Zend Framework 2.1


Overview of the new features

Posted on January 31, 2013

Yesterday we released versions 2.1.0 and 2.0.7 of Zend Framework. I'm excited about this release because we introduced new features and we fixed more than 150 bugs. Some of the new features include:

  • new Zend\Permissions\Rbac component, which offers a new approach to building an authorization schema, oriented more to roles and their permissions than to objects (resources, as in Zend\Permissions\Acl);
  • new Zend\Test component, providing the ability to perform functional or integration testing;
  • new Zend\Crypt\Password\Apache component to generate and verify passwords in the Apache formats (htpasswd);
  • Apache password adapter for Zend\Authentication, based on the new component Zend\Crypt\Password\Apache;
  • scrypt algorithm support provided by Zend\Crypt\Key\Derivation\Scrypt;
  • new Oracle and IBM DB2 adapters for Zend\Db;
  • new FirePHP, ChromePHP, MongoDB, and FingersCrossed adapters for Zend\Log;
  • new MongoDB adapter for Zend\Session.

Here is the official release announcement.

This new release of Zend Framework contains interesting new features related to security and cryptography. I mentioned the new Zend\Permissions\Rbac component, which can facilitate the implementation of a classic authorization system. Below is a simple use case:

use Zend\Permissions\Rbac\Rbac;
use Zend\Permissions\Rbac\Role;

$rbac = new Rbac();
$foo  = new Role('foo');
$foo->addPermission('bar');

var_dump($foo->hasPermission('bar')); // true

$rbac->addRole($foo);
$rbac->isGranted('foo', 'bar'); // true
$rbac->isGranted('foo', 'baz'); // false

$rbac->getRole('foo')->addPermission('baz');
$rbac->isGranted('foo', 'baz'); // true

I'm confident this component will simplify most of the existing use cases of web applications where typically we have users, roles and permissions.

Regarding the new cryptographic features, we implemented the scrypt algorithm and, as far as I know, this is the first open source implementation of scrypt in pure PHP (we also support the PHP scrypt module provided by Dominic Black).

The scrypt algorithm provides the most secure way, so far, to generate a key from a user's password. It uses a new idea to counter brute-force attacks: the computation consumes both CPU time and a large amount of memory (Sequential Memory-Hard Functions). This algorithm was proposed as an Internet Draft on 2012-09-17 by the IETF. The usage of the Zend\Crypt\Key\Derivation\Scrypt component is very simple; here is an example:

use Zend\Crypt\Key\Derivation\Scrypt;
use Zend\Math\Rand;

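$pass = 'password';
// Random salt; in this example its length follows the password length
$salt = Rand::getBytes(strlen($pass), true);
// CPU cost 2048, memory cost 2, parallelization cost 1, 64-byte output
$key  = Scrypt::calc($pass, $salt, 2048, 2, 1, 64);

printf("Original password: %s\n", $pass);
printf("Derived key (hex): %s\n", bin2hex($key));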

In this example, the parameters of Scrypt::calc are: $pass, the input password; $salt, the salt of the algorithm; 2048, the CPU cost; 2, the memory cost; 1, the parallelization cost; and 64, the length of the output hash to be generated.

More information on the scrypt implementation of ZF2 can be found here.

In ZF 2.1.0 we also released a new component Zend\Crypt\Password\Apache. This component supports all the Apache password formats (htpasswd).

The password formats supported by Apache are reported here. We can use this component to generate or verify a user's password using a simple API; here is an example:

use Zend\Crypt\Password\Apache;

$apache   = new Apache();
$password = 'password';

$formats = array('crypt', 'sha1', 'md5', 'digest');
foreach ($formats as $format) {
    $apache->setFormat($format);
    if ($format === 'digest') {
        $apache->setUserName('enrico');
        $apache->setAuthName('test');
    }
    $hash = $apache->create($password);
    $result = $apache->verify($password, $hash) ? 'OK' : 'FAILED';
    printf("%s output: %s (%s)\n", $format, $hash, $result);
}

A possible output for that script is as follows:

crypt output: hHbcSkUv7q7kI (OK)
sha1 output: {SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g= (OK)
md5 output: $apr1$3HKJdb5X$VNpmjgqNEKQ5S4JXlI8pW/ (OK)
digest output: 7f14e93e793186c46fc3e078cd777da9 (OK)
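
The four formats in that output can be told apart by their shape alone. The following is an added example, not code from Zend Framework or from the original post: it classifies a stored hash and re-checks the two formats that carry no random salt, using only built-in PHP functions. The function names apacheHashFormat, safeEquals and verifyUnsalted are hypothetical names chosen for this example.

```php
<?php
// Added example, not Zend Framework code; all function names are hypothetical.

function apacheHashFormat($hash)
{
    if (strpos($hash, '{SHA}') === 0) {
        return 'sha1';    // base64 of the raw SHA-1 digest, no salt
    }
    if (strpos($hash, '$apr1$') === 0) {
        return 'md5';     // salted, iterated MD5 (APR1)
    }
    if (preg_match('/^[0-9a-f]{32}$/', $hash)) {
        return 'digest';  // md5("user:realm:password")
    }
    if (preg_match('#^[./0-9A-Za-z]{13}$#', $hash)) {
        return 'crypt';   // traditional DES crypt(3): 2-char salt + 11 chars
    }
    return 'unknown';
}

// Constant-time string comparison (hash_equals() needs PHP 5.6+).
function safeEquals($a, $b)
{
    if (strlen($a) !== strlen($b)) {
        return false;
    }
    $diff = 0;
    for ($i = 0; $i < strlen($a); $i++) {
        $diff |= ord($a[$i]) ^ ord($b[$i]);
    }
    return $diff === 0;
}

// Returns true/false for 'sha1' and 'digest', null for formats not handled here.
function verifyUnsalted($password, $hash, $user = '', $realm = '')
{
    switch (apacheHashFormat($hash)) {
        case 'sha1':
            return safeEquals('{SHA}' . base64_encode(sha1($password, true)), $hash);
        case 'digest':
            return safeEquals(md5($user . ':' . $realm . ':' . $password), $hash);
    }
    return null;
}

// Hashes copied from the sample output above; user and realm as in the script.
foreach (array('hHbcSkUv7q7kI', '{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=',
    '$apr1$3HKJdb5X$VNpmjgqNEKQ5S4JXlI8pW/', '7f14e93e793186c46fc3e078cd777da9') as $h) {
    var_dump(apacheHashFormat($h), verifyUnsalted('password', $h, 'enrico', 'test'));
}
```

The sha1 and digest formats have no random salt, so the same password (and, for digest, the same user and realm) always yields the same hash, while the crypt and md5 lines change from run to run.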

We used the Apache password component to implement a new adapter for Zend\Authentication. It's the ApacheResolver that can be found under the namespace Zend\Authentication\Adapter\Http. Using this component we can easily provide user authentication using the password file produced by Apache (e.g. using the htpasswd command).

As you can see, the number of features in Zend Framework 2 is growing very fast, and the security components are growing with it. We are excited to offer such a set of security features to the PHP community. If you want more information about all the security aspects covered by ZF2, I suggest watching the recorded video of my webinar "Building Secure Web Applications with ZF2".