Introduction to Computer Security Module G6077
AES, Salting modes, Base64, Hex
Learning objectives:
Understand the purpose of encodings: Base64 & Hex
Use OpenSSL library with PHP
Implement standard symmetric ciphers AES
Use AES with different salt modes.
Contents
Base64 3
Task 1 – base64_decode() 4
Task 2 – Information asset weak encryption 4
Hexadecimal 5
Task 3 6
Task 4 6
OpenSSL in PHP [AES, Salt modes] 7
Task 5 Salting modes 8
Task 6 Galois/Counter Mode (AES-GCM) 9
Task 7 – Implementing GCM 9
Task 8 –OpenSSL manual for more methods and their examples 9
Following are the four forms of encryption.
• Symmetric
• Asymmetric
• Hashing
• Encodings: Base64, Hex and Octal.
In this lab, we will symmetric only AES which is a standard and used on extensively in applications. We will also look at encodings which used a lot in developing secure applications.
Base64
It is abundantly used in crypto systems. If you don’t know about Base64, read the article listed below:
https://base64.guru/learn/what-is-base64
PHP use the following two methods to encode and decode data into base64 format.
base64_encode ( string $data ) : string
//encodes the given data with base64.
Apart from other uses, this encoding helps in moving the data through the transport layers. It takes about 33% more space than the original data.
base64_decode ( string $data [, bool $strict = FALSE ] ) : string
// decodes the given data
Parameters:
data: The encoded data.
strict: If the strict parameter is set to TRUE then the base64_decode() function will
return FALSE if the input contains character from outside the base64 alphabet.
Otherwise invalid characters will be silently discarded.
Return values: Returns the decoded data or FALSE on failure. The returned data
may be binary.
In this document, you will be testing all the examples and attempting some tasks. For almost all the examples and tasks, you will need to type them in Notepad++ or any other IDE of your choice. PHP script files needs to be saved in the htdocs to be able to view them in the browser. Before viewing in browser, make sure that you open the XAMP control panel and start Apache and MySQL. Make sure that files and folders in your in htdocs are organised.
Example
Implement this simple example of Base64 using PHP and note the output for the task1.
You can also do this as base64_encode()returns a string value.
Task 1 – base64_decode()
You noticed two variations of encode method in example1: proving a direct string and a variable as an argument. Now, use base64_decode()method to decode. Provide a base64 value as an argument to the method. Use the base64 value generated in the example1. Then modify the code so that a string variable pass the value to base64_decode().
Task 2 – Information asset weak encryption
Base64 is not used to safeguard important assets like password. However, it is used abundantly in crypto systems to enable transfer of encrypted data between different parts of the applications and between ciphers.
In the last week lab, you have created a complex login. If you have not completed complex login, then you will need to do that first before you attempt this task.
In this particular task, you will attempt to use Base64 to try to secure password. In Canvas lab 4 section, you are provided two .php files:
registerationFormCheck.php and registerationForm.php.
First you will need to implement in your last week php application a user registration form. This form and its check associate files needs to be in htdocs with other complex login files that you created last week. You will need to start Apache and MySQL to check that a user record can be entered into DB from a simple registration form.
Study the code of registeratinFormCheck particularly for $password and SELECT query statement.
Now, you will need to modify two files:
registerationFormCheck.php and complexLoginFormCheck.php.
Once you modify both PHP files, then you will test it. You will register a user and then will check if user can log back in. While registering, can you register a user by the name of Base64 and password Base64. In future labs, we will be using Kali Linux to crack passwords which are saved in weak encryption forms. It will be easy to recognise these values to understand results of those tools.
[Next week we will be revisiting password encryption/hashing using PHP specific methods for password hashing]
• registerationFormCheck.php
// you will need to encode the password value entered by the user
$strBase64Password = base64_encode($password);
// insert query , check Base64 variable in the Values statement
$userQuery = “INSERT INTO systemuser (Username, Password, Forename, Surname, Email) Values(‘$username’, ‘$strBase64Password’, ‘$forname’, ‘$surname’, ‘$email’)”;
• complexLoginFormCheck.php
// in this file, you will use base64_decode(), to decode the password value and assign it to a variable. The variable will then be used in the if statement to check if the entered value is the same as the decoded value.
$storedPasswordBase64 = base64_decode($userRow[‘Password’]);
if ($storedPasswordBase64 == $password)
{
echo “Hi” .$username. “!”;
echo “
Welcome to our website”;
}
else
{
echo “Wrong password”;
}
Hexadecimal
Hexadecimal numbering system is often used by programmers to simplify the binary numbering system. Since 16 is equivalent to 24, there is a linear relationship between the numbers 2 and 16. This means that one hexadecimal digit is equivalent to four binary digits. Computers use binary numbering system while humans use hexadecimal numbering system to shorten binary and make it easier to understand.
Hexadecimals are used in the following:
• To define locations in memory. Hexadecimals can characterise every byte as two hexadecimal digits only compared to eight digits when using binary.
• To define colours on web pages. Each primary colour – red, green and blue is characterised by two hexadecimal digits. The format being used is #RRGGBB. RR stands for red, GG stands for green and BB stands for blue.
• To represent Media Access Control (MAC) addresses. MAC addresses consist of 12-digit hexadecimal numbers. The format being used is either MM:MM:MM:SS:SS:SS or MMMM-MMSS-SSSS. The first 6 digits of the MAC address represent the ID of the adapter manufacturer while the last 6 digits represent the serial number of the adapter.
• To display error messages. Hexadecimals are used to define the memory location of the error. This is useful for programmers in finding and fixing errors.
Don’t forget to read the article listed below.
https://medium.com/@savas/why-do-we-use-hexadecimal-d6d80b56f026
bin2hex()
The bin2hex() function converts a string of ASCII characters to hexadecimal
values. The string can be converted back using the pack() function.
Syntax: bin2hex(string)
Test example-02 in PHP
pack()
The pack() function packs data into a binary string.
Syntax: pack(format,args+)
For complete detail check PHP manual
https://www.php.net/manual/en/function.pack.php
Test example-03 in PHP. First check in the manual, what does H represent.
“;
echo pack(“H*”,bin2hex($str)) . “
“;
?>
What does * represent with H? Change * to 3 and then check the output. Then change it to 5 or any other number and check the output.
Task 3
Your manager has asked you that a decimal value has been captured and has asked you to determine the message using PHP by pack () function. Value is:
658484656775
hex2bin ()
Syntax:
hex2bin ( string $data ) : string
Test example-04:
Task 4
First test the example listed below. Then modify the code use hex2bin ( ) instead
of pack( ).
“;
echo pack(“H*”,bin2hex($str)) . “
“;
//modify this line
?>
OpenSSL in PHP [AES, Salt modes]
PHP comes with many options to use cryptography. Their two most recommended and latest libraries are OpenSSL and Sodium. Learners should exploit Sodium library in their own time, if they have an interest in developing secure applications using PHP. In this course, I will be covering only OpenSSL to an introductory level. Manual listed below list all the functions of OpenSSL library of PHP. If you have installed XAMP from the link that I provided in the XAMP lab, it has installed OpenSSL library automatically for PHP.
OpenSSL library PHP manual that I will be referring in my notes:
https://www.php.net/manual/en/book.openssl.php
openssl_encrypt()
The openssl_encrypt() function encrypt the data.
Syntax:
string openssl_encrypt( string $data, string $method, string
$key, $options = 0, string $iv, string $tag= NULL,
string $aad, int $tag_length = 16 )
Parameters:
$data: It holds the string or data which need to be encrypted.
$method: The cipher method is adopted using openssl_get_cipher_methods() function.
$key: It holds the encryption key.
$options: It holds the bitwise disjunction of the flags OPENSSL_RAW_DATA and OPENSSL_ZERO_PADDING.
$iv: It holds the initialization vector which is not NULL.
$tag: It holds the authentication tag which is passed by reference when using AEAD cipher mode (GCM or CCM).
$aad: It holds the additional authentication data.
$tag_length: It holds the length of the authentication tag. The length of authentication tag lies between 4 to 16 for GCM mode.
Return Value: It returns the encrypted string on success or FALSE on failure.
openssl_decrypt()
The openssl_decrypt() function is used to decrypt the data.
Syntax:
string openssl_decrypt( string $data, string $method, string
$key,int $options = 0, string $iv, string $tag, string $aad)
Parameters:
$data: It holds the string or data which need to be encrypted.
$method: The cipher method is adopted using openssl_get_cipher_methods() function.
$key: It holds the encryption key.
$options: It holds the bitwise disjunction of the flags OPENSSL_RAW_DATA and OPENSSL_ZERO_PADDING.
$iv: It holds the initialization vector which is not NULL.
$tag: It holds the authentication tag using AEAD cipher mode (GCM or CCM). When authentication fails openssl_decrypt() returns FALSE.
$aad: It holds the additional authentication data.
Return Value: It returns the decrypted string on success or FALSE on failure.
Test this example-05
“;
// Store the cipher method
$ciphering = “AES-128-CTR”;
// Use OpenSSl Encryption method
$iv_length = openssl_cipher_iv_length($ciphering);
$options = 0;
// Non-NULL Initialization Vector for encryption
$encryption_iv = ‘1234567891011121’;
// Store the encryption key
$encryption_key = “G6077”;
// Use openssl_encrypt() function to encrypt the data
$encryption = openssl_encrypt($simple_string, $ciphering,
$encryption_key, $options, $encryption_iv);
// Display the encrypted string
echo “Encrypted String: ” . $encryption . “\n”;
echo “
“;
// Non-NULL Initialization Vector for decryption
$decryption_iv = ‘1234567891011121’;
// Store the decryption key
$decryption_key = “G6077”;
// Use openssl_decrypt() function to decrypt the data
$decryption=openssl_decrypt ($encryption, $ciphering,
$decryption_key, $options, $decryption_iv);
// Display the decrypted string
echo “Decrypted String: ” . $decryption;
?>
Task 5 Salting modes
What does CTR refer to in the code of example-05? If you don’t know, check lecture 4a slides 22-24. What does 128 refers to?
AES-128-CTR
Change CTR to different options and then compare the encrypted value. Is it generating the same value or different?
Task 6 Galois/Counter Mode (AES-GCM)
Login to any application like Gmail, Amazon and e-bay. Then right click and select the inspect to open Dev Console. Click Security tab to check three things in the connection settings:
• TLS – Transport Layer Security
• Asymmetric cipher. This may be elliptic curve.
• Symmetric cipher. Highly likely this will be AES-128-GCM
What is GCM? Read about it in the links listed below:
https://www.cryptosys.net/pki/manpki/pki_aesgcmauthencryption.html
https://en.wikipedia.org/wiki/Galois/Counter_Mode
Task 7 – Implementing GCM
Modify the CTR example-05 of AES to implement GCM mode with AES. Don’t
forget about specifying tag value. It can be null.
Task 8 –OpenSSL manual for more methods and their examples
Implement the following example. Note the use of new methods used in this
example. Find out more about these methods in the PHP manual
https://www.php.net/manual/en/book.openssl.php