douju8113 2013-06-06 00:42
浏览 37

添加加密方法?

Encryption is a topic that I have literally no experience with whatsoever until I actually learn about it at University next year (excluding basic knowledge of simple cyphers). I'll hopefully understand them better in the future, but for now I'd just llike to implement them into my apps without knowing the inner details.

Scenario

I'm trying to secure one of my PHP/NodeJS apps by adding encryption to it. I'm doing this so I can share data between NodeJS and PHP in a secure manner.

PHP server -> Needs to be able to encrypt and decrypt data

NodeJS server -> Only needs to be able to decrypt data

Possible solutions

I've spent hours searching for a decent solution to my problem. I've tried many code samples, but this seems to be the best code sample that I've come across and tested so far.

As you can see from the code, decryption methods have been built for both NodeJs and PHP. Both appear to work very well so far from what I've tested. That's half of my problem solved already. :-)

What I'm trying to do now, is figure our how to implement an encryption function with PHP code. I've tried this:

print "Encrypted: " . base64_encode(openssl_encrypt("Hello world", 'aes-256-cbc', $password));

but I get the output of: aUZaNnFlWWV5M0dObTE1U3pxMENwdz09 when I should in fact be getting the value of edata as output: U2FsdGVkX18M7K+pELP06c4d5gz7kLM1CcqJBbubW/Q=

Does anyone know why this output is different? I'm obviously doing something wrong, but I just can't figure out what I should be doing as there is so much going on in that PHP code... If someone could give me a little guidance that would be great. Thanks!

  • 写回答

1条回答 默认 最新

  • douzhi2012 2018-11-01 22:20
    关注

    but I get the output of: aUZaNnFlWWV5M0dObTE1U3pxMENwdz09 when I should in fact be getting the value of edata as output: U2FsdGVkX18M7K+pELP06c4d5gz7kLM1CcqJBbubW/Q=

    There are two things to keep in mind:

    1. Unless you specify OPENSSL_RAW_DATA, openssl_encrypt() will automatically base64 encode the output for you, so the second output is double-encoded.

    2. The Node.js snippet you linked above does some funky stuff to generate a key and IV, and your PHP snippet doesn't do this at all.

      var rounds = 3;
var data00 = password + salt;

console.log("Data00 (Base64): " + new Buffer(data00, "binary").toString("base64"));

md5_hash = new Array();
md5_hash[0] = crypto.createHash("md5").update(data00).digest("binary");

var result = md5_hash[0];
console.log("MD5-Hash[0] (Base64): " + new Buffer(result, "binary").toString("base64"));

for (i = 1; i < rounds; i++) {
    md5_hash[i] = crypto.createHash("md5").update(md5_hash[i - 1] + data00).digest("binary");
    result += md5_hash[i];
    console.log("Result (Base64): " + new Buffer(result, "binary").toString("base64"));
}

      Conversely, your PHP snippet uses a naked $password variable and doesn't pass an IV at all, which generates an error:

      php > $password = 'password';
php > echo base64_encode(openssl_encrypt("Hello world", 'aes-256-cbc', $password));
PHP Warning:  openssl_encrypt(): Using an empty Initialization Vector (iv) is potentially insecure and not recommended in php shell code on line 1
NlpwenNFNCtJYjhjOWNIYkNHazZCZz09

    So those are your immediate sources of failure:

    • Your key is different.
    • The Node.js snippet uses an IV, you do not. You need an IV for AES-CBC.

    But also: AES-CBC is not secure by itself. See this answer for what to do instead.

    评论

报告相同问题?

悬赏问题

  • ¥15 有了解d3和topogram.js库的吗?有偿请教
  • ¥100 任意维数的K均值聚类
  • ¥15 stamps做sbas-insar,时序沉降图怎么画
  • ¥15 unity第一人称射击小游戏,有demo,在原脚本的基础上进行修改以达到要求
  • ¥15 买了个传感器,根据商家发的代码和步骤使用但是代码报错了不会改,有没有人可以看看
  • ¥15 关于#Java#的问题,如何解决?
  • ¥15 加热介质是液体,换热器壳侧导热系数和总的导热系数怎么算
  • ¥100 嵌入式系统基于PIC16F882和热敏电阻的数字温度计
  • ¥15 cmd cl 0x000007b
  • ¥20 BAPI_PR_CHANGE how to add account assignment information for service line