PHP encryption and decryption using C# with data from the POST method

2023-09-06 17:54:56 Author: 这点痛算什么

I'm trying to encrypt a string using the key sent from an application by using the POST method. The POST method sends the key for encryption. But the script is not working correctly; please help me out.

Recommended answer

The reason it doesn't work is your padding is wrong. PKCS7 is the byte value of the pad length repeated (i.e. 00000010 00000010 if you're padding 2 bytes). It is not the string value "0202". It appears there aren't any PHP functions that do this correctly, so I'd suggest you use a mode of operation that does not need padding. OFB is supported by both C# and PHP.

YOU CANNOT USE A FIXED IV. For CBC mode, it's fairly insecure; for OFB, it's completely insecure. Use mcrypt_create_iv to get a new random one each time. Then just prepend the IV to the ciphertext when you send it (it does not need to be encrypted). As a note, one problem you may already have hit is that PHP uses a string and C# uses bytes for the IV, and you may not be getting the correct conversion even now. I'd probably use hex and the functions to convert to/from that just to be sure.

Second, you need to use something to detect when people tamper with your data, otherwise they can potentially read the ciphertext via error codes/timing issues in the underlying crypto libraries. HMACs work well and are supported here for PHP and here for C#. HMAC your IV+ciphertext message and prepend the output to it. On the other end, run the C# equivalent function over the same data, and then compare the HMAC values. If they are the same, you're safe; if not, reject.
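
The message layout the answer describes (HMAC, then IV, then ciphertext, hex-encoded for transport), as an added PHP example that is not part of the original answer. It assumes the OpenSSL extension with `random_bytes()` in place of `mcrypt_create_iv` (mcrypt was removed from PHP core in 7.2), AES-256-OFB, HMAC-SHA256 and a separate MAC key; the names `seal_message` and `open_message` are hypothetical.

```php
<?php
// Added example: encrypt-then-MAC framing  hex( HMAC || IV || ciphertext ).
// Assumptions: ext/openssl, AES-256-OFB, HMAC-SHA256, two independent 32-byte keys.

const CIPHER  = 'aes-256-ofb'; // stream-like mode, so no padding is involved
const MAC_LEN = 32;            // raw HMAC-SHA256 output length in bytes

function seal_message(string $plaintext, string $encKey, string $macKey): string
{
    $iv = random_bytes(openssl_cipher_iv_length(CIPHER)); // fresh random IV per message
    $ct = openssl_encrypt($plaintext, CIPHER, $encKey, OPENSSL_RAW_DATA, $iv);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    $mac = hash_hmac('sha256', $iv . $ct, $macKey, true); // MAC covers IV + ciphertext
    return bin2hex($mac . $iv . $ct); // hex avoids string/byte conversion mismatches
}

function open_message(string $hex, string $encKey, string $macKey): ?string
{
    $ivLen = openssl_cipher_iv_length(CIPHER);
    $valid = ctype_xdigit($hex) && strlen($hex) % 2 === 0;
    $raw   = $valid ? hex2bin($hex) : false;
    if ($raw === false || strlen($raw) < MAC_LEN + $ivLen) {
        return null; // malformed or truncated message
    }
    $mac = substr($raw, 0, MAC_LEN);
    $iv  = substr($raw, MAC_LEN, $ivLen);
    $ct  = (string) substr($raw, MAC_LEN + $ivLen);
    $expected = hash_hmac('sha256', $iv . $ct, $macKey, true);
    if (!hash_equals($expected, $mac)) {
        return null; // constant-time compare failed: reject before decrypting
    }
    $pt = openssl_decrypt($ct, CIPHER, $encKey, OPENSSL_RAW_DATA, $iv);
    return $pt === false ? null : $pt;
}

// Constructed sample keys and message, for demonstration only.
$encKey = random_bytes(32);
$macKey = random_bytes(32);
$msg    = seal_message('hello from PHP', $encKey, $macKey);
var_dump(open_message($msg, $encKey, $macKey)); // round trip returns the plaintext

// Change the last hex digit of the ciphertext: verification must fail.
$tampered = substr($msg, 0, -1) . (substr($msg, -1) === '0' ? '1' : '0');
var_dump(open_message($tampered, $encKey, $macKey)); // null: message rejected
```

The receiving side has to split the decoded bytes at the same offsets (32-byte MAC, 16-byte IV, remainder ciphertext) and recompute the HMAC over IV plus ciphertext with the same MAC key before decrypting.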