将我的加密库从Mcrypt升级到OpenSSL
乜安志
问题内容:
问题答案:
我正在使用以下通常引用的库进行加密。我想将其从Mcrypt升级到OpenSSL,以便不再使用不推荐使用的库。
<?php
namespace Utilities\Encryption;
/**
* A class to handle secure encryption and decryption of arbitrary data
*
* Note that this is not just straight encryption. It also has a few other
* features in it to make the encrypted data far more secure. Note that any
* other implementations used to decrypt data will have to do the same exact
* operations.
*
* Security Benefits:
*
* - Uses Key stretching
* - Hides the Initialization Vector
* - Does HMAC verification of source data
*
*/
class Encryption {
/**
* @var string $cipher The mcrypt cipher to use for this instance
*/
protected $cipher = '';
/**
* @var int $mode The mcrypt cipher mode to use
*/
protected $mode = '';
/**
* @var int $rounds The number of rounds to feed into PBKDF2 for key generation
*/
protected $rounds = 100;
/**
* Constructor!
*
* @param string $cipher The MCRYPT_* cypher to use for this instance
* @param int $mode The MCRYPT_MODE_* mode to use for this instance
* @param int $rounds The number of PBKDF2 rounds to do on the key
*/
public function __construct($cipher, $mode, $rounds = 100) {
$this->cipher = $cipher;
$this->mode = $mode;
$this->rounds = (int) $rounds;
}
/**
* Decrypt the data with the provided key
*
* @param string $data The encrypted datat to decrypt
* @param string $key The key to use for decryption
*
* @returns string|false The returned string if decryption is successful
* false if it is not
*/
public function decrypt($data, $key) {
$salt = substr($data, 0, 128);
$enc = substr($data, 128, -64);
$mac = substr($data, -64);
list ($cipherKey, $macKey, $iv) = $this->getKeys($salt, $key);
if ($mac !== hash_hmac('sha512', $enc, $macKey, true)) {
return false;
}
$dec = mcrypt_decrypt($this->cipher, $cipherKey, $enc, $this->mode, $iv);
$data = $this->unpad($dec);
return $data;
}
/**
* Encrypt the supplied data using the supplied key
*
* @param string $data The data to encrypt
* @param string $key The key to encrypt with
*
* @returns string The encrypted data
*/
public function encrypt($data, $key) {
$salt = mcrypt_create_iv(128, MCRYPT_DEV_URANDOM);
list ($cipherKey, $macKey, $iv) = $this->getKeys($salt, $key);
$data = $this->pad($data);
$enc = mcrypt_encrypt($this->cipher, $cipherKey, $data, $this->mode, $iv);
$mac = hash_hmac('sha512', $enc, $macKey, true);
return $salt . $enc . $mac;
}
/**
* Generates a set of keys given a random salt and a master key
*
* @param string $salt A random string to change the keys each encryption
* @param string $key The supplied key to encrypt with
*
* @returns array An array of keys (a cipher key, a mac key, and a IV)
*/
protected function getKeys($salt, $key) {
$ivSize = mcrypt_get_iv_size($this->cipher, $this->mode);
$keySize = mcrypt_get_key_size($this->cipher, $this->mode);
$length = 2 * $keySize + $ivSize;
$key = $this->pbkdf2('sha512', $key, $salt, $this->rounds, $length);
$cipherKey = substr($key, 0, $keySize);
$macKey = substr($key, $keySize, $keySize);
$iv = substr($key, 2 * $keySize);
return array($cipherKey, $macKey, $iv);
}
/**
* Stretch the key using the PBKDF2 algorithm
*
* @see http://en.wikipedia.org/wiki/PBKDF2
*
* @param string $algo The algorithm to use
* @param string $key The key to stretch
* @param string $salt A random salt
* @param int $rounds The number of rounds to derive
* @param int $length The length of the output key
*
* @returns string The derived key.
*/
protected function pbkdf2($algo, $key, $salt, $rounds, $length) {
$size = strlen(hash($algo, '', true));
$len = ceil($length / $size);
$result = '';
for ($i = 1; $i <= $len; $i++) {
$tmp = hash_hmac($algo, $salt . pack('N', $i), $key, true);
$res = $tmp;
for ($j = 1; $j < $rounds; $j++) {
$tmp = hash_hmac($algo, $tmp, $key, true);
$res ^= $tmp;
}
$result .= $res;
}
return substr($result, 0, $length);
}
protected function pad($data) {
$length = mcrypt_get_block_size($this->cipher, $this->mode);
$padAmount = $length - strlen($data) % $length;
if ($padAmount == 0) {
$padAmount = $length;
}
return $data . str_repeat(chr($padAmount), $padAmount);
}
protected function unpad($data) {
$length = mcrypt_get_block_size($this->cipher, $this->mode);
$last = ord($data[strlen($data) - 1]);
if ($last > $length) return false;
if (substr($data, -1 * $last) !== str_repeat(chr($last), $last)) {
return false;
}
return substr($data, 0, -1 * $last);
}
}
更新:我一直在尝试通过将库转换为OpenSSL来解密使用OpenSSL使用Mcrypt加密的字符串。
然后,我使用上面的代码使用密钥对字符串加密,并尝试使用下面的代码和相同的密钥解密该值。但是我只是得到一个空白的答复。如果我注释掉:
$ data = $ this-> unpad($ dec)
在解密函数中,我得到了一个字符串,但它只是混杂字符(很像第一次加密时的样子。)
<?php
namespace Utilities\Encryption;
/**
* A class to handle secure encryption and decryption of arbitrary data
*
* Note that this is not just straight encryption. It also has a few other
* features in it to make the encrypted data far more secure. Note that any
* other implementations used to decrypt data will have to do the same exact
* operations.
*
* Security Benefits:
*
* - Uses Key stretching
* - Hides the Initialization Vector
* - Does HMAC verification of source data
*
*/
class EncryptionOpenSsl {
/**
* @var string $cipher The mcrypt cipher to use for this instance
*/
protected $cipher = '';
/**
* @var int $mode The mcrypt cipher mode to use
*/
protected $mode = '';
/**
* @var int $rounds The number of rounds to feed into PBKDF2 for key generation
*/
protected $rounds = 100;
/**
* Constructor!
*
* @param string $cipher The MCRYPT_* cypher to use for this instance
* @param int $mode The MCRYPT_MODE_* mode to use for this instance
* @param int $rounds The number of PBKDF2 rounds to do on the key
*/
public function __construct($cipher, $rounds = 100) {
$this->cipher = $cipher;
// $this->mode = MCRYPT_MODE_CBC;
$this->rounds = (int) $rounds;
}
/**
* Decrypt the data with the provided key
*
* @param string $data The encrypted datat to decrypt
* @param string $key The key to use for decryption
*
* @returns string|false The returned string if decryption is successful
* false if it is not
*/
public function decrypt($data, $key) {
$salt = substr($data, 0, 128);
$enc = substr($data, 128, -64);
$mac = substr($data, -64);
list ($cipherKey, $macKey, $iv) = $this->getKeys($salt, $key);
if ($mac !== hash_hmac('sha512', $enc, $macKey, true)) {
return false;
}
$dec = openssl_decrypt($enc, $this->cipher, $key, OPENSSL_RAW_DATA, $iv);
// $dec = mcrypt_decrypt($this->cipher, $cipherKey, $enc, $this->mode, $iv);
$data = $this->unpad($dec);
return $data;
}
/**
* Encrypt the supplied data using the supplied key
*
* @param string $data The data to encrypt
* @param string $key The key to encrypt with
*
* @returns string The encrypted data
*/
public function encrypt($data, $key) {
$salt = mcrypt_create_iv(128, MCRYPT_DEV_URANDOM);
list ($cipherKey, $macKey, $iv) = $this->getKeys($salt, $key);
$data = $this->pad($data);
$enc = mcrypt_encrypt($this->cipher, $cipherKey, $data, $this->mode, $iv);
$mac = hash_hmac('sha512', $enc, $macKey, true);
return $salt . $enc . $mac;
}
/**
* Generates a set of keys given a random salt and a master key
*
* @param string $salt A random string to change the keys each encryption
* @param string $key The supplied key to encrypt with
*
* @returns array An array of keys (a cipher key, a mac key, and a IV)
*/
protected function getKeys($salt, $key) {
$ivSize = mcrypt_get_iv_size(MCRYPT_BLOWFISH, MCRYPT_MODE_CBC);
$keySize = mcrypt_get_key_size(MCRYPT_BLOWFISH, MCRYPT_MODE_CBC);
$length = 2 * $keySize + $ivSize;
$key = $this->pbkdf2('sha512', $key, $salt, $this->rounds, $length);
$cipherKey = substr($key, 0, $keySize);
$macKey = substr($key, $keySize, $keySize);
$iv = substr($key, 2 * $keySize);
return array($cipherKey, $macKey, $iv);
}
/**
* Stretch the key using the PBKDF2 algorithm
*
* @see http://en.wikipedia.org/wiki/PBKDF2
*
* @param string $algo The algorithm to use
* @param string $key The key to stretch
* @param string $salt A random salt
* @param int $rounds The number of rounds to derive
* @param int $length The length of the output key
*
* @returns string The derived key.
*/
protected function pbkdf2($algo, $key, $salt, $rounds, $length) {
$size = strlen(hash($algo, '', true));
$len = ceil($length / $size);
$result = '';
for ($i = 1; $i <= $len; $i++) {
$tmp = hash_hmac($algo, $salt . pack('N', $i), $key, true);
$res = $tmp;
for ($j = 1; $j < $rounds; $j++) {
$tmp = hash_hmac($algo, $tmp, $key, true);
$res ^= $tmp;
}
$result .= $res;
}
return substr($result, 0, $length);
}
protected function pad($data) {
$length = mcrypt_get_block_size(MCRYPT_BLOWFISH, MCRYPT_MODE_CBC);
$padAmount = $length - strlen($data) % $length;
if ($padAmount == 0) {
$padAmount = $length;
}
return $data . str_repeat(chr($padAmount), $padAmount);
}
protected function unpad($data) {
$length = mcrypt_get_block_size(MCRYPT_BLOWFISH, MCRYPT_MODE_CBC);
$last = ord($data[strlen($data) - 1]);
if ($last > $length) return false;
if (substr($data, -1 * $last) !== str_repeat(chr($last), $last)) {
return false;
}
return substr($data, 0, -1 * $last);
}
}
问题答案:
解密程序的以下代码对我有用:
public function decrypt($data, $key) {
$salt = substr($data, 0, 128);
$enc = substr($data, 128, -64);
$mac = substr($data, -64);
list ($cipherKey, $macKey, $iv) = $this->getKeys($salt, $key);
if ($mac !== hash_hmac('sha512', $enc, $macKey, true)) {
return false;
}
$dec = openssl_decrypt($enc, $this->cipher, $cipherKey, OPENSSL_RAW_DATA, $iv);
return $dec;
}
测试:
$keys = [
'this is a secret key.',
'G906m70p(IhzA5T&5x7(w0%a631)u)%D6E79cIYJQ!iP2U(xT13q6)tJ6gZ3D2wi&0")7cP5',
chr(6) . chr(200) . chr(16) . 'my key ' . chr(3) . chr(4) . chr(192) . chr(254) . ' zyx0987!!',
'and finally one more key to test with here:',
];
$data = [
'A',
'This is a test',
'now test encrypting something a little bit longer with 1234567890.',
'$length = mcrypt_get_block_size(MCRYPT_BLOWFISH, MCRYPT_MODE_CBC); $last = ord($data[strlen($data) - 1]);',
'Lorem ipsum dolor sit amet, consectetur adipiscing elit. Donec sit amet pharetra urna. Vestibulum ante ipsum primis in faucibus orci luctus et ultrices posuere cubilia Curae; Ut fringilla, quam sed eleifend eleifend, justo turpis consectetur tellus, quis tristique eros erat at nibh. Nunc dictum neque vel diam molestie fermentum. Pellentesque dignissim dui quis tortor eleifend, ut maximus elit egestas. Donec posuere odio et auctor porta. Quisque placerat condimentum maximus. Curabitur luctus dolor eget sem luctus, in dignissim tortor venenatis. Mauris eget nulla nisl.',
];
$failures = 0;
foreach ($data as $datum) {
foreach ($keys as $key) {
$enc = new Encryption(MCRYPT_BLOWFISH, MCRYPT_MODE_CBC);
$encrypted = $enc->encrypt($datum, $key);
$dec = new EncryptionOpenSsl('bf-cbc');
$decrypted = $dec->decrypt($encrypted, $key);
if (strcmp($datum, $decrypted) !== 0) {
echo "Encryption with key '$key' of '$datum' failed. '$decrypted' != '$datum'<br><br>\n\n";
$failures++;
}
}
}
if ($failures) {
echo "$failures tests failed.<br>\n";
} else {
echo "ALL OKAY<br>\n";
}
如果您可以确定它也适用,那么我可以整理答案并添加最终的工作代码。
类似资料:
-
我正在使用下面常用的库进行加密。我想从Mcrypt将其升级到OpenSSL,这样我就不再使用已弃用的库。 我试图找出这是否可能。我对此做了一些研究,但我发现了相互矛盾的信息: 这篇文章说不可能用OpenSSL解密用Mcrypt加密的数据。https://stackoverflow.com/a/19748494/5834657 但是,这篇文章说可以使用填充。我的函数似乎使用了填充。这是使其工作所需的
-
我有一个收集数据的表单,然后提交给SagePay,传递数据。在我们需要更新到PHP 7.2之前,这一直工作得很好,由于不再支持mcrypt,我们正在切换到OpenSSL。 收集数据的表单工作正常,但是传输数据不加密,交易失败。 函数文件中的代码: $crypt数据在mcrypt版本中一样在隐藏字段中发送,我只需要一些帮助即可使加密正常工作。 前情提要。 这是我做的第一个OpenSSL加密,如果有任
-
在我将我的系统从Ubuntu 13.04升级到13.10之后,apache、mysql和php配置出现了几个问题。 我解决了大部分问题,但我似乎无法让mCrypt库正常工作。软件包已安装,因此我不需要获取它。服务器工作正常,一切正常,但当我尝试使用Laravel4运行时,我得到一条消息,需要mCrypt。 我做了,输出是我尝试把到但是它没有工作。 有什么想法吗?
-
我正在将我的django项目从1.8升级到2.2.0(使用virtualenv中的Python 3.6)。我做了以下更改。 将on_delete添加到所有外键字段 将url反向导入更改为来自django。URL反向导入 在所有应用程序的url文件中包含路径/re_path而不是url 将设置文件中的MIDDLEWARE_CLASSES导入更改为MIDDLEWARE={} 我试图运行服务器,但它仍然
-
我面临的问题与更新facebook SDK从4.7到4.35 实现'com。脸谱网。android:facebook android sdk:4.35.0' 错误输出为 无法复制C:\用户\泰\下载\项目\karufx-android-更新\app\构建\中间体\转换\desugar\调试\138.jar备份文件夹,构建将继续,但下次修改此文件时将导致冷交换。 和 意外输入:ImmutableJa
-
当我将Umbraco 4.11.6升级到4.11.9时,我遇到了一个问题。我将/bin、/install、/umbraco、/umbraco_client文件夹从umbraco4.11.9复制到umbraco4.11.6进行升级(在此输入链接描述)。 输入不是有效的Base-64字符串,因为它包含非Base-64字符、两个以上填充字符或填充字符中的非法字符。 在执行当前web请求期间生成了未处理的