Cryptography with Libsodium

By Vinícius Campitelli

According to the just-released 2021 version of OWASP Top 10 (a curated list of the most critical web application security risks out there), “Cryptographic Failures” are the 2nd most important of the many security concerns we should have as web developers. These concerns include a lot of misuses of cryptographic systems, like choosing weak algorithms, poor randomness sources, or usage of deprecated methods. That is why this is also the second article covering the main topics for cryptography: on our last issue, we covered the main theory, which sometimes is the cause of those errors mentioned above, and right now we will see how to use libsodium, a modern library with the most recommended algorithms already built-in and no weak settings available per default. It is a cross-platform tool, available to use on Windows, Mac, and Linux, and has been included in PHP’s core since 7.2. It also has bindings for Java, NodeJS, Python, Go, and several other languages. So we are safe to say it runs pretty much everywhere. The official website is libsodium.org, and you can find the full documentation there instead of the PHP.net manual as it is sometimes not complete. There is also a Quick Reference and a “Using Libsodium in PHP Projects” article on their website that helps a lot, and I strongly recommend you take a look. Before we start, here are a couple of notes: first, there are lots of constants to indicate some arguments that should be used instead of hard-coding the values, and second, both functions and constants are pretty verbose, sometimes taking up to 55 characters. But I think it’s better to express the purpose of everything instead of having to guess. Let’s begin! by Vinicius Campitelli

Read in Full

This article was originally published in the November 2021 issue of php[architect] magazine. To read the complete article please subscribe or purchase the complete issue.

Leave a comment

Use the form below to leave a comment: