The State of Cryptography in PHP – Paragon Initiative …

With the release date for PHP 7 drawing near, let's take a look at everything good and bad about developing cryptography features in PHP, what got fixed in PHP 7, and what remains to be fixed in a future version of PHP.

The PHP programming language has come a long way throughout the lifetime of PHP 5. In the beginning, you had to implement your own ciphers and CSPRNG interfaces or install a PHP extension to offer basic security. As the language matured, it has become easier to implement secure cryptographic protocols without writing your own low-level features.

PHP 5 has several CSPRNG interfaces, but it's not immediately clear which one should (or even can) be used:

To make things clear, simple, and unambiguous, PHP 7 ships with two simple functions powered by your operating system's CSPRNG.

If you'd like to give these new functions a whirl and don't have PHP 7 installed yet, Paragon Initiative Enterprises maintains a polyfill for PHP 5 projects called random_compat.

We've previously covered common uses for CSPRNGs if you need a starting point.

The PHP bindings for the Sodium cryptography library have finally reached the stable channel in PECL. To help developers get acclimated with this library, we wrote an online book about libsodium development in PHP. You can read it for free online; downloadable copies are coming soon.

There have been great leaps and bounds in the maturity of the PHP programming language, especially when it comes to cryptography features. With PHP 7.0 arriving in the coming months, we've been thinking about what we could build to make PHP 7.1 or 8.0 continue this momentum.

It's great that the PHP bindings for libsodium can be installed via pecl install libsodium (assuming you already installed the underlying library), but in future versions of PHP it would be even better if it were bundled with the rest of the language.

Three reasons:

Our Chief Development Officer has opened an RFC to add libsodium to PHP.

One of the initiatives our team has been leading is the development of a simple cryptography frontend for 7.1. Our idea is to make the interface simple and backend-agnostic (like PDO rather than MySQLi). The current draft will support OpenSSL and Libsodium and only allow authenticated encryption (Encrypt then MAC) or AEAD constructions.

The development of a prototype is currently being discussed and conducted at paragonie/pco_prototype. Everyone is welcome to join this discussion.
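
To make the Encrypt-then-MAC requirement mentioned above concrete, here is an added example (not code from the original post or from paragonie/pco_prototype) that runs on PHP 7 with the OpenSSL extension. The etm_* function names, the AES-256-CTR with HMAC-SHA256 pairing, and the HMAC-label key split are assumptions made for this example.

```php
<?php
// Added example (hypothetical etm_* names, not the pco_prototype API).
function etm_keys(string $masterKey): array
{
    // Assumption: simple HMAC-label split so encryption and MAC keys differ.
    return [
        hash_hmac('sha256', 'encryption', $masterKey, true),
        hash_hmac('sha256', 'authentication', $masterKey, true),
    ];
}

function etm_encrypt(string $plaintext, string $masterKey): string
{
    list($encKey, $macKey) = etm_keys($masterKey);
    $iv = random_bytes(16); // fresh value from the OS CSPRNG for every message
    $ct = openssl_encrypt($plaintext, 'aes-256-ctr', $encKey, OPENSSL_RAW_DATA, $iv);
    if ($ct === false) {
        throw new RuntimeException('Encryption failed');
    }
    // The MAC is computed over IV + ciphertext, after encryption.
    return $iv . $ct . hash_hmac('sha256', $iv . $ct, $macKey, true);
}

function etm_decrypt(string $message, string $masterKey): string
{
    if (strlen($message) < 48) { // 16-byte IV + 32-byte MAC
        throw new RuntimeException('Message too short');
    }
    list($encKey, $macKey) = etm_keys($masterKey);
    $iv  = substr($message, 0, 16);
    $ct  = (string) substr($message, 16, -32);
    $mac = substr($message, -32);
    // Check the MAC in constant time before any decryption happens.
    if (!hash_equals(hash_hmac('sha256', $iv . $ct, $macKey, true), $mac)) {
        throw new RuntimeException('Authentication failed');
    }
    $plaintext = openssl_decrypt($ct, 'aes-256-ctr', $encKey, OPENSSL_RAW_DATA, $iv);
    if ($plaintext === false) {
        throw new RuntimeException('Decryption failed');
    }
    return $plaintext;
}

// Constructed sample: round trip, then flip one ciphertext bit.
$key    = random_bytes(32);
$sealed = etm_encrypt('constructed sample message', $key);
var_dump(etm_decrypt($sealed, $key) === 'constructed sample message');
$sealed[20] = chr(ord($sealed[20]) ^ 1);
try { etm_decrypt($sealed, $key); } catch (RuntimeException $e) { echo $e->getMessage(), "\n"; }
```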

Although our Chief Development Officer previously opened a feature request on the PHP bug tracker for new hash functions in PHP 7, this did not get discussed in time for inclusion in 7.0. We would instead like to make it happen in PHP 7.1.

Later versions of PHP (7.1, maybe 7.2) should be updated so that password_hash() and password_verify() support Argon2, the winner of the Password Hashing Competition. Whether or not this will be the new PASSWORD_DEFAULT algorithm remains to be decided.

Note that Argon2 is already being added to libsodium.

PHP has come a long way, and it has a long road ahead of it. Whatever challenges or opportunities await us, the development team at Paragon Initiative Enterprises will continue to do everything we can to make security as easy as PIE for software developers the world over.
