Class Security
Security Library contains utility methods related to security
Property Summary
-
$_instance protected static
object
The crypto implementation to use.
-
$_salt protected static
string|null
The HMAC salt to use for encryption and decryption routines
-
$hashType public static
string
Default hash method. If
$type
param forSecurity::hash()
is not specified this value is used. Defaults to 'sha1'.
Method Summary
-
_checkKey() protected static
Check the encryption key for proper length.
-
constantEquals() public static
A timing attack resistant comparison that prefers native PHP implementations.
-
decrypt() public static
Decrypt a value using AES-256.
-
encrypt() public static
Encrypt a value using AES-256.
-
engine() public static
Get the crypto implementation based on the loaded extensions.
-
getSalt() public static
Gets the HMAC salt to be used for encryption/decryption routines.
-
hash() public static
Create a hash from string using given method.
-
insecureRandomBytes() public static
Like randomBytes() above, but not cryptographically secure.
-
randomBytes() public static
Get random bytes from a secure source.
-
randomString() public static
Creates a secure random string.
-
rijndael() public static deprecated
Encrypts/Decrypts a text using the given key using rijndael method.
-
salt() public static deprecated
Gets or sets the HMAC salt to be used for encryption/decryption routines.
-
setHash() public static
Sets the default hash method for the Security object. This affects all objects using Security::hash().
-
setSalt() public static
Sets the HMAC salt to be used for encryption/decryption routines.
Method Detail
_checkKey() ¶ protected static
_checkKey(string $key, string $method): void
Check the encryption key for proper length.
Parameters
-
string
$key Key to check.
-
string
$method The method the key is being checked for.
Returns
void
Throws
InvalidArgumentException
When key length is not 256 bit/32 bytes
constantEquals() ¶ public static
constantEquals(string $original, string $compare): bool
A timing attack resistant comparison that prefers native PHP implementations.
Parameters
-
string
$original The original value.
-
string
$compare The comparison value.
Returns
bool
See Also
decrypt() ¶ public static
decrypt(string $cipher, string $key, string|null $hmacSalt = null): string|false
Decrypt a value using AES-256.
Parameters
-
string
$cipher The ciphertext to decrypt.
-
string
$key The 256 bit/32 byte key to use as a cipher key.
-
string|null
$hmacSalt optional The salt to use for the HMAC process. Leave null to use Security.salt.
Returns
string|false
Throws
InvalidArgumentException
On invalid data or key.
encrypt() ¶ public static
encrypt(string $plain, string $key, string|null $hmacSalt = null): string
Encrypt a value using AES-256.
Caveat You cannot properly encrypt/decrypt data with trailing null bytes. Any trailing null bytes will be removed on decryption due to how PHP pads messages with nulls prior to encryption.
Parameters
-
string
$plain The value to encrypt.
-
string
$key The 256 bit/32 byte key to use as a cipher key.
-
string|null
$hmacSalt optional The salt to use for the HMAC process. Leave null to use Security.salt.
Returns
string
Throws
InvalidArgumentException
On invalid data or key.
engine() ¶ public static
engine(Cake\Utility\Crypto\OpenSsl|Cake\Utility\Crypto\Mcrypt|null $instance = null): Cake\Utility\Crypto\OpenSsl|Cake\Utility\Crypto\Mcrypt
Get the crypto implementation based on the loaded extensions.
You can use this method to forcibly decide between mcrypt/openssl/custom implementations.
Parameters
-
Cake\Utility\Crypto\OpenSsl|Cake\Utility\Crypto\Mcrypt|null
$instance optional The crypto instance to use.
Returns
Cake\Utility\Crypto\OpenSsl|Cake\Utility\Crypto\Mcrypt
Throws
InvalidArgumentException
When no compatible crypto extension is available.
getSalt() ¶ public static
getSalt(): string
Gets the HMAC salt to be used for encryption/decryption routines.
Returns
string
hash() ¶ public static
hash(string $string, string|null $algorithm = null, mixed $salt = false): string
Create a hash from string using given method.
Parameters
-
string
$string String to hash
-
string|null
$algorithm optional Hashing algo to use (i.e. sha1, sha256 etc.). Can be any valid algo included in list returned by hash_algos(). If no value is passed the type specified by
Security::$hashType
is used.-
mixed
$salt optional If true, automatically prepends the application's salt value to $string (Security.salt).
Returns
string
Throws
RuntimeException
Links
insecureRandomBytes() ¶ public static
insecureRandomBytes(int $length): string
Like randomBytes() above, but not cryptographically secure.
Parameters
-
int
$length The number of bytes you want.
Returns
string
See Also
randomBytes() ¶ public static
randomBytes(int $length): string
Get random bytes from a secure source.
This method will fall back to an insecure source an trigger a warning if it cannot find a secure source of random data.
Parameters
-
int
$length The number of bytes you want.
Returns
string
randomString() ¶ public static
randomString(int $length = 64): string
Creates a secure random string.
Parameters
-
int
$length optional String length. Default 64.
Returns
string
rijndael() ¶ public static
rijndael(string $text, string $key, string $operation): string
Encrypts/Decrypts a text using the given key using rijndael method.
Parameters
-
string
$text Encrypted string to decrypt, normal string to encrypt
-
string
$key Key to use as the encryption key for encrypted data.
-
string
$operation Operation to perform, encrypt or decrypt
Returns
string
Throws
InvalidArgumentException
When there are errors.
salt() ¶ public static
salt(string|null $salt = null): string
Gets or sets the HMAC salt to be used for encryption/decryption routines.
Parameters
-
string|null
$salt optional The salt to use for encryption routines. If null returns current salt.
Returns
string
setHash() ¶ public static
setHash(string $hash): void
Sets the default hash method for the Security object. This affects all objects using Security::hash().
Parameters
-
string
$hash Method to use (sha1/sha256/md5 etc.)
Returns
void
See Also
setSalt() ¶ public static
setSalt(string $salt): void
Sets the HMAC salt to be used for encryption/decryption routines.
Parameters
-
string
$salt The salt to use for encryption routines.
Returns
void