<?php
use ParagonIE\Certainty\RemoteFetch;
// cURL boilerplate
$ch = curl_init();
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
// Fetch the latest CACert bundle, verify its authenticity, save it locally
$fetcher = new RemoteFetch('/path/to/certainty/data');
$latestCACertBundle = $fetcher->getLatestBundle();
curl_setopt($ch, CURLOPT_CAINFO, $latestCACertBundle->getFilePath());
Writing a Python client should be relatively straightforward, should anyone want to.
For Python specifically, there may be some value in storing the relevant PEM files into something like SigStore. That could be an easier proposal for the PyCA team to consider.
Has there been any serious discussion about incorporating the results of PQCRYPTO in your protocol so Zcash is still secure and viable (at >= 2^128 security level) after the development of practical quantum computers?
The zero-knowledge proof itself offers statistical privacy in the face of unbounded (so more powerful than quantum) attackers. So surprisingly, you are mostly fine. But you would need to take two steps to protect yourself. First, you have to use each zcash address only once.
Second, you need to use a post quantum secure means of notifying the recipient they got a transaction and of the coin commitment openings. The built in mechanism in ZCash, which posts a ciphertext to the blockchain encrypted under the recipients public key is standard off the shelf public key cryptography. It's efficient, but is of course not post quantum secure. Nothing requires that you use this mechanism, however. You can always post a garbage ciphertext and inform the recipient some other way.
Crypto 101 is a ~200 page book that is far richer in detail and examples. It also covers a lot of primitives (one-time pads, hash trees, etc.) that we eschewed for the sake of brevity.
This blog post is digestible in a few minutes. Crypto 101 can occupy a novice for a few hours. Given the hard choice of one of the two, we would encourage anyone interested to read Crypto 101 over our blog post, as they'll walk away with a much more detailed understanding .
This is an excellent point. Cryptography is not a trivial field to master.
(I've updated the title to read "Basic Cryptography for Developers" instead of "Cryptography for Developers" so as to not accidentally make someone think they know it all.)
This is very true. I've been involved in building systems involving cryptography for about a decade now, and having transitioned from the weeds (side channels, physical security) to the forest (secure systems architectures), I think I could have spent the whole time in one fairly narrow field and still not know half of it. At best, I can say that I've gained an appreciation for where the demons lie. At worst, I can say that I'm educated enough to be dangerous ;)
It's a pity that very few customers are willing to pay for the effort to exorcising all (or at least most) of those demons in the systems I've seen deployed. The product differentiator (and hence the ROI) is almost always somewhere else. The science & engineering is vastly better than it was when I enterted the field, but it still has a long way to go.
What I find frustrating, personally, about cryptography (or security in general) is that a lot of knowledge seems to be concentrated in a very specialized area, but it doesn't diffuse very far outside of there.
To try to combat this, I've been trying to help make basic security and cryptography knowledge accessible to web and mobile app developers, to hopefully result in an overall net gain for the security of many companies the world over.
Obviously I can't teach everyone everything there is to know about these areas. (For starters, I myself probably don't even know half of it. Lattice-based timing attacks? Not a clue!) But realistically if I can make a dent in the propensity for bad habits and worse design choices, it's something.
Agreed. I've started poking into security for http-based things (web sites, REST api's, etc), and it's got a mostly different knowledge base from the one I've studied. Compare, for example, the CHES[1] proceedings (a good source of interesting side-channel attacks and mitigations back when I was doing that) with something like the hackers playbook. Once you get down into the details, these fields have a lot of unique concerns. Some implementation principles (least privilege, reference monitors, etc.) may have value in both domains, but the domain specific knowledge is completely siloed as you have observed.
That said, my biggest lamentation is that most people don't seem to apply solid implementation principles to the systems they build. Witness vulnerabilities like heartbleed. It would have easily been avoided if the common buffer reuse guidelines in pretty much every implementation guide for security would have been used.
> Some implementation principles (least privilege, reference monitors, etc.) may have value in both domains, but the domain specific knowledge is completely siloed as you have observed.
Some what conversely, I've proposed a model for classifying various forms of security vulnerabilities that might be easier for developers to conceptualize:
The idea is treat it like a taxonomic model: You have general security mistakes (data-instruction confusion), which can be drilled down into vulnerability classes and then specific bugs that, either stand-alone or chained together, result in specific vulnerabilities in specific implementations.
Or maybe I'm way off base here. The feedback I've gotten has largely been positive, though.
I think we're in violent agreement. I'm a fan of the high-level approach taken by the common criteria[1], which emphasizes cataloging threats, security objectives, environmental concerns & vulnerability mitigations when designing secure systems. This seems to overlap more than a bit with your thought process based on your blog post.
The challenge is to get people with good critical thinking skills (like the kind you advocate, and embodied in proceses like the CC) and domain knowledge involved in building things. For example, I think I have a good ability to reason (I started my career in formal methods) but at present I know very little about how a browser actually treats it's inputs. So, it's quite difficult for me to reason about the application operating environment presented by a web browser running some javascript. I wouldn't trust myself to start coding a secure web site today. Hopefully the industry will foster both of these skills (a critical mindset & good domain knowledge) and put them to good use.
When PHP 7 is released later this year, PHP users will finally be able to quickly and easily leverage a CSPRNG in their projects.
random_bytes(int) - Generate a string of random bytes from the OS (e.g.. /dev/urandom)
random_int(int, int) - Generate an unbiased random integer between two integers
We wrote this library so PHP 5.x users can import this in their project and write code that takes advantage of this new PHP 7 API. Particularly random_int(), which is suitable for random string generation (e.g. random password generator).
We cannot declare the 1.0.0 stable release until the PHP team makes a design decision about how to handle errors in their version of the library. We currently throw an Exception; they might decide to return false and raise an E_WARNING error. Until the outcome is known, we're in limbo.
This library has not been subject to a paid audit by a security team, but it has been reviewed by several prominent members of the PHP community (and a few security/crypto folks outside of PHP land).
I believe it to be more secure than any other PHP implementation of these features. That said, more review and scrutiny would be greatly appreciated! :)
Agreed. It's a red flag for "expect more exploitable issues to be found around the corner" and can result in biased distributions, but it by itself does not break a RNG.
Encrypt-Then-MAC just makes sense. If the first thing you do when you receive a blob of encrypted data is check that it's authentic (in constant-time!), the attack surface is greatly reduced.
> * I shouldn't have to know what a pem is, and I shouldn't have to open() one.
Agreed, but what you're requesting is separate from the work being discussed in this blog post, and both are actually compatible.
For the PHP community, we made Certainty - https://github.com/paragonie/certainty
You can just...
Writing a Python client should be relatively straightforward, should anyone want to.For Python specifically, there may be some value in storing the relevant PEM files into something like SigStore. That could be an easier proposal for the PyCA team to consider.