Scott,

On Wed, May 20, 2015 at 9:15 PM, Scott Arciszewski <sc...@paragonie.com> wrote:
> Hi Internals Team,
>
> I'm sure everyone is really focused (and excited) for PHP 7.0.0 later this
> year, and many of you might not want to discuss what 7.1.x looks like yet.
>
> The current state of cryptography in PHP is, well, abysmal. Our two main
> choices for handling symmetric cryptography are libmcrypt (collecting dust
> since 2007) and openssl, which lacks a streaming API (e.g. mcrypt_generic)
> and GCM support.
>
> While mcrypt is slowly decomposing in the corner and code is being
> desperately migrated towards openssl in case a critical vulnerability is
> discovered in the abandonware choice, the libsodium extension has been
> growing steadily. Thanks to Remi, it should soon be compatible with both
> PHP 5.x and 7.x (decided at compile-time). The libsodium library itself has
> landed in Debian 8 and Ubuntu 15.04 and adoption is expected to persist by
> the time the next Ubuntu LTS is released.
>
> I think now is a good time to talk about the possibility of making
> libsodium a core PHP extension, depending on where things are when we near
> the 7.1 feature freeze.
>
> I've just opened an RFC for precisely this purpose:
> https://wiki.php.net/rfc/libsodium

While I definitely do like libsodium and consider it a step in the
right direction, I am hesitant overall. The main reason is precisely
what happened with mcrypt: a library goes unmaintained, and all of a
sudden we're stuck using unsupported crypto.

I wonder if a PDO-style approach would be better, where we can have
multiple pluggable backends and provide backend-specific
functionality if needed, targeting a high-level API and not exposing
primitives. Something like:

// $key: a secret key the caller already holds (e.g. loaded from a key store)
$enc = new SymmetricEncryption(":cipher=aes128;hash=sha256");
// Use any available backend which can do aes128+sha256 mac
var_dump($enc->encrypt("plaintext", $key));

$enc = new SymmetricEncryption("openssl:cipher=arc4;mode=ctr");
// Explicitly select the openssl backend, with a backend-specific cipher and mode
var_dump($enc->encrypt("plaintext", $key));


The concept would be that while parts of the algorithm are
controllable by the end-user (like cipher choice, possibly mode, etc),
we would attempt to prevent insecure usages (no ECB).

If you have a need for custom encryption (web service uses a custom
format), then use primitives yourself (like openssl/mcrypt/etc).

My one issue with libsodium is that if you need NIST compliance, it
does nothing for you (considering it uses XSalsa20 + Poly1305). While
this is an advantage for some, it's a disadvantage for many.

Ideally, I'd like to see a prototype of this library built in PHP that
we can play with prior to making into a PECL extension (and ultimately
proposed for core).

I'd just rather try to get this right, rather than yet another
maybe-good-enough-for-now solution.

Anthony

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
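A prototype of the SymmetricEncryption wrapper sketched in the reply above, added here as example code rather than anything from the thread: it parses the PDO-style DSN, accepts only an openssl backend, refuses ECB and non-AES ciphers up front, and emits encrypt-then-MAC output. It assumes PHP 7.2 or later; the class and method names come from the reply, while the HKDF subkey split and the CBC/CTR allowlist are choices made for this example.

```php
<?php
// Added prototype of the PDO-style SymmetricEncryption sketched in Anthony's reply (not
// code from the thread). Assumes PHP >= 7.2; only an openssl backend is wired up.
final class SymmetricEncryption
{
    private $cipher, $keyLen, $hash; // openssl cipher name, key bytes, HMAC algorithm

    public function __construct(string $dsn)
    {
        // DSN shape "backend:key=value;key=value"; an empty backend means "any available".
        list($backend, $spec) = array_pad(explode(':', $dsn, 2), 2, '');
        if (!in_array($backend, ['', 'openssl'], true)) {
            throw new InvalidArgumentException("No such backend: $backend");
        }
        $opts = ['cipher' => 'aes128', 'mode' => 'cbc', 'hash' => 'sha256'];
        foreach (array_filter(explode(';', $spec)) as $kv) {
            list($k, $v) = array_pad(explode('=', $kv, 2), 2, '');
            $opts[strtolower($k)] = strtolower($v);
        }
        // Policy lives in the wrapper: ECB and non-AES ciphers are refused up front.
        $ciphers = ['aes128' => ['aes-128', 16], 'aes256' => ['aes-256', 32]];
        if (!isset($ciphers[$opts['cipher']]) || !in_array($opts['mode'], ['cbc', 'ctr'], true)
            || !in_array($opts['hash'], hash_hmac_algos(), true)) {
            throw new InvalidArgumentException("Refusing insecure or unknown options: $dsn");
        }
        list($base, $this->keyLen) = $ciphers[$opts['cipher']];
        $this->cipher = "$base-{$opts['mode']}";
        $this->hash = $opts['hash'];
    }

    // Output layout: iv || ciphertext || HMAC(iv || ciphertext), i.e. encrypt-then-MAC.
    public function encrypt(string $plaintext, string $key): string
    {
        list($ek, $mk) = $this->subkeys($key);
        $iv = random_bytes(openssl_cipher_iv_length($this->cipher));
        $ct = openssl_encrypt($plaintext, $this->cipher, $ek, OPENSSL_RAW_DATA, $iv);
        return $iv . $ct . hash_hmac($this->hash, $iv . $ct, $mk, true);
    }

    // Domain-separated subkeys via HKDF, so the caller's key never feeds a primitive directly.
    private function subkeys(string $key): array
    {
        return [hash_hkdf('sha256', $key, $this->keyLen, 'enc'), hash_hkdf('sha256', $key, 32, 'mac')];
    }
}

$key = random_bytes(32); // constructed demo key; a real one comes from the caller's key store
$enc = new SymmetricEncryption(':cipher=aes128;hash=sha256'); // the thread's first DSN
var_dump(bin2hex($enc->encrypt('plaintext', $key)));
try { new SymmetricEncryption('openssl:cipher=aes128;mode=ecb'); } catch (InvalidArgumentException $e) { echo $e->getMessage(), "\n"; }
```

A matching decrypt() would reject blobs shorter than IV plus tag and verify the trailing HMAC with hash_equals() before ever calling openssl_decrypt().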