Class Security

The Security library contains utility methods related to security.

Namespace: Cake\Utility
Location: Utility/Security.php

Properties summary

  • $_instance protected static
    object
    The crypto implementation to use.
  • $_salt protected static
    string
    The HMAC salt to use for encryption and decryption routines
  • $hashType public static
    string

    Default hash method. If the $algorithm parameter of Security::hash() is not specified, this value is used. Defaults to 'sha1'.

Method Summary

  • _checkKey() protected static
    Check the encryption key for proper length.
  • constantEquals() public static
    A timing attack resistant comparison that prefers native PHP implementations.
  • decrypt() public static
    Decrypt a value using AES-256.
  • encrypt() public static
    Encrypt a value using AES-256.
  • engine() public static
    Get the crypto implementation based on the loaded extensions.
  • getSalt() public static

    Gets the HMAC salt to be used for encryption/decryption routines.

  • hash() public static
    Create a hash from string using given method.
  • insecureRandomBytes() public static
    Like randomBytes(), but not cryptographically secure.
  • randomBytes() public static
    Get random bytes from a secure source.
  • randomString() public static
    Creates a secure random string.
  • rijndael() public static deprecated
    Encrypts or decrypts text with the given key using the rijndael method.
  • salt() public static deprecated

    Gets or sets the HMAC salt to be used for encryption/decryption routines.

  • setHash() public static

    Sets the default hash method for the Security object. This affects all objects using Security::hash().

  • setSalt() public static

    Sets the HMAC salt to be used for encryption/decryption routines.

Method Detail

_checkKey() protected static

_checkKey( string $key , string $method )

Check the encryption key for proper length.

Parameters

string $key
Key to check.
string $method
The method the key is being checked for.

Throws

InvalidArgumentException
When key length is not 256 bit/32 bytes

constantEquals() public static

constantEquals( string $original , string $compare )

A timing attack resistant comparison that prefers native PHP implementations.

Parameters

string $original
The original value.
string $compare
The comparison value.

Returns

boolean

See

https://github.com/resonantcore/php-future/

Since

3.6.2

decrypt() public static

decrypt( string $cipher , string $key , string|null $hmacSalt = null )

Decrypt a value using AES-256.

Parameters

string $cipher
The ciphertext to decrypt.
string $key
The 256 bit/32 byte key to use as a cipher key.
string|null $hmacSalt optional null
The salt to use for the HMAC process. Leave null to use Security.salt.

Returns

string|boolean
Decrypted data. Any trailing null bytes will be removed.

Throws

InvalidArgumentException
On invalid data or key.

encrypt() public static

encrypt( string $plain , string $key , string|null $hmacSalt = null )

Encrypt a value using AES-256.

Caveat: You cannot properly encrypt/decrypt data with trailing null bytes. Any trailing null bytes will be removed on decryption due to how PHP pads messages with nulls prior to encryption.

Parameters

string $plain
The value to encrypt.
string $key
The 256 bit/32 byte key to use as a cipher key.
string|null $hmacSalt optional null
The salt to use for the HMAC process. Leave null to use Security.salt.

Returns

string
Encrypted data.

Throws

InvalidArgumentException
On invalid data or key.
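
The encrypt()/decrypt() contract described above, as an added example that is not part of the original reference or of CakePHP's own code. It assumes CakePHP 3.6 installed through Composer with the OpenSSL extension loaded, and that a failed HMAC check is the case decrypt() reports as boolean false; the salt, key and plaintext are constructed for the demo.

```php
<?php
// Added example: assumes vendor/autoload.php comes from a Composer install of CakePHP 3.6.
require 'vendor/autoload.php';

use Cake\Utility\Security;

// Constructed salt for the demo; an application normally configures Security.salt once.
Security::setSalt(bin2hex(Security::randomBytes(32)));

// encrypt() and decrypt() require a 256 bit / 32 byte key.
$key = Security::randomBytes(32);

$plain = 'account=1234;role=user'; // constructed sample value
$cipher = Security::encrypt($plain, $key);

// Round trip with the same key and salt.
$roundTrip = Security::decrypt($cipher, $key);
var_dump($roundTrip === $plain);

// Flip one bit in the last byte to simulate ciphertext modified in storage or transit.
$tampered = $cipher;
$last = strlen($tampered) - 1;
$tampered[$last] = chr(ord($tampered[$last]) ^ 0x01);

// decrypt() is documented as returning string|boolean, so test with === false.
// A loose check such as !$result would also reject a legitimate plaintext of "0".
$result = Security::decrypt($tampered, $key);
if ($result === false) {
    echo "modified ciphertext rejected\n";
}

// A different HMAC salt must not yield the plaintext either.
$otherSalt = Security::decrypt($cipher, $key, 'a-different-constructed-salt-value');
var_dump($otherSalt === $plain);

// A key shorter than 32 bytes is refused with InvalidArgumentException.
try {
    Security::encrypt($plain, 'too-short');
} catch (InvalidArgumentException $e) {
    echo 'key rejected: ', $e->getMessage(), "\n";
}
```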

engine() public static

engine( Cake\Utility\Crypto\OpenSsl|Cake\Utility\Crypto\Mcrypt|null $instance = null )

Get the crypto implementation based on the loaded extensions.

You can use this method to forcibly decide between mcrypt/openssl/custom implementations.

Parameters

Cake\Utility\Crypto\OpenSsl|Cake\Utility\Crypto\Mcrypt|null $instance optional null
The crypto instance to use.

Returns

Cake\Utility\Crypto\OpenSsl|Cake\Utility\Crypto\Mcrypt
Crypto instance.

Throws

InvalidArgumentException
When no compatible crypto extension is available.

getSalt() public static

getSalt( )

Gets the HMAC salt to be used for encryption/decryption routines.

Returns

string
The currently configured salt

hash() public static

hash( string $string , string|null $algorithm = null , mixed $salt = false )

Create a hash from string using given method.

Parameters

string $string
String to hash
string|null $algorithm optional null

Hashing algorithm to use (e.g. sha1, sha256 etc.). Can be any valid algorithm included in the list returned by hash_algos(). If no value is passed, the type specified by Security::$hashType is used.

mixed $salt optional false

If true, automatically prepends the application's salt value to $string (Security.salt).

Returns

string
Hash

Link

https://book.cakephp.org/3.0/en/core-libraries/security.html#hashing-data

insecureRandomBytes() public static

insecureRandomBytes( integer $length )

Like randomBytes(), but not cryptographically secure.

Parameters

integer $length
The number of bytes you want.

Returns

string
Random bytes in binary.

See

\Cake\Utility\Security::randomBytes()

randomBytes() public static

randomBytes( integer $length )

Get random bytes from a secure source.

This method will fall back to an insecure source and trigger a warning if it cannot find a secure source of random data.

Parameters

integer $length
The number of bytes you want.

Returns

string
Random bytes in binary.

randomString() public static

randomString( integer $length = 64 )

Creates a secure random string.

Parameters

integer $length optional 64
String length. Default 64.

Returns

string

Since

3.6.0
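
How randomString(), hash() and constantEquals() fit together when issuing and checking a one-time token, as an added example that is not part of the original reference or of CakePHP's own code. It assumes CakePHP 3.6.2 or later installed through Composer; issueResetToken() and verifyResetToken() are hypothetical helper names, and the algorithm is passed explicitly so the result does not depend on the 'sha1' default of Security::$hashType.

```php
<?php
// Added example: assumes vendor/autoload.php comes from a Composer install of CakePHP >= 3.6.2.
require 'vendor/autoload.php';

use Cake\Utility\Security;

/**
 * Hypothetical helper: the caller receives the raw token,
 * the application stores only its SHA-256 digest.
 */
function issueResetToken()
{
    $token = Security::randomString(64);

    return [
        'token' => $token,
        'stored' => Security::hash($token, 'sha256'),
    ];
}

/**
 * Hypothetical helper: hash the presented value the same way and compare
 * the two digests with the timing attack resistant comparison.
 */
function verifyResetToken($storedDigest, $presented)
{
    // Reject missing or non-string input before hashing it.
    if (!is_string($presented) || $presented === '') {
        return false;
    }

    return Security::constantEquals($storedDigest, Security::hash($presented, 'sha256'));
}

$issued = issueResetToken();

// The token that was issued.
var_dump(verifyResetToken($issued['stored'], $issued['token']));
// An unrelated token of the same length.
var_dump(verifyResetToken($issued['stored'], Security::randomString(64)));
// A missing request parameter.
var_dump(verifyResetToken($issued['stored'], null));
```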

rijndael() public static deprecated

rijndael( string $text , string $key , string $operation )

Encrypts or decrypts text with the given key using the rijndael method.

Deprecated

3.6.3 This method relies on functions provided by the mcrypt extension, which was deprecated in PHP 7.1 and removed in PHP 7.2. There is no 1:1 replacement for this method. Upgrade your code to use Security::encrypt()/Security::decrypt() with the OpenSsl engine instead.


Parameters

string $text
Encrypted string to decrypt, normal string to encrypt
string $key
Key to use as the encryption key for encrypted data.
string $operation
Operation to perform, encrypt or decrypt

Returns

string
Encrypted/Decrypted string.

Throws

InvalidArgumentException
When there are errors.

salt() public static deprecated

salt( string|null $salt = null )

Gets or sets the HMAC salt to be used for encryption/decryption routines.

Deprecated

3.5.0 Use getSalt()/setSalt() instead.

Parameters

string|null $salt optional null
The salt to use for encryption routines. If null returns current salt.

Returns

string
The currently configured salt

setHash() public static

setHash( string $hash )

Sets the default hash method for the Security object. This affects all objects using Security::hash().

Parameters

string $hash
Method to use (sha1/sha256/md5 etc.)

See

\Cake\Utility\Security::hash()

setSalt() public static

setSalt( string $salt )

Sets the HMAC salt to be used for encryption/decryption routines.

Parameters

string $salt
The salt to use for encryption routines.

Properties detail

$_instance

protected static object

The crypto implementation to use.

$_salt

protected static string

The HMAC salt to use for encryption and decryption routines

$hashType

public static string

Default hash method. If the $algorithm parameter of Security::hash() is not specified, this value is used. Defaults to 'sha1'.

'sha1'

© 2005–present The Cake Software Foundation, Inc.
Licensed under the MIT License.
CakePHP is a registered trademark of Cake Software Foundation, Inc.
We are not endorsed by or affiliated with CakePHP.
https://api.cakephp.org/3.6/class-Cake.Utility.Security.html