用php加密大文件的最佳方法 [英] Best approach to encrypt big files with php
问题描述
我正在php开发一个项目,需要加密用户上传的文件。这个文件可能是从1mb到200mb或更少。在网络上搜索,我得出结论,最好的方式是分割文件,例如4096字节。所以我加密每个块,并附加到完整的加密文件。我实际上在CBC模式下使用mcrypt和AES-256加密。
I'm developing a project in php where it's needed to encrypt files uploaded by users. This files could be from 1mb to 200mb more or less. Searching on the web, I came to the conclusion that the best way to do it was dividing files in chunks of, example, 4096 bytes. So I encrypt every chunk and append it to the full encrypted file. I'm actually using mcrypt and AES-256 encryption in CBC mode.
所以,我的问题是:
1)我必须创建一个新的初始向量对于每个块,还是可以将前一个块的最后一个块的最后16个字节作为当前块的第一个块的初始向量?这将导致只有一个iv在加密文件的开头附加,而不是每个块在一个加密的块之前附加一个iv。
So, my questions are: 1) I have to create a new initial vector for every chunk, or can I get the last 16bytes of the last block of a previous chunk as the initial vector of the first block of the current chunk? This will result in having just one iv to append at the beginning of the encrypted file, and not one iv for every chunk to append before the encrpyted chunk.
2)在命令添加HMAC认证。这个问题与前一个问题有关。我应该为整个文件添加它还是单独添加每个块。在这种情况下,对于整个文件来说,这是一个问题,因为它通常是在文件的起始处被添加的,在加密文件完成之前,我无法计算hmac。
2) In order to add a HMAC authentication. This question is linked to the previous one. Should I add it for the whole file or individually for every chunk. In this case, doing it for the whole file is a problem since it is usually added at the beggining of the file, and I cannot calculate the hmac until the encrypted file is complete.
3)与此相关。对于文件下载,是否解密(以块为单位)并将文件同时发送给用户是个好主意,或者最好先解密并稍后再发送?
3) Related to this. For file download, is it a good idea to decrypt (in chunks) and send file to the user simultaneously or is it better to decrypt first and send later?
谢谢
推荐答案
您应该加密文件流,让PHP处理所有内容。特别是加密过滤器与 stream_filter_append 做你想要的。然后,您将只读取明文文件的块,并将其写入输出文件流。过滤器导致加密发生。
You should encrypt the file stream and let PHP handle everything. In particular encryption filters combined with stream_filter_append to do what you want. Then you would just read chunks of the plaintext file and write them to the output file stream. The filter causes the encryption to happen.
这样你就不会重新发明轮子,并且正在使用可能已经被审计的代码以用于安全问题。
This way you aren't reinventing the wheel and are using code that has likely been audited for security issues.
对于hmac,大多数库允许您在hmac中添加数据,直到调用finalize或类似的方式。然后,您将读取密文的块,将它们添加到hmac。重复一遍,直到整个密文已添加到hmac并完成它。
For hmac, most libraries let you keep adding data to the hmac until you call finalize or something like that. Then you would read in chunks of ciphertext, add them to the hmac. Repeat until the entire ciphertext has been added to the hmac and finalize it.
或者,在服务器上安装openssl,并从内部调用openssl函数PHP。您可以使用认证密码模式等。
Or, install openssl on the server and call openssl functions from within PHP. You could use an authenticated cipher mode, etc.
这篇关于用php加密大文件的最佳方法的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
