This extension is a usefull class that let you encrypt/decrypt string (or object serializable) using strong AES256 (Advanced Encryption Standard with a key of 256 bits) standard with CBC + hashMac (mash-based message authentification code).
It uses built-in PHP Mcrypt AES methods.
Requirements ¶
- Yii 1.1 or above
- PHP 5.3 or above
- mcrypt lib activated server side.
Usage ¶
To use AES into your project :
- copy Aes256.php into a new folder in /protected/extensions/aes256/Aes256.php
- add aes256 extension into your /config/main.php, in the component part. Sample :
[...]
'components'=>array(
'aes256'=>array(
'class' => 'application.extensions.aes256.Aes256',
'privatekey_32bits_hexadecimal'=> '0123456789012345678901234567890123456789012345678901234567890123', // be sure that this parameter uses EXACTLY 64 chars of hexa (a-f, 0-9)
),
[...]
)
- if you want to encrypt/decrypt data, database side, include the method decrypt in your model in afterFind() and encrypt in beforeSave(). Sample :
protected function afterFind()
{
// decrypt myEncrypted Field value that is encrypted database side
$this->myEncryptedField = Yii::app()->aes256->decrypt($this->myEncryptedField);
return parent::afterFind();
}
protected function beforeSave()
{
$result = parent::beforeSave();
if(!$result) return false;
// encrypt myEncrypted Field value
$this->myEncryptedField = Yii::app()->aes256->encrypt($this->myEncryptedField);
return $result;
}
Don't forget that search() model method won't work on encrypted data neither specific SQL queries dealing with encrypted fields. So don't forget that if you are using specific SQL query results (outside Yii ActiveRecord) you will have to encrypt/decrypt database field manually
Don't forget that encrypted string value could be long. Avoid short database row VARCHAR(256) for example (to avoid truncated encrypted value that won't be decryptable). Personnaly, i'm using TEXT type or VARCHAR(3000).
Resources ¶
Sensitive data should be encrypted, and one of the most popular encryption specifications is the Advanced Encryption Standard (AES).
The AES specification, using the Rijndael algorithm, has been selected as the replacement for the 3DES algorithm that is implemented by Yii’s CSecurityManger.
We used CBC mode because it is more secured than ECB mode as it creates a different hash each time.
We also used hashMac (Hash-based message authentication code) to avoid several hacking exploits such as : padding oracle attach http://en.wikipedia.org/wiki/Padding_oracle_attack or bit flipping attach http://en.wikipedia.org/wiki/Bit-flipping_attack
Feel free to use last version in github https://github.com/lucbonnin/aes256_yii_extension
info
When it comes to encryption, you should be more specific and precise. The description should include that you use the AES that is built-in PHP and not your own implementation. Also, you use the phrase To implement AES for your project and I don't think anybody really wants to implement AES, only use it.
BTW why not extending CSecurityManager to provide a similar interface?
reply to #161189
Hi nineinchnick. Thanks for the comment, i will modify the extension description to be more relevant (about php built-in).
About CSecurityManager it doesn't use the AES256 CBC mode but ECB mode which is less secured than CBC.
reply to #16190
Can't CSecurityManager be extended to override the mode used and change it to CBC? If anybody alerady uses it it would be easier to switch.
reply to #16191
We can extend CSecurityManager but i prefered not to do it because if someone already use CSecurityManager he potentially could call hashData + encrypt method and my encrypt method already include hash. So to avoid mistake or double use of hash (for example) i chose to create a separated extension with only 2 easy methods encrypt/decrypt. No additional choice such ash hasmac or not, validation or not... and so on.
Anyway, anyone could use the Aes256 extension to make their own CSecurityManager overriden class, and perhaps share it here.
dinamic privatekey_32bits_hexadecimal?
Hi,
Great job!
It's possible use dinamic privatekey_32bits_hexadecimal?
For example, based in username?
thanks
If you have any questions, please ask in the forum instead.
Signup or Login in order to comment.