Zend Encrypt and Decrypt. I have the below class. How to protect sensitive data in PHP using Zend Framework 2.
You worked hard to develop your code. Now you need to protect it. Zend Guard's encoding and obfuscation technologies are designed to hinder reverse engineering, copyright infringement and unauthorized modification of your code.
Encoding is a process where the PHP source code is converted to an intermediate, machine-readable format that is hard for humans to read and to convert back to source code. It is not encryption: the Zend loader on the server must still be able to execute the encoded file, so encoding raises the effort needed to recover the source rather than making recovery impossible. As a result it protects your code from casual browsing, and makes it harder for someone who obtains a copy of your site's code to reuse it for unintended purposes.
Obfuscation is a process where the code is intentionally made very hard to read, both as source code and as reverse-engineered code. It is designed to manage risks that stem from unauthorized access to source code: loss of intellectual property, easier probing for application vulnerabilities, and loss of revenue when applications are reverse engineered, modified to circumvent licensing and then recompiled. Reverse engineering has always existed in computer software, but it is especially relevant in environments such as PHP, where language elements are processed dynamically at run time rather than compiled into machine code before deployment.
Zend Guard's licensing capabilities allow Independent Software Vendors (ISVs) to create a variety of licensing policies for their commercial PHP applications. The product supports most commonly used licensing models such as concurrent users, time limited, segment of network, or server specific licensing. These capabilities allow vendors to maximize their revenue by preventing unauthorized use.
All notable changes to this project will be documented in this file, in reverse chronological order by release.
#55 updates `Zend\Crypt\Hmac` to use `hash_hmac_algos()` instead of `hash_algos()` when it is present. `hash_algos()` also lists non-cryptographic digests (such as crc32b) that `hash_hmac()` refuses to use, so the HMAC-specific list is the correct source of supported algorithms.
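The algorithm check described in that entry, as an added example that is not zend-crypt's own code: the helper names (`hmacAlgos`, `tag`, `verify`) and the sample key and payload are assumptions made for the illustration. It prefers `hash_hmac_algos()` where PHP provides it and falls back to `hash_algos()` otherwise, then uses the chosen digest to tag and verify a binary message.

```php
<?php
declare(strict_types=1);

// Added example; not zend-crypt's own code. Helper names and sample input are
// assumptions for this illustration.

/**
 * Algorithms that can actually be used with hash_hmac().
 * hash_hmac_algos() (PHP 7.2+) lists only digests usable for HMAC, whereas
 * hash_algos() also lists non-cryptographic ones (crc32b, adler32, fnv1*, ...)
 * that hash_hmac() rejects. On older PHP fall back to hash_algos(), which is
 * the fallback the changelog entry describes.
 */
function hmacAlgos(): array
{
    return function_exists('hash_hmac_algos') ? hash_hmac_algos() : hash_algos();
}

function assertHmacSupported(string $algo): void
{
    if (!in_array(strtolower($algo), hmacAlgos(), true)) {
        throw new InvalidArgumentException("'$algo' is not usable as an HMAC digest");
    }
}

/** Returns $message with a raw (binary) HMAC tag appended. */
function tag(string $key, string $algo, string $message): string
{
    assertHmacSupported($algo);
    return $message . hash_hmac($algo, $message, $key, true);
}

/**
 * Splits the tag off and checks it in constant time; returns the message on
 * success, null on failure. Lengths and offsets use the '8bit' encoding so
 * they are byte counts even on PHP 7 installs where mbstring.func_overload
 * gives strlen()/substr() character semantics.
 */
function verify(string $key, string $algo, string $tagged): ?string
{
    assertHmacSupported($algo);
    $tagLen = mb_strlen(hash_hmac($algo, '', $key, true), '8bit');
    if (mb_strlen($tagged, '8bit') < $tagLen) {
        return null;
    }
    $message  = mb_substr($tagged, 0, -$tagLen, '8bit');
    $received = mb_substr($tagged, -$tagLen, null, '8bit');
    $expected = hash_hmac($algo, $message, $key, true);
    return hash_equals($expected, $received) ? $message : null;
}

// Constructed sample input: a random key and a payload containing NUL and high bytes.
$key     = random_bytes(32);
$message = "\x00\xff binary-safe payload \x80";

$tagged = tag($key, 'sha256', $message);
var_dump(verify($key, 'sha256', $tagged) === $message);   // untampered value
var_dump(verify($key, 'sha256', $tagged . "\x01"));       // one byte appended: tag no longer matches

// crc32b is a digest PHP knows, but not one HMAC may use.
var_dump(in_array('crc32b', hash_algos(), true), in_array('crc32b', hmacAlgos(), true));
try {
    tag($key, 'crc32b', $message);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

Requires ext/mbstring, as the changelog itself does. The `'8bit'` encoding argument is the important detail when handling ciphertext, keys or MACs: without it, a multibyte-aware `strlen()` can report a character count shorter than the byte count and the tag split lands in the wrong place.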
#50 updates all classes to import functions and constants they use.
Requires ext/mbstring in order to install successfully.
Adds `Zend\Crypt\Password\Bcrypt::benchmarkCost()`, which allows you to find the maximum cost value possible for your hardware within a 50ms timeframe.
Adds the `Zend\Crypt\PublicKey\RsaOptions` class option `openssl_padding` (or `setOpensslPadding()`); this is now consumed in `Zend\Crypt\PublicKey\Rsa::encrypt()` and `Zend\Crypt\PublicKey\Rsa::decrypt()`, instead of the optional `$padding` argument.
Removes the `$padding` argument from each of `Zend\Crypt\PublicKey\Rsa`'s `encrypt()` and `decrypt()` methods; you can now specify the value via the `RsaOptions`.
Updates `substr()` and `strlen()` calls to use `mb_substr()` and `mb_strlen()`, respectively. This gives correct handling of binary values (keys, IVs, ciphertext, MACs): `strlen()` and `substr()` can be redirected by `mbstring.func_overload` to count characters rather than bytes, whereas the `mb_*` variants take an explicit encoding, so byte lengths and offsets can be requested regardless of that setting.
Updates the `Zend\Crypt\Password\Bcrypt` implementation to use `password_hash()` and `password_verify()` internally, as they are supported in all PHP versions we support.
Updates the `DiffieHellman` public key implementation to initialize the `BigInteger` adapter from zend-math as the first operation of its constructor, fixing a fatal error that occurs when binary data is provided.
`ArrayObject`, which implements the same behavior being tested.
`AbstractPluginManager`.
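The two Bcrypt entries above (the 50ms cost benchmark, and the switch to PHP's native `password_hash()`/`password_verify()`) together, as an added example that is not zend-crypt's own implementation: `benchmarkCost()`, `hashPassword()` and `checkPassword()` are illustrative names, the floor of cost 10 is a choice made here, and the stored hash at cost 4 is a constructed legacy value. It picks a cost for the current hardware, then verifies a password and rehashes it when the stored cost has fallen behind.

```php
<?php
declare(strict_types=1);

// Added example; not zend-crypt's own code. Function names, the cost floor and
// the sample stored hash are assumptions for this illustration.

const TARGET_SECONDS = 0.05; // 50 ms budget per hash, the figure the changelog entry quotes
const MIN_COST = 10;         // floor we refuse to go below even on slow hardware
const MAX_COST = 31;         // bcrypt's upper bound

/**
 * Highest cost for which one password_hash() call still fits in $targetSeconds.
 * Cost is logarithmic (each step doubles the work), so the loop probes cost+1
 * and stops at the first value that overshoots the budget.
 */
function benchmarkCost(float $targetSeconds = TARGET_SECONDS): int
{
    $cost = MIN_COST;
    while ($cost < MAX_COST) {
        $start = microtime(true);
        password_hash('benchmark-only', PASSWORD_BCRYPT, ['cost' => $cost + 1]);
        if (microtime(true) - $start > $targetSeconds) {
            break;
        }
        $cost++;
    }
    return $cost;
}

function hashPassword(string $password, int $cost): string
{
    // bcrypt uses at most 72 bytes of input; reject longer passwords rather
    // than silently truncating them.
    if (strlen($password) > 72) {
        throw new InvalidArgumentException('password longer than 72 bytes');
    }
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => $cost]);
}

/**
 * Verifies and reports whether the stored hash should be replaced: either its
 * cost is below the current target or it is not a bcrypt hash at all.
 */
function checkPassword(string $password, string $storedHash, int $cost): array
{
    $ok = password_verify($password, $storedHash);
    $needsRehash = $ok && password_needs_rehash($storedHash, PASSWORD_BCRYPT, ['cost' => $cost]);
    return ['ok' => $ok, 'needs_rehash' => $needsRehash];
}

// Constructed usage: a hash stored years ago with a cost that is now too low.
$cost = benchmarkCost();
printf("bcrypt cost for this machine: %d\n", $cost);

$password = 'correct horse battery staple';
$stored   = password_hash($password, PASSWORD_BCRYPT, ['cost' => 4]);

$result = checkPassword($password, $stored, $cost);
if ($result['ok'] && $result['needs_rehash']) {
    $stored = hashPassword($password, $cost);   // persist this in place of the old hash
    printf("rehashed at cost %d\n", $cost);
}
var_dump(checkPassword('wrong password', $stored, $cost)['ok']);
```

Run the benchmark once at deploy time rather than per request, and store the chosen cost in configuration; rehashing on successful login is the only moment the plaintext is available to upgrade an old hash.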
ZF2015-10: `Zend\Crypt\PublicKey\Rsa\PublicKey` has a call to `openssl_public_encrypt()` which used PHP's default `$padding` argument, which specifies `OPENSSL_PKCS1_PADDING`, indicating usage of PKCS#1 v1.5 padding. This padding has a known vulnerability, Bleichenbacher's chosen-ciphertext attack: an attacker who can submit ciphertexts and learn whether the padding was accepted can use the decrypting party as an oracle to recover the plaintext of a chosen ciphertext (or forge a signature) without ever learning the private key. This release contains a patch that changes the padding argument to use `OPENSSL_PKCS1_OAEP_PADDING`.

Users upgrading to this version may have issues decrypting previously stored values, due to the change in padding. If this occurs, you can pass the constant `OPENSSL_PKCS1_PADDING` to a new `$padding` argument in `Zend\Crypt\PublicKey\Rsa::encrypt()` and `decrypt()` (though typically this should only apply to the latter) on `$rsa`, an instance of `Zend\Crypt\PublicKey\Rsa`.

(The `$key` and `$mode` argument defaults are `null` and `Zend\Crypt\PublicKey\Rsa::MODE_AUTO`, if you were not using them previously.)

We recommend re-encrypting any such values using the new defaults.
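The migration the advisory recommends, as an added example built directly on PHP's openssl extension rather than on zend-crypt's `Rsa` wrapper (with the wrapper, the same fallback is the `OPENSSL_PKCS1_PADDING` value passed as the `$padding` argument of `decrypt()` described above, or via `RsaOptions` in releases where that argument was removed). The helper names, the 2048-bit throwaway key and the stored value are assumptions for the illustration. It shows that a value encrypted under PKCS#1 v1.5 does not decrypt under OAEP, decrypts it once with the legacy padding, and re-encrypts it under the new default.

```php
<?php
declare(strict_types=1);

// Added example; not part of the changelog or of zend-crypt. Function names,
// key size and the sample stored value are assumptions for this illustration.

/** Throwaway RSA key pair; returns [public PEM, private PEM]. */
function rsaKeyPair(): array
{
    $res = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
    if ($res === false) {
        throw new RuntimeException('key generation failed: ' . openssl_error_string());
    }
    openssl_pkey_export($res, $privatePem);
    $publicPem = openssl_pkey_get_details($res)['key'];
    return [$publicPem, $privatePem];
}

/** Encrypts with OAEP by default; the padding parameter exists only to build legacy test data. */
function encrypt(string $plaintext, string $publicPem, int $padding = OPENSSL_PKCS1_OAEP_PADDING): string
{
    if (!openssl_public_encrypt($plaintext, $ciphertext, $publicPem, $padding)) {
        throw new RuntimeException('encrypt failed: ' . openssl_error_string());
    }
    return $ciphertext;
}

/** Returns null instead of throwing: a padding mismatch is an expected outcome during migration. */
function decrypt(string $ciphertext, string $privatePem, int $padding = OPENSSL_PKCS1_OAEP_PADDING): ?string
{
    $ok = openssl_private_decrypt($ciphertext, $plaintext, $privatePem, $padding);
    return $ok ? $plaintext : null;
}

/**
 * Migrates one stored value: try the new default first; only if that fails,
 * fall back to PKCS#1 v1.5 and re-encrypt under OAEP so the fallback is never
 * needed for this value again. Returns [plaintext, ciphertext to store, migrated?].
 */
function migrate(string $stored, string $publicPem, string $privatePem): array
{
    $plain = decrypt($stored, $privatePem);
    if ($plain !== null) {
        return [$plain, $stored, false];            // already OAEP, nothing to do
    }
    $plain = decrypt($stored, $privatePem, OPENSSL_PKCS1_PADDING);
    if ($plain === null) {
        throw new RuntimeException('ciphertext decrypts under neither padding');
    }
    return [$plain, encrypt($plain, $publicPem), true];
}

[$publicPem, $privatePem] = rsaKeyPair();

// Constructed legacy value: what an install predating the fix would have stored.
$legacy = encrypt('db-password-2015', $publicPem, OPENSSL_PKCS1_PADDING);

var_dump(decrypt($legacy, $privatePem));                          // OAEP rejects the v1.5 padding
[$plain, $fresh, $migrated] = migrate($legacy, $publicPem, $privatePem);
var_dump($plain === 'db-password-2015', $migrated);
var_dump(decrypt($fresh, $privatePem) === 'db-password-2015');   // re-encrypted value uses OAEP
```

Keep the v1.5 fallback out of any request path an outside party can reach: Bleichenbacher's attack needs exactly a component that accepts attacker-supplied ciphertext and reveals whether the padding check passed, so run the migration as an offline batch over the stored values and remove the `OPENSSL_PKCS1_PADDING` branch once it reports nothing left to migrate.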