This is an old revision of the document!
PHP RFC: Your Title Here
- Version: 0.9
- Date: 2013-03-13 (use today's date here)
- Author: Scott Arciszewski, scott@arciszewski.me
- Status: Under Diiscussion
- First Published at: http://wiki.php.net/rfc/timing_safe_encoding
Introduction
Cryptography libraries written in PHP often store encryption keys in an alternate encoding (Base-16 or Base-64, as specified in RFC 4648). However, the way these functions are trivially implemented open the door to possible cache-timing attacks which could be used to steal encryption keys, even if the encryption is well-implemented.
Proposal
A number of functions that already exist will have a timing-safe alternative exposed to PHP developers.
- `bin2hex` -> `bin2hex_ts`
- `hex2bin` -> `hex2bin_ts`
- `base64_encode` -> `base64_encode_ts`
- `base64_decode` -> `base64_decode_ts`
Backward Incompatible Changes
None! :)
Proposed PHP Version(s)
This proposal targets the 7.0 release of PHP.
Proposed Voting Choices
As this is not a significant change, a 50%+1 majority vote ought to be sufficient.
Patches and Tests
An incomplete patch is being developed in [https://github.com/php/php-src/pull/1036](Pull Request 1036).
References
* [It's All About Time](http://blog.ircmaxell.com/2014/11/its-all-about-time.html) by Anthony Ferrara