使用BouncyCastle在C#中使用OpenSSL使用AES256-GCM解密PHP加密的字符串
解决方案 注意:我已经用PBKDF2-SHA512(20K迭代)替换了简单的SHA256派生密钥,以提高安全性 PHP函数:使用BouncyCastle在C#中使用OpenSSL使用AES256-GCM解密PHP加密的字符串,c#,php,openssl,bouncycastle,aes-gcm,C#,Php,Openssl,Bouncycastle,Aes Gcm,解决方案 注意:我已经用PBKDF2-SHA512(20K迭代)替换了简单的SHA256派生密钥,以提高安全性 PHP函数: function str_encryptaesgcm($plaintext, $password, $encoding = null) { $keysalt = openssl_random_pseudo_bytes(16); $key = hash_pbkdf2("sha512", $password, $keysalt, 20000
function str_encryptaesgcm($plaintext, $password, $encoding = null) {
$keysalt = openssl_random_pseudo_bytes(16);
$key = hash_pbkdf2("sha512", $password, $keysalt, 20000, 32, true);
$iv = openssl_random_pseudo_bytes(openssl_cipher_iv_length("aes-256-gcm"));
$tag = "";
$encryptedstring = openssl_encrypt($plaintext, "aes-256-gcm", $key, OPENSSL_RAW_DATA, $iv, $tag, "", 16);
return $encoding == "hex" ? bin2hex($keysalt.$iv.$encryptedstring.$tag) : ($encoding == "base64" ? base64_encode($keysalt.$iv.$encryptedstring.$tag) : $keysalt.$iv.$encryptedstring.$tag);
}
function str_decryptaesgcm($encryptedstring, $password, $encoding = null) {
$encryptedstring = $encoding == "hex" ? hex2bin($encryptedstring) : ($encoding == "base64" ? base64_decode($encryptedstring) : $encryptedstring);
$keysalt = substr($encryptedstring, 0, 16);
$key = hash_pbkdf2("sha512", $password, $keysalt, 20000, 32, true);
$ivlength = openssl_cipher_iv_length("aes-256-gcm");
$iv = substr($encryptedstring, 16, $ivlength);
$tag = substr($encryptedstring, -16);
return openssl_decrypt(substr($encryptedstring, 16 + $ivlength, -16), "aes-256-gcm", $key, OPENSSL_RAW_DATA, $iv, $tag);
}
C级:
我使用openssl在PHP中加密/解密字符串:
function str_encryptaesgcm($plaintext, $password, $encoding = null) {
$aes = array("key" => substr(hash("sha256", $password, true), 0, 32), "cipher" => "aes-256-gcm", "iv" => openssl_random_pseudo_bytes(openssl_cipher_iv_length("aes-256-gcm")));
$encryptedstring = openssl_encrypt($plaintext, $aes["cipher"], $aes["key"], OPENSSL_RAW_DATA, $aes["iv"], $aes["tag"], "", 16);
return $encoding == "hex" ? bin2hex($aes["iv"].$encryptedstring.$aes["tag"]) : ($encoding == "base64" ? base64_encode($aes["iv"].$encryptedstring.$aes["tag"]) : $aes["iv"].$encryptedstring.$aes["tag"]);
}
function str_decryptaesgcm($encryptedstring, $password, $encoding = null) {
$encryptedstring = $encoding == "hex" ? hex2bin($encryptedstring) : ($encoding == "base64" ? base64_decode($encryptedstring) : $encryptedstring);
$aes = array("key" => substr(hash("sha256", $password, true), 0, 32), "cipher" => "aes-256-gcm", "ivlength" => openssl_cipher_iv_length("aes-256-gcm"), "iv" => substr($encryptedstring, 0, openssl_cipher_iv_length("aes-256-gcm")), "tag" => substr($encryptedstring, -16));
return openssl_decrypt(substr($encryptedstring, $aes["ivlength"], -16), $aes["cipher"], $aes["key"], OPENSSL_RAW_DATA, $aes["iv"], $aes["tag"]);
}
一切正常,事实上我得到:
$text = "Neque porro quisquam est qui dolorem ipsum quia dolor sit amet, consectetur, adipisci velit...";
$pass = "A random password to encrypt";
$enc = str_encryptaesgcm($text, $pass, "base64"); // OUTPUT: TrbntVEj8GEGeLE6ZYJnDIXnqSese5biWn604NePb2r6jsFhuzJsNHnN2GCizrGfhP4W39tahrGj0tORxvUbDpGT76WHr/v2wmnHHHiDGyjeKlWLu9/gfeualYvhsNF/N9inSpqxE2lQ+/vwpUJKYJw3bfo7DoGPDNk=
$dec = str_decryptaesgcm($enc, $pass, "base64"); // OUTPUT: Neque porro quisquam est qui dolorem ipsum quia dolor sit amet, consectetur, adipisci velit...
不幸的是,我需要从C#中解密字符串,因此我使用BouncyCastle来实现这一点,我使用的类是:
using Org.BouncyCastle.Crypto.Engines;
using Org.BouncyCastle.Crypto.Modes;
using Org.BouncyCastle.Crypto.Parameters;
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;
namespace PoGORaidEngine.Crypto
{
internal static class AESGCM
{
private const int KEY_BIT_SIZE = 256;
private const int MAC_BIT_SIZE = 128;
private const int NONCE_BIT_SIZE = 96; // 12 bytes (openssl)
internal static string DecryptString(string EncryptedString, string Password)
{
if (string.IsNullOrEmpty(EncryptedString))
return string.Empty;
byte[] Key = Encoding.UTF8.GetBytes(SHA256String(Password).Substring(0, 32));
byte[] EncryptedData = Convert.FromBase64String(EncryptedString);
if (Key == null || Key.Length != KEY_BIT_SIZE / 8)
throw new ArgumentException(string.Format("Key needs to be {0} bit.", KEY_BIT_SIZE), "Key");
using (MemoryStream MStream = new MemoryStream(EncryptedData))
using (BinaryReader Binary = new BinaryReader(MStream))
{
byte[] IV = Binary.ReadBytes(NONCE_BIT_SIZE / 8);
GcmBlockCipher Cipher = new GcmBlockCipher(new AesEngine());
Cipher.Init(false, new AeadParameters(new KeyParameter(Key), MAC_BIT_SIZE, IV));
byte[] CipherText = Binary.ReadBytes(EncryptedData.Length - IV.Length);
byte[] PlainText = new byte[Cipher.GetOutputSize(CipherText.Length)];
int Length = Cipher.ProcessBytes(CipherText, 0, CipherText.Length, PlainText, 0);
Cipher.DoFinal(PlainText, Length);
return Encoding.UTF8.GetString(PlainText);
}
}
private static string SHA256String(string Password)
{
using (SHA256 Hash = SHA256.Create())
{
byte[] PasswordBytes = Hash.ComputeHash(Encoding.UTF8.GetBytes(Password));
StringBuilder SB = new StringBuilder();
for (int i = 0; i < PasswordBytes.Length; i++)
SB.Append(PasswordBytes[i].ToString("X2"));
return SB.ToString();
}
}
}
}
我浪费了几个小时试图找出问题,但没有成功,我也尝试在这里搜索,在Stackoverflow上,但我没有找到答案,甚至没有找到这个。
是否有人曾经测试并尝试使用AES256-GCM使用BouncyCastle从PHP(openssl)解密到C#?提前感谢您的帮助
更新
我尝试更新PHP方法进行加密,以查看数据是否正常:
function str_encryptaesgcm($plaintext, $password, $encoding = null) {
$aes = array("key" => substr(hash("sha256", $password, true), 0, 32), "cipher" => "aes-256-gcm", "iv" => openssl_random_pseudo_bytes(openssl_cipher_iv_length("aes-256-gcm")));
$encryptedstring = openssl_encrypt($plaintext, $aes["cipher"], $aes["key"], OPENSSL_RAW_DATA, $aes["iv"], $aes["tag"], "", 16);
switch ($encoding) {
case "base64":
return array("encrypteddata" => base64_encode($aes["iv"].$encryptedstring.$aes["tag"]), "iv" => base64_encode($aes["iv"]), "encryptedstring" => base64_encode($encryptedstring), "tag" => base64_encode($aes["tag"]));
case "hex":
return array("encrypteddata" => bin2hex($aes["iv"].$encryptedstring.$aes["tag"]), "iv" => bin2hex($aes["iv"]), "encryptedstring" => bin2hex($encryptedstring), "tag" => bin2hex($aes["tag"]));
default:
return array("encrypteddata" => $aes["iv"].$encryptedstring.$aes["tag"], "iv" => $aes["iv"], "encryptedstring" => $encryptedstring, "tag" => $aes["tag"]);
}
}
所以我得到:
{"encrypteddata":"w2eUXD41sCgTBvN7PtKlhzHB0lodPohnOh8V1lWsATvRujwsV18DDftGqJLqpsWxatYUX7C0jxjLcPQUoazIfiVdRmAsbGAKuvXYSsNjQ6ahGY4AxowAp0p\/IGDuYWbCrof6GZHUyoxv9Ry8NP1yxNItnBlUhGS8ua0=","iv":"w2eUXD41sCgTBvN7","encryptedstring":"PtKlhzHB0lodPohnOh8V1lWsATvRujwsV18DDftGqJLqpsWxatYUX7C0jxjLcPQUoazIfiVdRmAsbGAKuvXYSsNjQ6ahGY4AxowAp0p\/IGDuYWbCrof6GZHUyoxv9Q==","tag":"HLw0\/XLE0i2cGVSEZLy5rQ=="}
这让我明白,在PHP方面,一切都正常,还因为当我从PHP执行解密时,一切都正常工作。我试图按照的建议更新C代码上的类,但是我得到了一个新的异常:Org.BouncyCastle.Crypto.InvalidCipherTextException:数据太短
:
using Org.BouncyCastle.Crypto.Engines;
using Org.BouncyCastle.Crypto.Modes;
using Org.BouncyCastle.Crypto.Parameters;
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;
namespace PoGORaidEngine.Crypto
{
internal static class AESGCM
{
private const int MAC_BIT_SIZE = 128;
private const int NONCE_BIT_SIZE = 96;
internal static string DecryptString(string EncryptedString, string Password)
{
if (string.IsNullOrEmpty(EncryptedString))
return string.Empty;
byte[] EncryptedData = Convert.FromBase64String(EncryptedString);
byte[] Key = DerivateKey(Password);
byte[] IV;
byte[] CipherText;
byte[] Tag;
using (MemoryStream MStream = new MemoryStream(EncryptedData))
using (BinaryReader Binary = new BinaryReader(MStream))
{
IV = Binary.ReadBytes(NONCE_BIT_SIZE / 8);
CipherText = Binary.ReadBytes(EncryptedData.Length - IV.Length - (MAC_BIT_SIZE / 8));
Tag = Binary.ReadBytes(MAC_BIT_SIZE / 8);
}
byte[] AAED = new byte[0];
byte[] DecryptedData = new byte[CipherText.Length];
GcmBlockCipher Cipher = new GcmBlockCipher(new AesEngine());
Cipher.Init(false, new AeadParameters(new KeyParameter(Key), MAC_BIT_SIZE, IV, AAED));
int Length = Cipher.ProcessBytes(CipherText, 0, CipherText.Length, DecryptedData, 0);
Cipher.DoFinal(DecryptedData, Length);
return Encoding.UTF8.GetString(DecryptedData);
}
private static byte[] DerivateKey(string Password)
{
using (SHA256 Hash = SHA256.Create())
return Hash.ComputeHash(Encoding.UTF8.GetBytes(Password));
}
}
}
作为一个计数器测试,我试图在base64 IV中获得干净的加密字符串和标记,并且数据完全匹配,就像在PHP中一样。
我相信解决办法非常接近。问题出现在:
Cipher.DoFinal(DecryptedData,Length)
(newbyte[CipherText.Length]
)。我不确定您在C#上的“密钥派生”是否与在PHP上一样有效,所以我使用了自己的一个。此外,我还使用了自己的解密函数,该函数在没有Bouncy Castle的情况下运行,这可能是您使用Bouncy Castle的良好基础
请注意,使用SHA哈希的密钥派生是不安全的,您应该为此任务使用类似PBKDF2的内容
我正在使用示例输出
TrbntVEj8GEGeLE6ZYJnDIXnqSese5biWn604NePb2r6jsFhuzJsNHnN2GCizrGfhP4W39tahrGj0tORxvUbDpGT76WHr/v2wmnHHHiDGyjeKlWLu9/gfeualYvhsNF/N9inSpqxE2lQ+/vwpUJKYJw3bfo7DoGPDNk=
作为C#中解密函数的输入-结果如下:
AES GCM 256 String decryption
* * * Decryption * * *
ciphertext (Base64): TrbntVEj8GEGeLE6ZYJnDIXnqSese5biWn604NePb2r6jsFhuzJsNHnN2GCizrGfhP4W39tahrGj0tORxvUbDpGT76WHr/v2wmnHHHiDGyjeKlWLu9/gfeualYvhsNF/N9inSpqxE2lQ+/vwpUJKYJw3bfo7DoGPDNk=
plaintext: Neque porro quisquam est qui dolorem ipsum quia dolor sit amet, consectetur, adipisci velit...
请注意,我的代码没有异常处理,仅用于教育目的,代码在联机编译器()中使用.net 5运行:
编辑:您是否注意到GCM标记从未在更新的解密函数中使用
Bouncy Castle的GCM函数的工作原理类似于Java挂件,需要一个将标记附加到密文中的密文
最后,您需要执行一些字节数组复制操作:
byte[] CipherTextTag = new byte[CipherText.Length + Tag.Length];
System.Buffer.BlockCopy(CipherText, 0, CipherTextTag, 0, CipherText.Length);
System.Buffer.BlockCopy(Tag, 0, CipherTextTag, CipherText.Length, Tag.Length);
int Length = Cipher.ProcessBytes(CipherTextTag, 0, CipherTextTag.Length, DecryptedData, 0);
使用此“完整密文”可以使其与原始PHP代码一起运行:
AES GCM 256 String decryption
* * * Decryption * * *
ciphertext (Base64): aV+gDmSBbi9PjOT9FD8LcuISbEQ5F3q0X8qzf3MKiDzxo12WQVirsnltbApLMMG9JScVfTXx7PJw7EVFoKz8JLMYLMu/JsRGcfvihSK+d/yeRTBEuJHL74Hv2Zr7b4CoMJhEUmYF3KT2Onlj4lI5ChOjmgXvpSev/xc=
plaintext: Neque porro quisquam est qui dolorem ipsum quia dolor sit amet, consectetur, adipisci velit...
完整代码:
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;
using Org.BouncyCastle.Crypto.Engines;
using Org.BouncyCastle.Crypto.Modes;
using Org.BouncyCastle.Crypto.Parameters;
public class Program {
public static void Main() {
Console.WriteLine("AES GCM 256 String decryption");
// decryption
Console.WriteLine("\n* * * Decryption * * *");
string password = "A random password to encrypt";
//generate hash of password # # # this is UNSECURE # # #
string soCiphertextBase64 = "aV+gDmSBbi9PjOT9FD8LcuISbEQ5F3q0X8qzf3MKiDzxo12WQVirsnltbApLMMG9JScVfTXx7PJw7EVFoKz8JLMYLMu/JsRGcfvihSK+d/yeRTBEuJHL74Hv2Zr7b4CoMJhEUmYF3KT2Onlj4lI5ChOjmgXvpSev/xc=";
Console.WriteLine("ciphertext (Base64): " + soCiphertextBase64);
string soDecryptedtextAsk = DecryptString(soCiphertextBase64, password);
Console.WriteLine("plaintext: " + soDecryptedtextAsk);
}
static string DecryptString(string EncryptedString, string Password)
{
const int MAC_BIT_SIZE = 128;
const int NONCE_BIT_SIZE = 96;
if (string.IsNullOrEmpty(EncryptedString))
return string.Empty;
byte[] EncryptedData = Convert.FromBase64String(EncryptedString);
byte[] Key = DerivateKey(Password);
byte[] IV;
byte[] CipherText;
byte[] Tag;
using (MemoryStream MStream = new MemoryStream(EncryptedData))
using (BinaryReader Binary = new BinaryReader(MStream))
{
IV = Binary.ReadBytes(NONCE_BIT_SIZE / 8);
CipherText = Binary.ReadBytes(EncryptedData.Length - IV.Length - (MAC_BIT_SIZE / 8));
Tag = Binary.ReadBytes(MAC_BIT_SIZE / 8);
}
byte[] AAED = new byte[0];
byte[] DecryptedData = new byte[CipherText.Length];
GcmBlockCipher Cipher = new GcmBlockCipher(new AesEngine());
Cipher.Init(false, new AeadParameters(new KeyParameter(Key), MAC_BIT_SIZE, IV, AAED));
// combine ciphertext + tag
byte[] CipherTextTag = new byte[CipherText.Length + Tag.Length];
System.Buffer.BlockCopy(CipherText, 0, CipherTextTag, 0, CipherText.Length);
System.Buffer.BlockCopy(Tag, 0, CipherTextTag, CipherText.Length, Tag.Length);
int Length = Cipher.ProcessBytes(CipherTextTag, 0, CipherTextTag.Length, DecryptedData, 0);
//int Length = Cipher.ProcessBytes(CipherText, 0, CipherText.Length, DecryptedData, 0);
Cipher.DoFinal(DecryptedData, Length);
return Encoding.UTF8.GetString(DecryptedData);
}
private static byte[] DerivateKey(string Password)
{
using (SHA256 Hash = SHA256.Create())
return Hash.ComputeHash(Encoding.UTF8.GetBytes(Password));
}
}
马可-我很好奇-这是你唯一使用的两种语言吗(PHP和C)?我们已经为GCM(128和256)编写了一些跨语言/库,使用Java、C#、Go、Python、Ruby、C、Openssl、bouncycastle和其他工具,并且没有遇到您遇到的任何问题,但我们处理密钥管理的方式有点不同。我们还没有添加PHP,但与C相比,使用OpenSSL的一些PHP接口有一些不同。您好,首先感谢您的回答。我曾经这样编辑过我的类:但是现在抛出了一个新的异常:Org.bounchycastle.Crypto.InvalidCipherTextException:数据太短调试数据总是一个好主意,您可以比较“BC”使用我发布的解决方案轻松获取数据,以找出哪些数据太短:-)顺便说一句:请编辑您的帖子并从您的pastebin源添加新代码,因为第三方源可能会消失,谢谢。更新。我仍然不知道问题出在哪里。@Marco Concas:请看我编辑的答案:-)这是缺失的部分,是的!只是标签!问题已经解决了。我将使用您提出的更安全的算法编辑密钥派生,并更新答案。感谢您为我和这个社区奉献的时间。您不需要PBKDF2的外部库,请参阅我知道可以避免使用外部库,如果可能的话,我可以避免使用外部库,但Rfc2898DeriveBytes类不支持SHA512。这就是我使用AspNet的NuGet的原因。你检查了我的链接吗?示例是在没有外部库的情况下使用SHA-1、SHA-256和SHA-512运行PBKDF2。这是指向运行示例的联机编译器的链接:@MichaelFehr fixed。非常感谢。我不理解这个问题。抱歉-可能更多的是一种尝试和帮助指出加密库和PBKDF的声明。在我们的项目中,我们使用8种不同的语言和几个不同的加密库(OpenSSL、Bouncy Castle和其他)与GCM 128和256,它们都可以完美地互操作。加密密钥来自HSM,因此不需要PBKDF。我们正在考虑添加PHP支持,但与其他语言(尤其是GCM)相比,OpenSSL API的可用性有所不同。您是否后退一步,尝试simple key/iv(无sha/kdf)以确保其他所有功能都正常工作?我已经解决了问题,所有功能都可以完美安全地工作。请参阅我文章开头的解决方案。
byte[] CipherTextTag = new byte[CipherText.Length + Tag.Length];
System.Buffer.BlockCopy(CipherText, 0, CipherTextTag, 0, CipherText.Length);
System.Buffer.BlockCopy(Tag, 0, CipherTextTag, CipherText.Length, Tag.Length);
int Length = Cipher.ProcessBytes(CipherTextTag, 0, CipherTextTag.Length, DecryptedData, 0);
AES GCM 256 String decryption
* * * Decryption * * *
ciphertext (Base64): aV+gDmSBbi9PjOT9FD8LcuISbEQ5F3q0X8qzf3MKiDzxo12WQVirsnltbApLMMG9JScVfTXx7PJw7EVFoKz8JLMYLMu/JsRGcfvihSK+d/yeRTBEuJHL74Hv2Zr7b4CoMJhEUmYF3KT2Onlj4lI5ChOjmgXvpSev/xc=
plaintext: Neque porro quisquam est qui dolorem ipsum quia dolor sit amet, consectetur, adipisci velit...
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;
using Org.BouncyCastle.Crypto.Engines;
using Org.BouncyCastle.Crypto.Modes;
using Org.BouncyCastle.Crypto.Parameters;
public class Program {
public static void Main() {
Console.WriteLine("AES GCM 256 String decryption");
// decryption
Console.WriteLine("\n* * * Decryption * * *");
string password = "A random password to encrypt";
//generate hash of password # # # this is UNSECURE # # #
string soCiphertextBase64 = "aV+gDmSBbi9PjOT9FD8LcuISbEQ5F3q0X8qzf3MKiDzxo12WQVirsnltbApLMMG9JScVfTXx7PJw7EVFoKz8JLMYLMu/JsRGcfvihSK+d/yeRTBEuJHL74Hv2Zr7b4CoMJhEUmYF3KT2Onlj4lI5ChOjmgXvpSev/xc=";
Console.WriteLine("ciphertext (Base64): " + soCiphertextBase64);
string soDecryptedtextAsk = DecryptString(soCiphertextBase64, password);
Console.WriteLine("plaintext: " + soDecryptedtextAsk);
}
static string DecryptString(string EncryptedString, string Password)
{
const int MAC_BIT_SIZE = 128;
const int NONCE_BIT_SIZE = 96;
if (string.IsNullOrEmpty(EncryptedString))
return string.Empty;
byte[] EncryptedData = Convert.FromBase64String(EncryptedString);
byte[] Key = DerivateKey(Password);
byte[] IV;
byte[] CipherText;
byte[] Tag;
using (MemoryStream MStream = new MemoryStream(EncryptedData))
using (BinaryReader Binary = new BinaryReader(MStream))
{
IV = Binary.ReadBytes(NONCE_BIT_SIZE / 8);
CipherText = Binary.ReadBytes(EncryptedData.Length - IV.Length - (MAC_BIT_SIZE / 8));
Tag = Binary.ReadBytes(MAC_BIT_SIZE / 8);
}
byte[] AAED = new byte[0];
byte[] DecryptedData = new byte[CipherText.Length];
GcmBlockCipher Cipher = new GcmBlockCipher(new AesEngine());
Cipher.Init(false, new AeadParameters(new KeyParameter(Key), MAC_BIT_SIZE, IV, AAED));
// combine ciphertext + tag
byte[] CipherTextTag = new byte[CipherText.Length + Tag.Length];
System.Buffer.BlockCopy(CipherText, 0, CipherTextTag, 0, CipherText.Length);
System.Buffer.BlockCopy(Tag, 0, CipherTextTag, CipherText.Length, Tag.Length);
int Length = Cipher.ProcessBytes(CipherTextTag, 0, CipherTextTag.Length, DecryptedData, 0);
//int Length = Cipher.ProcessBytes(CipherText, 0, CipherText.Length, DecryptedData, 0);
Cipher.DoFinal(DecryptedData, Length);
return Encoding.UTF8.GetString(DecryptedData);
}
private static byte[] DerivateKey(string Password)
{
using (SHA256 Hash = SHA256.Create())
return Hash.ComputeHash(Encoding.UTF8.GetBytes(Password));
}
}