Professional Documents
Culture Documents
April 2012
Issue 2
PaaS
with
IN THIS ISSUE
Editorial: The Difficult Second Issue
Event: PHP Summit UK 2012
Architecture: Stefan Priebsch
flying colours
Interview: Colin Hayhurst on running a PaaS startup
StackBlazes co-founder shares his experiences
PaaS: the cloud on-ramp for PHP developers
AppFogs Lucas Carlson on cloud deployment
Cryptography in PHP
Zends Enrico Zimuel on securing your data
www.webandphp.com
Introducing the
difficult second issue
Contents
Interview
Colin Hayhurst,
co-founder of StackBlaze
Louis Goddard
www.webandphp.com
Event
Architecture
10
Feature
12
Feature
Cryptography in PHP
Enrico Zimuel
16
Louis Goddard
Editor
The Interview:
Colin Hayhurst
Colin Hayhurst is the co-founder of StackBlaze, a PaaS startup based in the UK.
We asked him what challenges face the would-be PHP entrepreneur in todays
risky economic climate, what he thinks of PHP 5.4, and why running a cloud
outfit is one of the most difficult jobs around.
by Louis Goddard
www.webandphp.com
80s. We even had an interactive graphical user interface from the start; on an IBM PC, that made us pretty
radical. Indeed at that time and for a few years, many
prospective customers thought we were crazy. But
gradually, over time, and with persistence we came
to be the worldwide industry standard, in our niche.
Later we took that expertise and technology into other
areas and established new products and markets in
the space, oil and automotive industries. Luckily for
me along the way I got to work on some incredible
projects, most notably the International Space Station
and the CERN Large Hadron Collider.
I actually studied and trained as a Chartered Engineer and started my career as a design engineer in
manufacturing engineering. But since software had
been my main interest as a young teenager I chose
deliberately to get more involved in software opportunities in engineering. Because FORTRAN was, and
remains, the best language for high-performance scientific computing, that became my main language of
choice until I stepped back from full-time programming
as I focussed on running four product teams and growing a company.
From 2005 to 2011, I was helping a large number of
mostly software startups with a variety of things like
investment readiness, mentoring, business models
and recruitment.
How did you meet your co-founder, James Cunningham?
We met a fantastic hacking event called Young Rewired State, where James was presenting to a distinguished panel of judges: he actually won the top prize
presented by the editor of Wired. I was there to see
my eldest son present, so it turned out to be a lucky
coincidence that we met. We kept in touch and, along
the way, discovered that we were both looking to do
a software startup. This led to discussions about the
www.webandphp.com
the performance of dedicated servers but at a pricelevel closer to that of shared servers.
The way StackBlaze works is that your application
runs on multiple servers and is automatically load-balanced across these servers based on the resources
needed by your application and others. StackBlaze
leases dedicated severs from one of Europes biggest
data centres and we then use our own grid network
technology to load-balance demand so that your application gets the resources it needs.
StackBlaze requires little specialist knowledge, and
you certainly dont need to rely on a systems administrator to sort out your hosting.
How can you compete with the plethora of hosting solutions out there, particularly more established PaaS solutions like AppFog?
Clearly we are not competing directly with shared
nor dedicated hosting providers since we provide the
performance of the latter at the price of the former.
Equally, we are not competing directly with the large
providers such as Amazon and Rackspace, who require more specialist knowledge and a deeper pocket.
So our direct competitors are recent startups like ourselves, such as AppFog or PagodaBox. What differentiates StackBlaze from these companies is that our
service is truly elastic with load-balancing being completely automatic. Also, since competitor services are
invariably built on top of Amazon Web Services, they
must charge a premium on top of the costs they pay
to Amazon. Since StackBlaze runs directly on top of
better price/performance data centre servers, we can
pass this advantage on to our customers.
What can we expect to see in StackBlaze in the
future?
We went live publicly at the start of March and were
pleased to quickly get a good set of initial customers
www.webandphp.com
Bio
Colin is a co-founder of StackBlaze, providers of
truly elastic PHP web hosting. A software and
startup addict at heart, he was previously cofounding CTO, then CEO of a software company,
which successfully exited to a NASDAQ company.
Sebastian
Bergmann
Object-Oriented Programming
(OOP) in PHP I: Fundamentals
Object-Oriented Programming
(OOP) in PHP II: Advanced Topics
Arne
Blankerts
Stefan
Priebsch
Design Patterns I:
The Most Important Standards
Design Patterns II: Integrating
Sophisticated Patterns
Frameworks: The Basics in
Three Hours
Why the Tower of Pisa is Leaning
by Louis Goddard
www.webandphp.com
www.webandphp.com
by Stefan Priebsch
www.webandphp.com
be an issue at all, at least, as long as the climate does not change significantly.
Supply is not the only thing that matters, by the way: where does used water go, for example? Creating our own soakaway might be a good idea at first
glance, but it has a limited capacity. Or we might pollute the drinking water in
our own well. We thus realise that we just cannot just build a house in some
remote location unless we are willing to generate our own energy, dig our
own well and hope that some means of mobile internet access is available.
While a self-supporting building might be quite appealing, as soon as technical problems occur, or we are short of wind, sun, or whatever we create
energy from, a large central energy supply and redundant distribution network
suddenly comes in very handy.
Software is far less tangible than buildings. Nobody will sue you for trying to
create a bloated, oversized or completely inappropriate architecture, even if
that could really help in some cases. But if you submit blueprints to your local
building authority, they will be put on public display for feedback. Even if all of
this seems like a big hassle, it is, in fact, a rather efficient sanity check.
Beyond all those technical issues there is another thing to keep in mind:
a building should fit nicely into its environment. You just cannot put a postmodern skyscraper into a traditional Bavarian village. Well, in all honesty, you
could, but you would certainly have to expect a lot of trouble.
Software architects must be able to see the big picture. This includes being
aware of neighbours, suppliers, outlets, and, most importantly, taking important non-functional requirements into account.
Stefan Priebsch unites expert knowledge with an extraordinary sense of when to use which tool.
His specialities are object-oriented development and software architecture. As an internationallyacclaimed author and speaker he thrills auditoriums and likes to share his tremendous practical
experience.
by Lucas Carlson
www.webandphp.com
www.webandphp.com
Open source
When looking to adopt a PaaS solution, you will want
to make sure that you arent locked in to a solution that
restricts a developers choice of frameworks, application infrastructure services and deployment clouds.
One way to avoid vendor lock-in is to look at open
source offerings, which will ensure that you will not be
www.webandphp.com
locked into a single framework, single set of application services or a single cloud.
One example of such a solution is Cloud Foundry.
Cloud Foundry handles Application Life Cycle Management extremely well for many languages including
PHP, Ruby, Node, Java, Python, Erlang and more. It is
also open source on GitHub, which means that the
open source community can add features, languages, technologies and services faster than any closed
source option. This matters because your can run
Cloud Foundry on your laptop for development and
then push to production.
Once you combine a PaaS service (like phpfog.com
or AppFog) with Cloud Foundry, you have the ability
to abstract the PaaS even further and provide a vastly
streamlined interface and command line. Even though
AppFog will provide all of the Cloud Foundry functionality, the AppFog PaaS will extend the Cloud Foundry
abilities further.
Conclusion
There is nothing that compares to the simplicity and
velocity of building applications for PaaS deployment.
The practices are already causing reverberations
throughout the industry companies are becoming faster, deploying faster and more frequently, and
meeting customer demand more efficiently. It may not
be magic, but it sure is easy!
Lucas Carlson is the CEO of AppFog, which he founded in September 2010. Before AppFog, Lucas led the development of MOG, a
music-based Web 2.0 social networking application, with Ruby on
Rails and MySQL. At MOG, he wrote the majority of the code base,
created an architecture that could scale as the community grew,
and hired, led and cultivated a technical team. MOG.com is currently one of
the five most popular Ruby on Rails sites on the web. Lucas has authored over
a dozen Ruby libraries, including the Ruby Cookbook, and contributed to various others including Rails and RedCloth. Lucas participates in industry groups
and speaking engagements on a regular basis around the country.
About
Publisher
Software & Support Media Ltd
Editorial Office Address
86-88 Great Suffolk Street,
London SE1 0BE
www.sandsmedia.com
Editor: Louis Goddard (louisg@sandsmedia.com)
Authors: Colin Hayhurst, Stefan Priebsch, Lucas Carlson,
Enrico Zimuel
Creative Director: Jens Mainz
Layout: Tobias Dorn, Petra Rth
Sales:
Cindy Ng
+44 (0)20 7401 4837
cindyn@sandsmedia.com
Contents copyright 2012 Software & Support Media Ltd.
All rights reserved. No part of this publication may be reproduced, redistributed, posted online or reused by any means in
any form, including print, electronic, photocopy, internal network,
Web or any other method, without prior written permission of
Software & Support Media Ltd.
The views expressed are solely those of the authors and do
not reflect the views or position of their firm, any of their
clients, or Publisher. Regarding the information, Publisher disclaims all warranties as to the accuracy, completeness, or adequacy of any information, and is not responsible for any errors,
omissions, inadequacies, misuse, or the consequences of using any information provided by Publisher. Rights of disposal of
rewarded articles belong to Publisher. All mentioned trademarks
and service marks are copyrighted by their respective owners.
April 2012
Issue 2
PaaS
with
IN THIS ISSUE
Editorial: The Difficult Second Issue
Event: PHP Summit UK 2012
Architecture: Stefan Priebsch
flying colours
Interview: Colin Hayhurst on running a PaaS startup
StackBlazes co-founder shares his experiences
PaaS: the cloud on-ramp for PHP developers
AppFogs Lucas Carlson on cloud deployment
Cryptography in PHP
Zends Enrico Zimuel on securing your data
www.webandphp.com
www.webandphp.com
Zends Enrico Zimuel on securing your data
Cryptography
in PHP
Now available on
Android
and iOS devices!
AppFogs Lucas Carlson on cloud deployment
PaaS: the cloud on-ramp for PHP developers
www.webandphp.com
Cryptography in PHP
The mantra of any good security engineer is: Security is a not a product,
but a process. Its more than designing strong cryptography into a system;
its designing the entire system such that all security measures, including
cryptography, work together. Bruce Schneier
by Enrico Zimuel
www.webandphp.com
www.webandphp.com
tain the private key from the public key. The public
key and the private key are related by a mathematical
property, the integer factorisation problem [3]. The
integer factorisation or prime factorisation is the decomposition of a composite number into smaller nontrivial divisors, which when multiplied together equal
the original integer. When the numbers are very
large, no efficient, non-quantum integer factorisation algorithm is known; an effort concluded in 2009
by several researchers factored a 232-digit number
(RSA-768) utilising hundreds of machines over a span
of two years.
But, even if symmetric ciphers have the problem of
sharing the key, they are the most widely used algorithms to encrypt data. The main reason is because
they are very fast, compared with the asymmetric
algorithms. If we have problems sharing the key we
can use the asymmetric algorithms to encrypt a session key used by a symmetric algorithm to encrypt the
data. This is the hybrid method, using asymmetric and
symmetric algorithms, and its very common in the
implementation of cryptographic systems (one of the
most famous protocols that uses this technique is the
OpenPGP standard, RFC 4880 [4]).
Hash functions
The algorithms shown so far are able to protect sensitive information by transforming the plaintext into a
ciphertext. If we want to protect data against an accidental or intentional change, we can use a special
family of algorithms: hash functions. Hash functions
take an arbitrary block of data and return a fixed-size bit
string, the hash value (sometimes called the message
digest or simply digest). These functions are used in
different computer science fields. For instance, they
are used with the hash table data structure to calculate
the key of a value. In cryptography, a hash function has
four main or significant properties:
Of course, using standard algorithms we can reduce the risk of attacks, but
we cannot remove it. If you want to design a secure system, you should never
stop studying and keep updated with the last news about computer security.
This is particularly true for web applications where the possible attacks can
come from one or millions of people.
PHP has not been considered enterprise ready for many years, but now
it is. Companies around the world use PHP as a language to build web applications that are used by millions of people, and security is a crucial aspect of
these applications. Cryptography can help with secure design and PHP offers
many way to use it.
Cryptography in PHP
PHP offers different implementations of the most important cryptographic
algorithms. In particular, PHP has the following cryptographic extensions:
Hash
Mcrypt
OpenSSL
Visit today!
www.webandphp.com
webdev360.com
www.webandphp.com
full example in PHP of how to use AES-256 with encrypt-then-authenticate schema. Listing 1 shows an
example using a PHP class.
The encrypt() method of the AES class has the following parameters: $data is the plaintext, $key is the
secret key and $iv is the initialisation vector (optional).
If we dont pass the $iv parameter encrypt() will generate a random value using the mcrypt_create_iv() function of Mcrypt. This function generates a random IV
Listing 1
class AES {
/**
* Encrypt
*
* @param string $data
* @param string $key
* @param string $iv
* @return string
*/
public static function encrypt($data, $key, $iv = null)
{
if (empty($iv)) {
$iv = mcrypt_create_iv(16, MCRYPT_DEV_URANDOM);
}
// generate a 256 bit key from $key
$hashKey = hash('sha256', $key, true);
// PKCS #7 padding
$pad = 16 - (strlen($data) % 16);
$data .= str_repeat(chr($pad), $pad);
$encrypted = mcrypt_encrypt(
MCRYPT_RIJNDAEL_128,
$hashKey,
$data,
MCRYPT_MODE_CBC,
$iv
);
// HMAC using md5($key) as key
$hmac = hash_hmac('sha256', MCRYPT_RIJNDAEL_128 . $iv . $encrypted,
www.webandphp.com
md5($key));
return base64_encode($iv) . $hmac . base64_encode($encrypted);
}
/**
* Decrypt
*
* @param string $data
* @param string $key
* @return string
*/
public static function decrypt($data, $key)
{
$iv
= base64_decode(substr($data, 0, 24));
$hmac = substr($data, 24, 64);
$encrypted = base64_decode(substr($data, 88));
$hmacNew = hash_hmac('sha256', MCRYPT_RIJNDAEL_128 . $iv . $encrypted,
md5($key));
if (!self::compareString($hmacNew, $hmac)) {
return false;
}
$hashKey = hash('sha256', $key, true);
$plaintext = mcrypt_decrypt(
MCRYPT_RIJNDAEL_128,
$hashKey,
$encrypted,
MCRYPT_MODE_CBC,
$iv
);
www.webandphp.com
Where $salt is a random string, $data is the information that we want to protect (for instance, a users
password) and $workload is a parameter of the bcrypt
algorithm which we will come back to later.
Bcrypt is wasdesigned by Niels Provos and David
Mazires and was presented at USENIX in 1999 [13].
The algorithm is an adaptive hash function based on
the Blowfish symmetric cipher. Besides incorporating
a salt to protect against rainbow table attacks, bcrypt is
an adaptive hash: over time, it can be made slower and
slower so it remains resistant to specific brute-force
search attacks against the hash and the salt.
Earlier we mentioned a $workload parameter. This is
the cost of the algorithm, an integer value that specifies the workload. A greater value in $workload means
more work for the algorithm, which means more computational time and consequently more security. The
$workload parameter of the PHP crypt() function is an
integer value from 10 to 31.
The question is: which value to use for the $workload? The answer depends on the speed of the CPU
that you are going to use. For instance, running the
bcrypt PHP implementation on my laptop, an Intel Core
2 at 2.1Ghz, the computational speed is as follows:
$workload
time in seconds
10
0.1
11
0.2
12
0.4
13
0.7
14
1.5
15
3.0
16
6.0
17
12
18
24.3
19
48.7
20
97.3
21
194.3
...
...
My suggestion is to use a $workload value that guarantees at least one second of computation, meaning
in my case the value 14. If you have to test 100 million
passwords and each test runs in 1 second you need
to wait more than 3 years (and 100 million is a small
number for a real brute-force attack).
To check if a value ($value) is correct against a bcrypt
hash value ($hash), we can use the following test:
if ($hash==crypt($value,$hash)) {
echo 'The value is correct';
} else {
echo 'The value is not correct!';
}
www.webandphp.com
www.webandphp.com
References
Conclusion
In this article, we introduced the use of cryptography
in PHP. We showed how to encrypt and decrypt sensitive data using symmetric and asymmetric algorithms.
Moreover, we discussed hash functions and how to
use the bcrypt algorithm to safely store users passwords. We showed that cryptography doesnt necessarily mean security and that it is always better to use
standard algorithms like AES, SHA or RSA. If we build
software that is reasonably secure today, in the next
few months or years it probably wont be. Computer
security is always evolving, especially in the field of
web applications, and you should always stay on the
alert.