TripleDES in Perl/PHP/ColdFusion


Problem description


Recently a problem arose regarding hooking up an API with a payment processor who were requesting a string to be encrypted to be used as a token, using the TripleDES standard. Our Applications run using ColdFusion, which has an Encrypt tag - that supports TripleDES - however the result we were getting back was not what the payment processor expected.

First of all, here is the resulting token the payment processor were expecting.

AYOF+kRtg239Mnyc8QIarw==

And below is the snippet of ColdFusion we were using, and the resulting string.

<!--- Coldfusion Crypt (here be monsters) --->
<cfset theKey="123412341234123412341234">
<cfset theString = "username=test123">
<cfset strEncodedEnc = Encrypt(theString, theKey, "DESEDE", "Base64")>
<!---
 resulting string(strEncodedEnc): tc/Jb7E9w+HpU2Yvn5dA7ILGmyNTQM0h
--->

As you can see, this was not returning the string we were hoping for. Seeking a solution, we ditched ColdFusion for this process and attempted to reproduce the token in PHP.

Now I'm aware that various languages implement encryption in different ways - for example in the past managing encryption between a C# application and PHP back-end, I've had to play about with padding in order to get the two to talk, but my experience has been that PHP generally behaves when it comes to encryption standards.

Anyway, on to the PHP source we tried, and the resulting string.

/* PHP Circus (here be Elephants) */
$theKey="123412341234123412341234";
$theString="username=test123";
$strEncodedEnc=base64_encode(mcrypt_ecb (MCRYPT_3DES, $theKey, $theString, MCRYPT_ENCRYPT));
/*
 resulting string(strEncodedEnc): sfiSu4mVggia8Ysw98x0uw==
*/

As you can plainly see, we've got another string that differs from both the string expected by the payment processor AND the one produced by ColdFusion. Cue head-against-wall integration techniques.

After many to-and-fro communications with the payment processor (lots and lots of reps stating 'we can't help with coding issues, you must be doing it incorrectly, read the manual') we were finally escalated to someone with more than a couple of brain-cells to rub together, who was able to step back and actually look at and diagnose the issue.

He agreed, our CF and PHP attempts were not resulting in the correct string. After a quick search, he also agreed that it was not necessarily our source, but rather how the two languages implemented their vision of the TripleDES standard.

Coming into the office this morning, we were met by an email with a snippet of source code, in Perl. This was the code they were directly using on their end to produce the expected token.

#!/usr/bin/perl
# Perl Crypt Calamity (here be...something)
use strict;
use CGI;
use MIME::Base64;
use Crypt::TripleDES;

my $cgi = CGI->new();
my $param = $cgi->Vars();

$param->{key} = "123412341234123412341234";
$param->{string} = "username=test123";
my $des = Crypt::TripleDES->new();

my $enc = $des->encrypt3($param->{string}, $param->{key});
$enc = encode_base64($enc);
$enc =~ s/\n//gs;

# resulting string (enc): AYOF+kRtg239Mnyc8QIarw==

So, there we have it. Three languages, three implementations of what they quote in the documentation as TripleDES Standard Encryption, and three totally different resulting strings.

My question is, from your experience of these three languages and their implementations of the TripleDES algorithm, have you been able to get any two of them to give the same response, and if so what tweaks to the code did you have to make in order to come to the result?

I understand this is a very drawn out question, but I wanted to give clear and precise setting for each stage of testing that we had to perform.

I'll also be performing some more investigatory work on this subject later, and will post any findings that I come up with to this question, so that others may avoid this headache.

Solution

Perl's TripleDES should never be used. It does so many weird things and you are going to have fun.

Your first problem is that the keys in Perl are hex and you need to convert them into binary. Try this in PHP,

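$theKey="123412341234123412341234";
$theString="username=test123";
// Crypt::TripleDES takes the key as hex digits: pad to 48 digits, then pack into 24 binary bytes
$key = pack('H*', str_pad($theKey, 16*3, '0'));
$strEncodedEnc=base64_encode(mcrypt_ecb (MCRYPT_3DES, $key, $theString, MCRYPT_ENCRYPT));
echo $strEncodedEnc, "\n";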

The result is,

AYOF+kRtg239Mnyc8QIarw==

Then you have to pad it in a weird way. I forgot the details. You are lucky with this sample (it's 16 chars).
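
The key handling described in the answer, as an added example that is not part of the original post: it encrypts the question's string under both readings of the key (24 ASCII bytes, as in the question's PHP, and hex digits packed to binary, as in the answer) so the two tokens can be compared with the strings quoted above. It uses openssl_encrypt with des-ede3 because mcrypt_ecb was removed in PHP 7.0; the function names are hypothetical, and unaligned plaintext is rejected because the answer leaves the padding unspecified.

```php
<?php
// Added example, not from the original post; function names are hypothetical.
const BLOCK = 8;       // DES block size in bytes
const KEY_BYTES = 24;  // three-key 3DES key length in bytes

// Key as the question's PHP used it: the 24 ASCII characters are the key bytes.
function keyFromAscii(string $s): string
{
    if (strlen($s) !== KEY_BYTES) {
        throw new InvalidArgumentException('expected 24 key bytes');
    }
    return $s;
}

// Key as the answer builds it: hex digits right-padded with '0' to 48, then packed.
function keyFromHex(string $hex): string
{
    if (!ctype_xdigit($hex) || strlen($hex) > 2 * KEY_BYTES) {
        throw new InvalidArgumentException('expected at most 48 hex digits');
    }
    return pack('H*', str_pad($hex, 2 * KEY_BYTES, '0'));
}

// 3DES in ECB mode with no padding added; input must already be block-aligned.
function tripleDesEcb(string $plain, string $key): string
{
    if (strlen($plain) % BLOCK !== 0) {
        throw new InvalidArgumentException('plaintext must be a multiple of 8 bytes');
    }
    $ct = openssl_encrypt($plain, 'des-ede3', $key, OPENSSL_RAW_DATA | OPENSSL_ZERO_PADDING);
    if ($ct === false) {
        throw new RuntimeException('openssl_encrypt failed: ' . openssl_error_string());
    }
    return base64_encode($ct);
}

$theKey    = '123412341234123412341234';
$theString = 'username=test123';  // 16 bytes, so no padding is needed

$keys = ['ascii' => keyFromAscii($theKey), 'hex' => keyFromHex($theKey)];
foreach ($keys as $name => $key) {
    // Print the raw key bytes, how many of them are zero, and the resulting token.
    printf("%-5s key=%s zero-bytes=%d token=%s\n",
        $name, bin2hex($key), substr_count($key, "\0"), tripleDesEcb($theString, $key));
}
```

Under the hex reading, a 24-digit key supplies only 12 key bytes and the other 12 are zero padding, which is worth raising with whoever issues the key.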
