php mcrypt: why to add spaces on string input?

Question

There's a mcrypt snippet on several webs:

https://stackoverflow.com/a/11538728/408872

http://www.techbees.org/best-way-to-use-php-php-encrypt-and-decrypt/

$key = 'password to (en/de)crypt';
$string = ' string to be encrypted '; // note the spaces

$encrypted = base64_encode(mcrypt_encrypt(MCRYPT_RIJNDAEL_256, md5($key), $string, MCRYPT_MODE_CBC, md5(md5($key))));
$decrypted = rtrim(mcrypt_decrypt(MCRYPT_RIJNDAEL_256, md5($key), base64_decode($encrypted), MCRYPT_MODE_CBC, md5(md5($key))), "\0");

echo 'Encrypted:' . "\n";
var_dump($encrypted);

echo "\n";

echo 'Decrypted:' . "\n";
var_dump($decrypted); // spaces are preserved

Does anybody know why extra spaces are introduced on $string?

Recommended answer

The sources you have provided all use nearly exactly the same code. I can only assume they stole the code from each other. So it's not several sites doing this, it was most likely a single site, and the others who didn't really understand what was going on simply inherited this.

There is no good reason to add additional spaces to a string prior to encrypting it, it does not enhance the strength of the cryptography in any way, it doesn't make it "better".

My guess would be that in these examples, it has been done to show that functions like trim do not affect the contents of an encrypted stream. (I personally don't understand why this needs to be proved - it seems entirely logical to me)

If you're accepting a base64 encoded encrypted data (perhaps from a form submission), you will most likely trim the submitted data to remove any chaff the user left in there, I suspect someone somewhere was concerned that trimming the encrypted data would break the original plaintext.

Note, if this string wasn't base64 encoded, it would be entirely possible to damage the ciphertext. Since the ciphertext would be represented in binary form, it is possible that it would have whitespace characters at the end, which could be trimmed off causing corruption.

md5(key) for the key, and md5(md5(key)) for the initialisation vector are both terrible terrible ways to implement this.

Firstly, AES 256 should have a 256 bit key. If you want to use a passphrase, then use hash('sha256', $passphrase, true). The final true makes it return the result as binary, not hex encoded, and this is important so you actually get as much entropy as possible in your key.

Secondly, initialisation vectors should not be re-used, ever. md5(md5(key)) will always produce the same value, for the same key. This weakens your encryption considerably if an attacker manages to obtain several ciphertexts.
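
An added example (not from the question, the answer, or the linked sites) that applies the answer's two points: a binary SHA-256 key and a fresh random IV per message, stored alongside the ciphertext. It assumes PHP 7.1+ with the OpenSSL extension and swaps mcrypt's CBC for AES-256-GCM, since mcrypt was removed from PHP core in 7.2; the function names, constants and sample values are hypothetical.

```php
<?php
// Added example; passphrase and plaintext are constructed sample values.
const CIPHER = 'aes-256-gcm';
const TAG_LEN = 16;

function encrypt_message(string $plaintext, string $passphrase): string
{
    // Binary SHA-256 output: 32 raw bytes, a full 256-bit key (not 64 hex chars).
    $key = hash('sha256', $passphrase, true);
    // Fresh random IV for every message, never derived from the key.
    $iv = random_bytes(openssl_cipher_iv_length(CIPHER));
    $tag = '';
    $ct = openssl_encrypt($plaintext, CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag, '', TAG_LEN);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    // The IV is not secret: store it with the ciphertext, base64 for text transport.
    return base64_encode($iv . $tag . $ct);
}

function decrypt_message(string $encoded, string $passphrase): string
{
    $key = hash('sha256', $passphrase, true);
    $ivLen = openssl_cipher_iv_length(CIPHER);
    // trim() touches only the base64 wrapper, never the plaintext inside.
    $raw = base64_decode(trim($encoded), true);
    if ($raw === false || strlen($raw) < $ivLen + TAG_LEN) {
        throw new InvalidArgumentException('malformed input');
    }
    $iv = substr($raw, 0, $ivLen);
    $tag = substr($raw, $ivLen, TAG_LEN);
    $ct = substr($raw, $ivLen + TAG_LEN);
    $pt = openssl_decrypt($ct, CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($pt === false) {
        throw new RuntimeException('decryption or authentication failed');
    }
    return $pt;
}

$passphrase = 'password to (en/de)crypt';
$message = ' string to be encrypted ';
$first = encrypt_message($message, $passphrase);
$second = encrypt_message($message, $passphrase);

// Same key and plaintext, different IVs: the two ciphertexts are compared here.
var_dump($first !== $second);
// Whitespace added around the base64 text in transit; plaintext spaces are compared.
var_dump(decrypt_message("  $first\n", $passphrase) === $message);
```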
