Those things about encryption and decryption in yii2
- 2021-10-15 09:56:20
- OfStack
Preface
Yii provides convenient helper functions for encrypting and decrypting data with a secret key. Data passed through the encryption function can only be decrypted by someone who holds that key. For example, we may need to store some information in our database while ensuring that only holders of the key can read it, even if the application's database is compromised.
As we all know, encryption and decryption is an unavoidable topic in programming. When developing applications with yii2, what built-in support for encryption and decryption (security) is available? This article lays it out.
Related environment
Operating system and IDE: macOS 10.13.1 & PhpStorm 2018.1.2
Software versions: PHP 7.1.8, Yii 2.0.14
In yii2, the library that handles encryption and decryption is called Security. It exists as a yii2 component, so you obtain and use it through Yii::$app->security.
The source code location of the Security component is as follows
vendor/yiisoft/yii2/base/Security.php
The Security component has 15 methods related to encryption, decryption and encoding. Let's list them first:
- encryptByPassword
- encryptByKey
- decryptByPassword
- decryptByKey
- hkdf
- pbkdf2
- hashData
- validateData
- generateRandomKey
- generateRandomString
- generatePasswordHash
- validatePassword
- compareString
- maskToken
- unmaskToken
I think there are some you haven't seen before. It doesn't matter; let's get to know them.
generateRandomString
The reason I start with generateRandomString is that it is the most commonly used, at least by me.
```php
public function generateRandomString($length = 32){...}
```
Generates a random string; the parameter $length is the length of the string and defaults to 32 characters. It is worth noting that the characters of this string are drawn from the range [A-Za-z0-9_-].
generatePasswordHash & validatePassword
generatePasswordHash & validatePassword are often used to hash user passwords and to verify whether a submitted password is correct. Since MD5 is vulnerable to collisions, generatePasswordHash, which is built on PHP's crypt function, becomes the first choice for password hashing when developing applications with yii2.
The general usage is as follows:
```php
// Use generatePasswordHash to hash the user's password; store $hash in the database
$hash = Yii::$app->getSecurity()->generatePasswordHash($password);
// Use validatePassword to verify a submitted password against the stored hash
if(Yii::$app->getSecurity()->validatePassword($password, $hash)){
    // Correct password
}else{
    // Wrong password
}
```
generateRandomKey
Similar to generateRandomString, it generates a random value; the parameter is the length and the default is 32 bytes. The difference is that generateRandomKey returns raw bytes rather than ASCII characters.
Simply put, generateRandomString is approximately base64_encode(generateRandomKey).
encryptByPassword & decryptByPassword
An encryption and decryption pair: the data is encrypted with a password, and the same password is then used to decrypt the ciphertext.
Example
```php
$dat = Yii::$app->security->encryptByPassword("hello","3166886");
// decrypt with the same password; the original code mistakenly called encryptByPassword here
echo Yii::$app->security->decryptByPassword($dat,"3166886");// hello
```
Note that the ciphertext obtained above is binary, not ASCII; if you need to store or transmit it as text, wrap it in an outer layer of base64_encode and base64_decode.
encryptByKey & decryptByKey
This is also an encryption and decryption pair, and it is faster than the password-based pair because the key is used directly instead of being derived from a password. The functions are declared as
```php
public function encryptByKey($data, $inputKey, $info = null){}
public function decryptByKey($data, $inputKey, $info = null){}
```
encryptByKey & decryptByKey have a third parameter, $info. For example, we can pass the member's ID, and this information is then combined with $inputKey when deriving the actual encryption and decryption key, so the same $info must be supplied on both sides.
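A usage example of the $info parameter, added here and not taken from the original article. It assumes a bootstrapped Yii2 application so that Yii::$app->security is available; the user ID and secret are constructed sample values.

```php
<?php
// Added usage example, not code from the original article. Assumes a
// bootstrapped Yii2 application so that Yii::$app->security is available.
$security = Yii::$app->security;

// A random 32-byte key. In a real application it comes from configuration
// or a secrets store, never from the same database row as the ciphertext.
$key = $security->generateRandomKey();

$userId     = '42';                      // constructed sample context ($info)
$plaintext  = 'card-last-four:1234';     // constructed sample secret
$ciphertext = $security->encryptByKey($plaintext, $key, $userId);

// The output is binary (see the note on encryptByPassword), so base64 it
// before putting it in a text column.
$stored = base64_encode($ciphertext);

// Decryption works only with the same key AND the same $info value.
$ok = $security->decryptByKey(base64_decode($stored), $key, $userId);

// With a different $info (another user's ID) decryptByKey returns false
// instead of plaintext, so a ciphertext copied from one row into another
// cannot be opened in the wrong context.
$mismatch = $security->decryptByKey(base64_decode($stored), $key, '43');

var_dump($ok === $plaintext, $mismatch === false);
```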
hkdf
Derives a key from a given input key using the standard HKDF algorithm. Where PHP's built-in hash_hkdf is available (PHP 7 and later), it is used; on older PHP the derivation is built from hash_hmac.
pbkdf2
Derives a key from a given password using the standard PBKDF2 algorithm. This method could be used for password hashing, but yii2 has a better scheme for that: generatePasswordHash.
hashData and validateData
Sometimes, in order to detect tampering with content, we need to put a mark on the data. hashData and validateData are the pair that does this job.
hashData prefixes the original data with a hash, as in the following code:
```php
$result = Yii::$app->security->hashData("hello",'123456',false);
// ac28d602c767424d0c809edebf73828bed5ce99ce1556f4df8e223faeec60eddhello
```
You can see an extra set of characters in front of hello; it changes whenever the original data changes. In this way we put a tamper-evident mark on the data, and then validateData comes into play.
Note: the third parameter of hashData indicates whether the generated hash is in raw binary form. If it is false, a lowercase hexadecimal string is generated.
validateData checks data that has been prefixed by hashData, as follows:
```php
$result = Yii::$app->security->validateData("ac28d602c767424d0c809edebf73828bed5ce99ce1556f4df8e223faeec60eddhello",'123456',false);
// hello
```
If the original string is returned, the verification passed; otherwise it returns false.
The third parameter of validateData must have the same value as when the data was generated with hashData(). It indicates whether the hash contained in the data is binary; if false, the hash consists only of lowercase hexadecimal digits.
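To make the prefix format visible, here is a plain-PHP reproduction of the hashData/validateData scheme. It is an added example, not Yii's own code; it assumes HMAC-SHA256 (the Security component's default macHash) and reuses the key '123456' from the snippet above. The function names are hypothetical.

```php
<?php
// Added example, not Yii's own code: reproduces the hashData()/validateData()
// scheme in plain PHP. Assumes HMAC-SHA256, the component's default macHash.
function prefixWithMac(string $data, string $key, bool $rawHash = false): string
{
    // HMAC over the data, placed in front of it: 64 hex chars, or 32 raw bytes
    return hash_hmac('sha256', $data, $key, $rawHash) . $data;
}

function verifyPrefixedMac(string $signed, string $key, bool $rawHash = false)
{
    $macLength = $rawHash ? 32 : 64;
    if (strlen($signed) < $macLength) {
        return false;                 // too short to contain a MAC at all
    }
    $mac  = substr($signed, 0, $macLength);
    $data = substr($signed, $macLength);
    $expected = hash_hmac('sha256', $data, $key, $rawHash);
    // Constant-time comparison, the same idea as compareString(), so the
    // check itself does not leak how many leading bytes of the MAC matched.
    return hash_equals($expected, $mac) ? $data : false;
}

$key    = '123456';                                      // key from the article's snippet
$signed = prefixWithMac('hello', $key);
var_dump(verifyPrefixedMac($signed, $key));              // untouched data
var_dump(verifyPrefixedMac($signed . '!', $key));        // payload tampered after signing
var_dump(verifyPrefixedMac($signed, 'wrong-key'));       // verified with a different key
var_dump(verifyPrefixedMac($signed, $key, true));        // rawHash flag differs from signing
```

Only the first call hands the original data back; each of the other three returns false, which is exactly the contract described for validateData.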
compareString
A string comparison that prevents timing attacks; its usage is very simple:
```php
Yii::$app->security->compareString("abc",'abc');
```
If the result is true, the strings are equal; otherwise they are not.
So what is a timing attack? Let me give a simple example.
```php
if($code == Yii::$app->request->get('code')){
}
```
With the comparison logic above, the two strings are compared character by character from the first position, and false is returned as soon as a difference is found. By measuring how quickly the response comes back, an attacker can tell at which position the strings differ, which makes it possible to recover a secret one character at a time, the scene of cracking a password digit by digit that often appears in movies.
When compareString is used to compare two strings, the time the function takes is constant regardless of whether the strings are equal, which effectively prevents timing attacks.
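To show the structural difference, here is an added example (not code from the article or from Yii) with an early-exit comparison next to a constant-time one written in the style of compareString. The function names are hypothetical.

```php
<?php
// Added example, not code from the article: an early-exit comparison that
// leaks the position of the first mismatch, next to a constant-time
// comparison in the style of compareString(). Hypothetical function names.
function earlyExitEquals(string $expected, string $actual): bool
{
    if (strlen($expected) !== strlen($actual)) {
        return false;
    }
    for ($i = 0; $i < strlen($expected); $i++) {
        if ($expected[$i] !== $actual[$i]) {
            return false;   // stops at the first mismatch: run time depends on its position
        }
    }
    return true;
}

function constantTimeEquals(string $expected, string $actual): bool
{
    // A terminator byte keeps "abc" and "abc\0" distinct even after the
    // modulo wrap below; after that every byte of $actual is always visited.
    $expected .= "\0";
    $actual   .= "\0";
    $expectedLength = strlen($expected);
    $actualLength   = strlen($actual);
    $diff = $expectedLength - $actualLength;          // non-zero when lengths differ
    for ($i = 0; $i < $actualLength; $i++) {
        // accumulate differences with OR/XOR instead of branching on them
        $diff |= ord($actual[$i]) ^ ord($expected[$i % $expectedLength]);
    }
    return $diff === 0;                               // same length and no differing byte
}

// Modern PHP ships hash_equals() for the same purpose; the loop above
// shows what "constant time" means rather than replacing the built-in.
var_dump(constantTimeEquals('abc', 'abc'), constantTimeEquals('abc', 'abd'));
var_dump(constantTimeEquals('abc', 'abcabc'), earlyExitEquals('abc', 'abc'));
```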
maskToken & unmaskToken
maskToken is used to hide the real token so that it is not exposed through compression: the same token produces a different random masked value every time. maskToken is used by yii2's CSRF feature. The principle is not complicated; let's look at the source code.
```php
public function maskToken($token){
    $mask = $this->generateRandomKey(StringHelper::byteLength($token));
    return StringHelper::base64UrlEncode($mask . ($mask ^ $token));
}
```
The purpose of unmaskToken is equally clear: it recovers the token that maskToken masked.
Next, let's look at some example code:
```php
$token = Yii::$app->security->maskToken("123456");
echo Yii::$app->security->unmaskToken($token);// The result is 123456
```
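To inspect the XOR step outside a Yii application, here is an added plain-PHP reproduction of the maskToken/unmaskToken pair (not Yii's own code). It assumes random_bytes() in place of generateRandomKey(), two small base64url helpers in place of StringHelper, and hypothetical function names.

```php
<?php
// Added example, not Yii's own code: reproduces maskToken()/unmaskToken()
// in plain PHP. random_bytes() stands in for generateRandomKey(); the two
// base64url helpers mirror what StringHelper provides.
function base64UrlEncode(string $bytes): string
{
    return rtrim(strtr(base64_encode($bytes), '+/', '-_'), '=');
}

function base64UrlDecode(string $text): string
{
    return base64_decode(strtr($text, '-_', '+/'));
}

function maskTokenDemo(string $token): string
{
    // A fresh random mask as long as the token; output is mask || (mask XOR token),
    // so the same token yields a different string on every call.
    $mask = random_bytes(strlen($token));
    return base64UrlEncode($mask . ($mask ^ $token));
}

function unmaskTokenDemo(string $maskedToken): string
{
    $decoded = base64UrlDecode($maskedToken);
    // A well-formed value has an even length: mask and masked token are equal in size.
    if ($decoded === '' || strlen($decoded) % 2 !== 0) {
        return '';
    }
    $half = intdiv(strlen($decoded), 2);
    $mask = substr($decoded, 0, $half);
    // mask XOR (mask XOR token) gives the token back
    return $mask ^ substr($decoded, $half);
}

$token  = '123456';                         // constructed sample token
$first  = maskTokenDemo($token);
$second = maskTokenDemo($token);
var_dump($first !== $second);                                                 // two masked forms of one token
var_dump(unmaskTokenDemo($first) === $token, unmaskTokenDemo($second) === $token);
var_dump(unmaskTokenDemo(base64UrlEncode('odd')) === '');                     // odd byte length is rejected
```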
Finally, let's sum up:
- Encryption/decryption: encryptByKey(), decryptByKey(), encryptByPassword() and decryptByPassword()
- Key derivation using standard algorithms: pbkdf2() and hkdf()
- Preventing data tampering: hashData() and validateData()
- Password authentication: generatePasswordHash() and validatePassword()