Download the PHP package charlesportwoodii/ncryptf without Composer

On this page you can find all versions of the php package charlesportwoodii/ncryptf. It is possible to download/install these versions without Composer. Possible dependencies are resolved automatically.

FAQ

After the download, you have to add one include, require_once('vendor/autoload.php');, and then import the classes with use statements.

Example:
If you use only one package, a project is not needed. But if you use more than one package, it is not possible to import the classes with use statements without a project.

In general, it is recommended to always use a project to download your libraries. An application normally needs more than one library.
Some PHP packages are not free to download and are therefore hosted in private repositories. In this case, credentials are needed to access such packages. Please use the auth.json textarea to enter credentials if a package comes from a private repository. You can look here for more information.

  • Some hosting environments are not accessible via a terminal or SSH, so Composer cannot be used there.
  • Using Composer is sometimes complicated, especially for beginners.
  • Composer needs many resources, which are sometimes not available on simple web space.
  • If you use private repositories, you don't need to share your credentials: set everything up on our site and provide a simple download link to your team members.
  • Simplify your Composer build process: use our command line tool to download the vendor folder as a binary. This makes your build faster and you don't need to expose your credentials for private repositories.

Information about the package ncryptf

ncryptf PHP


A library for facilitating hash-based KDF signature authentication and end-to-end encrypted communication with compatible APIs.

HMAC+HKDF Authentication

HMAC+HKDF Authentication is an authentication method that ensures the request is not tampered with in transit. This provides resilience not only against network-layer manipulation, but also against man-in-the-middle attacks.

At a high level, an HMAC signature is created over the raw request body, the HTTP method, the URI (with query parameters, if present), and the current date. In addition to ensuring the request cannot be manipulated in transit, this also time-boxes the request, effectively preventing replay attacks.

This library is made available through Composer:

Supporting APIs will return a payload containing, at minimum, the following information.

After extracting the elements, we can create a signed request by doing the following:

A trivial full example is shown as follows:

Note that the $date parameter should be pre-offset when calling new Authorization to compensate for clock skew between client and server.

The $payload parameter in Authorization::__construct should be a JSON-serializable array; however, a serialized JSON string may also be passed.

Version 2 HMAC Header

The Version 2 HMAC header, for APIs that support it, can be retrieved by calling:

Version 1 HMAC Header

For APIs using version 1 of the HMAC header, call new Authorization with the optional version parameter (the 6th parameter) set to 1.

This string can be used in the Authorization header.

Date Header

The Version 1 HMAC header requires an additional X-Date header. The X-Date header value can be retrieved by calling authorization.getDateString().

Verification

This library can also validate the client-generated HMAC. A high-level example (pseudocode) is provided below:
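The signing and verification flow described in the HMAC+HKDF Authentication section above, and the verification step this section refers to, can be followed end to end in the added example below. It is written in Python for illustration and is not ncryptf's own code, nor its exact wire format: the canonical string layout, the HKDF info label, and the IKM and salt values are all constructed for this example. What it does show is the defender-side order of checks: parse and time-box the date first, then recompute the signature from an HKDF-derived key and compare it in constant time.

```python
"""Illustrative HMAC+HKDF request signing and server-side verification.

Added example; NOT ncryptf's code and NOT its canonical string format.
Assumptions (constructed here): HKDF-SHA256 per RFC 5869, a fixed info label,
and a signed string of method, URI (with query), date header and body hash.
"""
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

DATE_FMT = "%a, %d %b %Y %H:%M:%S GMT"
HKDF_INFO = b"example-request-signing"  # constructed label, not ncryptf's

# Constructed stand-ins for the IKM and salt a supporting API would hand out.
IKM = bytes(range(32))
SALT = b"\x01" * 16


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF-Extract followed by HKDF-Expand (RFC 5869) using SHA-256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def canonical_string(method: str, uri: str, date: str, body: bytes) -> bytes:
    """Bind method, URI (query included), date and body hash into one string."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), uri, date, body_hash]).encode()


def sign_request(ikm: bytes, salt: bytes, method: str, uri: str, date: str, body: bytes) -> str:
    """Client side: derive the signing key from the IKM and HMAC the canonical string."""
    key = hkdf_sha256(ikm, salt, HKDF_INFO)
    return hmac.new(key, canonical_string(method, uri, date, body), hashlib.sha256).hexdigest()


def verify_request(ikm: bytes, salt: bytes, method: str, uri: str, date: str, body: bytes,
                   presented: str, now: datetime, max_skew: timedelta = timedelta(seconds=90)) -> bool:
    """Server side: reject unparseable or stale dates, then compare in constant time."""
    try:
        sent = datetime.strptime(date, DATE_FMT).replace(tzinfo=timezone.utc)
    except ValueError:
        return False
    if abs(now - sent) > max_skew:
        return False  # outside the time box: treat as a replay or bad clock
    expected = sign_request(ikm, salt, method, uri, date, body)
    return hmac.compare_digest(expected, presented)


def demo_results() -> dict:
    """The four cases a verifier must tell apart, on constructed inputs."""
    now = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    date = now.strftime(DATE_FMT)
    method, uri, body = "POST", "/api/v1/test?limit=10", b'{"hello":"world"}'
    sig = sign_request(IKM, SALT, method, uri, date, body)
    stale = (now - timedelta(minutes=10)).strftime(DATE_FMT)
    stale_sig = sign_request(IKM, SALT, method, uri, stale, body)
    return {
        "valid": verify_request(IKM, SALT, method, uri, date, body, sig, now),
        "tampered_body": verify_request(IKM, SALT, method, uri, date, body + b" ", sig, now),
        "stale_date": verify_request(IKM, SALT, method, uri, stale, body, stale_sig, now),
        "bad_date": verify_request(IKM, SALT, method, uri, "not-a-date", body, sig, now),
    }


if __name__ == "__main__":
    for case, ok in demo_results().items():
        print(f"{case}: {'accepted' if ok else 'rejected'}")
```

The stale-date case is the replay control the section describes: the signature itself is valid for that request, but the date it binds falls outside the acceptance window, so it is refused without touching the HMAC comparison. In a real deployment the window should be as tight as your clients' clocks allow.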

Encrypted Requests & Responses

This library enables clients written in PHP 7.1+ to establish a trusted encrypted session on top of a TLS layer, while simultaneously (and independently) providing the ability to authenticate and identify a client via HMAC+HKDF-style authentication.

The rationale for this functionality includes but is not limited to:

  1. Necessity for an extra layer of security
  2. Lack of trust in the network or TLS itself (see https://blog.cloudflare.com/incident-report-on-memory-leak-caused-by-cloudflare-parser-bug/)
  3. Need to ensure confidentiality of the Initial Key Material (IKM) provided by the server for HMAC+HKDF authentication
  4. Need to ensure confidentiality of user submitted credentials to the API for authentication

The primary reason to establish an encrypted session with the API itself is to keep the IKM confidential over untrusted networks, so that it is not exposed in a Cloudflare-like incident (or any man-in-the-middle attack). Encrypted sessions let you use a service like Cloudflare with confidence that, should a memory leak occur again, the IKM and other secure data would not be exposed.

Encrypted Request Body

Payloads can be encrypted as follows:

Note that only v2 encryption is shown here.

Note that you need a pre-bootstrapped public key to encrypt data. For the v1 API, this is typically returned by /api/v1/server/otk.

Decrypting Responses

Responses from the server can be decrypted as follows:

V2 Encrypted Payload

Version 2 works identically to the version 1 payload, except that all components needed to decrypt the message are bundled within the payload itself rather than broken out into separate headers. This relieves developers of having to manage multiple headers.

The version 2 payload is laid out as follows; each component is concatenated together in this order.

  Segment                                             Length
  4-byte header DE259002 in binary format             4 bytes
  Nonce                                               24 bytes
  The public key associated with the private key      32 bytes
  Encrypted body                                      X bytes + 16-byte MAC
  Signature public key                                32 bytes
  Signature of raw request body                       64 bytes
  Checksum of prior elements concatenated together    64 bytes
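The layout in the table above is precise enough to write a strict framing parser for it. The following is an added example in Python, not the library's own code: it builds a v2 payload from its segments and splits one back apart, rejecting truncated input, a wrong version header, or a checksum mismatch before anything cryptographic happens. One assumption is made that the table does not state: the trailing 64-byte checksum is taken to be SHA-512 over every preceding byte. Opening the encrypted body and checking the 64-byte signature are libsodium operations and are deliberately left outside this block.

```python
"""Framing parser for the ncryptf version 2 payload layout.

Added example; not the library's own code. Assumption: the 64-byte checksum
is SHA-512 over all preceding bytes (the table gives only its length).
"""
import hashlib
import hmac
import os

V2_HEADER = bytes.fromhex("DE259002")
NONCE_LEN, PUBKEY_LEN, MAC_LEN = 24, 32, 16
SIG_PUBKEY_LEN, SIG_LEN, CHECKSUM_LEN = 32, 64, 64
# Smallest well-formed payload: every fixed field plus an empty body and its MAC.
MIN_LEN = len(V2_HEADER) + NONCE_LEN + PUBKEY_LEN + MAC_LEN + SIG_PUBKEY_LEN + SIG_LEN + CHECKSUM_LEN


def build_v2_payload(nonce: bytes, public_key: bytes, encrypted_body: bytes,
                     sig_public_key: bytes, signature: bytes) -> bytes:
    """Concatenate the segments in wire order and append the SHA-512 checksum."""
    expected = (NONCE_LEN, PUBKEY_LEN, SIG_PUBKEY_LEN, SIG_LEN)
    if (len(nonce), len(public_key), len(sig_public_key), len(signature)) != expected:
        raise ValueError("fixed-length segment has the wrong size")
    if len(encrypted_body) < MAC_LEN:
        raise ValueError("encrypted body must carry its 16-byte MAC")
    checked = V2_HEADER + nonce + public_key + encrypted_body + sig_public_key + signature
    return checked + hashlib.sha512(checked).digest()


def parse_v2_payload(payload: bytes) -> dict:
    """Split a v2 payload into its segments, raising ValueError on anything malformed."""
    if len(payload) < MIN_LEN:
        raise ValueError(f"payload too short: {len(payload)} < {MIN_LEN}")
    if payload[:len(V2_HEADER)] != V2_HEADER:
        raise ValueError("missing DE259002 version header")
    checked, checksum = payload[:-CHECKSUM_LEN], payload[-CHECKSUM_LEN:]
    # The checksum is unkeyed: it catches corruption, not forgery. Authenticity
    # comes from the signature and the box MAC, which are verified after this.
    if not hmac.compare_digest(hashlib.sha512(checked).digest(), checksum):
        raise ValueError("checksum mismatch")
    pos = len(V2_HEADER)
    nonce = checked[pos:pos + NONCE_LEN]
    pos += NONCE_LEN
    public_key = checked[pos:pos + PUBKEY_LEN]
    pos += PUBKEY_LEN
    tail = SIG_PUBKEY_LEN + SIG_LEN
    encrypted_body = checked[pos:len(checked) - tail]  # variable length, MAC included
    sig_public_key = checked[-tail:-SIG_LEN]
    signature = checked[-SIG_LEN:]
    return {
        "nonce": nonce,
        "public_key": public_key,
        "encrypted_body": encrypted_body,
        "signature_public_key": sig_public_key,
        "signature": signature,
    }


def is_well_formed(payload: bytes) -> bool:
    """Convenience predicate: True if the framing checks pass, False otherwise."""
    try:
        parse_v2_payload(payload)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed segments: random bytes stand in for a real nonce, keys,
    # ciphertext+MAC and signature produced by libsodium.
    sample = build_v2_payload(os.urandom(24), os.urandom(32), os.urandom(40),
                              os.urandom(32), os.urandom(64))
    print(f"{len(sample)} byte payload, well-formed: {is_well_formed(sample)}")
    corrupted = bytearray(sample)
    corrupted[40] ^= 0x01
    print(f"one flipped byte, well-formed: {is_well_formed(bytes(corrupted))}")
```

Because the body is the only variable-length segment, its extent is computed from the total length after the fixed fields are accounted for; the MIN_LEN check up front is what keeps those slice arithmetic steps from silently producing empty or overlapping segments on short input.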

PSR-15 Middleware

Authentication

Ncryptf supports a PSR-15 middleware via ncryptf\middleware\AbstractAuthentication, which simply needs to be extended to implement token extraction and user retrieval.

A simple example is shown as follows:

Secure Request Parsing

A PSR-15 middleware is provided to decrypt requests encrypted with application/vnd.ncryptf+json. Request decryption can be performed independently of an authenticated request and is useful in circumstances where sensitive data needs to be transferred but an HTTP 204 or other non-metadata-leaking response is returned.

Ideally, however, this would always be coupled with an authenticated request and a corresponding encrypted response.

In order to ensure messages can be decrypted, three components are required:

  1. A PSR-16 cache instance where your encryption keys are stored. This guide recommends using a distributed cache, such as Redis or memcache, to facilitate long-term storage.

  2. A ncryptf\middleware\EncryptionKeyInterface class that represents a cacheable encryption key.

  3. Injection of ncryptf\middleware\RequestParser at the beginning of your dispatcher, before the request body is acted upon.

Secure Response Formatting

When coupled with an authenticated ncryptf request, ncryptf\middleware\ResponseFormatter can format a given response into an application/vnd.ncryptf+json response. The formatter can currently only process JSON payloads.

This implementation must be used with an instance of ncryptf\middleware\AbstractAuthentication, and it is recommended to use it together with secure requests processed by ncryptf\middleware\RequestParser to ensure full end-to-end encryption of messages.

The ncryptf\middleware\ResponseFormatter constructor takes an instance of Psr\SimpleCache\CacheInterface to store the newly generated ncryptf\middleware\EncryptionKeyInterface, and an instance of ncryptf\middleware\EncryptionKeyInterface used to construct a new keypair, ensuring perfect forward secrecy.

Refer to the tests directory for full end-to-end implementation examples.


All versions of ncryptf with dependencies

Requires:

  php                          ^7.1 || ^7.2 || ^7.3
  ext-sodium                   >=2.0.2
  psr/http-server-middleware   ^1.0
  middlewares/utils            ^2.1
  psr/simple-cache             ^1.0