I’ve tinkered with CSecurityManager a few times, but never had a project with a budget large enough to cover the learning curve - I’ve always found this to look attractive, but overly complicated. Or perhaps it just needs better documentation or a working sample of some sort?
I understand why a permission graph is theoretically the most flexible security model, but it is definitely not the easiest to understand, and because of it’s great flexibility, it is also easy to make mistakes. Any ideas for a simpler security model of some sort? Something that is easier to understand and implement.
On Windows you are replacing openssl_random_pseudo_bytes() with a non cryptographically secure alternative, aren’t you? Using the time in microseconds (uniqid(), microtime() for hash_hmac()) is not cryptographically secure and relying on Yii::app()->name is not more secure.
There is this: CryptGenRandom, but I don’t know if it is possible to call it at php-application level, without using PHP’s .NET API or the w32api, which are marked experimental in the php documentation
openssl_random_pseudo_bytes() is the best way to get random bytes on any platform but it depends on the openssl extension being available, which you cann’t rely on: https://wiki.php.net/rfc/csrandombytes
the problem is what to do when openssl_random_pseudo_bytes() isn’t available.
I don’t think it’s a good idea for the framework to substitute non-crypto-secure random bytes in a class with Secure in its name.
A better approach is to throw an exception if secure platform requirements cannot be met. Perhaps offer the use a way to adopt the insecure option.
But I feel strongly that the user needs to be warned. A framework such as Yii can give the user comfort that she is "doing it right" and we should not do that if the platform cannot meet secure requirements.
It’s really hard: PHP RFC: Platform and extension-independent API to the system CSPRNG And it’s not just a problem on Windows. The RFC enumerates all the ways to get random bytes from the system CRPRNG that I can find.
I had a discussion earlier this year on php-internals. It seemed they were ok with a new function but I’m stuck trying to find how to read the state of the entropy pool on Solaris, OS X and Windows. Anyway, that’s all way in the future.
Yii framework can help here though I don’t think it can easily solve the problem 100%. A class such as Randomness illustrates what Yii could do to help users by exploring every avenue to get random data. But it should throw an exception when it can’t. Maybe the user could be allowed to configure an insecure option but it should be starkly named so they understand the consequences.
On the other topic, password storage using crypt(), good idea. Yii can help. I’ve helped lots of programmers on Freenode #yii try to use crypt() and they find it very hard, even though the code to use it is so simple. The README of Randomness is so long because of this experience.
The salt for blowfish hashing a password in crypt() does not actually need to be crypto-strong random. No need to drain the entropy pool for that.