testing Cookbook
3. Applied Cryptography

Answer 4

That it can be broken no matter what you do.

Answer 5

Please pay attention to following points when you store passwords,

1. Hashed password is generally more secure because you don't have to keep a secret. However, it prevents you from using other hash-based scheme in your authentication flow. For example, you can't use HTTP Digest authentication with hashed password.

2. Simple hash is prone to rainbow table attak (http://en.wikipedia.org/wiki/Rainbow_table). Please add a non-reoccuring nonce to the hash or use the nonce as the key to HMAC. The nonce needs to be stored with the passwords. I prepend it to the digest.

3. If encryption is used, make sure a random Initial Vector is used so same password will be encrypted to different ciphertexts for different user. Otherwise, you are prone to pattern matching attack. MySQL has built-in encryption command. It doesn't inject IV so never use it for passwords.

4. Save key name/version with the ciphertext so keys can be rotated. Key-rotation is required for compliance with certain standards. Encryption without key information is impossible to decrypt when you are forced to change or rotate keys.

If you follow these advices, your passwords will be safe with any encryption/hash schemes.