Let's talk about some of the open source libraries that @ParagonIE has created over the years to make it easier to make secure PHP applications.
https://paragonie.com/software
First, the polyfill libraries: random_compat exists so that your framework can use the newer PHP 7 CSPRNG API even if they support PHP 5. It's used by a lot of projects, including WordPress. https://github.com/paragonie/random_compat
In a similar spirit, sodium_compat reimplements (most of) libsodium in pure PHP, and even supports 32-bit operating systems. Its purpose is to help projects transition toward PHP 7.2+ support. https://github.com/paragonie/sodium_compat
If you need a deterministic RNG in 2014 (e.g. shared seed), you might have used srand() or mt_srand() then rand() or mt_rand() (respectively). These days, you'll want SeedSpring, which uses AES-CTR to generate a long stream of pseudorandom bytes: https://github.com/paragonie/seedspring
Replying to @CiPHPerCoder
Shall we add bindings for sodium_randombytes_deterministic()?
Replying to @CiPHPerCoder
Or maybe re-add it, since the randombytes bindings used to be there. Maybe they are still available in the PECL version.
Replying to @jedisct1
I plan on doing an RFC for PHP 7.4 to add more sodium functions, especially if the XChaCha RFC actually gains momentum.
If the XChaCha RFC gains momentum, this will become the high-level crypto_aead() API. I don’t believe in CAESAR any more.
Replying to @jedisct1
Proposal: Can we get 224-bit nonces with the crypto_aead()? :P
Replying to @CiPHPerCoder
Technically, yes, of course. In practice, that would just be confusing. I’d rather stay compatible with the current low-level function (minus the secret nonce, maybe).
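The deterministic-RNG tweet above describes turning a shared seed into a long pseudorandom byte stream with AES-CTR. The sketch below is an added example of that idea, not SeedSpring's code and not part of the thread: the class and method names are hypothetical, the seed is a constructed sample, and it assumes 64-bit PHP 7.4+ with the OpenSSL extension.

```php
<?php
declare(strict_types=1);

// Added illustration, not SeedSpring's code; all names here are hypothetical.
final class SeededStream
{
    private string $key;
    private int $block = 0; // index of the next 16-byte keystream block

    public function __construct(string $seed)
    {
        if (strlen($seed) !== 16) {
            throw new InvalidArgumentException('Seed must be exactly 16 bytes');
        }
        $this->key = $seed;
    }

    public function bytes(int $n): string
    {
        if ($n < 1) {
            throw new InvalidArgumentException('Length must be positive');
        }
        $blocks = intdiv($n + 15, 16);
        // Counter block: 8 zero bytes, then the block index as a big-endian uint64.
        $iv = str_repeat("\0", 8) . pack('J', $this->block);
        // Encrypting zero bytes in CTR mode returns the raw keystream.
        $out = openssl_encrypt(str_repeat("\0", $blocks * 16), 'aes-128-ctr',
            $this->key, OPENSSL_RAW_DATA, $iv);
        if ($out === false) {
            throw new RuntimeException('AES-CTR keystream generation failed');
        }
        $this->block += $blocks; // the unused tail of the last block is discarded
        return substr($out, 0, $n);
    }

    public function int(int $min, int $max): int
    {
        $range = $max - $min + 1;
        if ($range < 1 || $range > 0x100000000) {
            throw new InvalidArgumentException('Range must span 1 to 2^32 values');
        }
        // Rejection sampling: drop values that would make the modulo biased.
        $limit = intdiv(0x100000000, $range) * $range;
        do {
            $v = unpack('N', $this->bytes(4))[1];
        } while ($v >= $limit);
        return $min + ($v % $range);
    }
}

$seed = hex2bin('000102030405060708090a0b0c0d0e0f'); // constructed sample seed
$a = new SeededStream($seed);
$b = new SeededStream($seed);
var_dump($a->bytes(32) === $b->bytes(32), $a->int(1, 6) === $b->int(1, 6));
```

Anyone who holds the seed can reproduce the whole stream, so a generator like this fits reproducible or shared-seed use, not key or token generation.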