[Da:Sourcerer]

It will if you set the cryptAlgorithm property right.

[Emily Dickinson]

Da:Sourcerer, on 05 December 2011 - 04:31 PM, said:

It will if you set the cryptAlgorithm property right.

Nice! Would you be willing to post a complete solution - including code for the Behavior and the controller?
Em

[christomurr]

Da:Sourcerer ...

I'm very curious about what you're suggesting. Do you have an example I could see? I've spent so much time on this I've fallen very far behind.

Thanks again to all of you for helping me with this. I look forward to posting an elegant, working solution.

Christopher

[Da:Sourcerer]

The behaviour is pretty easy:

class EncryptionBehavior extends CActiveRecordBehavior
{
  public $cryptAttribute;
  public $key;

  public function beforeSave($event)
  {
    if($this->cryptAttribute !== null)
      $this->owner->{$this->cryptAttribute} = Yii::app()->securityManager->encrypt($this->owner->{$this->cryptAttribute}, $this->key);
  }

  public function afterFind($event)
  {
    if($this->cryptAttribute !== null)
      $this->owner->{$this->cryptAttribute} = Yii::app()->securityManager->decrypt($this->owner->{$this->cryptAttribute}, $this->key);
  }
}

There is no need to touch the controller for this behaviour. Just enable it in the model's behaviors() method:

class MyModel extends CActiveRecord
{
  ...
  public function behaviors()
  {
    return array(
      'EncryptionBehavior'=>array(
        'class'=>'EncryptionBehavior',
        'key'=>Yii::app()->params['secretKey'],
        'cryptAttribute'=>'myAttribute',
      ),
    );
  }
}

I just typed this freehand, so be cautious with this. Give me an hour or so until my dev machine is ready to go again

[christomurr]

Da:Sourcerer .... Thank you ... this looks like a great solution. I have it hooked up and gotten rid of the errors that broke my page (wasn't sure where to put things) ... but now I'm not getting the value of the decrypted field to display ... but I'm sure I'm close :-)

[Da:Sourcerer]

Hm, what do you get instead? Have you set CSecurityManager's cryptAlgorithm to rijndael-128?

[christomurr]

I changed it and it did not work. But then I tried AES-256-CBC and got a broken page with some interesting output:

mcrypt_module_open() [<a href='function.mcrypt-module-open'>function.mcrypt-module-open</a>]: Could not open encryption module

CSecurityManager requires PHP mcrypt extension to be loaded in order to use data encryption feature.

So perhaps I need to step back and tweak the server?

Thanks again .. this is getting exciting ;-)

[christomurr]

My mistake ... I do have mcrypt enabled.

I know I entered the database in my table using PHP AES_ENCRYPT in my old application. But when I tried one of the earlier suggestions here I was able to get the decrypted value (echo $data->enabled).

But I much prefer your method and want to get this to work.

[christomurr]

I set it to rijndael-128 and the page does not break, but neither do I get any value. I'll stop writing now until I figure it out ;-)

[Da:Sourcerer]

Hm, the first param of mcrypt_module_open() needs to be on of the outputs of mcrypt_list_algorithms(). AES-256-CBC doesn't sound like something that function would return... For reference:

# php -r "print_r(mcrypt_list_algorithms());"
Array
(
  [0] => cast-128
  [1] => gost
  [2] => rijndael-128
  [3] => twofish
  [4] => arcfour
  [5] => cast-256
  [6] => loki97
  [7] => rijndael-192
  [8] => saferplus
  [9] => wake
  [10] => blowfish-compat
  [11] => des
  [12] => rijndael-256
  [13] => serpent
  [14] => xtea
  [15] => blowfish
  [16] => enigma
  [17] => rc2
  [18] => tripledes
)

That is from a 64bit CentOS 6.0 with a suhosin-hardened PHP v5.3.8

The default algorithm for CSecurityManager is des. I really think rijndael-128 is the one to go for in your case. You might have to set it into ECB or CBC-mode, though.

[christomurr]

class EncryptionBehavior extends CActiveRecordBehavior
I have this in a file called EncryptionBehaviors.php in my components directory:

{
public $cryptAttribute;
public $key;

public function beforeSave($event)
{
if($this->cryptAttribute !== null)
$this->owner->{$this->cryptAttribute} = Yii::app()->securityManager->encrypt($this->owner->{$this->cryptAttribute}, $this->key);
}

public function afterFind($event)
{
if($this->cryptAttribute !== null)
$this->owner->{$this->cryptAttribute} = Yii::app()->securityManager->decrypt($this->owner->{$this->cryptAttribute}, $this->key);
}
}

I then have this is my model, just after the 'relations' array:

public function behaviors() {
return array(
'EncryptionBehavior'=>array(
'class'=>'EncryptionBehavior',
'key'=>Yii::app()->params['secretKey'],
'cryptAttribute'=>'clientSocialSecurity',
),
);
}

And I have this in my config/main.php

'params'=>array(
// this is used in contact page
'adminEmail'=>'webmaster@example.com',
'secretKey'=>'myKeyGoesHere',
),

I can see that things are being called and I am getting no errors. But the field in my view that holds the encrypted value displays nothing. All the other fields that are encrypted (and are not part of this routine) display the encrypted value.

Thank you again for your time.

[Da:Sourcerer]

Look for the components-stanza in your config/main.php. Add this:

'securityManager'=>array(
  'cryptAlgorithm'=>array(
    'rijndael-128',
    '',
    'cbc',
    ''
  ),
),

[christomurr]

I added this and still found no display of the value.

[Da:Sourcerer]

Hm, I'm out of ideas for now.

[christomurr]

Thats cool ....ill keep plugging away and hopefully will post some good need.

I cant tell you how much I appreciate you sticking with me and getting me this far ...

[Da:Sourcerer]

Ah, it must really be set into ECB mode. Setting it into CBC mode won't do you any good.

[christomurr]

I have this set in CSecurityManager.php:

public $cryptAlgorithm='rijndael-128';

(although I also tried adding -ebc and -cbc to this)

And I have this set in my config/main.php:

'components'=>array(
'user'=>array(
// enable cookie-based authentication
'allowAutoLogin'=>true,
),
'securityManager'=>array(
'cryptAlgorithm'=>array(
'rijndael-128',
'',
'ecb',
''
),
),

I have this in my model, but now I'm wondering if it belongs something else or in a different position within the model:

public function behaviors() {
return array(
'EncryptionBehavior'=>array(
'class'=>'EncryptionBehavior',
'key'=>Yii::app()->params['secretKey'],
'cryptAttribute'=>'clientSocialSecurity',
),
);
}


I have nothing in the view other than the gii-generated form.

I'm still missing something or putting something in the wrong place.

[christomurr]

In both code samples from Emily and DaSourcerer, I believe what is failing is that my afterFind and beforeSave functions are not getting executed. The class files appear to be called, but then I get no display of the value. In looking at logs, I don't believe the afterFind (which is what I'm testing first) is getting called/executed.

[ekerazha]

Note: remember that AES-256 is actually less secure than AES-128

This post has been edited by ekerazha: 06 December 2011 - 12:30 PM

[Da:Sourcerer]

Something's strange with CSecurityManager. Well, time for plan B:

# php -r "echo bin2hex(openssl_encrypt('abc', 'aes-128-ecb', 'def', true));"
481669422b4fe6acb546d80fb22ad0c4
# echo "SELECT HEX(AES_ENCRYPT('abc', 'def'));" | mysql
HEX(AES_ENCRYPT('abc', 'def'))
481669422B4FE6ACB546D80FB22AD0C4