从 phpseclib 2 升级到 3
[英]Upgrading from phpseclib 2 to 3
问题描述
I inherited a project years ago and and we started randomly having issues with phpseclib 2.x not decrypting anymore just a few days ago and I'm pulling my hair out on this one.
几年前我继承了一个项目,几天前我们开始随机遇到 phpseclib 2.x 不再解密的问题,我正在为这个问题烦恼。 No code changed in our projects but the decrypt function literally stopped working, encryption is fine, but even in a test environment decrypting does nothing, and the errors are none or basically so vague they are useless.我们的项目中没有更改代码,但解密 function 字面上停止工作,加密很好,但即使在测试环境中,解密也没有任何作用,并且错误是没有的,或者基本上是模糊的,它们是无用的。 So, we went to 3.0 but the original developer of this project didn't use an initialization vector as it wasn't required in version 2, it is required in version 3.所以,我们去了 3.0,但这个项目的原始开发人员没有使用初始化向量,因为它在版本 2 中不是必需的,它在版本 3 中是必需的。
My question is how do we decrypt using AES with no IV in version 3?我的问题是我们如何在版本 3 中使用没有 IV 的 AES 进行解密? I can't find anywhere in the documentation how to do this and phpseclib throws an error if I don't provide an IV.我在文档中找不到如何执行此操作的任何地方,如果我不提供 IV,phpseclib 会抛出错误。
So basically, before:所以基本上,之前:
$aes = new AES();
$aes->setKey('secret_key');
$enc_data = $aes->encrypt('abcdefg');
$dec_data = $aes->decrypt($enc_data);
New version:新版本:
$aes = new AES('cbc'); //or whatever cipher
$aes->setIV('something');
$aes->setKey('secret_key');
$enc_data = $aes->encrypt('abcdefg');
$dec_data = $aes->decrypt($enc_data);
Now in 3.0, AES requires a cypher to be declared which looks like CBC was the default in 2, but I cannot see what to do if no IV was added in 2.0 and it needs to be added in 3.0.现在在 3.0 中,AES 需要声明一个 cypher, 看起来 CBC是 2 中的默认值,但是如果 2.0 中没有添加 IV 而我需要在 3.0 中添加它,我看不出该怎么办。 I have tried but can't add '', passing no argument at all, null, etc., so it's like if someone didn't use an initialization vector using version 2, they can't decrypt using 3...?我试过但不能添加 '',根本不传递任何参数,null 等,所以如果有人没有使用版本 2 的初始化向量,他们就不能使用 3 解密......? I looked through the 2.0 documentation and it defaults to and empty string from what I can tell, I can't pass that in 3.0.我查看了 2.0 文档,据我所知,它默认为空字符串,我无法在 3.0 中传递它。
Has anyone run into this?有人遇到过这个吗? Anyone have a good idea on how to fix it?任何人都知道如何解决它? I completely removed 2.0 from this server and re-added it and I still can't decrypt with it, I'm guessing some update in apache or php broke something but I can't reproduce it on my other servers.我从这个服务器上完全删除了 2.0 并重新添加了它,但我仍然无法用它解密,我猜 apache 或 php 中的某些更新破坏了某些东西,但我无法在我的其他服务器上重现它。
1 个解决方案
解决方案1
4 2022-04-06 21:09:55
In V2, CBC and a zero IV are used by default, ie an IV with 16 0x00 values.在 V2 中,默认使用 CBC 和零 IV,即具有 16 个 0x00 值的 IV。 In V3, mode and IV must be explicitly specified.在 V3 中,模式和 IV必须明确指定。
The following codes therefore result in the same ciphertext:因此,以下代码会产生相同的密文:
With V2:使用 V2:
$key = hex2bin("000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f");
$plaintext = "The quick brown fox jumps over the lazy dog";
$aes = new AES();
$aes->setKey($key);
$enc_data = $aes->encrypt($plaintext);
$dec_data = $aes->decrypt($enc_data);
print(bin2hex($enc_data) . PHP_EOL); // bce46469e2f7ab6b7ea767bd3252529a843ba24e890e567ef600c4a6e1051ffc2012305e362438463838fad4043c22a6
print($dec_data . PHP_EOL); // The quick brown fox jumps over the lazy dog
With V3:使用 V3:
$key = hex2bin("000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f");
$iv = hex2bin("00000000000000000000000000000000");
$plaintext = "The quick brown fox jumps over the lazy dog";
$aes = new AES('cbc');
$aes->setKey($key);
$aes->setIV($iv);
$enc_data = $aes->encrypt($plaintext);
$dec_data = $aes->decrypt($enc_data);
print(bin2hex($enc_data) . PHP_EOL); // bce46469e2f7ab6b7ea767bd3252529a843ba24e890e567ef600c4a6e1051ffc2012305e362438463838fad4043c22a6
print($dec_data . PHP_EOL); // The quick brown fox jumps over the lazy dog
Note that a static IV, like a zero IV, is insecure.请注意,static IV 与零 IV 一样是不安全的。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.