[drupal-devel] OpenId-compatible encryption in PHP
Greetings all, I've been following the development of OpenId (http://www.danga.com/openid/), and I have a few questions regarding the practical implementation of it for Drupal. I realize that one of the goals of Drupal is that it can run on a variety of PHP installations/configurations. With that in mind, I'm wondering how common various encryption libraries are in the realm of PHP installations.

Some of the technologies used by OpenId (or under consideration):
- DSA encryption (using PEM key formatting)
- RSA encryption (under consideration)
- SHA1 encryption
- DER encoding
- BASE64 encoding

I'm vaguely familiar with many of these technologies, and have even used several of them. SHA1 is natively supported by PHP >= 4.3.0. BASE64 is natively supported by PHP. As for RSA and DSA, I know that these key types are supported by OpenSSL. Is OpenSSL commonly supported in PHP? I know that it's fairly easy to install, but I also realize that many users don't have control over what their server supports. I suppose I'm doing a survey here to see if an OpenSSL requirement is beyond the scope of a Drupal core installation. If there are PHP-based alternatives to OpenSSL that could be bundled with (or linked to from) Drupal, please inform me about them.

Thanks for your time,
-Mark
On Sat, 21 May 2005, Mark wrote:
I'm vaguely familiar with many of these technologies, and have even used several of them. SHA1 is natively supported by PHP >= 4.3.0. BASE64 is natively supported by PHP
Such encodings don't really count.
As for RSA and DSA, I know that these key types are supported by OpenSSL. Is OpenSSL commonly supported in PHP?
I've checked my installs and they do support it. But they are custom builds.
I know that it's fairly easy to install, but I also realize that many users don't have control over what their server supports.
I suppose I'm doing a survey here to see if an OpenSSL requirement is beyond the scope of a Drupal core installation.
Is there any reason why it _has_ to be on core? Maybe you could re-use existing hooks and try some small patches in (if needed)? Cheers, Gerhard
Gerhard Killesreiter wrote:
On Sat, 21 May 2005, Mark wrote:
I'm vaguely familiar with many of these technologies, and have even used several of them. SHA1 is natively supported by PHP >= 4.3.0. BASE64 is natively supported by PHP
Such encodings don't really count.
Well, if SHA1 is required to implement the protocol, then a PHP version requirement of >= 4.3.0 becomes required to support it (according to PHP.net docs). This is not a problem for a Drupal 4.6+ implementation.
As for RSA and DSA, I know that these key types are supported by OpenSSL. Is OpenSSL commonly supported in PHP?
I've checked my installs and they do support it. But they are custom builds.
I know that it's fairly easy to install, but I also realize that many users don't have control over what their server supports.
I suppose I'm doing a survey here to see if an OpenSSL requirement is beyond the scope of a Drupal core installation.
Is there any reason why it _has_ to be on core? Maybe you could re-use existing hooks and try some small patches in (if needed)?
No reason in particular. I'm trying to determine the feasibility of ever having this in core. If the requirements for implementing it are so far out of the way, then I wouldn't even push for it ever going into core. Additionally, if I thought it were ever going into core, then I would seek more consensus on its implementation than I would for a contrib module. Thanks, -Mark
Well, if SHA1 is required to implement the protocol, then a PHP version requirement of >= 4.3.0 becomes required to support it (according to PHP.net docs). This is not a problem for a Drupal 4.6+ implementation.
Especially not for Drupal 4.7 with MySQL -- now we are using all options mysql_connect offers in PHP 4.3. Drupal 4.6 used options that are offered by PHP 4.2, so without the search module you could get off with 4.2.
On Sun, 22 May 2005, Mark wrote:
Gerhard Killesreiter wrote:
On Sat, 21 May 2005, Mark wrote:
I know that it's fairly easy to install, but I also realize that many users don't have control over what their server supports.
I suppose I'm doing a survey here to see if an OpenSSL requirement is beyond the scope of a Drupal core installation.
Is there any reason why it _has_ to be on core? Maybe you could re-use existing hooks and try some small patches in (if needed)?
No reason in particular. I'm trying to determine the feasibility of ever having this in core.
I am not using the Drupal distributed authentication scheme, but there have been discussions about making it more secure. There haven't been many changes to this over the last years. Maybe it would be a good idea to replace it now.
If the requirements for implementing it are so far out of the way, then I wouldn't even push for it ever going into core. Additionally, if I thought it were ever going into core, then I would seek more consensus on its implementation than I would for a contrib module.
For now I'd check how feasible it is to make it a contrib module. It can be streamlined and put into core later. The re-worked locale module was also first a contrib module and put into core later. Cheers, Gerhard
Some of the technologies used by OpenId (or under consideration): DSA encryption (using PEM key formatting) RSA encryption (under consideration) SHA1 encryption DER encoding BASE64 encoding
I'm vaguely familiar with many of these technologies, and have even used several of them. SHA1 is natively supported by PHP >= 4.3.0. BASE64 is natively supported by PHP
You're mixing many things here.

BASE64 is a way to encode binary data as ASCII. It is not an encryption algorithm in any way.

SHA1 is a hash function. It calculates a fixed-length checksum from a variable-length input. Other popular hashes include MD5 (what we use for passwords).

I don't know DER, but googling shows it is a file format for digital certificates.

RSA is a public/private key based encryption system, mostly used for signatures with a fixed length. Using it for general encryption is not as practical, but possible.

DSA is also a public/private key based encryption system, but afaik it can only be used for signatures.

Steven Wittens
Steven Wittens wrote:
Some of the technologies used by OpenId (or under consideration): DSA encryption (using PEM key formatting) RSA encryption (under consideration) SHA1 encryption DER encoding BASE64 encoding
I'm vaguely familiar with many of these technologies, and have even used several of them. SHA1 is natively supported by PHP >= 4.3.0. BASE64 is natively supported by PHP
You're mixing many things here.
BASE64 is a way to encode binary data as ascii. It is not an encryption algorithm in any way.
Right, it's an encoding algorithm. The list of buzzwords/acronyms is just to identify all of the basic functionality required to implement the protocol.
SHA1 is a hash function. It calculates a fixed-length checksum from a variable-length input. Other popular hashes include MD5 (what we use for passwords).
I don't know DER, but googling shows it is a file format for digital certificates.
Thanks, I'm not too familiar with DER formatting either, but it's comparable to PEM formatting for certificate keys from what I've read. PEM keys are typically base64 encoded, though.
RSA is a public/private key based encryption system, mostly used for signatures with a fixed length. Using it for general encryption is not as practical, but possible.
DSA is also a public/private key based encryption system, but afaik it can only be used for signatures.
At this point, the primary function of OpenId is authentication. There are plans for authenticating both users and servers, which is where the DSA signatures come in. Encrypting any part of the transmission will require some form of public key handshake, which is where RSA would come in. I would suspect that keys to a symmetrical encryption algorithm (3DES, Blowfish, etc.) would be transmitted using RSA, but that has not yet been fleshed out to my knowledge. Thanks for the info, -Mark
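As an added example (not code from this thread or from Drupal), the capability survey Mark asks about, followed by the DSA sign/verify round trip that Steven's distinctions describe: base64 only encodes the signature for transport, while the DSA signature over the assertion is what actually binds it. Function names, the 2048-bit key size and the sample assertion are assumptions; the digest is SHA-256 rather than the SHA1 the OpenId draft used, since some current OpenSSL builds refuse SHA1 signatures.

```php
<?php
// Added example, not from the thread or from Drupal: survey PHP's crypto support, then one DSA round trip.

// Capability survey: SHA1 and base64 are native; RSA/DSA/PEM need ext/openssl.
function openid_capabilities() {
    return array(
        'sha1'    => function_exists('sha1'),
        'base64'  => function_exists('base64_encode'),
        'openssl' => extension_loaded('openssl'),
    );
}

// Generate a DSA key pair and return both halves as PEM text (assumed 2048-bit; can take a few seconds).
function openid_dsa_keypair() {
    $key = openssl_pkey_new(array(
        'private_key_type' => OPENSSL_KEYTYPE_DSA,
        'private_key_bits' => 2048,
    ));
    if ($key === false) {
        throw new RuntimeException('DSA key generation failed: ' . openssl_error_string());
    }
    openssl_pkey_export($key, $private_pem);
    $details = openssl_pkey_get_details($key);
    return array('private' => $private_pem, 'public' => $details['key']);
}

// Sign an assertion; base64 here is only transport encoding, the DSA signature is the protection.
function openid_sign($assertion, $private_pem) {
    if (!openssl_sign($assertion, $signature, $private_pem, OPENSSL_ALGO_SHA256)) {
        throw new RuntimeException('signing failed: ' . openssl_error_string());
    }
    return base64_encode($signature);
}

// Verify a base64-encoded signature; strict decoding rejects malformed input before OpenSSL sees it.
function openid_verify($assertion, $sig_b64, $public_pem) {
    $signature = base64_decode($sig_b64, true);
    if ($signature === false) { return false; }
    return openssl_verify($assertion, $signature, $public_pem, OPENSSL_ALGO_SHA256) === 1;
}

// Constructed sample assertion, the kind of fields OpenId passes back to the consumer site.
$caps = openid_capabilities();
if (!$caps['openssl']) { die("ext/openssl missing: DSA signatures are unavailable on this host\n"); }
$keys = openid_dsa_keypair();
$assertion = 'mode=id_res&identity=http://example.com/user/mark&return_to=http://example.com/';
$sig = openid_sign($assertion, $keys['private']);
var_dump(openid_verify($assertion, $sig, $keys['public']));
var_dump(openid_verify($assertion . '&x=1', $sig, $keys['public']));
```

The second var_dump shows why the signature matters: any change to the signed fields makes verification fail, which base64 or SHA1 alone could never guarantee.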
participants (4)
- Gerhard Killesreiter
- Karoly Negyesi
- Mark
- Steven Wittens