使用openssl_encrypt将Mcrypt替换为3DES-ECB加密 [英] Use openssl_encrypt to replace Mcrypt for 3DES-ECB encryption
问题描述
我有一个使用mycrypt的加密方法,密码为3des
,模式为ecb
:
mcrypt_module_open ( MCRYPT_3DES, '', 'ecb', '' )
现在,我想使用openssl_encrypt
对其进行加密,但在openssl_get_cipher_methods()
列表中没有找到des3-ecb
.
现在我想使用
openssl_encrypt
对其进行加密,并且在openssl_get_cipher_methods()
列表中找不到des3-ecb
.
是des-ede3
.具有分组密码的对称加密需要某种操作模式.如果您查看列表,将会看到类似des-ede3
,des-ede3-cbc
,des-ede3-cfb
和des-ede3-ofb
的内容. CBC,CFB和OFB都已命名,并且未命名密码必须是唯一的其他常见操作模式:ECB.
请勿使用 ECB模式 .它是确定性的,因此在语义上并不安全.您至少应该使用随机模式,例如 CBC 或CTR .最好对您的密文进行身份验证,以免像填充oracle攻击这样的攻击.可以使用GCM或EAX等经过身份验证的模式,也可以使用 encrypt-then-MAC 方案来完成.
如今不要使用三重DES.即使您使用最大的密钥大小192位,它最多也只能提供112位的安全性.如果使用较短的密钥大小,则仅提供56或57位的安全性. AES速度更快(处理器具有特殊的AES-NI指令集),并且具有最低的128位密钥大小,因此更加安全.对于3DES,最大密文大小也有实际限制.请参阅 3DES和AES的安全性比较.
I have an encryption method with mycrypt and the cipher is 3des
, mode ecb
:
mcrypt_module_open ( MCRYPT_3DES, '', 'ecb', '' )
Now I want to encrypt it using openssl_encrypt
, and I did not find des3-ecb
in openssl_get_cipher_methods()
list.
now I want to encrypt it use
openssl_encrypt
, and I did not finddes3-ecb
inopenssl_get_cipher_methods()
list.
It's des-ede3
. Symmetric encryption with a block cipher needs some kind of mode of operation. If you look through the list, you will see something like des-ede3
, des-ede3-cbc
, des-ede3-cfb
and des-ede3-ofb
. CBC, CFB and OFB are all named and the unnamed cipher must be the only other common mode of operation: ECB.
Never use ECB mode. It's deterministic and therefore not semantically secure. You should at the very least use a randomized mode like CBC or CTR. It is better to authenticate your ciphertexts so that attacks like a padding oracle attack are not possible. This can be done with authenticated modes like GCM or EAX, or with an encrypt-then-MAC scheme.
Don't use Triple DES nowadays. It only provides at best 112 bit of security even if you use the largest key size of 192 bit. If a shorter key size is used, then it only provides 56 or 57 bits of security. AES would be faster (processors have a special AES-NI instruction set) and even more secure with the lowest key size of 128 bit. There is also a practical limit on the maximum ciphertext size with 3DES. See Security comparison of 3DES and AES.
这篇关于使用openssl_encrypt将Mcrypt替换为3DES-ECB加密的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!