I'm trying to encrypt string using the key send from an application by using POST Method.The POST Method sends the key for encryption.But the script is not working correctly please help me out.
我正在尝试使用POST方法使用来自应用程序的密钥发送来加密字符串.POST方法发送加密密钥。但是脚本工作不正常请帮助我。
1 个解决方案
#1
1
The reason it doesn't work is your padding is wrong. PKCS7 is the byte value of the pad length repeated(i.e. 00000010 00000010 if your padding 2 bytes). It is not the string value "0202", It appears there aren't any php functions that do this correctly, so I'd sugest you use a a mode of operation that does not need padding. OFB is supported by both c# and php.
它不起作用的原因是你的填充是错误的。 PKCS7是重复填充长度的字节值(即如果填充2字节,则为00000010 00000010)。它不是字符串值“0202”,似乎没有任何PHP函数正确执行此操作,因此我会使用不需要填充的操作模式。 OFB由c#和php都支持。
YOU CANNOT USE A Fixed IV. For cbc mode, its fairly insecure, for OFB, its completely insecure. Use mcrypt_create_iv to get a new random one each time. Then just prepend the IV to the ciphertext when you send it ( it does not need to be encrypted). As a note, one problem you may already have hit is that php uses a string and C# uses byts for the IV and you may not be getting the correct conversion even now . I'd probably use hex and the functions to covert to/from that just to be sure.
你不能使用固定IV。对于cbc模式,它相当不安全,对于OFB来说,它是完全不安全的。使用mcrypt_create_iv每次都获得一个新的随机数。然后在发送时将IV添加到密文(它不需要加密)。作为一个注释,你可能已经遇到的一个问题是php使用字符串而C#使用了byts来进行IV,你甚至可能无法获得正确的转换。我可能会使用十六进制和函数来转换为/从中确定。
Second, you need to use something to detect when people tamper with your data, otherwise they potentially read the cipher text via error codes/ timing issues in the underlying crypto libraries. Hmacs work well and are supported here for php and here for c#. HMAC your IV+ciphertext message and prepend the output to it . On the other end, run the c# equivalent function over the same data, and then compare the HMAC values. If they are the same,you safe, if not, reject.
其次,您需要使用某些东西来检测人们何时篡改您的数据,否则他们可能会通过底层加密库中的错误代码/时间问题读取密文。 Hmacs运行良好,这里支持php和c#。 HMAC您的IV +密文消息并将输出添加到它。另一方面,在相同数据上运行c#等效函数,然后比较HMAC值。如果它们是相同的,那么你是安全的,如果没有,拒绝。
#1
1
The reason it doesn't work is your padding is wrong. PKCS7 is the byte value of the pad length repeated(i.e. 00000010 00000010 if your padding 2 bytes). It is not the string value "0202", It appears there aren't any php functions that do this correctly, so I'd sugest you use a a mode of operation that does not need padding. OFB is supported by both c# and php.
它不起作用的原因是你的填充是错误的。 PKCS7是重复填充长度的字节值(即如果填充2字节,则为00000010 00000010)。它不是字符串值“0202”,似乎没有任何PHP函数正确执行此操作,因此我会使用不需要填充的操作模式。 OFB由c#和php都支持。
YOU CANNOT USE A Fixed IV. For cbc mode, its fairly insecure, for OFB, its completely insecure. Use mcrypt_create_iv to get a new random one each time. Then just prepend the IV to the ciphertext when you send it ( it does not need to be encrypted). As a note, one problem you may already have hit is that php uses a string and C# uses byts for the IV and you may not be getting the correct conversion even now . I'd probably use hex and the functions to covert to/from that just to be sure.
你不能使用固定IV。对于cbc模式,它相当不安全,对于OFB来说,它是完全不安全的。使用mcrypt_create_iv每次都获得一个新的随机数。然后在发送时将IV添加到密文(它不需要加密)。作为一个注释,你可能已经遇到的一个问题是php使用字符串而C#使用了byts来进行IV,你甚至可能无法获得正确的转换。我可能会使用十六进制和函数来转换为/从中确定。
Second, you need to use something to detect when people tamper with your data, otherwise they potentially read the cipher text via error codes/ timing issues in the underlying crypto libraries. Hmacs work well and are supported here for php and here for c#. HMAC your IV+ciphertext message and prepend the output to it . On the other end, run the c# equivalent function over the same data, and then compare the HMAC values. If they are the same,you safe, if not, reject.
其次,您需要使用某些东西来检测人们何时篡改您的数据,否则他们可能会通过底层加密库中的错误代码/时间问题读取密文。 Hmacs运行良好,这里支持php和c#。 HMAC您的IV +密文消息并将输出添加到它。另一方面,在相同数据上运行c#等效函数,然后比较HMAC值。如果它们是相同的,那么你是安全的,如果没有,拒绝。