Property | Type | Description | |
---|---|---|---|
$allowedCiphers | Look-up table of block sizes and key sizes for each supported OpenSSL cipher. In each element, the key is one of the ciphers supported by OpenSSL (see openssl_get_cipher_methods()). The value is an array of two integers: the first is the cipher's block size in bytes and the second is the key size in bytes. Warning: All OpenSSL ciphers that we recommend are in the default value, i.e. AES in CBC mode. Note: Yii's encryption protocol uses the same size for cipher key, HMAC signature key and key derivation salt. | ||
$authKeyInfo | HKDF info value for derivation of message authentication key. | ||
$cipher | The cipher to use for encryption and decryption. | ||
$derivationIterations | Derivation iterations count. Set as high as possible to hinder dictionary password attacks. | ||
$kdfHash | Hash algorithm for key derivation. Recommend sha256, sha384 or sha512. | ||
$macHash | Hash algorithm for message authentication. Recommend sha256, sha384 or sha512. | ||
$passwordHashCost | Default cost used for password hashing. Allowed value is between 4 and 31. | ||
$passwordHashStrategy | Strategy used to generate the password hash. Available strategies: 'password_hash' uses the PHP password_hash() function with the PASSWORD_DEFAULT algorithm; this option is recommended, but it requires PHP version >= 5.5.0. 'crypt' uses the PHP crypt() function. |
Method | Description | |
---|---|---|
compareString ( string $expected, string $actual ) : boolean | Performs string comparison using timing attack resistant approach. | |
decryptByKey ( string $data, string $inputKey, string $info = null ) : boolean | string | Verifies and decrypts data encrypted with Security::encryptByKey. | |
decryptByPassword ( string $data, string $password ) : boolean | string | Verifies and decrypts data encrypted with Security::encryptByPassword. | |
encryptByKey ( string $data, string $inputKey, string $info = null ) : string | Encrypts data using a cryptographic key. | |
encryptByPassword ( string $data, string $password ) : string | Encrypts data using a password. | |
generatePasswordHash ( string $password, integer $cost = null ) : string | Generates a secure hash from a password and a random salt. | |
generateRandomKey ( integer $length = 32 ) : string | Generates specified number of random bytes. | |
generateRandomString ( integer $length = 32 ) : string | Generates a random string of specified length. | |
hashData ( string $data, string $key, boolean $rawHash = false ) : string | Prefixes data with a keyed hash value so that it can later be detected if it is tampered. | |
hkdf ( string $algo, string $inputKey, string $salt = null, string $info = null, integer $length ) : string | Derives a key from the given input key using the standard HKDF algorithm. | |
pbkdf2 ( string $algo, string $password, string $salt, integer $iterations, integer $length ) : string | Derives a key from the given password using the standard PBKDF2 algorithm. | |
validateData ( string $data, string $key, boolean $rawHash = false ) : string | Validates if the given data is tampered. | |
validatePassword ( string $password, string $hash ) : boolean | Verifies a password against a hash. |
Method | Description | |
---|---|---|
decrypt ( string $data, boolean $passwordBased, string $secret, string $info ) : boolean | string | Decrypts data. | |
encrypt ( string $data, boolean $passwordBased, string $secret, string $info ) : string | Encrypts data. | |
generateSalt ( integer $cost = 13 ) : string | Generates a salt that can be used to generate a password hash. |
protected decrypt ( string $data, boolean $passwordBased, string $secret, string $info ) : boolean | string | ||
$data | string | encrypted data to be decrypted. |
$passwordBased | boolean | set true to use password-based key derivation |
$secret | string | the decryption password or key |
$info | string | context/application specific information, @see encrypt() |
Returns | boolean | string | the decrypted data or false on authentication failure |
public decryptByKey ( string $data, string $inputKey, string $info = null ) : boolean | string | ||
$data | string | the encrypted data to decrypt |
$inputKey | string | the input to use for encryption and authentication |
$info | string | optional context and application specific information, see [[hkdf()]] |
Returns | boolean | string | the decrypted data or false on authentication failure |
protected encrypt ( string $data, boolean $passwordBased, string $secret, string $info ) : string | ||
$data | string | data to be encrypted |
$passwordBased | boolean | set true to use password-based key derivation |
$secret | string | the encryption password or key |
$info | string | context/application specific information, e.g. a user ID. See [RFC 5869 Section 3.2](https://tools.ietf.org/html/rfc5869#section-3.2) for more details. |
Returns | string | the encrypted data |
public encryptByKey ( string $data, string $inputKey, string $info = null ) : string | ||
$data | string | the data to encrypt |
$inputKey | string | the input to use for encryption and authentication |
$info | string | optional context and application specific information, see [[hkdf()]] |
Returns | string | the encrypted data |
public generatePasswordHash ( string $password, integer $cost = null ) : string | ||
$password | string | The password to be hashed. |
$cost | integer | Cost parameter used by the Blowfish hash algorithm. The higher the value of cost, the longer it takes to generate the hash and to verify a password against it. Higher cost therefore slows down a brute-force attack. For best protection against brute-force attacks, set it to the highest value that is tolerable on production servers. The time taken to compute the hash doubles for every increment by one of $cost. |
Returns | string | The password hash string. When [[passwordHashStrategy]] is set to 'crypt', the output is always 60 ASCII characters; when set to 'password_hash', the output length might increase in future versions of PHP (http://php.net/manual/en/function.password-hash.php). |
public generateRandomKey ( integer $length = 32 ) : string | ||
$length | integer | the number of bytes to generate |
Returns | string | the generated random bytes |
public generateRandomString ( integer $length = 32 ) : string | ||
$length | integer | the length of the key in characters |
Returns | string | the generated random key |
protected generateSalt ( integer $cost = 13 ) : string | ||
$cost | integer | the cost parameter |
Returns | string | the random salt value. |
public hashData ( string $data, string $key, boolean $rawHash = false ) : string | ||
$data | string | the data to be protected |
$key | string | the secret key to be used for generating hash. Should be a secure cryptographic key. |
$rawHash | boolean | whether the generated hash value is in raw binary format. If false, lowercase hex digits will be generated. |
Returns | string | the data prefixed with the keyed hash |
public hkdf ( string $algo, string $inputKey, string $salt = null, string $info = null, integer $length ) : string | ||
$algo | string | a hash algorithm supported by `hash_hmac()`, e.g. 'SHA-256' |
$inputKey | string | the source key |
$salt | string | the random salt |
$info | string | optional info to bind the derived key material to application- and context-specific information, e.g. a user ID or API version, see [RFC 5869](https://tools.ietf.org/html/rfc5869) |
$length | integer | length of the output key in bytes. If 0, the output key is the length of the hash algorithm output. |
Returns | string | the derived key |
public pbkdf2 ( string $algo, string $password, string $salt, integer $iterations, integer $length ) : string | ||
$algo | string | a hash algorithm supported by `hash_hmac()`, e.g. 'SHA-256' |
$password | string | the source password |
$salt | string | the random salt |
$iterations | integer | the number of iterations of the hash algorithm. Set as high as possible to hinder dictionary password attacks. |
$length | integer | length of the output key in bytes. If 0, the output key is the length of the hash algorithm output. |
Returns | string | the derived key |
public validateData ( string $data, string $key, boolean $rawHash = false ) : string | ||
$data | string | the data to be validated. The data must be previously generated by [[hashData()]]. |
$key | string | the secret key that was previously used to generate the hash for the data in [[hashData()]]. This must be the same as the value passed to [[hashData()]] when generating the hash for the data. |
$rawHash | boolean | this should take the same value as when you generate the data using [[hashData()]]. It indicates whether the hash value in the data is in binary format. If false, it means the hash value consists of lowercase hex digits only. |
Returns | string | the real data with the hash stripped off. False if the data is tampered. |
public $allowedCiphers |
public $authKeyInfo |
public $derivationIterations |
public $kdfHash |
public $macHash |
public $passwordHashCost |
public $passwordHashStrategy |
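
The keyed-hash prefix scheme documented above for hashData() and validateData(), as an added standalone PHP 7.1+ illustration that is not Yii's own code. The function names signData() and verifyData(), the MAC_HASH constant and the sample payload are assumptions made for this example; it shows why the $rawHash flag must match on both sides and why the result has to be compared with `=== false`.

```php
<?php
// Added illustration, not Yii's source code. signData()/verifyData() are
// hypothetical stand-ins for the scheme documented for hashData()/validateData().
const MAC_HASH = 'sha256'; // one of the values recommended for $macHash

function signData(string $data, string $key, bool $rawHash = false): string
{
    // Prefix the payload with HMAC(key, data): hex digits unless $rawHash is true.
    return hash_hmac(MAC_HASH, $data, $key, $rawHash) . $data;
}

/** @return string|false the payload with the MAC stripped, or false if tampered */
function verifyData(string $signed, string $key, bool $rawHash = false)
{
    // The MAC length depends on the encoding, so $rawHash must match signing.
    $macLen = strlen(hash_hmac(MAC_HASH, '', '', $rawHash));
    if (strlen($signed) < $macLen) {
        return false; // too short to contain a MAC
    }
    $mac = substr($signed, 0, $macLen);
    $data = (string) substr($signed, $macLen);
    $expected = hash_hmac(MAC_HASH, $data, $key, $rawHash);
    // hash_equals() compares in constant time, the role compareString() plays.
    return hash_equals($expected, $mac) ? $data : false;
}

// Constructed sample input: a key and a cookie-style payload.
$key = random_bytes(32);
$signed = signData('uid=42;role=user', $key);
$forged = substr($signed, 0, -4) . 'root'; // payload edited, old MAC kept

$cases = [ // label => [actual, expected]
    'untampered'       => [verifyData($signed, $key), 'uid=42;role=user'],
    'payload edited'   => [verifyData($forged, $key), false],
    'wrong key'        => [verifyData($signed, random_bytes(32)), false],
    'rawHash mismatch' => [verifyData($signed, $key, true), false],
    'truncated input'  => [verifyData(substr($signed, 0, 10), $key), false],
    // An empty payload verifies to '' (falsy), so callers must test === false.
    'empty payload'    => [verifyData(signData('', $key), $key), ''],
];
foreach ($cases as $label => [$actual, $expected]) {
    printf("%-17s %s\n", $label, $actual === $expected ? 'ok' : 'MISMATCH');
}
```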