I do crypto/appsec/development for Paragon Initiative Enterprises.
Last week, the voting phase closed on an RFC to add libsodium to PHP 7.2. The result was unanimous (37 in favor, 0 against).
When version 7.2 releases at the end of the year, PHP will be the first programming language to adopt modern cryptography in its standard library.
A cryptography library can be said to be modern if it meets two requirements:
If you implement public key encryption and digital signatures in OpenSSL and Golang, you're forced to choose between RSA and NIST ECC. Neither is a good choice.
Modern cryptography requires the use of secure primitives. For public key cryptography, that means the primitives outlined in RFC 7748 and RFC 8032. For symmetric cryptography, that means using authenticated encryption at all times.
NIST curves (P-256, etc.) do not qualify as modern cryptography (although their presence in a library doesn't automatically disqualify either).
Libsodium's primitives include:
But you'll likely not need to worry about these details, because it also provides a...
To facilitate public-key encryption in libsodium, you just need the following:
```php
// Some example variables:
$alice_ecdh_secret = "\x69\xf2\x08\x41\x2d\x8d\xd5\xdb\x9d\x0c\x6d\x18\x51\x2e\x86\xf0" .
    "\xec\x75\x66\x5a\xb8\x41\x37\x2d\x57\xb0\x42\xb2\x7e\xf8\x9d\x8c";
$bob_ecdh_public = "\xe8\x98\x0c\x86\xe0\x32\xf1\xeb\x29\x75\x05\x2e\x8d\x65\xbd\xdd" .
    "\x15\xc3\xb5\x96\x41\x17\x4e\xc9\x67\x8a\x53\x78\x9d\x92\xc7\x54";
$message_keypair = sodium_crypto_box_keypair_from_secretkey_and_publickey(
    $alice_ecdh_secret,
    $bob_ecdh_public
);
$plaintext = "This is a secret message for your eyes only.";
$nonce = random_bytes(24);

// And now for the actual public-key encryption step:
$ciphertext = sodium_crypto_box($plaintext, $nonce, $message_keypair);
```
To decrypt a message:
```php
$received = sodium_crypto_box_open(
    $received_ciphertext,
    $received_nonce,
    $message_keypair
);
```
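The snippets above are written from Alice's side only. The following is an added example, not code from the original post, that carries the same crypto_box API through a full exchange: both parties generate keypairs, Bob opens the box with his own secret key and Alice's public key, and a modified ciphertext is rejected rather than decrypted to garbage. It assumes PHP 7.2 with ext/sodium; the helper names `box_encrypt` and `box_decrypt` are mine, not part of the extension.

```php
<?php
// Added example (not from the original post): a full crypto_box round trip
// between two parties, plus a tamper check. Assumes PHP 7.2 with ext/sodium.
declare(strict_types=1);

// Each party generates a long-term X25519 keypair and publishes the public half.
$alice_keypair = sodium_crypto_box_keypair();
$alice_secret  = sodium_crypto_box_secretkey($alice_keypair);
$alice_public  = sodium_crypto_box_publickey($alice_keypair);

$bob_keypair = sodium_crypto_box_keypair();
$bob_secret  = sodium_crypto_box_secretkey($bob_keypair);
$bob_public  = sodium_crypto_box_publickey($bob_keypair);

/**
 * Sender side (hypothetical helper): encrypt $plaintext from $my_secret to
 * $their_public. Returns [nonce, ciphertext]. The nonce is not secret, but it
 * must never repeat for the same key pair, so a fresh random one is drawn per message.
 */
function box_encrypt(string $plaintext, string $my_secret, string $their_public): array
{
    $kp = sodium_crypto_box_keypair_from_secretkey_and_publickey($my_secret, $their_public);
    $nonce = random_bytes(SODIUM_CRYPTO_BOX_NONCEBYTES); // 24 bytes from the OS CSPRNG
    $ciphertext = sodium_crypto_box($plaintext, $nonce, $kp);
    sodium_memzero($kp);
    return [$nonce, $ciphertext];
}

/**
 * Receiver side (hypothetical helper): the receiver combines *their own* secret
 * with the *sender's* public key; X25519 yields the same shared secret from
 * either direction. Returns the plaintext, or false if the Poly1305 tag fails.
 */
function box_decrypt(string $ciphertext, string $nonce, string $my_secret, string $their_public)
{
    $kp = sodium_crypto_box_keypair_from_secretkey_and_publickey($my_secret, $their_public);
    $plaintext = sodium_crypto_box_open($ciphertext, $nonce, $kp);
    sodium_memzero($kp);
    return $plaintext; // string on success, false on authentication failure
}

$message = 'This is a secret message for your eyes only.';

// Alice -> Bob: the nonce travels alongside the ciphertext.
[$nonce, $ciphertext] = box_encrypt($message, $alice_secret, $bob_public);

// Bob opens it with his secret key and Alice's public key.
if (box_decrypt($ciphertext, $nonce, $bob_secret, $alice_public) !== $message) {
    throw new RuntimeException('round trip failed');
}

// Changing a single byte is detected: open() returns false, never corrupted plaintext.
$tampered = $ciphertext;
$tampered[0] = chr(ord($tampered[0]) ^ 0x01);
if (box_decrypt($tampered, $nonce, $bob_secret, $alice_public) !== false) {
    throw new RuntimeException('tampering was not detected');
}

// Someone holding a different secret key cannot open the box either.
$other_secret = sodium_crypto_box_secretkey(sodium_crypto_box_keypair());
if (box_decrypt($ciphertext, $nonce, $other_secret, $alice_public) !== false) {
    throw new RuntimeException('box opened with the wrong key');
}

echo "round trip succeeded; tampered ciphertext and wrong key were rejected\n";
```

The script throws on any unexpected result, so a clean run is the check. Note that `sodium_crypto_box_open` signals authentication failure by returning `false`, so callers must compare with `!== false` rather than test truthiness (an empty-string plaintext is a legitimate result).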
If you develop in PHP and can upgrade to 7.2 when it comes out, you get to enjoy modern cryptography as a part of the language itself. It will now be possible to design software that uses Ed25519 digital signatures (e.g. for automatic security updates) without requiring users to install an optional PHP extension.
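As an added example of the automatic-update use case mentioned above (not code from the original post), here is the Ed25519 flow with detached signatures: the vendor signs the release bytes offline, the client verifies against a public key it already has pinned, and both a modified package and a signature from any other key are refused before anything is installed. It assumes PHP 7.2 with ext/sodium; `sign_release` and `verify_release` are hypothetical helper names and the package bytes are constructed sample data.

```php
<?php
// Added example (not from the original post): signing a release artifact with
// Ed25519 and verifying it on the client before installation. Assumes PHP 7.2
// with ext/sodium; the "package" bytes below are constructed sample data.
declare(strict_types=1);

// --- Vendor side (done once, offline): generate the signing keypair. ---
// The secret key stays on the release machine; the public key is pinned into
// the client at build time.
$sign_keypair  = sodium_crypto_sign_keypair();
$vendor_secret = sodium_crypto_sign_secretkey($sign_keypair);
$vendor_public = sodium_crypto_sign_publickey($sign_keypair);

/** Vendor side (hypothetical helper): 64-byte detached signature over the package. */
function sign_release(string $package, string $secret_key): string
{
    return sodium_crypto_sign_detached($package, $secret_key);
}

/**
 * Client side (hypothetical helper): verify before touching the package.
 * Returns true only if the signature was made over exactly these bytes by the
 * holder of the pinned public key's secret half.
 */
function verify_release(string $package, string $signature, string $pinned_public_key): bool
{
    if (strlen($signature) !== SODIUM_CRYPTO_SIGN_BYTES) {
        return false; // malformed signature; the extension would otherwise throw
    }
    return sodium_crypto_sign_verify_detached($signature, $package, $pinned_public_key);
}

// Constructed sample "package"; in practice this would be the archive bytes.
$package   = "update-v1.2.3\n" . str_repeat("\x00", 64) . "payload";
$signature = sign_release($package, $vendor_secret);

// The client receives ($package, $signature) over any channel and checks them
// against the key it already has. The channel does not need to be trusted.
if (!verify_release($package, $signature, $vendor_public)) {
    throw new RuntimeException('genuine package failed to verify');
}

// A package altered in transit fails, however small the change.
$altered = $package;
$altered[strlen($altered) - 1] = 'X';
if (verify_release($altered, $signature, $vendor_public)) {
    throw new RuntimeException('altered package was accepted');
}

// A signature made with any other key fails against the pinned public key.
$other_secret = sodium_crypto_sign_secretkey(sodium_crypto_sign_keypair());
if (verify_release($package, sign_release($package, $other_secret), $vendor_public)) {
    throw new RuntimeException('signature from a different key was accepted');
}

echo "release verified; altered package and foreign signature rejected\n";
```

The design point is that only the public key ships with the client, so compromising a client reveals nothing that lets anyone forge an update; protecting the vendor's secret key (offline, hardware-backed where possible) is what the whole scheme rests on.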
This has come up a bunch in response to my tweet announcing the RFC passing. However, most of the languages that were proposed as being ahead of PHP on this issue weren't.
Here are the facts:
Go 1.8 will use X25519 and ChaCha20-Poly1305 in its TLS stack, but it doesn't offer modern application-layer cryptography in its standard library. That means you can use modern TLS, but if you want to encrypt data at rest, you have to either go outside the standard library or use 1990s-era public-key cryptography.
Most other programming languages (Ruby, Erlang, Node.js) still only offer OpenSSL, which invites developers to (mis)use RSA, encrypt using AES in ECB mode, and never authenticate their ciphertexts. Furthermore, many of these languages still use OpenSSL's userspace PRNG and don't expose a sane API for accessing the operating system's CSPRNG. (PHP solved this in 7.0.)
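To make the data-at-rest point concrete, the following added example (not from the original post) puts the misuse pattern just described, AES in ECB mode with no authentication, next to libsodium's `sodium_crypto_secretbox`. It shows two things the prose can only assert: ECB leaks the repetition in a structured record, and it decrypts a modified ciphertext without complaint, whereas secretbox hides the structure and refuses modified input. It assumes PHP 7.2 with ext/openssl and ext/sodium; `distinct_blocks` is a hypothetical helper and the record is constructed sample data.

```php
<?php
// Added example (not from the original post): the data-at-rest pitfalls named
// above (AES-ECB, unauthenticated ciphertext) next to libsodium's secretbox.
// Assumes PHP 7.2 with ext/openssl and ext/sodium; keys and data are constructed.
declare(strict_types=1);

// Constructed record: four identical 16-byte lines, the kind of structure
// real data (fixed-width fields, headers, padding) has all the time.
$record = str_repeat("BALANCE=000100;\n", 4);

/** Hypothetical helper: how many distinct 16-byte blocks appear in the first $n bytes. */
function distinct_blocks(string $bytes, int $n): int
{
    return count(array_unique(str_split(substr($bytes, 0, $n), 16)));
}

// --- The misuse: AES-128-ECB via OpenSSL, no authentication. ---
$ecb_key = random_bytes(16);
$ecb_ct  = openssl_encrypt($record, 'aes-128-ecb', $ecb_key, OPENSSL_RAW_DATA);

// Identical plaintext blocks give identical ciphertext blocks, so the
// repetition in the record is visible to anyone holding only the ciphertext.
printf("ECB: %d distinct block(s) in the first 64 ciphertext bytes\n", distinct_blocks($ecb_ct, 64));

// Flip one byte; ECB decryption neither notices nor fails, it just hands a
// silently corrupted record back to the application.
$ecb_bad = $ecb_ct;
$ecb_bad[0] = chr(ord($ecb_bad[0]) ^ 0x01);
$ecb_out = openssl_decrypt($ecb_bad, 'aes-128-ecb', $ecb_key, OPENSSL_RAW_DATA);
printf("ECB: modified ciphertext was %s\n", $ecb_out === false ? 'rejected' : 'decrypted without any error');

// --- The modern form: XSalsa20-Poly1305 via sodium_crypto_secretbox. ---
$key   = random_bytes(SODIUM_CRYPTO_SECRETBOX_KEYBYTES);   // 32 bytes from the OS CSPRNG
$nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES); // 24 bytes, stored next to the ciphertext
$box   = sodium_crypto_secretbox($record, $nonce, $key);

printf("secretbox: %d distinct block(s) in the first 64 ciphertext bytes\n", distinct_blocks($box, 64));

$box_bad = $box;
$box_bad[0] = chr(ord($box_bad[0]) ^ 0x01);
$box_out = sodium_crypto_secretbox_open($box_bad, $nonce, $key);
printf("secretbox: modified ciphertext was %s\n", $box_out === false ? 'rejected (returned false)' : 'accepted');

// The untouched ciphertext still opens to the original record.
if (sodium_crypto_secretbox_open($box, $nonce, $key) !== $record) {
    throw new RuntimeException('secretbox round trip failed');
}
```

Both the key and the nonce come from `random_bytes()`, the operating-system CSPRNG interface PHP gained in 7.0 that the paragraph above refers to; the nonce is public and is stored alongside the ciphertext, but it must be unique per encryption under a given key.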
No matter how you feel about PHP, the reality is that PHP is the first programming language to commit to modern cryptography in its standard library, coming in version 7.2.0.
If you're a passionate language evangelist, the best thing to do now is to strive for second-to-market. I'm excited to see everyone abandon the fossils of RSA and foot-bullety ECDSA.