Get support for yiisoft/security
yiisoft/security
Security package provides a set of classes to handle common security-related tasks:
- Random values generation
- Password hashing and validation
- Encryption and decryption
- Data tampering prevention
- Masking token length
Requirements
- PHP 8.0 or higher.
- hash PHP extension.
- openssl PHP extension.
- random PHP extension.
Installation
The package can be installed with Composer:
composer require yiisoft/security
General usage
Random values generation
In order to generate a string that is 42 characters long use:
use Yiisoft\Security\Random;

$randomString = Random::string(42);
The following extras are available via PHP directly:
- random_bytes() for bytes. Note that the output may not be ASCII.
- random_int() for integers.
Password hashing and validation
Working with passwords involves two steps. First, hash the password and save only the hash:
use Yiisoft\Security\PasswordHasher;

$hash = (new PasswordHasher())->hash($password);
// save hash to database or another storage
saveHash($hash);
Validating password against the hash:
// obtain hash from database or another storage
$hash = getHash();
$result = (new PasswordHasher())->validate($password, $hash);
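As an added example (not code from the yiisoft/security README), here is a small registration and login flow built on PasswordHasher. The UserStore class and its in-memory array are constructed for this example. The one point it shows beyond the snippets above is validating against a dummy hash when the username is unknown, so that a failed login takes about the same time whether or not the account exists and the response time does not reveal which usernames are registered.

```php
<?php
// Added example (not part of the yiisoft/security README): registration and
// login flow around PasswordHasher, with storage constructed in memory.
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use Yiisoft\Security\PasswordHasher;

final class UserStore
{
    /** @var array<string, string> username => password hash (constructed stand-in for a database) */
    private array $hashes = [];

    // Hash of a throwaway password, validated against when the user does not
    // exist so that a failed login costs the same time either way.
    private string $dummyHash;

    public function __construct(private PasswordHasher $hasher)
    {
        $this->dummyHash = $hasher->hash(bin2hex(random_bytes(16)));
    }

    public function register(string $username, string $password): void
    {
        // Only the hash is stored; the plaintext password is never persisted.
        $this->hashes[$username] = $this->hasher->hash($password);
    }

    public function login(string $username, string $password): bool
    {
        $hash = $this->hashes[$username] ?? $this->dummyHash;
        $valid = $this->hasher->validate($password, $hash);
        // A match against the dummy hash must never count as a login.
        return $valid && isset($this->hashes[$username]);
    }
}

$store = new UserStore(new PasswordHasher());
$store->register('alice', 'correct horse battery staple');

var_dump($store->login('alice', 'correct horse battery staple')); // right password
var_dump($store->login('alice', 'wrong password'));               // wrong password
var_dump($store->login('nobody', 'anything'));                    // unknown user
```

The dummy hash is created with the same PasswordHasher settings as real hashes, so the work factor, and therefore the timing, is the same on both code paths.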
Encryption and decryption by password
Encrypting data:
use Yiisoft\Security\Crypt;

$encryptedData = (new Crypt())->encryptByPassword($data, $password);
// save data to database or another storage
saveData($encryptedData);
Decrypting it:
// obtain encrypted data from database or another storage
$encryptedData = getEncryptedData();
$data = (new Crypt())->decryptByPassword($encryptedData, $password);
Encryption and decryption by key
Encrypting data:
$encryptedData = (new Crypt())->encryptByKey($data, $key);
// save data to database or another storage
saveData($encryptedData);
Decrypting it:
// obtain encrypted data from database or another storage
$encryptedData = getEncryptedData();
$data = (new Crypt())->decryptByKey($encryptedData, $key);
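An added example (not the package's own code) covering both the by-password and by-key sections above: it generates a random key, shows that the same plaintext never encrypts to the same ciphertext twice, and checks that a modified ciphertext or a wrong key is rejected rather than silently decrypted. The README does not name the exception class Crypt throws on a failed decryption, so the example catches \Exception; APP_ENCRYPTION_KEY is a hypothetical variable name.

```php
<?php
// Added example (not part of the yiisoft/security README): key handling and
// tamper detection around Crypt::encryptByKey() / decryptByKey().
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use Yiisoft\Security\Crypt;

// A key is generated once and stored outside the code base, e.g. base64_encode($key)
// in the APP_ENCRYPTION_KEY environment variable (hypothetical name), decoded back
// with base64_decode(..., true). It is random, not derived from a human password.
$key = random_bytes(32);

$crypt = new Crypt();

// Constructed sample record.
$plaintext = json_encode(['user_id' => 42, 'scope' => 'billing']);

// Each call uses fresh random material, so the same plaintext produces a
// different ciphertext every time; never compare ciphertexts to each other.
$ciphertext1 = $crypt->encryptByKey($plaintext, $key);
$ciphertext2 = $crypt->encryptByKey($plaintext, $key);
var_dump($ciphertext1 !== $ciphertext2);

// Round trip with the right key.
var_dump($crypt->decryptByKey($ciphertext1, $key) === $plaintext);

// Flip one bit of the ciphertext: the library authenticates the data before
// decrypting it, so this must fail closed instead of returning garbage.
$tampered = $ciphertext1;
$last = strlen($tampered) - 1;
$tampered[$last] = chr(ord($tampered[$last]) ^ 0x01);
try {
    $crypt->decryptByKey($tampered, $key);
    echo "unexpected: tampered ciphertext decrypted\n";
} catch (\Exception $e) {
    echo "tampering detected: ", get_class($e), "\n";
}

// A different key must be rejected the same way.
try {
    $crypt->decryptByKey($ciphertext1, random_bytes(32));
    echo "unexpected: wrong key decrypted\n";
} catch (\Exception $e) {
    echo "wrong key rejected: ", get_class($e), "\n";
}
```

encryptByPassword() and decryptByPassword() follow the same pattern but derive the key from the password on every call, so they are slower and only as strong as the password; prefer the by-key variants with a random key wherever the application, not a person, holds the secret.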
Data tampering prevention
Message authentication codes (MAC) can be used to detect data tampering. The same $key must be present on both the sending and receiving sides. At the sending side:
use Yiisoft\Security\Mac;

$signedMessage = (new Mac())->sign($message, $key);
sendMessage($signedMessage);
At the receiving side:
$signedMessage = receiveMessage();
try {
$message = (new Mac())->getMessage($signedMessage, $key);
} catch (\Yiisoft\Security\DataIsTamperedException $e) {
// data is tampered
}
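An added example (not from the README) applying the MAC flow above to an expiring e-mail-verification token. The ActionToken class, its JSON payload layout and the URL-safe base64 wrapping are this example's own choices; only Mac::sign(), Mac::getMessage() and DataIsTamperedException come from the package.

```php
<?php
// Added example (not part of the yiisoft/security README): an expiring,
// MAC-signed action token such as the one placed in a verification link.
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use Yiisoft\Security\DataIsTamperedException;
use Yiisoft\Security\Mac;

final class ActionToken
{
    private Mac $mac;

    public function __construct(private string $key)
    {
        $this->mac = new Mac();
    }

    // Everything the receiver relies on (user id, purpose, expiry) is inside the
    // signed message, so none of it can be changed without breaking the MAC.
    public function issue(int $userId, string $purpose, int $ttlSeconds, ?int $now = null): string
    {
        $payload = json_encode([
            'uid' => $userId,
            'purpose' => $purpose,
            'exp' => ($now ?? time()) + $ttlSeconds,
        ], JSON_THROW_ON_ERROR);
        // The signed string is not URL-safe as-is; wrap it for use in a link.
        return rtrim(strtr(base64_encode($this->mac->sign($payload, $this->key)), '+/', '-_'), '=');
    }

    /** @return array{uid:int,purpose:string}|null null when malformed, tampered, wrong purpose or expired */
    public function verify(string $token, string $expectedPurpose, ?int $now = null): ?array
    {
        $signed = base64_decode(strtr($token, '-_', '+/'), true);
        if ($signed === false) {
            return null;
        }
        try {
            $payload = $this->mac->getMessage($signed, $this->key);
        } catch (DataIsTamperedException $e) {
            return null;
        }
        // Only after the MAC has verified is the payload trusted enough to parse.
        $data = json_decode($payload, true, 512, JSON_THROW_ON_ERROR);
        if ($data['purpose'] !== $expectedPurpose || $data['exp'] < ($now ?? time())) {
            return null;
        }
        return ['uid' => $data['uid'], 'purpose' => $data['purpose']];
    }
}

$key = random_bytes(32); // in production: a stored secret shared by issuer and verifier
$tokens = new ActionToken($key);

$t = $tokens->issue(42, 'verify-email', 3600, 1_700_000_000);
var_dump($tokens->verify($t, 'verify-email', 1_700_000_100));   // valid
var_dump($tokens->verify($t, 'reset-password', 1_700_000_100)); // wrong purpose
var_dump($tokens->verify($t, 'verify-email', 1_700_003_601));   // expired

// Alter one character inside the MAC part of the token.
$tampered = substr_replace($t, $t[10] === 'A' ? 'B' : 'A', 10, 1);
var_dump($tokens->verify($tampered, 'verify-email', 1_700_000_100)); // tampered
```

Because the purpose and expiry are inside the signed payload, a token issued for one action cannot be replayed for another, and the receiver never reads a field before Mac::getMessage() has verified it.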
Masking token length
Masking a token helps to mitigate the BREACH attack by randomizing how the token is output on each request. A random mask is applied to the token, so the string is different on every response while still unmasking to the same value.
In order to mask a token:
$maskedToken = \Yiisoft\Security\TokenMask::apply($token);
In order to get original value from the masked one:
$token = \Yiisoft\Security\TokenMask::remove($maskedToken);
Native PHP functionality
In addition to this library's methods, PHP itself provides some handy native functions.
Timing attack resistant string comparison
Comparing strings with the usual operators is not secure when dealing with user-supplied passwords or key phrases. A usual string comparison returns as soon as a difference between the strings is found, so an attacker could brute-force the value character by character, moving on to the next position as soon as the response time increases.
PHP has a dedicated function that compares strings in constant time (the known value goes first, the user-supplied value second):
hash_equals($expected, $actual);
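An added example (not from the README) tying together Random::string(), TokenMask and hash_equals(): a per-session CSRF token that is masked differently on every form render and verified in constant time on submission. The CsrfToken class and its array stand-in for the session are constructed for the example.

```php
<?php
// Added example (not part of the yiisoft/security README): a per-session CSRF
// token that is masked on every render and verified with hash_equals().
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use Yiisoft\Security\Random;
use Yiisoft\Security\TokenMask;

final class CsrfToken
{
    /** @var array<string, string> constructed stand-in for session storage */
    private array $session = [];

    // The secret token is created once per session and never sent as-is.
    public function secret(): string
    {
        return $this->session['csrf'] ??= Random::string(32);
    }

    // Each form render gets a freshly masked copy, so the bytes on the page
    // differ on every response even though the underlying secret is stable.
    public function forForm(): string
    {
        return TokenMask::apply($this->secret());
    }

    public function isValid(?string $submitted): bool
    {
        if ($submitted === null || $submitted === '') {
            return false;
        }
        $unmasked = TokenMask::remove($submitted);
        // Constant-time comparison: an early-exit === would leak how many
        // leading characters of the secret the attacker has guessed so far.
        return hash_equals($this->secret(), $unmasked);
    }
}

$csrf = new CsrfToken();
$a = $csrf->forForm();
$b = $csrf->forForm();
var_dump($a !== $b);                              // two renders, two different strings
var_dump($csrf->isValid($a) && $csrf->isValid($b)); // both unmask to the same secret
var_dump($csrf->isValid(TokenMask::apply(Random::string(32)))); // forged token
var_dump($csrf->isValid(null));                   // missing token
```

Note that hash_equals() takes the known secret as its first argument and the user-supplied value as its second; only the second argument's length can be leaked by the comparison.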
Documentation
If you need help or have a question, the Yii Forum is a good place for that. You may also check out other Yii Community Resources.
License
The Yii Security is free software. It is released under the terms of the BSD License.
Please see LICENSE for more information.
Maintained by Yii Software.