Class Security
Security Library contains utility methods related to security
Property Summary
-
$_instance protected static
object
The crypto implementation to use.
-
$_salt protected static
string|null
The HMAC salt to use for encryption and decryption routines
-
$hashType public static
string
Default hash method. If
$type
param forSecurity::hash()
is not specified this value is used. Defaults to 'sha1'.
Method Summary
-
_checkKey() protected static
Check the encryption key for proper length.
-
constantEquals() public static
A timing attack resistant comparison that prefers native PHP implementations.
-
decrypt() public static
Decrypt a value using AES-256.
-
encrypt() public static
Encrypt a value using AES-256.
-
engine() public static
Get the crypto implementation based on the loaded extensions.
-
getSalt() public static
Gets the HMAC salt to be used for encryption/decryption routines.
-
hash() public static
Create a hash from string using given method.
-
insecureRandomBytes() public static
Like randomBytes() above, but not cryptographically secure.
-
randomBytes() public static
Get random bytes from a secure source.
-
randomString() public static
Creates a secure random string.
-
setHash() public static
Sets the default hash method for the Security object. This affects all objects using Security::hash().
-
setSalt() public static
Sets the HMAC salt to be used for encryption/decryption routines.
Method Detail
_checkKey() ¶ protected static
_checkKey(string $key, string $method): void
Check the encryption key for proper length.
Parameters
-
string
$key Key to check.
-
string
$method The method the key is being checked for.
Returns
void
Throws
InvalidArgumentException
When key length is not 256 bit/32 bytes
constantEquals() ¶ public static
constantEquals(mixed $original, mixed $compare): bool
A timing attack resistant comparison that prefers native PHP implementations.
Parameters
-
mixed
$original The original value.
-
mixed
$compare The comparison value.
Returns
bool
decrypt() ¶ public static
decrypt(string $cipher, string $key, string|null $hmacSalt = null): string|null
Decrypt a value using AES-256.
Parameters
-
string
$cipher The ciphertext to decrypt.
-
string
$key The 256 bit/32 byte key to use as a cipher key.
-
string|null
$hmacSalt optional The salt to use for the HMAC process. Leave null to use value of Security::getSalt().
Returns
string|null
Throws
InvalidArgumentException
On invalid data or key.
encrypt() ¶ public static
encrypt(string $plain, string $key, string|null $hmacSalt = null): string
Encrypt a value using AES-256.
Caveat You cannot properly encrypt/decrypt data with trailing null bytes. Any trailing null bytes will be removed on decryption due to how PHP pads messages with nulls prior to encryption.
Parameters
-
string
$plain The value to encrypt.
-
string
$key The 256 bit/32 byte key to use as a cipher key.
-
string|null
$hmacSalt optional The salt to use for the HMAC process. Leave null to use value of Security::getSalt().
Returns
string
Throws
InvalidArgumentException
On invalid data or key.
engine() ¶ public static
engine(Cake\Utility\Crypto\OpenSsl|null $instance = null): Cake\Utility\Crypto\OpenSsl
Get the crypto implementation based on the loaded extensions.
You can use this method to forcibly decide between openssl/custom implementations.
Parameters
-
Cake\Utility\Crypto\OpenSsl|null
$instance optional The crypto instance to use.
Returns
Cake\Utility\Crypto\OpenSsl
Throws
InvalidArgumentException
When no compatible crypto extension is available.
getSalt() ¶ public static
getSalt(): string
Gets the HMAC salt to be used for encryption/decryption routines.
Returns
string
hash() ¶ public static
hash(string $string, string|null $algorithm = null, mixed $salt = false): string
Create a hash from string using given method.
Parameters
-
string
$string String to hash
-
string|null
$algorithm optional Hashing algo to use (i.e. sha1, sha256 etc.). Can be any valid algo included in list returned by hash_algos(). If no value is passed the type specified by
Security::$hashType
is used.-
mixed
$salt optional If true, automatically prepends the value returned by Security::getSalt() to $string.
Returns
string
Throws
RuntimeException
Links
insecureRandomBytes() ¶ public static
insecureRandomBytes(int $length): string
Like randomBytes() above, but not cryptographically secure.
Parameters
-
int
$length The number of bytes you want.
Returns
string
See Also
randomBytes() ¶ public static
randomBytes(int $length): string
Get random bytes from a secure source.
This method will fall back to an insecure source an trigger a warning if it cannot find a secure source of random data.
Parameters
-
int
$length The number of bytes you want.
Returns
string
randomString() ¶ public static
randomString(int $length = 64): string
Creates a secure random string.
Parameters
-
int
$length optional String length. Default 64.
Returns
string
setHash() ¶ public static
setHash(string $hash): void
Sets the default hash method for the Security object. This affects all objects using Security::hash().
Parameters
-
string
$hash Method to use (sha1/sha256/md5 etc.)
Returns
void
See Also
setSalt() ¶ public static
setSalt(string $salt): void
Sets the HMAC salt to be used for encryption/decryption routines.
Parameters
-
string
$salt The salt to use for encryption routines.
Returns
void