Class Security

Security Library contains utility methods related to security

Namespace: Cake\Utility
Location: Utility/Security.php

Properties summary

  • $_instance protected static
    object
    The crypto implementation to use.
  • $_salt protected static
    string
    The HMAC salt to use for encryption and decryption routines
  • $hashType public static
    string
    Default hash method. If $type param for Security::hash() is not specified this value is used. Defaults to 'sha1'.

Method Summary

  • _checkKey() protected static
    Check the encryption key for proper length.
  • _constantEquals() protected static
    A timing attack resistant comparison that prefers native PHP implementations.
  • decrypt() public static
    Decrypt a value using AES-256.
  • encrypt() public static
    Encrypt a value using AES-256.
  • engine() public static
    Get the crypto implementation based on the loaded extensions.
  • getSalt() public static
    Gets the HMAC salt to be used for encryption/decryption routines.
  • hash() public static
    Create a hash from string using given method.
  • insecureRandomBytes() public static
    Like randomBytes(), but not cryptographically secure.
  • randomBytes() public static
    Get random bytes from a secure source.
  • rijndael() public static
    Encrypts/Decrypts a text using the given key using rijndael method.
  • salt() public static
    Gets or sets the HMAC salt to be used for encryption/decryption routines.
  • setHash() public static
    Sets the default hash method for the Security object. This affects all objects using Security::hash().
  • setSalt() public static
    Sets the HMAC salt to be used for encryption/decryption routines.

Method Detail

_checkKey() protected static

_checkKey( string $key , string $method )

Check the encryption key for proper length.

Parameters

string $key
Key to check.
string $method
The method the key is being checked for.

Throws

InvalidArgumentException
When key length is not 256 bit/32 bytes

_constantEquals() protected static

_constantEquals( string $hmac , string $compare )

A timing attack resistant comparison that prefers native PHP implementations.

Parameters

string $hmac
The hmac from the ciphertext being decrypted.
string $compare
The comparison hmac.

Returns

boolean

See

https://github.com/resonantcore/php-future/

decrypt() public static

decrypt( string $cipher , string $key , string|null $hmacSalt = null )

Decrypt a value using AES-256.

Parameters

string $cipher
The ciphertext to decrypt.
string $key
The 256 bit/32 byte key to use as a cipher key.
string|null $hmacSalt optional null
The salt to use for the HMAC process. Leave null to use Security.salt.

Returns

string|boolean
Decrypted data. Any trailing null bytes will be removed.

Throws

InvalidArgumentException
On invalid data or key.

encrypt() public static

encrypt( string $plain , string $key , string|null $hmacSalt = null )

Encrypt a value using AES-256.

Caveat: You cannot properly encrypt/decrypt data with trailing null bytes. Any trailing null bytes will be removed on decryption due to how PHP pads messages with nulls prior to encryption.

Parameters

string $plain
The value to encrypt.
string $key
The 256 bit/32 byte key to use as a cipher key.
string|null $hmacSalt optional null
The salt to use for the HMAC process. Leave null to use Security.salt.

Returns

string
Encrypted data.

Throws

InvalidArgumentException
On invalid data or key.
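
A round trip through encrypt() and decrypt() that handles the trailing-null caveat and the failure return value; this is an added example, not code from the CakePHP project. It assumes the cakephp/utility 3.5 package is installed through Composer; sealBytes(), openBytes() and the salt strings are hypothetical names and constructed values.

```php
<?php
// Added example, not CakePHP's own code.
// Assumption: cakephp/utility 3.5 is installed via Composer next to this file.
require __DIR__ . '/vendor/autoload.php';

use Cake\Utility\Security;

// Constructed sample salt; a real application loads it from its configuration.
Security::setSalt('constructed-example-salt-not-for-production-0123456789');
// Exactly 256 bit/32 bytes, the length _checkKey() checks for.
$key = Security::randomBytes(32);

/**
 * Encrypt arbitrary bytes. Base64-encoding first guarantees the plaintext
 * never ends in a null byte, so decryption cannot strip anything.
 */
function sealBytes($bytes, $key)
{
    return Security::encrypt(base64_encode($bytes), $key);
}

/**
 * Decrypt and decode. Returns null when decrypt() reports failure (false),
 * which happens on an HMAC mismatch: tampering, wrong key or wrong HMAC salt.
 */
function openBytes($cipher, $key, $hmacSalt = null)
{
    $plain = Security::decrypt($cipher, $key, $hmacSalt);
    if ($plain === false) {
        return null;
    }
    $bytes = base64_decode($plain, true);
    return $bytes === false ? null : $bytes;
}

// Constructed payload that ends in null bytes.
$secret = "token\x00\x00";
$cipher = sealBytes($secret, $key);
var_dump(openBytes($cipher, $key) === $secret);

// Flip one bit of the last ciphertext byte and try to open it again.
$tampered = $cipher;
$last = strlen($tampered) - 1;
$tampered[$last] = chr(ord($tampered[$last]) ^ 0x01);
var_dump(openBytes($tampered, $key));

// Decrypt with an HMAC salt other than the one used to encrypt.
var_dump(openBytes($cipher, $key, 'another-constructed-salt-value-9876543210'));
```

Callers should compare the result of decrypt() against false with ===, since a legitimately decrypted value such as "0" or an empty string is also falsy in PHP.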

engine() public static

engine( Cake\Utility\Crypto\OpenSsl|Cake\Utility\Crypto\Mcrypt|null $instance = null )

Get the crypto implementation based on the loaded extensions.

You can use this method to forcibly decide between mcrypt/openssl/custom implementations.

Parameters

Cake\Utility\Crypto\OpenSsl|Cake\Utility\Crypto\Mcrypt|null $instance optional null
The crypto instance to use.

Returns

Cake\Utility\Crypto\OpenSsl|Cake\Utility\Crypto\Mcrypt
Crypto instance.

Throws

InvalidArgumentException
When no compatible crypto extension is available.

getSalt() public static

getSalt( )

Gets the HMAC salt to be used for encryption/decryption routines.

Returns

string
The currently configured salt

hash() public static

hash( string $string , string|null $type = null , mixed $salt = false )

Create a hash from string using given method.

Parameters

string $string
String to hash
string|null $type optional null

Hashing algo to use (i.e. sha1, sha256 etc.). Can be any valid algo included in list returned by hash_algos(). If no value is passed the type specified by Security::$hashType is used.

mixed $salt optional false

If true, automatically prepends the application's salt value to $string (Security.salt).

Returns

string
Hash

Link

https://book.cakephp.org/3.0/en/core-libraries/security.html#hashing-data

insecureRandomBytes() public static

insecureRandomBytes( integer $length )

Like randomBytes(), but not cryptographically secure.

Parameters

integer $length
The number of bytes you want.

Returns

string
Random bytes in binary.

See

\Cake\Utility\Security::randomBytes()

randomBytes() public static

randomBytes( integer $length )

Get random bytes from a secure source.

This method will fall back to an insecure source and trigger a warning if it cannot find a secure source of random data.

Parameters

integer $length
The number of bytes you want.

Returns

string
Random bytes in binary.

rijndael() public static

rijndael( string $text , string $key , string $operation )

Encrypts/Decrypts a text using the given key using rijndael method.

Parameters

string $text
Encrypted string to decrypt, normal string to encrypt
string $key
Key to use as the encryption key for encrypted data.
string $operation
Operation to perform, encrypt or decrypt

Returns

string
Encrypted/Decrypted string

Throws

InvalidArgumentException
When there are errors.

salt() public static

salt( string|null $salt = null )

Gets or sets the HMAC salt to be used for encryption/decryption routines.

Deprecated

3.5.0 Use getSalt()/setSalt() instead.

Parameters

string|null $salt optional null
The salt to use for encryption routines. If null returns current salt.

Returns

string
The currently configured salt

setHash() public static

setHash( string $hash )

Sets the default hash method for the Security object. This affects all objects using Security::hash().

Parameters

string $hash
Method to use (sha1/sha256/md5 etc.)

See

\Cake\Utility\Security::hash()

setSalt() public static

setSalt( string $salt )

Sets the HMAC salt to be used for encryption/decryption routines.

Parameters

string $salt
The salt to use for encryption routines.

Properties detail

$_instance

protected static object

The crypto implementation to use.

$_salt

protected static string

The HMAC salt to use for encryption and decryption routines

$hashType

public static string

Default hash method. If $type param for Security::hash() is not specified this value is used. Defaults to 'sha1'.

'sha1'

© 2005–2018 The Cake Software Foundation, Inc.
Licensed under the MIT License.
CakePHP is a registered trademark of Cake Software Foundation, Inc.
We are not endorsed by or affiliated with CakePHP.
https://api.cakephp.org/3.5/class-Cake.Utility.Security.html