2017-08-17 | By: Enrico Zimuel

PHP 7.2 will be released later this year (2017). This version contains some interesting additions, including two new security features: support for the Argon2 password hashing algorithm, and the ext/sodium extension, which wraps the libsodium library. With these additions, PHP becomes the first major programming language to ship modern cryptography in its standard library. In this article we demonstrate the usage of the Argon2 password hashing algorithm.

Installation of PHP 7.2

If you are reading this article
before the general availability of 7.2, you need to compile PHP to use that version. You can download the source code from the PHP downloads site. Today, 17 August 2017, the most recent available version is 7.2.0 Beta 3 (file

Before compiling PHP, you need to install the argon2 library (headers included, since the PHP build links against it). If you are using a Debian/Ubuntu Linux distribution, you can run the following command:
To compile PHP, extract the source archive into a folder and run the following commands:
This will install PHP 7.2 as the default PHP on your system. If you do not want to replace the default PHP, omit the last command.

Argon2

Argon2 is a password-based key derivation function and the winner of the Password Hashing Competition (July 2015). It was designed as a successor to bcrypt and scrypt. Argon2 resists brute-force attacks by making every hash computation consume a configurable amount of memory and CPU time; the memory requirement in particular is what makes large-scale GPU (and ASIC) cracking expensive. It is controlled by three parameters: the memory cost, the time cost (number of iterations), and the degree of parallelism. There are two main variants: Argon2i and Argon2d. Argon2i accesses memory in a data-independent order and is therefore the safer choice against side-channel attacks; Argon2d uses password-dependent memory access, which gives the highest resistance to GPU cracking but leaks timing information, so it is not suitable for password hashing and should not be used for that purpose. (The reference library also defines a hybrid, Argon2id, which PHP 7.2 does not expose.) PHP 7.2 adds Argon2i support to its Password Hashing Functions.

Usage of Argon2i in PHP

Argon2 support in PHP was proposed by Charles R. Portwood II via an RFC. The implemented algorithm is Argon2i (v1.3), and it can be provided via the
The second parameter ( As an example:
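As an added example (not the article's own code), the full hash-and-verify round trip on PHP 7.2: password_hash() selected with the PASSWORD_ARGON2I constant, password_verify(), and password_get_info(). The sample password is constructed for the example; the script assumes a PHP build configured with --with-password-argon2 and exits otherwise.

```php
<?php
declare(strict_types=1);

// Added example, not from the article: Argon2i hashing and verification on PHP 7.2.
// Requires PHP compiled with --with-password-argon2 (otherwise PASSWORD_ARGON2I is undefined).
if (!defined('PASSWORD_ARGON2I')) {
    fwrite(STDERR, "This PHP build has no Argon2 support (missing --with-password-argon2)\n");
    exit(1);
}

/** Hash a password with Argon2i using PHP's default cost parameters. */
function hashPassword(string $password): string
{
    $hash = password_hash($password, PASSWORD_ARGON2I);
    if ($hash === false) {   // PHP 7.2 returns false on failure, e.g. if the memory cost cannot be allocated
        throw new RuntimeException('password_hash() failed');
    }
    return $hash;
}

/** Verify a login attempt against a stored hash (the comparison inside is constant-time). */
function checkPassword(string $attempt, string $storedHash): bool
{
    return password_verify($attempt, $storedHash);
}

$password = 'correct horse battery staple';   // constructed sample input

$hash1 = hashPassword($password);
$hash2 = hashPassword($password);

// Each call draws a fresh random salt, so the same password never yields the same string.
printf("hash 1: %s\n", $hash1);
printf("hash 2: %s\n", $hash2);
var_dump($hash1 !== $hash2);

// Verification needs neither the salt nor the parameters separately: both are read back from the string.
var_dump(checkPassword($password, $hash1));
var_dump(checkPassword($password, $hash2));
var_dump(checkPassword('wrong password', $hash1));

// The parameters actually used are recoverable from the hash itself.
print_r(password_get_info($hash1));
```

On PHP 7.2 the two hashes differ only in salt and digest, both checks of the right password succeed, the wrong password fails, and password_get_info() reports algoName argon2i with the build's defaults (memory_cost 1024 KiB, time_cost 2, threads 2). Unlike bcrypt, Argon2 does not truncate the input at 72 bytes, so no length pre-processing of the password is needed.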
The
This string consists of several parts separated by the dollar character ($):
The first part is the algorithm name ( The next parts carry the Argon2 version and the three cost parameters. The fourth part is the random salt, encoded in Base64 (without the trailing = padding). This value is generated by The fifth and last part is the hash value itself, also Base64-encoded; the hash is 32 bytes long. Because the salt and the parameters travel inside the string, an application stores only this one value, and password_verify() reads everything it needs back from it. PHP provides a function, password_get_info($hash), that returns information about a hash generated by
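The five-part layout described above, worked through as an added example that is not from the article: a small parser splits a hash string on "$" and decodes each field (algorithm name, Argon2 version "v=19", i.e. v1.3, the m/t/p cost parameters, the unpadded-Base64 salt and the 32-byte hash), then cross-checks the cost fields against PHP's own password_get_info(). The sample hash string is constructed for the example and is not the hash of any real password; parseArgon2iHash and decodeUnpaddedBase64 are names chosen here.

```php
<?php
declare(strict_types=1);

/**
 * Added example, not from the article. Split an Argon2i hash string, as emitted by
 * password_hash() on PHP 7.2, into its five "$"-separated parts:
 *   $argon2i$v=19$m=1024,t=2,p=2$<salt>$<hash>
 * The salt and the 32-byte hash are Base64-encoded without "=" padding.
 */
function parseArgon2iHash(string $hash): array
{
    $parts = explode('$', $hash);
    // The leading "$" yields an empty first element, followed by the five real parts.
    if (count($parts) !== 6 || $parts[0] !== '') {
        throw new InvalidArgumentException('Not a "$"-delimited Argon2 hash string');
    }
    [, $algo, $version, $params, $salt, $digest] = $parts;

    if ($algo !== 'argon2i') {
        throw new InvalidArgumentException("Unsupported algorithm: $algo");
    }
    // Part 2: "v=19" is the Argon2 version number (19 = 0x13, i.e. Argon2 v1.3).
    if (sscanf($version, 'v=%d', $v) !== 1) {
        throw new InvalidArgumentException("Bad version field: $version");
    }
    // Part 3: memory cost in KiB, time cost (iterations), degree of parallelism.
    if (sscanf($params, 'm=%d,t=%d,p=%d', $m, $t, $p) !== 3) {
        throw new InvalidArgumentException("Bad parameter field: $params");
    }
    return [
        'algo'        => $algo,
        'version'     => $v,
        'memory_cost' => $m,
        'time_cost'   => $t,
        'threads'     => $p,
        'salt'        => decodeUnpaddedBase64($salt),    // part 4
        'hash'        => decodeUnpaddedBase64($digest),  // part 5
    ];
}

/** Decode Base64 that omits "=" padding (the encoding used inside Argon2 hash strings). */
function decodeUnpaddedBase64(string $s): string
{
    $padded  = $s . str_repeat('=', (4 - strlen($s) % 4) % 4);
    $decoded = base64_decode($padded, true);   // strict: reject characters outside the alphabet
    if ($decoded === false) {
        throw new InvalidArgumentException("Invalid Base64: $s");
    }
    return $decoded;
}

// Constructed sample (not a real hash of any password): 16-byte salt, 32-byte hash, PHP 7.2 default costs.
$sample = '$argon2i$v=19$m=1024,t=2,p=2$MDEyMzQ1Njc4OWFiY2RlZg$MDEyMzQ1Njc4OWFiY2RlZjAxMjM0NTY3ODlhYmNkZWY';

$info = parseArgon2iHash($sample);
printf("algorithm: %s (version %d)\n", $info['algo'], $info['version']);
printf("memory_cost=%d KiB, time_cost=%d, threads=%d\n", $info['memory_cost'], $info['time_cost'], $info['threads']);
printf("salt: %d bytes, hash: %d bytes\n", strlen($info['salt']), strlen($info['hash']));

// Cross-check against PHP's own parser, which reads the same three cost fields from the string.
if (defined('PASSWORD_ARGON2I')) {
    $php = password_get_info($sample);
    var_dump($php['algoName'] === 'argon2i'
        && $php['options']['memory_cost'] === $info['memory_cost']
        && $php['options']['time_cost']   === $info['time_cost']
        && $php['options']['threads']     === $info['threads']);
}
```

The parser itself needs no Argon2 support in PHP, only the string; the password_get_info() cross-check is skipped on builds without it. The point of reading the fields yourself is usually operational: an audit query over a user table can tell you how many stored hashes still carry the 1024 KiB default before you raise the cost.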
The default parameters for the algorithm are a These values can be changed using the

Regarding the default option values, we suggest changing them according to your use case and the CPU and RAM available. Benchmark on the hardware that will actually run the hashing, and remember that the memory cost is paid per concurrent hash: a login endpoint serving N simultaneous requests needs N times that amount, so the memory budget must be set with peak concurrency in mind. From the PHP RFC:
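Calibration in practice, as an added example that is not from the article or the RFC: it measures how long one Argon2i hash takes on this host, raises memory_cost first (doubling from PHP 7.2's default of 1024 KiB, since memory is what hurts GPU and ASIC attackers most) and then time_cost until a hash costs roughly the target time, and shows how password_needs_rehash() migrates hashes stored with the old parameters at the user's next login. The function names argon2iMillis, calibrateArgon2i and verifyAndUpgrade, the 250 ms target and the 64 MiB per-hash budget are choices made for the example; the script assumes a PHP build with Argon2 support.

```php
<?php
declare(strict_types=1);

// Added example, not from the article: calibrate Argon2i costs for this host, then migrate
// stored hashes to the new parameters on login with password_needs_rehash().
if (!defined('PASSWORD_ARGON2I')) {
    fwrite(STDERR, "This PHP build has no Argon2 support\n");
    exit(1);
}

/** Median wall-clock milliseconds of one password_hash() call with the given parameters. */
function argon2iMillis(int $memoryCostKiB, int $timeCost, int $threads, int $rounds = 3): float
{
    $samples = [];
    for ($i = 0; $i < $rounds; $i++) {
        $start = microtime(true);
        password_hash('benchmark-only-password', PASSWORD_ARGON2I, [
            'memory_cost' => $memoryCostKiB,
            'time_cost'   => $timeCost,
            'threads'     => $threads,
        ]);
        $samples[] = (microtime(true) - $start) * 1000.0;
    }
    sort($samples);
    return $samples[intdiv($rounds, 2)];
}

/**
 * Starting from PHP 7.2's defaults, double memory_cost until one hash takes at least $targetMs,
 * but never beyond $maxMemoryKiB (a per-hash figure: multiply by peak concurrency for the real
 * footprint). Once the memory budget is exhausted, fall back to raising time_cost instead.
 */
function calibrateArgon2i(float $targetMs, int $maxMemoryKiB, int $threads = PASSWORD_ARGON2_DEFAULT_THREADS): array
{
    $memory = PASSWORD_ARGON2_DEFAULT_MEMORY_COST;   // 1024 KiB on PHP 7.2
    $time   = PASSWORD_ARGON2_DEFAULT_TIME_COST;     // 2
    while (argon2iMillis($memory, $time, $threads) < $targetMs) {
        if ($memory * 2 <= $maxMemoryKiB) {
            $memory *= 2;   // prefer more memory: it is the parameter attackers cannot cheaply parallelise
        } else {
            $time++;        // memory budget reached: add iterations instead
        }
    }
    return ['memory_cost' => $memory, 'time_cost' => $time, 'threads' => $threads];
}

/**
 * Verify a login. Returns null when the password is wrong; otherwise returns the hash the caller
 * should keep, which is a fresh one if the stored hash used weaker parameters than $options.
 * Rehashing is only possible here because the plaintext is in hand during login.
 */
function verifyAndUpgrade(string $password, string $storedHash, array $options): ?string
{
    if (!password_verify($password, $storedHash)) {
        return null;
    }
    if (password_needs_rehash($storedHash, PASSWORD_ARGON2I, $options)) {
        $fresh = password_hash($password, PASSWORD_ARGON2I, $options);
        return $fresh === false ? $storedHash : $fresh;   // keep the old hash rather than lock the user out
    }
    return $storedHash;
}

// Target roughly 250 ms per hash with at most 64 MiB per concurrent hash (example budget).
$options = calibrateArgon2i(250.0, 64 * 1024);
printf("calibrated: m=%d KiB, t=%d, p=%d\n", $options['memory_cost'], $options['time_cost'], $options['threads']);

// Simulate a user record hashed with the 7.2 defaults, then a later login under the new policy.
$password   = 'correct horse battery staple';   // constructed sample
$storedHash = password_hash($password, PASSWORD_ARGON2I);
$afterLogin = verifyAndUpgrade($password, $storedHash, $options);

if ($afterLogin === null) {
    echo "login failed\n";
} else {
    // If the calibrated costs exceed the defaults, this is a new hash that must be written back.
    printf("hash changed on login: %s\n", $afterLogin !== $storedHash ? 'yes' : 'no');
    print_r(password_get_info($afterLogin)['options']);
    var_dump(verifyAndUpgrade('wrong password', $afterLogin, $options) === null);
}
```

Run the calibration once per hardware class, not on every request, and store the chosen parameters in configuration; password_needs_rehash() then does the migration lazily, one user per successful login, with no need to keep the old and new parameter sets side by side in the database.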
Conclusion

In this article we demonstrated the usage of the Argon2 password hashing algorithm with PHP 7.2. Argon2 is the state of the art for password protection, and it can now be used in PHP without installing additional extensions. This is a very nice security feature that will improve the security of PHP applications that store user passwords. In a future article, we will cover the