Php 使用trim()和#x27;s
我无法解密以%3D%3D结尾的值。解密后,我得到一个完全难以辨认的返回值。加密的值通过querystring传递,但我已经运行了一个循环测试,通过值0到200来排除url编码的问题 加密和解密功能:Php 使用trim()和#x27;s,php,encryption,Php,Encryption,我无法解密以%3D%3D结尾的值。解密后,我得到一个完全难以辨认的返回值。加密的值通过querystring传递,但我已经运行了一个循环测试,通过值0到200来排除url编码的问题 加密和解密功能: function encryptValue($encrypt) { $key = variable_get_local("privateKey", $default = ""); $iv = mcrypt_create_iv(mcrypt_get_iv_size(MCRYPT_RIJ
function encryptValue($encrypt) {
$key = variable_get_local("privateKey", $default = "");
$iv = mcrypt_create_iv(mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_ECB), MCRYPT_RAND);
$passcrypt = trim(mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $key, trim($encrypt), MCRYPT_MODE_ECB, $iv));
$encode = urlencode(base64_encode($passcrypt));
return $encode;
}
function decryptValue($decrypt) {
$key = variable_get_local("privateKey", $default = "");
$decoded = base64_decode(urldecode($decrypt));
$iv = mcrypt_create_iv(mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_ECB), MCRYPT_RAND);
$decrypted = trim(mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $key, trim($decoded), MCRYPT_MODE_ECB, $iv));
return $decrypted;
}
我尝试在加密和解密过程中保持iv值相同,但这不会改变输出。我还尝试删除了trim($decoded)
周围的trim()
,但这也没有改变任何事情
下面是我用来确定问题的内容。在0和200之间,加密将产生以%3D%3D结尾的值9次,并导致解密失败
for($i=0;$i<200;$i++) {
echo encryptValue($i) . "<br/>";
echo decryptValue(encryptValue($i)) . "<br/><hr/>";
}
对于($i=0;$i您的问题在于所有不应使用的trim
功能。您不修剪编码数据,因为数据将被删除,正如您所注意到的,这可能对密钥至关重要
它的工作原理如下:
function encryptValue($encrypt) {
$key = variable_get_local("privateKey", $default = "");
$iv = mcrypt_create_iv(mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_ECB), MCRYPT_RAND);
$passcrypt = mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $key, trim($encrypt), MCRYPT_MODE_ECB, $iv);
$encode = urlencode(base64_encode($passcrypt));
return $encode;
}
function decryptValue($decrypt) {
$key = variable_get_local("privateKey", $default = "");
$decoded = base64_decode(urldecode($decrypt));
$iv = mcrypt_create_iv(mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_ECB), MCRYPT_RAND);
$decrypted = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $key, $decoded, MCRYPT_MODE_ECB, $iv);
return $decrypted;
}
以下是当前脚本中的一些观察结果:
- ECB模式不安全,请改用CBC
MCRYPT\u-RAND
与RAND
相同,请参见使用MCRYPT\u-DEV\u-uradom
- 为了获得更好的安全性,请使用加密+身份验证,使用
HMAC
来防止oracle填充攻击
- 如果您不是安全专家,请使用适当的测试库
Zend\Crypt
,而不是创建自己的库
示例:
// Encription Key
$encryptionKey = mcrypt_create_iv(16, MCRYPT_DEV_URANDOM); // Stored securely
// Signature Key
$signatureKey = mcrypt_create_iv(16, MCRYPT_DEV_URANDOM); // Stored securely
// Start DataEncryption Object
$obj = new DataEncryption($encryptionKey, $signatureKey);
$obj->setEncoding(DataEncryption::ENCODE_BASE64);
// Test
for($i = 0; $i < 200; $i ++) {
printf("%s = %s\n", $encode = $obj->encrypt($i), $obj->decrypt($encode));
}
class DataEncryption {
private $keyEncryption;
private $keySignature;
private $ivSize;
private $cipher = MCRYPT_RIJNDAEL_128;
private $mode = MCRYPT_MODE_CBC;
private $signatureLength = 10;
private $encoding = 2; // I prefer hex
const ENCODE_BASE64 = 1;
const ENCODE_HEX = 2;
function __construct($encryptionKey = null, $signatureKey = null) {
// Set Keys
$this->keyEncryption = empty($encryptionKey) ? mcrypt_create_iv(32, MCRYPT_DEV_URANDOM) : $encryptionKey;
$this->keySignature = empty($signatureKey) ? mcrypt_create_iv(32, MCRYPT_DEV_URANDOM) : $signatureKey;
// Get IV Size
$this->ivSize = mcrypt_get_iv_size($this->cipher, $this->mode);
}
public function getKeys() {
return array(
"encryption" => $this->keyEncryption,
"signature" => $this->keySignature
);
}
public function setMode($mode) {
$this->mode = $mode;
}
public function setCipher($cipher) {
$this->cipher = $cipher;
}
public function setEncoding($encode) {
$this->encoding = $encode;
}
public function encrypt($data) {
// add PKCS7 padding to data
$block = mcrypt_get_block_size($this->cipher, $this->mode);
$pad = $block - (strlen($data) % $block);
$data .= str_repeat(chr($pad), $pad);
$iv = $this->rand($this->ivSize);
$cipherData = mcrypt_encrypt($this->cipher, $this->keyEncryption, $data, $this->mode, $iv);
$finalData = $iv . $cipherData;
// protected against padding oracle attacks
$finalData = $this->sign($finalData) . $finalData;
return $this->encode($finalData);
}
public function decrypt($data) {
$data = $this->decode($data);
// Check Integrity
if (! $this->check($data)) {
return false;
}
$data = substr($data, $this->signatureLength);
// Break Data
$iv = substr($data, 0, $this->ivSize);
$cipherData = substr($data, $this->ivSize);
$data = mcrypt_decrypt($this->cipher, $this->keyEncryption, $cipherData, $this->mode, $iv);
// Remove PKCS7 padding
$block = mcrypt_get_block_size($this->cipher, $this->mode);
$pad = ord($data[($len = strlen($data)) - 1]);
// $data = rtrim($data, "\0..\32");
return substr($data, 0, $len - $pad);
}
public function encode($data) {
return $this->encoding === self::ENCODE_BASE64 ? base64_encode($data) : bin2hex($data);
}
public function decode($data) {
return $this->encoding === self::ENCODE_BASE64 ? base64_decode($data) : pack("H*", $data);
}
public function sign($data) {
$hash = hash_hmac('sha256', $data, $this->keySignature, true);
return substr($hash, 0, $this->signatureLength);
}
public function check($data) {
$signature = substr($data, 0, $this->signatureLength);
$data = substr($data, $this->signatureLength);
$hash = hash_hmac('sha256', $data, $this->keySignature, true);
// return $signature === substr($hash, 0, $this->signatureLength);
return $this->compare($signature, substr($hash, 0, $this->signatureLength));
}
public function rand($no) {
return mcrypt_create_iv($no, MCRYPT_DEV_URANDOM);
}
/**
* Prevent Timing Attacks
* @param string $a
* @param string $b
* @return boolean
*/
public function compare($a, $b) {
if (strlen($a) !== strlen($b)) {
return false;
}
$result = 0;
for($i = 0; $i < strlen($a); $i ++) {
$result |= ord($a[$i]) ^ ord($b[$i]);
}
return $result == 0;
}
}
使用的类
// Encription Key
$encryptionKey = mcrypt_create_iv(16, MCRYPT_DEV_URANDOM); // Stored securely
// Signature Key
$signatureKey = mcrypt_create_iv(16, MCRYPT_DEV_URANDOM); // Stored securely
// Start DataEncryption Object
$obj = new DataEncryption($encryptionKey, $signatureKey);
$obj->setEncoding(DataEncryption::ENCODE_BASE64);
// Test
for($i = 0; $i < 200; $i ++) {
printf("%s = %s\n", $encode = $obj->encrypt($i), $obj->decrypt($encode));
}
class DataEncryption {
private $keyEncryption;
private $keySignature;
private $ivSize;
private $cipher = MCRYPT_RIJNDAEL_128;
private $mode = MCRYPT_MODE_CBC;
private $signatureLength = 10;
private $encoding = 2; // I prefer hex
const ENCODE_BASE64 = 1;
const ENCODE_HEX = 2;
function __construct($encryptionKey = null, $signatureKey = null) {
// Set Keys
$this->keyEncryption = empty($encryptionKey) ? mcrypt_create_iv(32, MCRYPT_DEV_URANDOM) : $encryptionKey;
$this->keySignature = empty($signatureKey) ? mcrypt_create_iv(32, MCRYPT_DEV_URANDOM) : $signatureKey;
// Get IV Size
$this->ivSize = mcrypt_get_iv_size($this->cipher, $this->mode);
}
public function getKeys() {
return array(
"encryption" => $this->keyEncryption,
"signature" => $this->keySignature
);
}
public function setMode($mode) {
$this->mode = $mode;
}
public function setCipher($cipher) {
$this->cipher = $cipher;
}
public function setEncoding($encode) {
$this->encoding = $encode;
}
public function encrypt($data) {
// add PKCS7 padding to data
$block = mcrypt_get_block_size($this->cipher, $this->mode);
$pad = $block - (strlen($data) % $block);
$data .= str_repeat(chr($pad), $pad);
$iv = $this->rand($this->ivSize);
$cipherData = mcrypt_encrypt($this->cipher, $this->keyEncryption, $data, $this->mode, $iv);
$finalData = $iv . $cipherData;
// protected against padding oracle attacks
$finalData = $this->sign($finalData) . $finalData;
return $this->encode($finalData);
}
public function decrypt($data) {
$data = $this->decode($data);
// Check Integrity
if (! $this->check($data)) {
return false;
}
$data = substr($data, $this->signatureLength);
// Break Data
$iv = substr($data, 0, $this->ivSize);
$cipherData = substr($data, $this->ivSize);
$data = mcrypt_decrypt($this->cipher, $this->keyEncryption, $cipherData, $this->mode, $iv);
// Remove PKCS7 padding
$block = mcrypt_get_block_size($this->cipher, $this->mode);
$pad = ord($data[($len = strlen($data)) - 1]);
// $data = rtrim($data, "\0..\32");
return substr($data, 0, $len - $pad);
}
public function encode($data) {
return $this->encoding === self::ENCODE_BASE64 ? base64_encode($data) : bin2hex($data);
}
public function decode($data) {
return $this->encoding === self::ENCODE_BASE64 ? base64_decode($data) : pack("H*", $data);
}
public function sign($data) {
$hash = hash_hmac('sha256', $data, $this->keySignature, true);
return substr($hash, 0, $this->signatureLength);
}
public function check($data) {
$signature = substr($data, 0, $this->signatureLength);
$data = substr($data, $this->signatureLength);
$hash = hash_hmac('sha256', $data, $this->keySignature, true);
// return $signature === substr($hash, 0, $this->signatureLength);
return $this->compare($signature, substr($hash, 0, $this->signatureLength));
}
public function rand($no) {
return mcrypt_create_iv($no, MCRYPT_DEV_URANDOM);
}
/**
* Prevent Timing Attacks
* @param string $a
* @param string $b
* @return boolean
*/
public function compare($a, $b) {
if (strlen($a) !== strlen($b)) {
return false;
}
$result = 0;
for($i = 0; $i < strlen($a); $i ++) {
$result |= ord($a[$i]) ^ ord($b[$i]);
}
return $result == 0;
}
}
类数据加密{
私钥加密;
私人签名;
私人的$ivSize;
private$cipher=MCRYPT_RIJNDAEL_128;
private$mode=MCRYPT\u mode\u CBC;
私人$signatureLength=10;
private$encoding=2;//我更喜欢十六进制
const ENCODE_BASE64=1;
const ENCODE_HEX=2;
函数构造($encryptionKey=null,$signatureKey=null){
//设置关键点
$this->keyEncryption=empty($encryptionKey)?mcrypt_create_iv(32,mcrypt_DEV_uradom):$encryptionKey;
$this->keySignature=empty($signatureKey)?mcrypt_create_iv(32,mcrypt_DEV_uradom):$signatureKey;
//静脉注射
$this->ivSize=mcrypt\u get\u iv\u size($this->cipher,$this->mode);
}
公共函数getKeys(){
返回数组(
“加密”=>this->keyEncryption,
“签名”=>this->keySignature
);
}
公共函数setMode($mode){
$this->mode=$mode;
}
公共函数setCipher($cipher){
$this->cipher=$cipher;
}
公共函数setEncoding($encode){
$this->encoding=$encode;
}
公共函数加密($data){
//将PKCS7填充添加到数据
$block=mcrypt\u get\u block\u size($this->cipher,$this->mode);
$pad=$block-(strlen($data)%$block);
$data.=str_重复(chr($pad),$pad);
$iv=$this->rand($this->ivSize);
$cipherData=mcrypt_encrypt($this->cipher,$this->keyEncryption,$data,$this->mode,$iv);
$finalData=$iv.$cipherData;
//防止oracle攻击
$finalData=$this->sign($finalData)。$finalData;
返回$this->encode($finalData);
}
公共函数解密($data){
$data=$this->decode($data);
//检查完整性
如果(!$this->检查($data)){
返回false;
}
$data=substr($data,$this->signatureLength);
//中断数据
$iv=substr($data,0,$this->ivSize);
$cipherData=substr($data,$this->ivSize);
$data=mcrypt_decrypt($this->cipher,$this->keyecryption,$cipherData,$this->mode,$iv);
//拆下PKCS7衬垫
$block=mcrypt\u get\u block\u size($this->cipher,$this->mode);
$pad=ord($data[($len=strlen($data))-1]);
//$data=rtrim($data,“\0..\32”);
返回substr($data,0,$len-$pad);
}
公共函数编码($data){
返回$this->encoding==self::ENCODE_BASE64?BASE64_ENCODE($data):bin2hex($data);
}
公共函数解码($data){
返回$this->encoding===self::ENCODE_BASE64?BASE64_decode($data):pack(“H*”,$data);
}
公共功能标志($data){
$hash=hash_hmac('sha256',$data,$this->keySignature,true);
返回substr($hash,0,$this->signatureLength);
}
公共功能检查($data){
$signature=substr($data,0,$this->signatureLength);
$data=substr($data,$this->signatureLength);
$hash=hash_hmac('sha256',$data,$this->keySignature,true);
//返回$signature==substr($hash,0,$this->signatureLength);
返回$this->compare($signature,substr($hash,0,$this->signatureLength));
}
公共职能兰特($no){
返回mcrypt_create_iv($no,mcrypt_DEV_uradom);
}
/**
*防止定时攻击
*@param string$a
*@param字符串$b
*@返回布尔值
*/
公共职能比较($a$b){
if(strlen($a)!==strlen($b)){
返回false;
}
$result=0;
对于($i=0;$i
难道你没有忘记url解码吗?查询字符串中的值被正确地url解码了。我将其与加密函数的直接输出进行了比较,两个值都是相同的。url编码时两个字符串也是相同的。使用IV
和ECB编码
,使用ECB
I显然是错误的首先,使用CBC
@kwe:那么不要使用加密。如果你不理解它(或不熟悉它),就不要使用它。故事结束。使用一个库(比如Zend\Crypt)。但是按照你自己的方式去做是危险的,会留下错误的安全感……删除t