Cryptography has long been a central topic in Web security. One aspect that concerns many webmasters, generating passwords and tokens from cryptographically strong randomness, has just become a hot spot: several popular PHP projects are about to get better cryptography.
Scott Arciszewski of Paragon Initiative Enterprises and other members of the open source community have been working on improving the security of PHP applications. These changes are about to land in popular projects such as WordPress, Laravel, and Symfony.
WordPress 4.4, Laravel 5.2 and Symfony 2.8 will soon have built-in support for a CSPRNG, or Cryptographically Secure PseudoRandom Number Generator.
What is CSPRNG and how does it work?
A CSPRNG is a random number generation algorithm designed for cryptographic purposes. Using such algorithms is highly recommended because their output has a high level of entropy and cannot be predicted by an attacker. In other words, tokens and passwords derived from those numbers are much harder to guess in brute-force attacks.
Scott Arciszewski believes that the lack of a decent random number generation system in the open-source Facebook SDK (software development kit) should inspire experts to contribute. At least that’s what inspired him. He first proposed a plan for Facebook developers to improve the SDK. Then he took two cryptographically safe functions, added them to PHP 7 and ported them to work on PHP 5.x.
random_compat library included in the code base of WordPress
WordPress, Laravel, and Symfony have already integrated the random_compat library in their code base. However, Joomla is a bit behind with the cryptography practices.
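The two functions mentioned above are random_bytes() and random_int(), native in PHP 7 and polyfilled on PHP 5.x by random_compat. The following example is added here and is not code from the article, from random_compat, or from any of the projects named; it assumes PHP 7 or PHP 5.x with the random_compat polyfill already loaded (for instance through a Composer autoloader), and that hash_equals() is available (PHP 5.6+). It contrasts a predictable token generator with a CSPRNG-backed one and shows how to handle the case where no secure randomness source is available.

```php
<?php
// Added example, not from the article or from random_compat.
// Assumes PHP 7+, or PHP 5.x with paragonie/random_compat loaded so that
// random_bytes() and random_int() exist, and PHP 5.6+ for hash_equals().

// "Before": mt_rand() is seedable and its output stream is predictable once
// a few values are observed. Shown only to contrast with the secure version.
function weak_token($bytes = 16) {
    $out = '';
    for ($i = 0; $i < $bytes; $i++) {
        $out .= chr(mt_rand(0, 255)); // not a CSPRNG
    }
    return bin2hex($out);
}

// "After": random_bytes() reads from the operating system's CSPRNG.
// 32 random bytes give a 64-character hex token (256 bits of entropy).
function secure_token($bytes = 32) {
    return bin2hex(random_bytes($bytes));
}

// random_int() returns an unbiased integer in [min, max]; using it per digit
// avoids the modulo bias of `rand() % 10`. Suitable for one-time codes.
function secure_numeric_code($digits = 6) {
    $code = '';
    for ($i = 0; $i < $digits; $i++) {
        $code .= random_int(0, 9);
    }
    return $code;
}

// Compare a stored token with a submitted one in constant time so the
// comparison does not leak how many leading characters matched.
function token_matches($expected, $provided) {
    return hash_equals($expected, $provided);
}

// Failure mode: random_bytes() throws when no secure source is available
// (random_compat does the same). The correct response is to fail closed,
// never to fall back to mt_rand() or uniqid().
try {
    $token = secure_token();
    $code  = secure_numeric_code();
    echo "token: $token\ncode: $code\n";
    var_dump(token_matches($token, $token)); // bool(true)
} catch (Exception $e) {
    error_log('No CSPRNG available: ' . $e->getMessage());
    exit(1);
}
```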
Arciszewski recently told Softpedia:
‘JCrypt is Joomla’s cryptography library and it handles a lot of things, from symmetric-key encryption to password authentication,’ adding that, ‘Their legacy password authentication (pre-bcrypt) is vulnerable to (…) a ‘magic hash’ vulnerability (…).’
Those aren’t the only issues the Joomla dev team will have to handle, which is a pity, since the Joomla platform is quite popular.
Learn more from Arciszewski’s blog post.