mcrypt似乎不是100%可逆的
[英]mcrypt seem to be not 100% reversible
问题描述
I've 336 'Client' in my database 
我的数据库中有336个“客户”
I tried this code to encrypt and then decrypt some data 我尝试使用此代码encrypt然后decrypt一些数据
The esit is: Right: 323 - Wrong: 13 本质是:正确:323-错误:13
What's the reason because mcrypt is not fully reversible ? 是什么原因导致mcrypt不完全可逆?
EDIT: Please don't try to change the nature of the problem, ask to my question or I'll downvote your answers. 编辑:请不要尝试更改问题的性质,询问我的问题,否则我将投票否决您的答案。 The problem it's this algorithm seems to be not 100% reversible and this is the problem, THE PROBLEM IS NOT WHY I'M USING IT 这个算法的问题似乎不是100%可逆的,这就是问题,不是我要使用它的问题
$wrong = $right = 0;
foreach ($clients as $c) {
$string_to_encode = trim($c->first_field . ":::" . $c->last_field);
$mc_key = Yii::app()->params["rijndael_key"];
$iv_size = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_ECB);
$iv_1 = mcrypt_create_iv($iv_size, MCRYPT_RAND);
$crypt = trim(mcrypt_encrypt(
MCRYPT_RIJNDAEL_256,
$mc_key,
$string_to_encode,
MCRYPT_MODE_ECB,
$iv_1));
$token = urlencode(base64_encode($crypt));
$string_to_decode = base64_decode(urldecode($token));
$string_decoded = trim(mcrypt_decrypt(
MCRYPT_RIJNDAEL_256,
$mc_key,
$string_to_decode,
MCRYPT_MODE_ECB,
$iv_1));
if ($string_to_encode != $string_decoded) {
echo $string_to_encode . PHP_EOL;
echo "***** ERROR ! ***** " . PHP_EOL;
echo $string_to_encode . PHP_EOL;
echo $string_decoded . PHP_EOL;
$wrong ++;
} else {
$right ++;
}
}
echo "Right $right - Wrong $wrong" . PHP_EOL;
An exmple of differences from plain and decoded string [please note that I changed login name .... ] 与纯字符串和解码后的字符串有一些差异[请注意,我更改了登录名....]
customer.email@alice.it:::11734
customer.email@alice.it:::11z͉\wo����y�+� �>�d��x�
The algo is not 100% reversibile. 该算法不是100%可逆的。 This is the problem, this is the question... obviously I'll not use this in production... it's only a case to demo to YOU that this algo has some problem 这是问题,这是问题...很明显,我不会在生产中使用它...这只是向您演示该算法有问题的一种情况
3 个解决方案
解决方案1
3 已采纳 2013-11-29 17:01:37
Others have mentioned it but you are trimming the results of encryption. 其他人提到了它,但是您正在修剪加密结果。 The cipher text will appear randomly and some of the items you are encrypting will produce whitespace at the end. 密文将随机出现,并且您正在加密的某些项目将在末尾产生空格。
If you trim the cipher text you are losing information and the string will not decode properly. 如果修剪密文,则会丢失信息,并且字符串将无法正确解码。
解决方案2
2 2013-11-29 16:22:18
Instead of encrypting your password, hash them . 不用加密密码,而是对它们进行哈希处理 。
Advantages: 好处:
- PHP(5.5+) has a native API for password hashing and verifying. PHP(5.5+)具有用于密码哈希和验证的本机API。
- Hashing is always irreversible. 散列总是不可逆的。 If your database gets stolen, an attacker can never get the plain text password directly. 如果您的数据库被盗,攻击者将永远无法直接获得纯文本密码。
- Proper Hashing+Salting solves 99% of attack vectors on passwords. 正确的哈希+盐渍解决了99%的密码攻击向量。
解决方案3
0 2013-11-29 16:32:08
It's already been addressed that you shouldn't use a two-way encryption algorithm for saving passwords, but instead a one-way hashing algorithm. 已经解决了,您不应使用双向加密算法来保存密码,而应使用单向哈希算法。
You're trimming your data ciphertext. 您正在修整数据密文。 Remove trim() around mcrypt_encrypt() and you'll be fine. 删除mcrypt_encrypt() trim()周围的mcrypt_encrypt()即可。
That said, you have another problem. 也就是说,您还有另一个问题。 You generate IVs, but ECB mode doesn't use IVs, so those are useless. 您生成了IV,但是ECB模式不使用IV,因此它们是无用的。 A more secure approach to keep your ciphertext more unpredictable is to switch to CBC mode. 保持密文更加不可预测的更安全方法是切换到CBC模式。 When you do this, keep in mind that the IVs should be identical when encrypting and decrypting (ie $iv_1 and $iv_2 should be identical). 执行此操作时,请记住,加密和解密时IV应当相同(即$iv_1和$iv_2应该相同)。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.