I am now working on a php project(Internet Shop) that will possibly deal with storing locally customer credit card information.
So I was thinking among other things about encrypting php files with IonCube, especially those containing settings(encryption/decryption key, IV) for
symmetric encryption algorythm. So I'm not sure if it will add an extra layer of security or not, since it appears IonCube-encrypted
files and similar solutions can be decryped.
Thank you!
IonCube is not a suitable solution here. If you encode a file which contains something along the lines of:
<?php $SecretValue = "xyzzy"; ?>
It's still trivial to recover the secret value:
<?php require("encoded.secrets.php"); print $SecretValue; ?>
So the IonCube encoding is basically worthless here.
ionCube and Zend are fine for code protection, and even if some decompilation service produced usable code from an encoded file, this would typically do little if anything to diminish the benefits from encoding and license enforcement, and may even result in increased revenue in the longer term for the software provider.
Data hiding, however, is entirely different. Keep in mind that PHP and all of the associated library wrappers, plus the libraries themselves, are opensource and therefore easily modified. Data sent into and returned from any PHP function can be easily exposed by simple changes to the PHP internals. Want to see the database password to MySQL? Just modify the mysql_connect() wrapper or the underlying MySQL library and log the details. Some encoding systems, for example ionCube, can encrypt non-PHP files and then decrypt at runtime via closed source routines in their runtime component, which may in some cases provide some benefits over the opensource PHP routines such as mcrypt.
duskwuff is not entirely incorrect with the example cited as in some systems, ionCube for example, it is possible to protect files from being included by non-encoded files, or files encoded by a different copy of the Encoder through a mechanism called "include attack protection". None the less, storing sensitive data in variables, particularly globals is a poor approach, and it would be better to have such data returned by a function with a misleading name and that perhaps performs differently unless called in a particular way. e.g. a function called mytime() that does return the time unless called with a "magic" value.
If you're going to encode/encrypt your files, Zend Guard is supposed to be one of the best, but as others have said, if they can get to your files that's the least of your worries.
Related
I am building a small application for a real estate company which needs to store sensitive information such as bank statements, tax returns, etc. Right now i have the upload form as just a standard html upload form using php $_FILES to move the file to the desired folder. This works fine but there is no level of security to protect this sensitive information. I have two questions?
First, what is best practice (as of 2017) for storing sensitive documents like bank statements, tax returns, etc? I have tried to search for best practices online but everything im finding is 5-10 years old information or deprecated php functions. Is there specific php function I should be using/researching?
Second, are there any tutorials or books available that would help me understand secure file storage, file encryption, etc., in php?
My ultimate goal is just to make sure these files are secure and don't fall into the wrong hands. My question is specific to file uploads. I do understand that the rest of my site has to be secure as well. My question is simply about protecting files.
Thanks for any help or guidance.
First, what is best practice (as of 2017) for storing sensitive documents like bank statements, tax returns, etc?
The literal answer to this is simply to keep them ENTIRELY OFFINE (on a remote hard disk, if needing to keep them digital at all) and store them in a good quality safe with only one -or maximum two- verifiable keyholder(s).
Read https://security.stackexchange.com
Read https://crypto.stackexchange.com
Read, download and use the Defuse PHP Encryption Library. My reading up on the same topic last year persistently showed this library (and all of Defuses stuff) was very high if not market leading in this arena. This encryption library can en/decrypt files.
Also research Halite. Which is a High-level cryptography interface powered by libsodium, which can encrypt and decrypt files.
Also please read my answer here for MySQL best practise for securing data storage (string or blobs etc.).
If using a database it is paramount that the database and the file server are different servers (and depending on the value of your data they should be in very different physical locations), and the database contains an encrypted key needed for the fileserver decryption, so that if when one server is compromised, the data is still secured.
Use your own server(s). Don't use the "cloud". (To have proper online data security is not really cheap)
I have a WHMCS module and I am wondering if it's possible to encrypt it with SHA-256 or another form of uncrackable encryption.
I really know nothing about encryption but I want to ask is that possible? My plan is to encrypt it doing the following.
The top part of the script encoded with PHP > Ioncube will tell the script where to read the SHA-256 pass-phase either in a well hidden readable file or on our online servers. The rest of the script will be encrypted with three layers PHP > Ioncube > SHA-256.
Is that possible? If so would it slow the script down considerably?
First: SHA-256 is a hash algorithm, not an encryption algorithm. If you indeed know nothing about encryption, it's probably best that you either learn more about it before embarking on an encryption-heavy project, or avoid it altogether.
More generally: What you're trying to do is possible in principle, but probably a bad idea. Existing PHP loaders such as Ioncube already take appropriate steps to try to prevent source recovery; piling on additional layers of your own design is likely to make it less secure, not more so. (In particular: putting an extra decode/eval phase inside IonCube will make it trivial to recover your source code using a debugger.)
I am dealing with a concept for a project that involes absolutely critical data.
The most important part is that it needs to be stored encrypted.
An encrypted file system that is mounted from which the webserver serves the files is not enough.
The key to decrypt the data should be passed in the request URI on a secured connection along with a hash and a timestamp.
The hash, based on timestamp, key and filename validates the URI and stores it on a list, so it can only be accessed once.
The important part now is that the webserver should take the file from the disk, and serve it decrypted using they key he got from the request URI.
It should also be efficient and fast. This also requires an encryption method that does not require the whole file to be scanned. so that the file can progressively be decrypted. I think AES can do this with specified block sizes that are encrypted atomic.
So one option would be reading the source file into a php script in chunks of some megs where i decrypt using aes and print the decrypted content. The script then forgets the previous data and continues with the next chunk until eof.
If aes doesnt support that i can just encrypt chunks of defined size of the file seperately, concatenate them and do it the same when serving the files. however i would like to stick to one standard that i dont have to re invent, so i can also use standard libraries to encrypt the files.
However this will be very inefficient.
Do you know of any apache/lighttpd/nginx module or some better method?
You should open the file with nmap() and then encrypt the data on-the-fly as needed.
I don't see anything more appropriate for this than G-Wan (200 KB), which offers native C scripts and AES encryption (no external libraries needed even if C scripts can link with any existing library).
If you need to achieve the best possible performances, then this is the way to go.
You may want to look into PHP's Stream Filters ( http://php.net/stream.filters ); with a bit of glue code, you could make it read an encrypted file with the regular PHP file access functions, and it would be mostly transparent to existing code.
If you can't find a PHP module that lets you decrypt the files chunk/block-wise, you can always pre-split the file into appropriate sized blocks and encrypt each seperately.
Of course, remember that even if you're only sending out small pieces of the plaintext at a time, there's still plenty of other places that this vulnerable data can be held - particularly in the web server's output buffers. Consider the extreme case of a large-ish file being downloaded by someone stuck on a 2400 baud modem. You may very well decrypt and queue the entire file before even the first chunk's been downloaded, leaving the entire file in the clear in a buffer somewhere.
There's no off-the-shelf solution to provide what you require. And while you've provided a bit of information about the data will be retrieved, you've not given much clues as to how the data will get on to the webserver in the first place.
You're jumping through lots of hoops to try to ensure that the data is not compromised - but if you're decrypting it on the server, then there is not only a risk of the data being compromised - but also that the key will be compromised. i.e. there's more theatre than substance in the architecture.
You seem to be flexible in the algorithm used for the encryption - which implies that you have some control over the architecture - so there is some scope to resolve these problems.
The hash, based on timestamp, key and filename validates the URI and stores it on a list, so it can only be accessed once.
How does that ensure it is only accessed once? Certainly it could be used to reduce the window of opportunity for CSRF - but it does not eliminate it.
The script then forgets the previous data and continues with the next chunk until eof.
This fundamentally undermines the objective of encryption - patterns within the data will still be apparent - and this provides a machanism for leveraging brute force attacks against the data - even if the block size is relatively large. Have a look at the images here for a simple demonstration.
A far more secure approach would be to use CBC, and do the encryption/decryption on the client.
There are javascript implementations of several encryption algorthms (including AES) this page has a good toolkit. And with HTML5 / localstorage you can build a complete clientside app in HTML/javascript.
As you're starting to discover - just using a clever encryption algorithm does not make your application secure - it sounds like you need to go back and think about how you store and retrieve data before you worry about the method you use for encrypting it.
I have some PHP source code that I'm hosting with hosting company XYZ. I'm using a PHP encryption software like Zend Guard or ionCube to protect the source from being viewed by anyone (sysadmin or hacker that hacks the sysadmin).
How easy/hard is it for someone who has full access to the system (like the sysadmin or hacker that hacks the sysadmin) to decrypt the source? I don't know how encryption software work, but I'm assuming they use some key, which would have to stay on the server and is therefore accessible to a sysadmin or a hacker. If you're technically-knowledgeable about the how-to, don't hesitate to offer an explanation in your answer.
Does the use of such source encryption slow down the site? If anyone has first-hand experience or knows from someone that has first-hand experience ;)
I'm interested in the technical aspects of this, how effective encryption is.. and its disadvantages, from those who used them or considered using them
Thanks (all helpful answers/comments are up voted)
Edit: the answers so far seem to be ignoring what I'm trying to understand.. I'm trying to understand the effectiveness of encryption. I don't really have any code that needs protection from the bad guys, the above was just an example, so advice like open source it or hire a lawyer don't really address my technical curiosity.. A+ to anyone who gets the point
Encryption (or encoder) schemes try to hide your code as an encrypted file. Obviously, the code has to be decrypted at execution time, which adds useless overhead.
Some of these also insist that the host system install special routines, which the hosters intensely dislike, because they don't want to set up special configurations just for you. But the bad part is that they contain the seeds of their own undoing: to run on the target host, they must contain the decryption software. So if you use one, you deliver the very decryptor necessary to get at your code. Its only a matter of locating it; once found, your code is completely decryptable and exposed. These simply aren't safe.
Obfuscation schemes scramble the names of identifiers, remove comments and formatting. But the obfuscated code runs exactly like the original, with no overhead and no special runtime support needed. Obfuscators depend on the inherent difficulty in understanding programs in general. Programs are hard enough to understand when they are well designed, names are well chosen, and there are good comments in the code. We all hope our programs are well designed, but if the names are bad and the comments are gone, they're pretty hard to understand. Examine your own experience with other people's code.
People will say, "but anybody can inspect obfuscated code and understand it". That's true if you have a tiny application. If your application has any scale (tens of pages of code) it is extremely hard to understand what it is doing when all the variable names are scrambled. The bigger your code, the better obfuscation is at protecting it.
If you want to see examples of what one PHP obfuscator does, see our Thicket PHP Obfuscator.
Neither Zend Guard nor ionCube uses encryption, in it's mathematical sense, to protect your code. What they do, except the obfuscation already described by other answers, is encoding.
This is a process that's normally done automatically by the PHP interpreter each time your script is accessed - your PHP script is compiled into a bytecode format, that's then executed. What encoders like Zend Guard and ionCube essentially does is an equivalent process, only that it's done once, and then only the "compiled" bytecode is made available/uploaded to the server.
This means that actually recreating the very same code that you once wrote is entirely impossible. What is not impossible, and this goes for obfuscation as well, is reverse-engineering the compiled or obfuscated code to figure out what it's doing.
To summarize, I'd say that these products are very good at protecting your code - as opposed to protecting your logic.
Why exactly do you need to encrypt your source code? If you are sporting this as a safe-guard against potential hackers, then please believe when I say that if they really wanted to decrypt your source code, they would do it. It is possible with ionCube, last time I checked.
As far as performance impacts, I believe Zend is a tad bit faster than ionCube due to it not requiring any extra files. But like I said before, don't rely on encryption for anything.
If it can be executed it can be decompiled. Stick to your legal team for rights access, not encryption :) Better yet, open source your project :P
EDIT: 'Encryption' also adds heavily to execution times!
The only thing you can do against the hosting company is to have a good license and lawyer
As far as I know, PHP encoders do not actually encode you PHP code. They just change variable names and add unnecessary rubbish code, so that it becames VERY hard for anyone to find out, what the code does. The problem is that they cannot hide any password (be it the hard coded admin password, or the database connection data).
So they do not ensure that your code is safe, they just make it very hard for anyone to understand it.
I understand the mantra of "don't roll your own" when it comes to site security frameworks.
For most cases anyway.
I'm going to be collaborating on a site that integrates text-messaging into the system.
I'd like to use an existing, well-tested security framework to protect the users data, but I need it to also protect a users phone number as well.
I wouldn't want to be the one responsible for a list of users cell phone numbers getting jacked and spammed.
What suggestions can the community offer?
Note that techniques applied to passwords aren't applicable here. You can store a password salted and hashed (although the value of doing so can be disputed), but that doesn't work for phone numbers.
If someone jacks your server, they can do anything the server can. This must include recovering the phone number, but doesn't include recovering the password if it's hashed well. So the phone number is just a particular case of protecting confidential data.
If phone nos truly are the only sensitive data in the app, then you could look at walling off the part of the app that sends the texts, and asymmetrically encrypting the phone nos. In a different process (or on a different machine) run an app that has the key to decrypt phone nos. This app's interface would have maybe one function taking an encrypted no and the message to send. Keep this app simple, and test and audit the snot out of it. Either hide it from the outside world, or use authentication to prove the request really came from your main app, or both.
Neither the db nor the main part of the app is capable of decrypting phone nos (so for example you can't search on them), but they can encrypt them for addition to the db.
The general technique is called "Privilege separation", the above is just one example.
Note that phone nos would generally need to be padded with random data before encryption (like salting a hashed password). Otherwise it's possible to answer the question "is the encrypted phone number X?", without knowing the private key. That may not be a problem from the POV of spammers stealing your distribution list, but it is a problem from the POV of claiming that your phone numbers are securely stored, since it means a brute force attack becomes feasible: there are only a few billion phone nos, and it may be possible to narrow that down massively for a given user.
Sorry this doesn't directly answer your question: I don't know whether there's a PHP framework which will help implement privilege separation.
[Edit to add: in fact, it occurs to me that under the heading of 'keep the privileged app simple', you might not want to use a framework at all. It sort of depends whether you think you're more or less likely leave bugs in the small amount of code you really need, than the framework authors are to have left bugs in the much larger (but more widely used) amount of code they've written. But that's a huge over-simplification.]
Since you need to be able to retrieve the phone numbers, the only thing you can really do to protect them (beyond the normal things you would do to protecting your db) is encrypt them. This means that you need to:
Make sure the key doesn't leak when you inadvertently leak a database dump.
Make sure your system doesn't helpfully decrypt the phone numbers when someone manages to SQL inject your system.
Of course the recommendation of not rolling your own still applies, use AES or some other well respected cipher with a reasonable key length.
I’m pleased to announce the release of hole-security system for PHP
This project stands for bring to PHP the kind of security that is provided in Java by Spring Security the formerly Acegi Security System for Spring. It’s designed to be attractive to Spring Security users because the philosophy is the same. It’s an unobtrusive way to add security to a PHP site. The configuration is made using substrate IoC/DI as Spring Security use Spring IoC/DI.
An example configuration ship with the framework and can be used like this:
$context = new substrate_Context(
'./path/to/hole-security/hole-security-config.php'
);
$context->execute();
$hole_Security = $context->get('hole_FilterChainProxy' );
$hole_Security->doFilter();
Just be sure that the bootstrap code of the framework is executed before the bootstrap of the MVC of your choice.
WebSite:
http://code.google.com/p/hole-security/
Documentation:
For the moment you can use reference documentation of Spring Security where it’s apply. You can get a general idea using the Acegi Security reference documentation because hole-security use the same way of configuration, but keep in mind that it’s based on Spring Security.
License:
It’s released under Apache License Version 2.0.
Features:
hole-security brings an pluggable security system where you can adopt the security requirement of your environment. Currently there is a very simple security system because it’s on the first release but with the base foundation that it brings you could suggest or request for new features to be added to the project.
Currently Features:
In memory dao authentication as a proof of concept, you can switch to your preferred dao or implementation that get’s user data from database or wherever you store it. In futures release an PDO based implementation will be created.
Configured filters for be applied to url patterns. Url path matcher can be plugged to, currently it ship with a ant styles path matcher.
Authorization Manager can be used in your application to decide wherever or not do something, always obtaining the reference from the substrate context.
Shared Security Context accessible from any code of your application if hole_HttpSessionContextIntegrationFilter is applied. You can use this context to save information related to the session without use the session object directly.
You can use a custom login page and customize it according to the hole_AuthenticationProcessingFilter configuration, or customize hole_AuthenticationProcessingFilter according to your custom login page.
The default password encoder is plain text, without encoding. Futures releases will have implementations for MD5, Sha based, Base64 and others related encoding. You can create your own password encoder and get configured.
All the objects are loaded as required, if something like a filter it’s not used for a request would not be loaded. This increase the performance of the application
There are others features related that hole-security have.