Securing webservices of PHP


Question

I'm developing a small project in Android which uses PHP webservice calls.

I want my webservices to be protected; however, by using GET/POST request methods I don't think they're much protected. After googling I found an RSA implementation in "phpseclib", which has good documentation as well. But I'm so confused that I thought I'd post this here.

Basically what I need is:

  1. In Android, I'll call a URL with "the encrypted parameters merged into one string" (I encode the parameters as JSON first, then encrypt them).
  2. In PHP, I'll extract those parameters and process them accordingly.

JSON string: {user_id:xyz@gmail.com,passwd:Password!}

Encrypted as: XsjkhkjwehrkanmNXmnskjawrhjlljahdhuw

e.g. http://my.domain.com/webservices/call.php?params=Xsjkhkjwehrkanm,NXmnskjawrhjlljahdhuw In PHP, I'll extract the user ID and password from $_GET['params'].

This is possible with base64_encode() and base64_decode(), but the base64 encoder will just obfuscate the string; it won't actually encrypt it.

I need a public/private key mechanism.

However, I've tried this: (https://launchkey.com/docs/api/encryption/php/phpseclib)

<?php
// phpseclib 1.x: the class must be loaded before it can be used
require_once 'Crypt/RSA.php';

function rsa_encrypt($key, $message) {
    $rsa = new Crypt_RSA();
    $rsa->loadKey($key);                                  // $key is the recipient's public key (PEM); loadKey() returns false if it cannot be parsed
    $encrypted = base64_encode($rsa->encrypt($message));  // encrypt with the public key, base64 for transport
    return $encrypted;
}
?>

It's not returning any $encrypted string.

Any help would be appreciated.

Thanks..! :)

Accepted answer

If you're new to encryption, you should go the simple route and just go with HTTPS, as suggested in the comments.

Also, as suggested in the comments, don't send passwords via GET from a web page, because they show up in the address bar and passers-by can read them off the screen.

HTTPS (SSL/TLS) provides end-to-end encryption of the entire connection between the web server and the client. This allows you to send all your data in clear text and not worry about it, because it's being encrypted at a lower level.

Since it's not a web browser calling your web server, you don't even need to pay for an SSL certificate. You can create a self-signed certificate. Just ensure you verify the signature on every connection to prevent man-in-the-middle attacks. This is a bit trickier though, so again, if you're new to this, just pay for the SSL certificate and let Android take care of the certificate verification for you.

To your direct question:

Encoding is not encryption, as you may have discovered. Base64 is encoding and provides no security.

You cannot simply generate an RSA public/private key pair, encrypt data with the private key, and send it to your server. You have to first share your public key with the server. Well, anyone who sniffs the public key off the wire can decrypt it.

You could potentially have the client generate a random symmetric key and encrypt it with the server's public key. The server would then decrypt it with the private key and have a shared secret key to use to encrypt data and send it to you.

The problem with that is that an attacker could simply replay all your data to the server to see the same output. These random things need to be generated by the server to ensure they're actually random, so you're stuck with the server generating the key; but if the server simply encrypts with the private key, anyone with the public key could decrypt it.

So you'd need some method of securely deriving a shared secret key: some complicated mathematical way of sharing some data that both the server and the client could use to calculate the same shared key.

You could do this yourself, but you'll be calling complicated procedures and functions when you could just use SSL, which does the same thing for you.
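The replay problem the answer raises, shown as an added example (not code from the question, the answer or phpseclib). It assumes the client and server already share a secret key, which in the hybrid scheme above would be the random session key wrapped with the server's RSA public key (and under TLS is not needed at all); the key bytes, message layout and the two toy servers are invented for the demo, and confidentiality of the body is left to the transport. The first server only checks a MAC, so a sniffed request keeps verifying forever; the second issues a single-use random nonce per call, so the same bytes are rejected the second time. The parameters are the ones from the question.

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed 32-byte shared secret for the demo only (assumption). In the scheme
# the answer sketches this would be the client's random session key after the
# server unwrapped it with its RSA private key.
SHARED_KEY = bytes.fromhex(
    "5d41402abc4b2a76b9719d911017c592cd9f2f34bb6ce3ae61ab6df1f4e70f3a"
)


def _tag(key, nonce, body):
    """HMAC-SHA256 over nonce || 0x00 || body, hex encoded.

    Binding the nonce into the MAC is what makes a captured request useless
    once its nonce has been consumed.
    """
    return hmac.new(key, nonce.encode() + b"\x00" + body, hashlib.sha256).hexdigest()


def build_request(key, nonce, params):
    """Client side: serialise the parameters and authenticate them under the nonce."""
    body = json.dumps(params, sort_keys=True, separators=(",", ":"))
    return {"nonce": nonce, "body": body, "tag": _tag(key, nonce, body.encode())}


class NaiveServer:
    """Checks the MAC only. A valid request stays valid forever, so replay works."""

    def __init__(self, key):
        self.key = key

    def handle(self, request):
        body = request["body"].encode()
        if not hmac.compare_digest(_tag(self.key, request["nonce"], body), request["tag"]):
            return "rejected: bad tag"
        return "ok: " + json.loads(body)["user_id"]


class NonceServer:
    """Issues a fresh random nonce per call and retires it once a valid request uses it."""

    def __init__(self, key, ttl_seconds=60):
        self.key = key
        self.ttl = ttl_seconds
        self.outstanding = {}  # nonce -> expiry; a shared store in a real deployment

    def challenge(self, now=None):
        """Step 1: the server, not the client, generates the randomness."""
        nonce = secrets.token_hex(16)
        self.outstanding[nonce] = (time.time() if now is None else now) + self.ttl
        return nonce

    def handle(self, request, now=None):
        """Step 2: accept a request only under a known, unexpired, unused nonce."""
        now = time.time() if now is None else now
        nonce = request["nonce"]
        expiry = self.outstanding.get(nonce)
        if expiry is None:
            return "rejected: unknown or already used nonce"
        if now > expiry:
            del self.outstanding[nonce]
            return "rejected: expired nonce"
        body = request["body"].encode()
        if not hmac.compare_digest(_tag(self.key, nonce, body), request["tag"]):
            return "rejected: bad tag"  # nonce is kept: the real client may still use it
        del self.outstanding[nonce]  # consumed: the same bytes will never verify again
        return "ok: " + json.loads(body)["user_id"]


def demo():
    """Replay the same request against both servers; returns each server's answers."""
    params = {"user_id": "xyz@gmail.com", "passwd": "Password!"}

    naive = NaiveServer(SHARED_KEY)
    captured = build_request(SHARED_KEY, "", params)  # no server nonce in the naive scheme
    naive_first = naive.handle(captured)
    naive_replay = naive.handle(captured)  # attacker resends the sniffed request

    server = NonceServer(SHARED_KEY)
    request = build_request(SHARED_KEY, server.challenge(), params)
    nonce_first = server.handle(request)
    nonce_replay = server.handle(request)

    return {
        "naive_first": naive_first,
        "naive_replay": naive_replay,
        "nonce_first": nonce_first,
        "nonce_replay": nonce_replay,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:13s} {result}")
```

Note that the nonce is only retired after the MAC verifies, so a tampered copy sent by an attacker cannot burn the legitimate client's nonce; the expiry bound keeps the outstanding table from growing without limit. This is exactly the bookkeeping TLS already does for you with its handshake randoms, which is the answer's point.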
