Last active
December 16, 2020 15:47
-
-
Save gravataLonga/d28941265a41b6e63344a953d1d56cff to your computer and use it in GitHub Desktop.
sodium short usage
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?php | |
| // Symmetric Encription | |
| $msg = "ola"; | |
| $key = random_bytes(SODIUM_CRYPTO_SECRETBOX_KEYBYTES); | |
| $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES); | |
| $cypher_text = sodium_crypto_secretbox($msg, $nonce, $key); | |
| $plain_text = sodium_crypto_secretbox_open($cypher_text, $nonce, $key); | |
| echo $msg === $plain_text ? 'Success' : 'Error'; | |
| // NOTE: encryption is always authenticated, you need to store also | |
| // nonce + cypher_text | |
| // ============================================================================= | |
| // Authenticate with share-key | |
| $msg = "Hello World"; | |
| $key = random_bytes(SODIUM_CRYPTO_SECRETBOX_KEYBYTES); | |
| // MAC = Message Authentication Code | |
| $mac = sodium_crypto_auth($msg, $key); | |
| // Altering $mac or $msg, verification will fail | |
| echo sodium_crypto_auth_verify($mac, $msg, $key) ? 'Success' : 'Error'; | |
| // Message is not encrypt | |
| // ============================================================================= | |
| // Sending Secret Message | |
| $aliceKey = sodium_crypto_box_keypair(); | |
| $alicePublicKey = sodium_crypto_box_publickey($aliceKey); | |
| $aliceSecretKey = sodium_crypto_box_secretkey($aliceKey); | |
| $bobKey = sodium_crypto_box_keypair(); | |
| $bobPublicKey = sodium_crypto_box_publickey($bobKey); | |
| $bobSecretKey = sodium_crypto_box_secretkey($bobKey); | |
| $msg = "Hello Bob! It's alice!" | |
| $nonce = random_bytes(SODIUM_CRYPTO_BOX_NONCEBYTES); | |
| $keyEncript = $aliceSecretKey . $bobPublicKey; | |
| $cipher_text = sodium_crypto_box($msg, $nonce, $keyEncript); | |
| $keyDecrypt = $bobSecretKey . $alicePublicKey; | |
| $plain_text = sodium_crypto_box_open($cipher_text, $nonce, $keyDecrypt); | |
| echo $plain_text === $msg ? 'Success' : 'Error'; | |
| // Provides: Confidentially, Integrity and Non-repudiation | |
| // ============================================================================= | |
| // Digital Signature | |
| $keypair = sodium_crypto_sign_keypair(); | |
| $publickey = sodium_crypto_sign_publickey($keypair); | |
| $secretKey = sodium_crypto_sign_secretkey($keypair); | |
| $msg = "Message from alice"; | |
| $signedMsg = sodium_crypto_sign($msg, $secretKey); | |
| $original = sodium_crypto_sign_open($signedMsg, $publickey); | |
| echo $original === $msg ? 'Sucesso' : 'Error'; | |
| // Message is not encrypt, signedMsg includes signature + msg | |
| // ============================================================================= | |
| // Store Password | |
| $password = "Asdqwe123!"; | |
| $hash = sodium_crypto_pwhash_str( | |
| $password, | |
| SODIUM_CRYPTO_PWHASH_OPSLIMIT_INTERACTIVE, | |
| SODIUM_CRYPTO_PWHASH_MEMLIMIT_INTERACTIVE | |
| ); // 97 bytes | |
| echo sodium_crypto_pwhash_str_verify($hash, $password) ? 'OK' : 'Error'; | |
| // ============================================================================= | |
| // Derive Key from User's Password | |
| $password = "Asdqwe123!"; | |
| $salt = random_bytes(SODIUM_CRYPTO_PWHASH_SALTBYTES); | |
| $key = sodium_crypto_pwhash( | |
| 32, | |
| $password, | |
| $salt, | |
| SODIUM_CRYPTO_PWHASH_OPSLIMIT_INTERACTIVE, | |
| SODIUM_CRYPTO_PWHASH_MEMLIMIT_INTERACTIVE | |
| ); | |
| // NOTE: You need to store also the salt to generate the same key from password | |
| // ============================================================================= | |
| /* | |
| 0 key = hashes, prng's, key derivation | |
| 1 key = message authentication code (MAC), secret key encriptation | |
| 2 key = key exchanges, public key encriptation, digital signature, | |
| non-crypto: encoding, compression, math operation: base64, gzip, bin2hex, hash_equals | |
| */ | |
| // ============================================================================= | |
| /* | |
| 0 KEY: | |
| Short Hash (crc32, hash) => sodium_crypto_shorthash() // usage in non-crypto purpose | |
| md5, sha1, hash => sodium_crypto_generichash() // Stronger thant sha-3 faster than md5. | |
| Password Hash password_hash => sodium_crypto_pwhash_str() (argon2id >= 7.2php) | |
| */ | |
| // ============================================================================= | |
| /* | |
| 1 KEY: | |
| MAC -> Authenticate Message | |
| hash_hmac => sodium_crypto_auth | |
| hash_equals => sodium_crypto_auth_verify | |
| Secret-Key Encrption -> Encrypt and Decrypt (same key) | |
| - Don't guarantee integrity or authenticity (can't read but can change) | |
| - Add mac to do prevent that (add integrity and authenticity) | |
| ** ALWAYS: ENCRYPT THE MAC. | |
| Functions: sodium_crypto_secretbox* | |
| Functions: sodiun_crypto_aead_* (aead: Authentication Encryption Aditional Data) | |
| */ | |
| /* | |
| 2 KEY: | |
| sodium_crypto_box_* | |
| */ |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment