Encryption: Use of initialization vector vs key?


Problem description

I am using PHP's mcrypt library and the AES-256 (rijndael) algorithm, which requires both a key + initialization vector to run.

My logical brainside isn't really going along with this. Isn't just one key enough?

Theoretical scenario:
If I had encrypted sensitive data stored in a database, which only the owner should be able to decrypt, would it be appropriate to use the user's hashed password as either the key or the initialization vector for his or her data?

Should the key be considered more private than the initialization vector, or is it the other way around?

Recommended answer

No, in fact an IV is vital in most implementations. The IV is also considered to be safe for public use; for instance, the IV is transmitted in plain text for WEP and WPA1/WPA2. The problem arises when this same key+IV is used to encrypt the same plain text. The cipher texts will be identical, unless you use an IV. If an attacker can encrypt arbitrary plain text with this key and then view the cipher text, this is a much faster way of brute forcing other cipher text that the attacker has obtained.

Not only that, the IV must be random or you would be in violation of CWE-329 (http://cwe.mitre.org/data/definitions/329.html). The reason why this is a problem is a bit more subtle and I didn't get it at first. You didn't mention this, but I hope you are using either the CBC or CMAC modes.

The use of a hash function on a password is nearly identical to using a String2Key function. This is a solid design so long as an attacker can't use SQL Injection to obtain the key.
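
The roles of key and IV discussed above, as an added example that is not part of the original question or answer: the key is derived from the user's password and kept secret, while a fresh random IV is generated per record and stored in the clear next to the ciphertext. It assumes PHP's OpenSSL extension instead of mcrypt and PBKDF2 as the password-to-key function; the function names, sample password, sample record and iteration count are constructed for illustration.

```php
<?php
// Added example, not code from the original post.
const CIPHER = 'aes-256-cbc';

// Password -> 32-byte AES key. The per-user salt is stored with the record
// and is not secret; the derived key is never written to the database.
function derive_key(string $password, string $salt): string
{
    return hash_pbkdf2('sha256', $password, $salt, 200000, 32, true);
}

// Encrypt under a fresh random IV and prepend the IV to the ciphertext.
function encrypt_record(string $plaintext, string $key): string
{
    $iv = random_bytes(openssl_cipher_iv_length(CIPHER));
    $ct = openssl_encrypt($plaintext, CIPHER, $key, OPENSSL_RAW_DATA, $iv);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    return $iv . $ct;
}

// Split the public IV off the front of the blob, then decrypt.
function decrypt_record(string $blob, string $key): string
{
    $ivLen = openssl_cipher_iv_length(CIPHER);
    if (strlen($blob) <= $ivLen) {
        throw new InvalidArgumentException('record too short');
    }
    $pt = openssl_decrypt(substr($blob, $ivLen), CIPHER, $key,
                          OPENSSL_RAW_DATA, substr($blob, 0, $ivLen));
    if ($pt === false) {
        throw new RuntimeException('decryption failed');
    }
    return $pt;
}

// Constructed sample values.
$key = derive_key('correct horse battery staple', random_bytes(16));
$msg = 'account=12345678;limit=5000';

// Reused IV (the CWE-329 case): compare two encryptions of the same record.
$fixedIv = str_repeat("\0", 16);
$a = openssl_encrypt($msg, CIPHER, $key, OPENSSL_RAW_DATA, $fixedIv);
$b = openssl_encrypt($msg, CIPHER, $key, OPENSSL_RAW_DATA, $fixedIv);
printf("reused IV, ciphertexts equal: %s\n", var_export($a === $b, true));

// Random IV per record: compare again, then check the round trip.
$c = encrypt_record($msg, $key);
$d = encrypt_record($msg, $key);
printf("random IV, ciphertexts equal: %s\n", var_export($c === $d, true));
printf("round trip ok: %s\n", var_export(decrypt_record($c, $key) === $msg, true));
```

CBC on its own gives confidentiality only; a stored record that must also resist tampering needs a MAC over the IV and ciphertext or an authenticated mode.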
