We're developing a service that will accept a POST
request. Some of the POST
data will need to be encrypted before the POST
as it will be stored in hidden fields on a form.
我们正在开发一种接受POST请求的服务。一些POST数据需要在POST之前加密,因为它将存储在表单上的隐藏字段中。
The application is written in C#, but we want third party clients to be able to easily integrate with it. We find that most clients use PHP, Classic ASP or VB.Net.
该应用程序是用C#编写的,但我们希望第三方客户能够轻松地与它集成。我们发现大多数客户使用PHP,Classic ASP或VB.Net。
The third parties should only be doing the encryption. We'd do the decryption. There is no two-way communication.
第三方应该只进行加密。我们做解密。没有双向沟通。
What are the most compatible combinations of encryption algorithm, padding mode and other options?
什么是最兼容的加密算法,填充模式和其他选项的组合?
8 个解决方案
#1
4
Assuming that you have a safe way of sharing a key (whether RSA encryption of it, retrieval over an SSH or HTTPS link, or callling the other developer on a secured phone line), any of the major modern encryptions (like AES, as mentioned by @Ed Haber) would be suitable. I would second his suggestion of AES. There should be libraries for PHP, VB, Ruby, etc.
假设您有一种安全的方式来共享密钥(无论是RSA加密,通过SSH或HTTPS链接检索,还是在安全电话线上调用其他开发人员),任何主要的现代加密(如AES,如上所述)通过@Ed Haber)是合适的。我会提出他的AES建议。应该有PHP,VB,Ruby等的库。
However, remember that with "no two-way communication" you will have to find an out-of-channel method for securely getting the symmetric key to the encrypting party.
但是,请记住,通过“无双向通信”,您将不得不找到一种用于安全地将对称密钥加密到加密方的信道外方法。
#2
3
If you mean that it should be impossible for third-parties to decrypt data, then you will want to use an asymmetric encryption algorithm such as RSA. This will the third-party to encrypt data with your public key, and then only you can decrypt the data with your private key, which you do not disclose. There should be implementations of RSA available for all the languages you mentioned.
如果您的意思是第三方不可能解密数据,那么您将需要使用非对称加密算法,例如RSA。这将是第三方使用您的公钥加密数据,然后只有您可以使用您未公开的私钥解密数据。应该为您提到的所有语言提供RSA实现。
If you don't care if the third-party can decrypt the data, then AES is the way to go. You will have one key which you share with the third-parties. This key is used both for encryption and decryption.
如果您不在乎第三方是否可以解密数据,那么AES就是您的选择。您将拥有一个与第三方共享的密钥。该密钥用于加密和解密。
#3
2
I would use AES for the bulk data encryption and RSA for encrypting the AES Key. If the data is small enough then just encrypt the whole thing with RSA.
我会使用AES进行批量数据加密,使用RSA进行加密AES密钥。如果数据足够小,那么只需用RSA加密整个数据。
#4
2
埃德哈伯说
I would use AES for the bulk data encryption and RSA for encrypting the AES Key. If the data is small enough then just encrypt the whole thing with RSA.
我会使用AES进行批量数据加密,使用RSA进行加密AES密钥。如果数据足够小,那么只需用RSA加密整个数据。
I think this is a good solution. What I would do is have your application publish an API for getting a public RSA key. When I third party wants to send you something it gets the public key. It then generates a session key to do the actual encryption using a block cipher, (ie AES), and sends the key to you by encrypting with your public key. You decrypt the session key with your private key. The third party then encrypts the data it wants to send you with AES (using a padding scheme that you also publish) and sends it to you. You decrypt it using the session key.
我认为这是一个很好的解决方案。我要做的是让您的应用程序发布用于获取公共RSA密钥的API。当我第三方想要发送给你的东西时,它会得到公钥。然后它生成一个会话密钥,使用分组密码(即AES)进行实际加密,并通过使用您的公钥加密将密钥发送给您。您使用私钥解密会话密钥。然后,第三方使用AES(使用您也发布的填充方案)加密要发送给您的数据并将其发送给您。您使用会话密钥解密它。
There are some problems with the method above. Since you are not sending any information (other than publishing your public key, you cannot control how the session key is generated. This means that third parties can use very insecure ways to of generating the session key and you will never know. A second problem is everyone who wants to send you data has to pad data for AES in the same way you do. So you will have to make sure every one co-ordinates. The second issue isn't to big, but the first could be a problem especially if you don't trust the third parties all that much to generate really good session keys from a good cryptographically secure random number generator
上述方法存在一些问题。由于您没有发送任何信息(除了发布您的公钥之外,您无法控制会话密钥的生成方式。这意味着第三方可以使用非常不安全的方式生成会话密钥,而您永远不会知道。第二个问题每个想要发送数据的人都必须像你一样填写AES的数据。所以你必须确保每个人的协调。第二个问题不是很大,但第一个问题可能是一个问题特别是如果你不信任第三方那么多,从一个好的加密安全随机数生成器生成真正好的会话密钥
#5
1
You could very easily implement your own XOR key-based bit encryption. With a little thought and ingenuity, you can come up with something that's more than suitable for you application.
您可以非常轻松地实现自己的基于XOR密钥的位加密。通过一点思考和独创性,您可以提出一些非常适合您应用的东西。
Here's a PHP example:
这是一个PHP示例:
function XOREncryption($InputString, $KeyPhrase){
$KeyPhraseLength = strlen($KeyPhrase);
for ($i = 0; $i < strlen($InputString); $i++){
$rPos = $i % $KeyPhraseLength;
$r = ord($InputString[$i]) ^ ord($KeyPhrase[$rPos]);
$InputString[$i] = chr($r);
}
return $InputString;
}
#6
1
ColdFusion has the encrypt and decrypt functions capable of handling a range of algorithms and encodings, including the AES recommended above.
ColdFusion具有加密和解密功能,能够处理一系列算法和编码,包括上面推荐的AES。
Information at: http://www.cfquickdocs.com/cf8/?getDoc=encrypt#Encrypt
信息:http://www.cfquickdocs.com/cf8/?getDoc = encrypt#Encrypt
Quick example code:
快速示例代码:
Key = generateSecretKey( 'AES' , 128 )
EncryptedText = encrypt( Text , Key , 'AES' , 'Hex' )
Text = decrypt( EncryptedText , Key, 'AES' , 'Hex' )
Similar functionality is available with this library for PHP:
http://www.chilkatsoft.com/p/php_aes.asp
此库适用于PHP的类似功能:http://www.chilkatsoft.com/p/php_aes.asp
...and Java, Python, Ruby, and others...
http://www.example-code.com/java/crypt2_aes_matchPhp.asp
http://www.example-code.com/python/aes_stringEncryption.asp
...以及Java,Python,Ruby和其他... http://www.example-code.com/java/crypt2_aes_matchPhp.asp http://www.example-code.com/python/aes_stringEncryption.asp
#7
0
Sounds like RSA is the algorithm for you.
听起来像RSA是你的算法。
#8
0
Why not have your server exposed over HTTPS? That way, any client which can handle HTTPS can consume the service securely.
为什么不通过HTTPS公开您的服务器?这样,任何可以处理HTTPS的客户端都可以安全地使用该服务。
#1
4
Assuming that you have a safe way of sharing a key (whether RSA encryption of it, retrieval over an SSH or HTTPS link, or callling the other developer on a secured phone line), any of the major modern encryptions (like AES, as mentioned by @Ed Haber) would be suitable. I would second his suggestion of AES. There should be libraries for PHP, VB, Ruby, etc.
假设您有一种安全的方式来共享密钥(无论是RSA加密,通过SSH或HTTPS链接检索,还是在安全电话线上调用其他开发人员),任何主要的现代加密(如AES,如上所述)通过@Ed Haber)是合适的。我会提出他的AES建议。应该有PHP,VB,Ruby等的库。
However, remember that with "no two-way communication" you will have to find an out-of-channel method for securely getting the symmetric key to the encrypting party.
但是,请记住,通过“无双向通信”,您将不得不找到一种用于安全地将对称密钥加密到加密方的信道外方法。
#2
3
If you mean that it should be impossible for third-parties to decrypt data, then you will want to use an asymmetric encryption algorithm such as RSA. This will the third-party to encrypt data with your public key, and then only you can decrypt the data with your private key, which you do not disclose. There should be implementations of RSA available for all the languages you mentioned.
如果您的意思是第三方不可能解密数据,那么您将需要使用非对称加密算法,例如RSA。这将是第三方使用您的公钥加密数据,然后只有您可以使用您未公开的私钥解密数据。应该为您提到的所有语言提供RSA实现。
If you don't care if the third-party can decrypt the data, then AES is the way to go. You will have one key which you share with the third-parties. This key is used both for encryption and decryption.
如果您不在乎第三方是否可以解密数据,那么AES就是您的选择。您将拥有一个与第三方共享的密钥。该密钥用于加密和解密。
#3
2
I would use AES for the bulk data encryption and RSA for encrypting the AES Key. If the data is small enough then just encrypt the whole thing with RSA.
我会使用AES进行批量数据加密,使用RSA进行加密AES密钥。如果数据足够小,那么只需用RSA加密整个数据。
#4
2
埃德哈伯说
I would use AES for the bulk data encryption and RSA for encrypting the AES Key. If the data is small enough then just encrypt the whole thing with RSA.
我会使用AES进行批量数据加密,使用RSA进行加密AES密钥。如果数据足够小,那么只需用RSA加密整个数据。
I think this is a good solution. What I would do is have your application publish an API for getting a public RSA key. When I third party wants to send you something it gets the public key. It then generates a session key to do the actual encryption using a block cipher, (ie AES), and sends the key to you by encrypting with your public key. You decrypt the session key with your private key. The third party then encrypts the data it wants to send you with AES (using a padding scheme that you also publish) and sends it to you. You decrypt it using the session key.
我认为这是一个很好的解决方案。我要做的是让您的应用程序发布用于获取公共RSA密钥的API。当我第三方想要发送给你的东西时,它会得到公钥。然后它生成一个会话密钥,使用分组密码(即AES)进行实际加密,并通过使用您的公钥加密将密钥发送给您。您使用私钥解密会话密钥。然后,第三方使用AES(使用您也发布的填充方案)加密要发送给您的数据并将其发送给您。您使用会话密钥解密它。
There are some problems with the method above. Since you are not sending any information (other than publishing your public key, you cannot control how the session key is generated. This means that third parties can use very insecure ways to of generating the session key and you will never know. A second problem is everyone who wants to send you data has to pad data for AES in the same way you do. So you will have to make sure every one co-ordinates. The second issue isn't to big, but the first could be a problem especially if you don't trust the third parties all that much to generate really good session keys from a good cryptographically secure random number generator
上述方法存在一些问题。由于您没有发送任何信息(除了发布您的公钥之外,您无法控制会话密钥的生成方式。这意味着第三方可以使用非常不安全的方式生成会话密钥,而您永远不会知道。第二个问题每个想要发送数据的人都必须像你一样填写AES的数据。所以你必须确保每个人的协调。第二个问题不是很大,但第一个问题可能是一个问题特别是如果你不信任第三方那么多,从一个好的加密安全随机数生成器生成真正好的会话密钥
#5
1
You could very easily implement your own XOR key-based bit encryption. With a little thought and ingenuity, you can come up with something that's more than suitable for you application.
您可以非常轻松地实现自己的基于XOR密钥的位加密。通过一点思考和独创性,您可以提出一些非常适合您应用的东西。
Here's a PHP example:
这是一个PHP示例:
function XOREncryption($InputString, $KeyPhrase){
$KeyPhraseLength = strlen($KeyPhrase);
for ($i = 0; $i < strlen($InputString); $i++){
$rPos = $i % $KeyPhraseLength;
$r = ord($InputString[$i]) ^ ord($KeyPhrase[$rPos]);
$InputString[$i] = chr($r);
}
return $InputString;
}
#6
1
ColdFusion has the encrypt and decrypt functions capable of handling a range of algorithms and encodings, including the AES recommended above.
ColdFusion具有加密和解密功能,能够处理一系列算法和编码,包括上面推荐的AES。
Information at: http://www.cfquickdocs.com/cf8/?getDoc=encrypt#Encrypt
信息:http://www.cfquickdocs.com/cf8/?getDoc = encrypt#Encrypt
Quick example code:
快速示例代码:
Key = generateSecretKey( 'AES' , 128 )
EncryptedText = encrypt( Text , Key , 'AES' , 'Hex' )
Text = decrypt( EncryptedText , Key, 'AES' , 'Hex' )
Similar functionality is available with this library for PHP:
http://www.chilkatsoft.com/p/php_aes.asp
此库适用于PHP的类似功能:http://www.chilkatsoft.com/p/php_aes.asp
...and Java, Python, Ruby, and others...
http://www.example-code.com/java/crypt2_aes_matchPhp.asp
http://www.example-code.com/python/aes_stringEncryption.asp
...以及Java,Python,Ruby和其他... http://www.example-code.com/java/crypt2_aes_matchPhp.asp http://www.example-code.com/python/aes_stringEncryption.asp
#7
0
Sounds like RSA is the algorithm for you.
听起来像RSA是你的算法。
#8
0
Why not have your server exposed over HTTPS? That way, any client which can handle HTTPS can consume the service securely.
为什么不通过HTTPS公开您的服务器?这样,任何可以处理HTTPS的客户端都可以安全地使用该服务。