Class Security
Security Library contains utility methods related to security
Properties summary
-
$_instanceprotected staticobjectThe crypto implementation to use. -
$_saltprotected staticstringThe HMAC salt to use for encryption and decryption routines -
$hashTypepublic staticstringDefault hash method. If
$typeparam forSecurity::hash()is not specified this value is used. Defaults to 'sha1'.
Method Summary
-
_checkKey() protected static
Check the encryption key for proper length. -
constantEquals() public static
A timing attack resistant comparison that prefers native PHP implementations. -
decrypt() public static
Decrypt a value using AES-256. -
encrypt() public static
Encrypt a value using AES-256. -
engine() public static
Get the crypto implementation based on the loaded extensions. -
getSalt() public static
Gets the HMAC salt to be used for encryption/decryption routines.
-
hash() public static
Create a hash from string using given method. -
insecureRandomBytes() public static
Like randomBytes() above, but not cryptographically secure. -
randomBytes() public static
Get random bytes from a secure source. -
randomString() public static
Creates a secure random string. -
rijndael() public static deprecated
Encrypts/Decrypts a text using the given key using rijndael method. -
salt() public static deprecated
Gets or sets the HMAC salt to be used for encryption/decryption routines.
-
setHash() public static
Sets the default hash method for the Security object. This affects all objects using Security::hash().
-
setSalt() public static
Sets the HMAC salt to be used for encryption/decryption routines.
Method Detail
_checkKey() protected static ¶
_checkKey( string $key , string $method )
Check the encryption key for proper length.
Parameters
- string $key
- Key to check.
- string $method
- The method the key is being checked for.
Throws
When key length is not 256 bit/32 bytes
constantEquals() public static ¶
constantEquals( string $original , string $compare )
A timing attack resistant comparison that prefers native PHP implementations.
Parameters
- string $original
- The original value.
- string $compare
- The comparison value.
Returns
See
Since
decrypt() public static ¶
decrypt( string $cipher , string $key , string|null $hmacSalt = null )
Decrypt a value using AES-256.
Parameters
- string $cipher
- The ciphertext to decrypt.
- string $key
- The 256 bit/32 byte key to use as a cipher key.
- string|null $hmacSalt optional null
- The salt to use for the HMAC process. Leave null to use Security.salt.
Returns
Decrypted data. Any trailing null bytes will be removed.
Throws
On invalid data or key.
encrypt() public static ¶
encrypt( string $plain , string $key , string|null $hmacSalt = null )
Encrypt a value using AES-256.
Caveat You cannot properly encrypt/decrypt data with trailing null bytes. Any trailing null bytes will be removed on decryption due to how PHP pads messages with nulls prior to encryption.
Parameters
- string $plain
- The value to encrypt.
- string $key
- The 256 bit/32 byte key to use as a cipher key.
- string|null $hmacSalt optional null
- The salt to use for the HMAC process. Leave null to use Security.salt.
Returns
Encrypted data.
Throws
On invalid data or key.
engine() public static ¶
engine( Cake\Utility\Crypto\OpenSsl|Cake\Utility\Crypto\Mcrypt|null $instance = null )
Get the crypto implementation based on the loaded extensions.
You can use this method to forcibly decide between mcrypt/openssl/custom implementations.
Parameters
- Cake\Utility\Crypto\OpenSsl|Cake\Utility\Crypto\Mcrypt|null $instance optional null
- The crypto instance to use.
Returns
Crypto instance.
Throws
When no compatible crypto extension is available.
getSalt() public static ¶
getSalt( )
Gets the HMAC salt to be used for encryption/decryption routines.
Returns
The currently configured salt
hash() public static ¶
hash( string $string , string|null $algorithm = null , mixed $salt = false )
Create a hash from string using given method.
Parameters
- string $string
- String to hash
- string|null $algorithm optional null
Hashing algo to use (i.e. sha1, sha256 etc.). Can be any valid algo included in list returned by hash_algos(). If no value is passed the type specified by
Security::$hashTypeis used.- mixed $salt optional false
If true, automatically prepends the application's salt value to $string (Security.salt).
Returns
Hash
Throws
Link
insecureRandomBytes() public static ¶
insecureRandomBytes( integer $length )
Like randomBytes() above, but not cryptographically secure.
Parameters
- integer $length
- The number of bytes you want.
Returns
Random bytes in binary.
See
randomBytes() public static ¶
randomBytes( integer $length )
Get random bytes from a secure source.
This method will fall back to an insecure source an trigger a warning if it cannot find a secure source of random data.
Parameters
- integer $length
- The number of bytes you want.
Returns
Random bytes in binary.
randomString() public static ¶
randomString( integer $length = 64 )
Creates a secure random string.
Parameters
- integer $length optional 64
- String length. Default 64.
Returns
Since
rijndael() public static deprecated ¶
rijndael( string $text , string $key , string $operation )
Encrypts/Decrypts a text using the given key using rijndael method.
Deprecated
3.6.3 This method relies on functions provided by mcrypt extension which has been deprecated in PHP 7.1 and removed in PHP 7.2. There's no 1:1 replacement for this method. Upgrade your code to use Security::encrypt()/Security::decrypt() with OpenSsl engine instead.
Parameters
- string $text
- Encrypted string to decrypt, normal string to encrypt
- string $key
- Key to use as the encryption key for encrypted data.
- string $operation
- Operation to perform, encrypt or decrypt
Returns
Encrypted/Decrypted string.
Throws
When there are errors.
salt() public static deprecated ¶
salt( string|null $salt = null )
Gets or sets the HMAC salt to be used for encryption/decryption routines.
Deprecated
Parameters
- string|null $salt optional null
- The salt to use for encryption routines. If null returns current salt.
Returns
The currently configured salt