rfc:php71-crypto
Differences
This shows you the differences between two versions of the page.
Next revision | Previous revision | ||
rfc:php71-crypto [2016/01/10 03:14] – created sarciszewski | rfc:php71-crypto [2017/09/22 13:28] (current) – external edit 127.0.0.1 | ||
---|---|---|---|
Line 12: | Line 12: | ||
===== Proposal ===== | ===== Proposal ===== | ||
+ | My proposal is to create a series of new classes (preferably in its own namespace, e.g. \Php\Crypto or simply \Cryptography): | ||
+ | * '' | ||
+ | * '' | ||
+ | * '' | ||
+ | * '' | ||
+ | * '' | ||
+ | * '' | ||
+ | * '' | ||
+ | * '' | ||
+ | * '' | ||
+ | * '' | ||
+ | * '' | ||
+ | |||
+ | Users would primarily be interested in the '' | ||
+ | |||
+ | For example: | ||
+ | |||
+ | $keypair = \Php\Crypto\KeyFactory:: | ||
+ | var_dump($keypair); | ||
+ | $secret = $keypair-> | ||
+ | $public = $keypair-> | ||
+ | | ||
+ | $fips = new \Php\Crypto\Asymmetric\Crypto([ | ||
+ | ' | ||
+ | ' | ||
+ | ' | ||
+ | ]); | ||
+ | $ciphertext = $fips-> | ||
+ | 'This is a text message', | ||
+ | $public | ||
+ | ); | ||
+ | $plaintext = $fips-> | ||
+ | $ciphertext, | ||
+ | $secret | ||
+ | ); | ||
+ | var_dump($plaintext === 'This is a text message' | ||
+ | |||
+ | The '' | ||
+ | | ||
+ | * '' | ||
+ | * '' | ||
+ | * '' | ||
+ | * '' | ||
+ | * '' | ||
+ | * '' | ||
+ | |||
+ | The '' | ||
+ | |||
+ | * '' | ||
+ | * '' | ||
+ | * '' | ||
+ | * '' | ||
+ | * '' | ||
+ | * '' | ||
+ | |||
+ | All decryption (including unseal()) operations will throw a typed exception (e.g. '' | ||
+ | |||
+ | ===== Drivers, Configurations, | ||
+ | |||
+ | This API will act similar to PDO in the sense that it can, behind the scenes, support multiple drivers. As of the day we ship PHP 7.1.0, we MUST support at least two: | ||
+ | |||
+ | * '' | ||
+ | * '' | ||
+ | |||
+ | Which driver and which primitives can be supplied at the time a Crypto object is created, but the valid choices will be limited. | ||
+ | |||
+ | * Libsodium (not configurable) | ||
+ | * Cipher: Xsalsa20 | ||
+ | * Hash/HMAC: HMAC-SHA-512/ | ||
+ | * Public keys: X25519 | ||
+ | * Signatures: Ed25519 | ||
+ | * HKDF: BLAKE2b | ||
+ | * Password-Based Key Derivation: Argon2i | ||
+ | * OpenSSL (configurable): | ||
+ | * Cipher: AES-128, AES-192, AES-256 | ||
+ | * Hash/HMAC: SHA256, SHA384, SHA512, SHA3-356, SHA3-384, SHA3-512 | ||
+ | * Public keys: ECDH over NIST P-256 | ||
+ | * Signatures: ECDSA over NIST P-256 | ||
+ | * HKDF: (See hash function above) | ||
+ | * Password-Based Key Derivation: PBKDF2-(hash function above) with 86,000 rounds | ||
+ | |||
+ | If both drivers are installed, both '' | ||
+ | |||
+ | If you only specify a driver, OpenSSL will default to: AES-256 and SHA-384. Only CTR mode is supported regardless of cipher, except for aeadEncrypt() and aeadDecrypt(), | ||
+ | |||
+ | ===== Ciphertext Message Format ===== | ||
+ | |||
+ | The first four bytes of any message are a header that indicates the version of the library and various other information. | ||
+ | |||
+ | * First byte: Major version of this interface (e.g. '' | ||
+ | * Second byte: Minor version of this interface (e.g. '' | ||
+ | * Third byte: Driver ID | ||
+ | * Fourth byte: A checksum ('' | ||
+ | |||
+ | Driver-specific metadata can follow this four-byte header, but it is not required. | ||
===== Proposed PHP Version(s) ===== | ===== Proposed PHP Version(s) ===== | ||
Line 21: | Line 116: | ||
==== To Existing Extensions ==== | ==== To Existing Extensions ==== | ||
- | |||
===== Unaffected PHP Functionality ===== | ===== Unaffected PHP Functionality ===== | ||
Line 28: | Line 122: | ||
===== Future Scope ===== | ===== Future Scope ===== | ||
- | |||
- | |||
===== Proposed Voting Choices ===== | ===== Proposed Voting Choices ===== |
rfc/php71-crypto.1452395659.txt.gz · Last modified: 2017/09/22 13:28 (external edit)