用编码和解码保护用户数据？ [英] User data protection with encoding and decoding?

问题描述

我正在使用CMS系统，并且希望添加一项功能来保护用户数据。当然，密码是经过哈希处理的，只能使用强行强制解码。但是现在有关其余数据，例如它们的邮件地址。我希望有一个功能，当用户注册时可以对邮件地址进行编码，每次发送邮件时都可以对其进行解码。现在，散列的问题在于，您无法轻易地将其转换回（我认为），至少使用md5和sh1以及类似算法无法实现，因此这不是我想要的。

I'm working on a CMS system and I want to add a feature to protect user's data. Of course passwords are hashed and could only be decoded using brute forcing. But now it's about the rest of the data, for example their mail address. I would like to have a function which encodes a mail address when a user registers which could be decoded each time a mail should be send. Now the problem with hashing is that you can't easily convert it back (I think), at least with md5 and sh1 and similar algorithms this is not possible so this is not what I want.

我想拥有一个特征，可以在编码和解码过程中使用盐。这意味着我在网络应用程序中的某个位置存储了一个随机字符串，该字符串在此过程中用作种子或盐，因此，如果该随机字符串不同，结果将有所不同，这使得解码一次更加困难黑客（例如）闯入数据库并窃取了数据。

I would like to have a feature that salt could be used in the en- and decoding process. This means that I have a random string stored somewhere in the web aplication, which is used as 'seed' or 'salt' for this process, so the result will be different if that random string is different, this makes it harder to decode once hackers (for example) broke into the database and stole the data.

我在PHP中看到了一个名为 base64_encode（）和 base64_decode（），这些函数可以非常轻松地对数据进行编码和解码。这些功能的问题在于没有'salt'参数，而且我认为它的保护性不是很好。有一个功能可以通过编码和解码功能以及盐参数来提供更多保护，从而起到类似作用吗？

I saw a function in PHP called base64_encode() and base64_decode(), these functions can en- and decode the data very easy. The problem with these functions is that there's no 'salt' parameter and I don't think it's very good as protection. Is there's a function which does something similair with more protection with a en- and decode feature, and with a salt parameter?

在此先感谢
TimVisée

Thanks in advance, Tim Visée

推荐答案

让我解释一下编码，哈希和加密之间的区别。

Let me explain you difference between encoding, hashing and encrypting.

• 编码只是表示数据的一种方式，因此对安全性无济于事。 base64用于将8位数据表示编码为6位，即用于在电子邮件正文中进行传输。


• 散列是单向转换数据，通常具有以下属性：
  
  
  
  • 很多（实际上是无限的）不同数据字符串具有相同的哈希。您可以对任意长度的字符串进行散列，但是产生的散列始终具有有限的长度，因此很干净，并非每个输入字符串都可以具有唯一的散列。
  
  
  • 尽管散列速度很快，但可以猜测原始数据使用指定的哈希值计算比尝试所有可能的组合更简单。
  
  
  • 您正在寻找加密。加密的数据只能使用适当的密钥来读取。
  
  
  • encoding is just a way of representing data, thus it doesn't help you with security. base64 serves for encoding 8-bit data representation to 6-bit, i.e. for transferring in e-mail bodies. Not useful for you.
  • hashing is an one-way transforming of data usually with these properties:
    • many (actually infinite) different data strings have the same hash. You can hash a string of any length, but the produced hash has always limited length, so it's clean that not every input string can have unique hash.
    • while hashing is fast, guessing original data with specified hash cannot be calculated simplier than trying all possible combinations.
    • encrypting is what you are looking for. encrypted data can be read only with a proper key.

    但是，我不知道在加密数据库中的数据方面没有什么意义。如果有人看到您的PHP源代码和数据库，则可以轻松读取密钥并解密数据。仅当有人窃取了原始数据库并且仍然无法访问您的源代码时，它才能为您提供帮助，但这非常少见，并且Web程序员通常不这样做。

    However, I don't see a big point in encrypting data in your database. If someone sees your PHP source code and database, he can easily read the key and decrypt data. It can only help you if someone steals the raw database and still not have access to your source code, but it's quitely rare and web programmers don't usually do it.

    这篇关于用编码和解码保护用户数据？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！