Class yii\base\Security
| Inheritance | yii\base\Security » yii\base\Component » yii\base\Object |
|---|---|
| Implements | yii\base\Configurable |
| Available since version | 2.0 |
| Source Code | https://github.com/yiisoft/yii2/blob/master/framework/base/Security.php |
Security provides a set of methods to handle common security-related tasks.
In particular, Security supports the following features:
- Encryption/decryption: encryptByKey(), decryptByKey(), encryptByPassword() and decryptByPassword()
- Key derivation using standard algorithms: pbkdf2() and hkdf()
- Data tampering prevention: hashData() and validateData()
- Password validation: generatePasswordHash() and validatePassword()
Note: this class requires 'OpenSSL' PHP extension for random key/string generation on Windows and for encryption/decryption on all platforms. For the highest security level PHP version >= 5.5.0 is recommended.
Public Properties
| Property | Type | Description | Defined By |
|---|---|---|---|
| $allowedCiphers | array[] | Look-up table of block sizes and key sizes for each supported OpenSSL cipher. | yii\base\Security |
| $authKeyInfo | string | HKDF info value for derivation of message authentication key. | yii\base\Security |
| $behaviors | yii\base\Behavior[] | List of behaviors attached to this component | yii\base\Component |
| $cipher | string | The cipher to use for encryption and decryption. | yii\base\Security |
| $derivationIterations | integer | Derivation iterations count. | yii\base\Security |
| $kdfHash | string | Hash algorithm for key derivation. | yii\base\Security |
| $macHash | string | Hash algorithm for message authentication. | yii\base\Security |
| $passwordHashStrategy | string | Strategy, which should be used to generate password hash. | yii\base\Security |
Public Methods
| Method | Description | Defined By |
|---|---|---|
| __call() | Calls the named method which is not a class method. | yii\base\Component |
| __clone() | This method is called after the object is created by cloning an existing one. | yii\base\Component |
| __construct() | Constructor. | yii\base\Object |
| __get() | Returns the value of a component property. | yii\base\Component |
| __isset() | Checks if a property is set, i.e. defined and not null. | yii\base\Component |
| __set() | Sets the value of a component property. | yii\base\Component |
| __unset() | Sets a component property to be null. | yii\base\Component |
| attachBehavior() | Attaches a behavior to this component. | yii\base\Component |
| attachBehaviors() | Attaches a list of behaviors to the component. | yii\base\Component |
| behaviors() | Returns a list of behaviors that this component should behave as. | yii\base\Component |
| canGetProperty() | Returns a value indicating whether a property can be read. | yii\base\Component |
| canSetProperty() | Returns a value indicating whether a property can be set. | yii\base\Component |
| className() | Returns the fully qualified name of this class. | yii\base\Object |
| compareString() | Performs string comparison using timing attack resistant approach. | yii\base\Security |
| decryptByKey() | Verifies and decrypts data encrypted with encryptByPassword(). | yii\base\Security |
| decryptByPassword() | Verifies and decrypts data encrypted with encryptByPassword(). | yii\base\Security |
| detachBehavior() | Detaches a behavior from the component. | yii\base\Component |
| detachBehaviors() | Detaches all behaviors from the component. | yii\base\Component |
| encryptByKey() | Encrypts data using a cryptograhic key. | yii\base\Security |
| encryptByPassword() | Encrypts data using a password. | yii\base\Security |
| ensureBehaviors() | Makes sure that the behaviors declared in behaviors() are attached to this component. | yii\base\Component |
| generatePasswordHash() | Generates a secure hash from a password and a random salt. | yii\base\Security |
| generateRandomKey() | Generates specified number of random bytes. | yii\base\Security |
| generateRandomString() | Generates a random string of specified length. | yii\base\Security |
| getBehavior() | Returns the named behavior object. | yii\base\Component |
| getBehaviors() | Returns all behaviors attached to this component. | yii\base\Component |
| hasEventHandlers() | Returns a value indicating whether there is any handler attached to the named event. | yii\base\Component |
| hasMethod() | Returns a value indicating whether a method is defined. | yii\base\Component |
| hasProperty() | Returns a value indicating whether a property is defined for this component. | yii\base\Component |
| hashData() | Prefixes data with a keyed hash value so that it can later be detected if it is tampered. | yii\base\Security |
| hkdf() | Derives a key from the given input key using the standard HKDF algorithm. | yii\base\Security |
| init() | Initializes the object. | yii\base\Object |
| off() | Detaches an existing event handler from this component. | yii\base\Component |
| on() | Attaches an event handler to an event. | yii\base\Component |
| pbkdf2() | Derives a key from the given password using the standard PBKDF2 algorithm. | yii\base\Security |
| trigger() | Triggers an event. | yii\base\Component |
| validateData() | Validates if the given data is tampered. | yii\base\Security |
| validatePassword() | Verifies a password against a hash. | yii\base\Security |
Protected Methods
| Method | Description | Defined By |
|---|---|---|
| decrypt() | Decrypts data. | yii\base\Security |
| encrypt() | Encrypts data. | yii\base\Security |
| generateSalt() | Generates a salt that can be used to generate a password hash. | yii\base\Security |
Property Details
Look-up table of block sizes and key sizes for each supported OpenSSL cipher.
In each element, the key is one of the ciphers supported by OpenSSL (@see openssl_get_cipher_methods()). The value is an array of two integers, the first is the cipher's block size in bytes and the second is the key size in bytes.
Warning: All OpenSSL ciphers that we recommend are in the default value, i.e. AES in CBC mode.
Note: Yii's encryption protocol uses the same size for cipher key, HMAC signature key and key derivation salt.
HKDF info value for derivation of message authentication key.
See also hkdf().
The cipher to use for encryption and decryption.
Derivation iterations count. Set as high as possible to hinder dictionary password attacks.
Hash algorithm for key derivation. Recommend sha256, sha384 or sha512.
See also \yii\base\hash_algos().
Hash algorithm for message authentication. Recommend sha256, sha384 or sha512.
See also \yii\base\hash_algos().
Strategy, which should be used to generate password hash. Available strategies:
- 'password_hash' - use of PHP
password_hash()function with PASSWORD_DEFAULT algorithm. This option is recommended, but it requires PHP version >= 5.5.0 - 'crypt' - use PHP
crypt()function.
Method Details
Performs string comparison using timing attack resistant approach.
See also http://codereview.stackexchange.com/questions/13512.
| boolean compareString( $expected, $actual ) | ||
| $expected | string | String to compare. |
| $actual | string | User-supplied string. |
| return | boolean | Whether strings are equal. |
|---|---|---|
Decrypts data.
See also encrypt().
| bool|string decrypt( $data, $passwordBased, $secret, $info ) | ||
| $data | string | Encrypted data to be decrypted. |
| $passwordBased | boolean | Set true to use password-based key derivation |
| $secret | string | The decryption password or key |
| $info | string | Context/application specific information, @see encrypt() |
| return | bool|string | The decrypted data or false on authentication failure |
|---|---|---|
| throws | yii\base\InvalidConfigException | on OpenSSL not loaded |
| throws | yii\base\Exception | on OpenSSL error |
Verifies and decrypts data encrypted with encryptByPassword().
See also encryptByKey().
| bool|string decryptByKey( $data, $inputKey, $info = null ) | ||
| $data | string | The encrypted data to decrypt |
| $inputKey | string | The input to use for encryption and authentication |
| $info | string | Optional context and application specific information, see hkdf() |
| return | bool|string | The decrypted data or false on authentication failure |
|---|---|---|
Verifies and decrypts data encrypted with encryptByPassword().
See also encryptByPassword().
| bool|string decryptByPassword( $data, $password ) | ||
| $data | string | The encrypted data to decrypt |
| $password | string | The password to use for decryption |
| return | bool|string | The decrypted data or false on authentication failure |
|---|---|---|
Encrypts data.
See also decrypt().
| string encrypt( $data, $passwordBased, $secret, $info ) | ||
| $data | string | Data to be encrypted |
| $passwordBased | boolean | Set true to use password-based key derivation |
| $secret | string | The encryption password or key |
| $info | string | Context/application specific information, e.g. a user ID See RFC 5869 Section 3.2 for more details. |
| return | string | The encrypted data |
|---|---|---|
| throws | yii\base\InvalidConfigException | on OpenSSL not loaded |
| throws | yii\base\Exception | on OpenSSL error |
Encrypts data using a cryptograhic key.
Derives keys for encryption and authentication from the input key using HKDF and a random salt, which is very fast relative to encryptByPassword(). The input key must be properly random -- use generateRandomKey() to generate keys. The encrypted data includes a keyed message authentication code (MAC) so there is no need to hash input or output data.
See also:
| string encryptByKey( $data, $inputKey, $info = null ) | ||
| $data | string | The data to encrypt |
| $inputKey | string | The input to use for encryption and authentication |
| $info | string | Optional context and application specific information, see hkdf() |
| return | string | The encrypted data |
|---|---|---|
Encrypts data using a password.
Derives keys for encryption and authentication from the password using PBKDF2 and a random salt, which is deliberately slow to protect against dictionary attacks. Use encryptByKey() to encrypt fast using a cryptographic key rather than a password. Key derivation time is determined by $derivationIterations, which should be set as high as possible. The encrypted data includes a keyed message authentication code (MAC) so there is no need to hash input or output data. > Note: Avoid encrypting with passwords wherever possible. Nothing can protect against poor-quality or compromised passwords.
See also:
| string encryptByPassword( $data, $password ) | ||
| $data | string | The data to encrypt |
| $password | string | The password to use for encryption |
| return | string | The encrypted data |
|---|---|---|
Generates a secure hash from a password and a random salt.
The generated hash can be stored in database. Later when a password needs to be validated, the hash can be fetched and passed to validatePassword(). For example,
// generates the hash (usually done during user registration or when the password is changed)
$hash = Yii::$app->getSecurity()->generatePasswordHash($password);
// ...save $hash in database...
// during login, validate if the password entered is correct using $hash fetched from database
if (Yii::$app->getSecurity()->validatePassword($password, $hash) {
// password is good
} else {
// password is bad
}
See also validatePassword().
| string generatePasswordHash( $password, $cost = 13 ) | ||
| $password | string | The password to be hashed. |
| $cost | integer | Cost parameter used by the Blowfish hash algorithm. The higher the value of cost, the longer it takes to generate the hash and to verify a password against it. Higher cost therefore slows down a brute-force attack. For best protection against brute-force attacks, set it to the highest value that is tolerable on production servers. The time taken to compute the hash doubles for every increment by one of $cost. |
| return | string | The password hash string. When $passwordHashStrategy is set to 'crypt', the output is always 60 ASCII characters, when set to 'password_hash' the output length might increase in future versions of PHP (http://php.net/manual/en/function.password-hash.php) |
|---|---|---|
| throws | yii\base\Exception | on bad password parameter or cost parameter. |
| throws | yii\base\InvalidConfigException | when an unsupported password hash strategy is configured. |
Generates specified number of random bytes.
Note that output may not be ASCII.
See also generateRandomString() if you need a string.
| string generateRandomKey( $length = 32 ) | ||
| $length | integer | The number of bytes to generate |
| return | string | The generated random bytes |
|---|---|---|
| throws | yii\base\InvalidConfigException | if OpenSSL extension is required (e.g. on Windows) but not installed. |
| throws | yii\base\Exception | on failure. |
Generates a random string of specified length.
The string generated matches [A-Za-z0-9_-]+ and is transparent to URL-encoding.
| string generateRandomString( $length = 32 ) | ||
| $length | integer | The length of the key in characters |
| return | string | The generated random key |
|---|---|---|
| throws | yii\base\InvalidConfigException | if OpenSSL extension is needed but not installed. |
| throws | yii\base\Exception | on failure. |
Generates a salt that can be used to generate a password hash.
The PHP crypt() built-in function requires, for the Blowfish hash algorithm, a salt string in a specific format: "$2a$", "$2x$" or "$2y$", a two digit cost parameter, "$", and 22 characters from the alphabet "./0-9A-Za-z".
| string generateSalt( $cost = 13 ) | ||
| $cost | integer | The cost parameter |
| return | string | The random salt value. |
|---|---|---|
| throws | yii\base\InvalidParamException | if the cost parameter is out of the range of 4 to 31. |
Prefixes data with a keyed hash value so that it can later be detected if it is tampered.
There is no need to hash inputs or outputs of encryptByKey() or encryptByPassword() as those methods perform the task.
See also:
| string hashData( $data, $key, $rawHash = false ) | ||
| $data | string | The data to be protected |
| $key | string | The secret key to be used for generating hash. Should be a secure cryptographic key. |
| $rawHash | boolean | Whether the generated hash value is in raw binary format. If false, lowercase hex digits will be generated. |
| return | string | The data prefixed with the keyed hash |
|---|---|---|
| throws | yii\base\InvalidConfigException | when HMAC generation fails. |
Derives a key from the given input key using the standard HKDF algorithm.
Implements HKDF specified in RFC 5869. Recommend use one of the SHA-2 hash algorithms: sha224, sha256, sha384 or sha512.
| string hkdf( $algo, $inputKey, $salt = null, $info = null, $length = 0 ) | ||
| $algo | string | A hash algorithm supported by |
| $inputKey | string | The source key |
| $salt | string | The random salt |
| $info | string | Optional info to bind the derived key material to application- and context-specific information, e.g. a user ID or API version, see RFC 5869 |
| $length | integer | Length of the output key in bytes. If 0, the output key is the length of the hash algorithm output. |
| return | string | The derived key |
|---|---|---|
| throws | yii\base\InvalidParamException | when HMAC generation fails. |
Derives a key from the given password using the standard PBKDF2 algorithm.
Implements HKDF2 specified in RFC 2898 Recommend use one of the SHA-2 hash algorithms: sha224, sha256, sha384 or sha512.
| string pbkdf2( $algo, $password, $salt, $iterations, $length = 0 ) | ||
| $algo | string | A hash algorithm supported by |
| $password | string | The source password |
| $salt | string | The random salt |
| $iterations | integer | The number of iterations of the hash algorithm. Set as high as possible to hinder dictionary password attacks. |
| $length | integer | Length of the output key in bytes. If 0, the output key is the length of the hash algorithm output. |
| return | string | The derived key |
|---|---|---|
| throws | yii\base\InvalidParamException | when hash generation fails due to invalid params given. |
Validates if the given data is tampered.
See also hashData().
| string validateData( $data, $key, $rawHash = false ) | ||
| $data | string | The data to be validated. The data must be previously generated by hashData(). |
| $key | string | The secret key that was previously used to generate the hash for the data in hashData(). function to see the supported hashing algorithms on your system. This must be the same as the value passed to hashData() when generating the hash for the data. |
| $rawHash | boolean | This should take the same value as when you generate the data using hashData(). It indicates whether the hash value in the data is in binary format. If false, it means the hash value consists of lowercase hex digits only. hex digits will be generated. |
| return | string | The real data with the hash stripped off. False if the data is tampered. |
|---|---|---|
| throws | yii\base\InvalidConfigException | when HMAC generation fails. |
Verifies a password against a hash.
See also generatePasswordHash().
| boolean validatePassword( $password, $hash ) | ||
| $password | string | The password to verify. |
| $hash | string | The hash to verify the password against. |
| return | boolean | Whether the password is correct. |
|---|---|---|
| throws | yii\base\InvalidParamException | on bad password/hash parameters or if crypt() with Blowfish hash is not available. |
| throws | yii\base\InvalidConfigException | when an unsupported password hash strategy is configured. |