The Security package provides a set of classes to handle common security-related tasks:
- Random value generation
- Password hashing and validation
- Encryption and decryption
- Data tampering prevention (MAC signing)
- Token masking (constant-length randomization that mitigates BREACH)
- PHP 8.0 or higher.
- `hash` PHP extension.
- `openssl` PHP extension.
- `random` PHP extension.
composer require yiisoft/security
To generate a random string that is 42 characters long:
use Yiisoft\Security\Random;
$randomString = Random::string(42);
The following are available in PHP directly:
- `random_bytes()` for bytes. Note that the output is binary and may not be printable ASCII.
- `random_int()` for integers.
Working with passwords involves two steps. Storing a password hash:
use Yiisoft\Security\PasswordHasher;
$hash = (new PasswordHasher())->hash($password);
// save the hash (never the password itself) to a database or other storage
saveHash($hash);
Validating a password against the stored hash:
// obtain the hash from a database or other storage
$hash = getHash();
// true when the password matches the hash, false otherwise
$result = (new PasswordHasher())->validate($password, $hash);
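The two steps above put together as a small registration and login flow. This is an added example, not code from the package: `UserStore`, `check()` and the in-memory `$hashes` array are constructed for illustration, the `vendor/autoload.php` path assumes the script sits in a project where the package was installed with Composer, and the `needsRehash()` call assumes the installed `PasswordHasher` exposes that method (verify against your version). The dummy-hash trick keeps the cost of a login attempt the same whether or not the username exists, so timing does not reveal which accounts are real.

```php
<?php
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use Yiisoft\Security\PasswordHasher;

// Fails loudly instead of printing bools; example helper, not library code.
function check(bool $ok, string $what): void
{
    if (!$ok) { throw new RuntimeException("FAILED: $what"); }
    echo "ok: $what\n";
}

/**
 * In-memory user store standing in for a database table (username => hash).
 * Constructed for this example; not part of yiisoft/security.
 */
final class UserStore
{
    /** @var array<string, string> */
    private array $hashes = [];
    private string $dummyHash;

    public function __construct(private PasswordHasher $hasher)
    {
        // Hash of a throwaway value: a login attempt for an unknown user runs
        // validate() against this, so its timing matches a real account.
        $this->dummyHash = $hasher->hash(bin2hex(random_bytes(16)));
    }

    public function register(string $username, string $password): void
    {
        // Only the hash is stored. It carries its own random salt, so two
        // users with the same password still get different hashes.
        $this->hashes[$username] = $this->hasher->hash($password);
    }

    public function login(string $username, string $password): bool
    {
        $known = isset($this->hashes[$username]);
        $hash = $known ? $this->hashes[$username] : $this->dummyHash;

        // validate() always runs, even for unknown users (see constructor).
        if (!$this->hasher->validate($password, $hash) || !$known) {
            return false;
        }

        // Assumption: PasswordHasher::needsRehash(string $hash): bool exists in
        // the installed version. Re-hashing on a successful login upgrades hashes
        // that were made with older algorithm or cost parameters.
        if ($this->hasher->needsRehash($hash)) {
            $this->hashes[$username] = $this->hasher->hash($password);
        }
        return true;
    }
}

$store = new UserStore(new PasswordHasher());
$store->register('alice', 'correct horse battery staple');

check($store->login('alice', 'correct horse battery staple'), 'right password accepted');
check(!$store->login('alice', 'wrong password'), 'wrong password rejected');
check(!$store->login('nobody', 'anything'), 'unknown user rejected');

// Two hashes of the same password differ because each embeds a fresh salt,
// yet both validate. Never compare hashes to each other; always call validate().
$hasher = new PasswordHasher();
$first = $hasher->hash('secret');
$second = $hasher->hash('secret');
check($first !== $second, 'hashes of the same password are not equal');
check($hasher->validate('secret', $first) && $hasher->validate('secret', $second), 'both hashes validate');
```

Run it with `php` from the project root. The last two checks are the reason the hash, not the password, is what you persist and why a stored hash is never compared with `===`: the salt makes every hash unique, and only `validate()` knows how to interpret it.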
Encrypting data with a password:
use Yiisoft\Security\Crypt;
$encryptedData = (new Crypt())->encryptByPassword($data, $password);
// save data to database or another storage
saveData($encryptedData);
Decrypting it:
// obtain encrypted data from database or another storage
$encryptedData = getEncryptedData();
$data = (new Crypt())->decryptByPassword($encryptedData, $password);
Encrypting data with a key (a long random binary string, for example from `random_bytes(32)`, rather than something a person types):
$encryptedData = (new Crypt())->encryptByKey($data, $key);
// save data to database or another storage
saveData($encryptedData);
Decrypting it:
// obtain encrypted data from database or another storage
$encryptedData = getEncryptedData();
$data = (new Crypt())->decryptByKey($encryptedData, $key);
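Both variants above in one runnable script, with the failure cases a practitioner cares about: the wrong key, and a ciphertext that was modified in storage. This is an added example rather than package code: `check()`, `tryDecrypt()` and the sample `$record` are constructed here, the `vendor/autoload.php` path assumes a Composer-installed project, and the example assumes that the library signals an authentication failure on decryption by throwing `Yiisoft\Security\AuthenticationException` (check the class in your installed version).

```php
<?php
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use Yiisoft\Security\AuthenticationException;
use Yiisoft\Security\Crypt;

// Fails loudly instead of printing bools; example helper, not library code.
function check(bool $ok, string $what): void
{
    if (!$ok) { throw new RuntimeException("FAILED: $what"); }
    echo "ok: $what\n";
}

/**
 * Decrypts a key-encrypted blob, turning an authentication failure (wrong key,
 * or ciphertext modified in storage or transit) into null.
 * Assumption: the library throws Yiisoft\Security\AuthenticationException
 * in that case; verify against your installed version.
 */
function tryDecrypt(Crypt $crypt, string $blob, string $key): ?string
{
    try {
        return $crypt->decryptByKey($blob, $key);
    } catch (AuthenticationException $e) {
        return null;
    }
}

// Constructed sample record; not real data.
$record = json_encode(['user_id' => 42, 'api_secret' => 'constructed-sample-value']);
$crypt = new Crypt();

// Key-based encryption: the key is random bytes the application holds (env
// var, secrets file, KMS), not something derived from a human password.
$key = random_bytes(32);
$blob = $crypt->encryptByKey($record, $key);

// The ciphertext is binary; encode it before storing in a text column or JSON.
$stored = base64_encode($blob);
check(base64_decode($stored, true) === $blob, 'round trip through base64');
check(tryDecrypt($crypt, $blob, $key) === $record, 'decrypts with the right key');

// Wrong key: no plaintext, and no exception escapes to the caller.
check(tryDecrypt($crypt, $blob, random_bytes(32)) === null, 'wrong key rejected');

// A single flipped bit anywhere in the blob fails authentication, so the
// caller never receives silently corrupted plaintext.
$tampered = $blob;
$i = strlen($tampered) - 1;
$tampered[$i] = chr(ord($tampered[$i]) ^ 0x01);
check(tryDecrypt($crypt, $tampered, $key) === null, 'modified ciphertext rejected');

// Same key, same data, different output each time: fresh random material is
// drawn per call, so equal records are not recognisable as equal in storage.
check($crypt->encryptByKey($record, $key) !== $blob, 'encryption is randomised');

// Password-based encryption is for secrets a person typed; the library derives
// the key from the passphrase, and the round trip looks the same to the caller.
$passphrase = 'user chosen passphrase';
$pwBlob = $crypt->encryptByPassword($record, $passphrase);
check($crypt->decryptByPassword($pwBlob, $passphrase) === $record, 'password-based round trip');
```

The choice between the two entry points is about where the secret comes from: `encryptByKey()` for a key the application owns and can make as random as it likes, `encryptByPassword()` for a secret chosen by a human. Neither should be called with the same value in both roles.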
MAC signing can be used to detect data tampering. The same $key must be available on both the sending and the receiving side; anyone who holds it can also produce valid signatures, so it has to stay secret. At the sending side:
use Yiisoft\Security\Mac;
$signedMessage = (new Mac())->sign($message, $key);
sendMessage($signedMessage);
At the receiving side:
$signedMessage = receiveMessage();
try {
    $message = (new Mac())->getMessage($signedMessage, $key);
} catch (\Yiisoft\Security\DataIsTamperedException $e) {
    // the message or its signature was modified, or a different key was used
}
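The sending and receiving sides above, carried through for a signed cookie value so that both the honest path and the tampering path run. This is an added example, not package code: `issueCookie()`, `readCookie()`, `check()` and the base64 transport encoding are this example's choices, and the `vendor/autoload.php` path assumes a Composer-installed project. A MAC provides integrity and authenticity only; the message travels readable by anyone who sees the cookie.

```php
<?php
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use Yiisoft\Security\DataIsTamperedException;
use Yiisoft\Security\Mac;

// Fails loudly instead of printing bools; example helper, not library code.
function check(bool $ok, string $what): void
{
    if (!$ok) { throw new RuntimeException("FAILED: $what"); }
    echo "ok: $what\n";
}

/**
 * Sender side: sign a value and base64-encode it for a cookie or query string.
 * The base64 transport encoding is this example's choice, not part of Mac.
 */
function issueCookie(Mac $mac, string $key, string $value): string
{
    return base64_encode($mac->sign($value, $key));
}

/**
 * Receiver side: returns the original value, or null when the cookie is not
 * valid base64, was modified, or was signed with a different key.
 */
function readCookie(Mac $mac, string $key, string $cookie): ?string
{
    $signed = base64_decode($cookie, true);
    if ($signed === false) {
        return null;
    }
    try {
        return $mac->getMessage($signed, $key);
    } catch (DataIsTamperedException $e) {
        return null;
    }
}

// Shared secret known to both sides. Generate once, keep out of the code base;
// anyone holding it can forge signatures, so treat it like a password.
$key = random_bytes(32);
$mac = new Mac();

$cookie = issueCookie($mac, $key, 'user_id=42;role=user');
check(readCookie($mac, $key, $cookie) === 'user_id=42;role=user', 'genuine cookie accepted');

// The client can read the message (a MAC gives integrity, not secrecy) and may
// edit it; the signature then no longer matches the content.
$forged = base64_encode(str_replace('role=user', 'role=admin', base64_decode($cookie, true)));
check(readCookie($mac, $key, $forged) === null, 'edited cookie rejected');

// A receiver configured with a different key rejects everything signed here.
check(readCookie($mac, random_bytes(32), $cookie) === null, 'wrong key rejected');

// Malformed input is rejected before it reaches getMessage().
check(readCookie($mac, $key, '%%not-base64%%') === null, 'malformed cookie rejected');
```

`readCookie()` maps every failure to `null` on purpose: the caller treats "forged", "corrupted" and "wrong key" identically, which is what you want at a trust boundary. Log the exception if you need to distinguish them, but do not branch on it in the response.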
Masking a token helps to mitigate the BREACH attack, which recovers a secret from the sizes of compressed HTTPS responses by getting guesses reflected next to it. Applying a fresh random mask on every request changes the bytes of the token that appear in the response while keeping its length fixed, so the attacker's guesses never compress against a stable value.
In order to mask a token:
$maskedToken = \Yiisoft\Security\TokenMask::apply($token);
In order to get original value from the masked one:
$token = \Yiisoft\Security\TokenMask::remove($maskedToken);
In addition to this library's methods, there is a handy native PHP function.
Comparing strings with `==` or `===` is not safe when dealing with user-supplied passwords or key phrases. The usual comparison returns as soon as the first differing byte is found, so an attacker can brute-force the value byte by byte, moving to the next position as soon as the response time increases.
PHP provides a function whose running time depends only on the length of the known string, not on where the two strings differ. Pass the known (server-side) value as the first argument; the length of that value is still observable, so compare fixed-length secrets:
hash_equals($expected, $actual);
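Token masking and `hash_equals()` together, as they would be used for a CSRF token that is rendered into forms and checked on submit. This is an added example and not package code: `formToken()`, `verifyFormToken()` and `check()` are constructed here, the session is stood in for by a plain variable, and the `vendor/autoload.php` path assumes a Composer-installed project.

```php
<?php
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use Yiisoft\Security\Random;
use Yiisoft\Security\TokenMask;

// Fails loudly instead of printing bools; example helper, not library code.
function check(bool $ok, string $what): void
{
    if (!$ok) { throw new RuntimeException("FAILED: $what"); }
    echo "ok: $what\n";
}

// Per-session CSRF token, generated once. A plain variable stands in for the
// session store in this example.
$sessionToken = Random::string(32);

/** Called on every form render: the masked value differs per response. */
function formToken(string $sessionToken): string
{
    return TokenMask::apply($sessionToken);
}

/**
 * Called on submit: unmask, then compare with hash_equals(), known value
 * first. The unmasked value is what is compared, never the masked string.
 */
function verifyFormToken(string $sessionToken, string $submitted): bool
{
    return hash_equals($sessionToken, TokenMask::remove($submitted));
}

$first = formToken($sessionToken);
$second = formToken($sessionToken);

// Two renders of the same form show different strings of the same length,
// which is the property that defeats BREACH.
check($first !== $second, 'two renders carry different masked strings');
check(strlen($first) === strlen($second), 'masked length does not depend on the mask');

// Both still verify against the one token kept in the session.
check(verifyFormToken($sessionToken, $first), 'first masked token verifies');
check(verifyFormToken($sessionToken, $second), 'second masked token verifies');

// A token masked from another session's secret unmasks to a different value.
$foreign = formToken(Random::string(32));
check(!verifyFormToken($sessionToken, $foreign), 'token from another session rejected');

// The comparison that would be wrong here: == short-circuits at the first
// differing byte, which is the timing leak hash_equals() exists to close.
check((TokenMask::remove($first) == $sessionToken) === verifyFormToken($sessionToken, $first),
    'same verdict as a naive comparison, without its timing behaviour');
```

Note that the masked string is what the browser sees and submits; the server never stores it. If you persist anything, persist the unmasked token, and always compare through `hash_equals()` with the stored value first.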
The package is tested with PHPUnit. To run tests:
./vendor/bin/phpunit
The package tests are checked with Infection mutation framework. To run it:
./vendor/bin/infection
The code is statically analyzed with Psalm. To run static analysis:
./vendor/bin/psalm
Yii Security is free software. It is released under the terms of the BSD License.
Please see LICENSE for more information.
Maintained by Yii Software.