Class Security
Security Library contains utility methods related to security
Copyright: Copyright (c) Cake Software Foundation, Inc. (http://cakefoundation.org)
License: MIT License
Location: Cake/Utility/Security.php
Properties summary
Method Summary
-
_checkKey() protected static
Check the encryption key for proper length. -
_crypt() protected static
One way encryption using php's crypt() function. To use blowfish hashing seeSecurity::hash()
-
_salt() protected static
Generates a pseudo random salt suitable for use with php's crypt() function. The salt length should not exceed 27. The salt will be composed of [./0-9A-Za-z]{$length}.
-
cipher() public static deprecated
Runs $text through a XOR cipher. -
decrypt() public static
Decrypt a value using AES-256. -
encrypt() public static
Encrypt a value using AES-256. -
generateAuthKey() public static deprecated
Generate authorization hash. -
hash() public static
Create a hash from string using given method or fallback on next available method. -
inactiveMins() public static deprecated
Get allowed minutes of inactivity based on security level. -
randomBytes() public static
Get random bytes from a secure source. -
rijndael() public static
Encrypts/Decrypts a text using the given key using rijndael method. -
setCost() public static
Sets the cost for they blowfish hash method. -
setHash() public static
Sets the default hash method for the Security object. This affects all objects using Security::hash().
-
validateAuthKey() public static deprecated
Validate authorization hash.
Method Detail
_checkKey() protected static ¶
_checkKey( string $key , string $method )
Check the encryption key for proper length.
Parameters
- string $key
- Key to check.
- string $method
- The method the key is being checked for.
Throws
_crypt() protected static ¶
_crypt( string $password , mixed $salt = false )
One way encryption using php's crypt() function. To use blowfish hashing see Security::hash()
Parameters
- string $password
- The string to be encrypted.
- mixed $salt optional false
- false to generate a new salt or an existing salt.
Returns
The hashed string or an empty string on error.
_salt() protected static ¶
_salt( integer $length = 22 )
Generates a pseudo random salt suitable for use with php's crypt() function. The salt length should not exceed 27. The salt will be composed of [./0-9A-Za-z]{$length}.
Parameters
- integer $length optional 22
- The length of the returned salt
Returns
The generated salt
cipher() public static deprecated ¶
cipher( string $text , string $key )
Runs $text through a XOR cipher.
Note This is not a cryptographically strong method and should not be used for sensitive data. Additionally this method does not work in environments where suhosin is enabled.
Instead you should use Security::rijndael() when you need strong encryption.
Deprecated
Parameters
- string $text
- Encrypted string to decrypt, normal string to encrypt
- string $key
- Key to use
Returns
Encrypted/Decrypted string
decrypt() public static ¶
decrypt( string $cipher , string $key , string $hmacSalt = null )
Decrypt a value using AES-256.
Parameters
- string $cipher
- The ciphertext to decrypt.
- string $key
- The 256 bit/32 byte key to use as a cipher key.
- string $hmacSalt optional null
- The salt to use for the HMAC process. Leave null to use Security.salt.
Returns
Decrypted data. Any trailing null bytes will be removed.
Throws
encrypt() public static ¶
encrypt( string $plain , string $key , string $hmacSalt = null )
Encrypt a value using AES-256.
Caveat You cannot properly encrypt/decrypt data with trailing null bytes. Any trailing null bytes will be removed on decryption due to how PHP pads messages with nulls prior to encryption.
Parameters
- string $plain
- The value to encrypt.
- string $key
- The 256 bit/32 byte key to use as a cipher key.
- string $hmacSalt optional null
- The salt to use for the HMAC process. Leave null to use Security.salt.
Returns
Encrypted data.
Throws
generateAuthKey() public static deprecated ¶
generateAuthKey( )
Generate authorization hash.
Deprecated
Returns
Hash
hash() public static ¶
hash( string $string , string $type = null , mixed $salt = false )
Create a hash from string using given method or fallback on next available method.
Using Blowfish
- Creating Hashes: Do not supply a salt. Cake handles salt creation for you ensuring that each hashed password will have a unique salt.
- Comparing Hashes: Simply pass the originally hashed password as the salt.
The salt is prepended to the hash and php handles the parsing automagically.
For convenience the
BlowfishPasswordHasher
class is available for use with the AuthComponent. - Do NOT use a constant salt for blowfish!
Creating a blowfish/bcrypt hash:
$hash = Security::hash($password, 'blowfish');
Parameters
- string $string
- String to hash
- string $type optional null
- Method to use (sha1/sha256/md5/blowfish)
- mixed $salt optional false
If true, automatically prepends the application's salt value to $string (Security.salt). If you are using blowfish the salt must be false or a previously generated salt.
Returns
Hash
Link
inactiveMins() public static deprecated ¶
inactiveMins( )
Get allowed minutes of inactivity based on security level.
Deprecated
Returns
Allowed inactivity in minutes
randomBytes() public static ¶
randomBytes( integer $length )
Get random bytes from a secure source.
This method will fall back to an insecure source an trigger a warning if it cannot find a secure source of random data.
Parameters
- integer $length
- The number of bytes you want.
Returns
Random bytes in binary.
rijndael() public static ¶
rijndael( string $text , string $key , string $operation )
Encrypts/Decrypts a text using the given key using rijndael method.
Prior to 2.3.1, a fixed initialization vector was used. This was not secure. This method now uses a random iv, and will silently upgrade values when they are re-encrypted.
Parameters
- string $text
- Encrypted string to decrypt, normal string to encrypt
- string $key
- Key to use as the encryption key for encrypted data.
- string $operation
- Operation to perform, encrypt or decrypt
Returns
Encrypted/Decrypted string
setCost() public static ¶
setCost( integer $cost )
Sets the cost for they blowfish hash method.
Parameters
- integer $cost
- Valid values are 4-31
setHash() public static ¶
setHash( string $hash )
Sets the default hash method for the Security object. This affects all objects using Security::hash().
Parameters
- string $hash
- Method to use (sha1/sha256/md5/blowfish)
See
validateAuthKey() public static deprecated ¶
validateAuthKey( string $authKey )
Validate authorization hash.
Deprecated
Parameters
- string $authKey
- Authorization hash
Returns
Success