DEV Community

loading...
Paragon Initiative Enterprises

PHP 7.2: The First Programming Language to Add Modern Cryptography to its Standard Library

paragoniescott profile image Scott Arciszewski ・1 min read

Discussion (16)

pic
Editor guide
Collapse
philippgruber profile image
Philipp Gruber

I quite like this, but couldn't they come up with a better function name than
sodium_crypto_box_keypair_from_secretkey_and_publickey()?

Collapse
inkeliz profile image
Inkeliz

I agree, this function name is so short, can be longer. :P

Collapse
my1 profile image
My1

does it REALLY need to be that long?
I mean sodium_dh_create() would work too.

Collapse
bcalik profile image
Burak Çalık

Wow, this is probably the longest function name ever.

Collapse
hengels profile image
Harald Engels

The long function name was probably chosen to increase security by obscurity (joking) :-)

Collapse
alicewonder32 profile image
Alice Wonder

Thank you so much, I wasted roughly 12 hours trying to get something to work where python signed a message that a PHP script on a different machine could properly and safely verify. I was messing around with phpecc (github project) and other stuff and was getting rather frustrated.

Saw the post on libsodium in php 7.2, built the PECL module for PHP 7.1 and the python library pysodium - and within an hour had something that actually worked with very little code.

Again, thank you so much. With the convoluted stuff I was trying, I was really afraid my app would end up being an example in the wild where cryptography went bad because the developer messed up.

Collapse
mistermantas profile image
Mantas

Damn, that is cool! Shame I don’t know what any of that meant though…

Collapse
lazzu profile image
Lasse

How about C#? That hasn't got modern cryptography built-in?

Collapse
paragoniescott profile image
Scott Arciszewski Author

No, it doesn't.

Please, everyone, look at the documentation for the language you're writing in and compare it to the established criteria of this post before you ask about it.

C# gives you NIST curves, not modern ECC (RFC 7748). C# doesn't give you a simple misuse-resistant AEAD interface like crypto_secretbox() or crypto_box() as part of the standard API. Therefore, it's not modern cryptography.

Weierstrass curves are not modern.

You can get that if you install libsodium-net by Adam Caudill. But that's not part of the language, that's a community-provided addon.

Collapse
thdev profile image
8th

8th has had built-in crypto, using AES+GCM by default, since its inception.

Collapse
my1 profile image
My1

hope it's also simple to use. having to work with objects and bla bla bla isnt needed imo.

the most simple would be just
put in message and key and it will automatically do IV, and all the other needed stuff for AESGCM.

Collapse
thdev profile image
8th

It does do all that pretty much. It's not an OOP language.

For example:

"some plaintext" "mypassword" "salt" 100 cr:genkey
cr:>encrypt cr:encrypt>

After that, you'll have an AES+GCM+256 encrypted buffer. You could also have skipped all the "mypassword"... genkey by using cr:randkey ... but then you would need to store that key somewhere.

If you choose to use CTR mode, you need to supply an IV, but the default is GCM.

Oh, and the reason there are two encrypt words there, is that one starts encryption and the other ends it. You can keep adding stuff to be encrypted, so for example you could encrypt a very large data stream on the fly if you wanted.

Thread Thread
paragoniescott profile image
Scott Arciszewski Author

Unfortunately:

  1. 8th isn't really a well-known language. It's not even in the less than 0.1% section of the server-side or client-side lists.
  2. According to your manual, you're still offering RSA for public-key encryption. (It doesn't specify which mode you're using but hopefully it isn't PKCS1v1.5.) This disqualifies 8th for being modern crypto. You want ECDH over a twist-secure Montgomery curve, preferably Curve25519 or Curve448.
Collapse
jonnyplatt profile image
Jonny Platt

Did this article get deleted somehow?

Collapse
andelafokosun profile image
andela-fokosun

The what does this mean for me part was a sweet relief, everything before it was :eyes_rolling:

Collapse
extremety1989 profile image
extremety1989

Can you make a tutorial with real exemple on php 7.2 ?, would be great !