CodeIgniter - Why does encrypting with the same key produce different results?


Question

I use CodeIgniter a lot; however, I am not really understanding why, when I use the encryption library in version 3, the encryption string never comes out the same, even using the same salt/key.

So I have stored a user password as an encrypted string, which uses their own key to encrypt. The key is stored in the database. But when they come to log in, and I want to encrypt the entered password to check the strings match, they never do match!

It seems the library always spits out different encrypted strings, no matter if the key is the same or not. How is this going to be useful if I can't match the stored encrypted password to the password they enter at login?

For example, the password is 12456 with key a0956f251b9d957071005a2d11e4630a

SAVED PASSWORD IS: 0e6effa48949d6bf19e84530bc86e9a1407086b3b88fc368b6f8b7b53304b313eeebdb695c9cca10b3e7072f608bf4137e7fcc7d24fed54df2b6dcba3f94dcb6Tm05Qmay9G8JuUXps6UstWebmBmJ71BcIPgrW78OvSY=

PASSWORD GENERATED FROM USER LOGIN

6b893dac92155bc663b126b805c7189214ac4667b226f0c6fc22cf0c6bcca5e897c49961e8852ade1c3e85cbecab89df76ea7891727af6bf0bcc232b75d0d441LLUMZgOy4zLwAypuVQuK0lKTXrlXYptKpVdByytH2D8=

935c8f564c4a5ecb53510faa835eca8622069c34d534df6b9c2ea52de2d9bea5976128f6ff83a572ac677be4ebd690bc18e488518c2eed8b1b40a16c9e61d6b2hbKJ6B1VDuLPCXBeDDFzvrlSBIYCtN19M6dQGZRCvUE=

b8e020c7c10d564cfc3a9cc4d50b85ea3422422b73a2dd79930ead1fb601493279ba97645584d6dfa188e62f5eba5dc66d0dafdb7a82c08bf847bc84fc0718daSOVRrDlFmVMB/12ok9kR68ekXJcJvw0yfo/cnU9ojtI=

See, they are different every time I try to encrypt the user input? It's not making any sense.

Likewise, if I try to decode the password in the database with the same key it was encrypted with, I get nothing back, no decrypted password.

So, does anyone know what is going on here?

Recommended answer

Randomized encryption is a security property necessary to achieve semantic security. If the encryption were not randomized, an attacker might detect whether (prefixes of) messages were previously sent just by observing the ciphertexts. You generally don't want the attacker to know anything about the plaintexts except the length.

An encryption function always has a corresponding decryption function. It seems that you're only using one of the two functions. You should never encrypt your users' passwords. You need to use hashing instead, with some strong ones being PBKDF2, bcrypt, scrypt and Argon2. Since hash functions are one-way functions, you won't be able to "decrypt" the hashes. In order to authenticate your user, you can run the password through the hash function again in order to compare with the hash that is stored in the database. See more: How to securely hash passwords?
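As an added example (plain PHP with the OpenSSL extension; not code from the question, the answer, or CodeIgniter itself), the following shows both points of the answer: encryption with a fresh random IV yields a different ciphertext on every call yet still decrypts, because the IV is stored with the ciphertext, and a password check is done with password_hash()/password_verify() rather than with encryption. The 256-bit key, the AES-256-CBC choice and the password value are constructed for the example; CodeIgniter 3's Encryption library likewise draws a new IV per call, which is why its output never repeats.

```php
<?php
// Part 1: same key, same plaintext, different ciphertext each time.
// A fresh random IV is prepended to the ciphertext so decryption can recover it.
function encryptWithRandomIv(string $plaintext, string $key): string
{
    $iv = random_bytes(openssl_cipher_iv_length('aes-256-cbc'));
    $ct = openssl_encrypt($plaintext, 'aes-256-cbc', $key, OPENSSL_RAW_DATA, $iv);
    return base64_encode($iv . $ct);              // IV travels with the ciphertext
}

function decryptWithStoredIv(string $encoded, string $key)
{
    $raw   = base64_decode($encoded, true);
    $ivLen = openssl_cipher_iv_length('aes-256-cbc');
    $iv    = substr($raw, 0, $ivLen);              // read the IV back out
    $ct    = substr($raw, $ivLen);
    return openssl_decrypt($ct, 'aes-256-cbc', $key, OPENSSL_RAW_DATA, $iv);
}

$key = random_bytes(32);                          // constructed 256-bit key
$a = encryptWithRandomIv('12456', $key);
$b = encryptWithRandomIv('12456', $key);
var_dump($a !== $b);                              // bool(true): different IV, different ciphertext
var_dump(decryptWithStoredIv($a, $key) === '12456'
      && decryptWithStoredIv($b, $key) === '12456'); // bool(true): both still decrypt

// Part 2: what the login check should do instead: hash, never encrypt.
// password_hash() embeds a random salt, so two hashes of the same password
// also differ as strings; password_verify() reads the salt back and recomputes.
function storePassword(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);   // currently bcrypt
}

function checkPassword(string $candidate, string $storedHash): bool
{
    return password_verify($candidate, $storedHash);     // constant-time compare inside
}

$stored = storePassword('12456');
var_dump(storePassword('12456') !== $stored);     // bool(true): salted, so never compare as strings
var_dump(checkPassword('12456', $stored));        // bool(true)
var_dump(checkPassword('12457', $stored));        // bool(false)
```

The per-user "key" the question stores in the database is exactly the role the salt plays inside the hash, so nothing beyond the hash string itself needs to be saved.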
