Best way to use PHP to encrypt and decrypt passwords?

Question


Possible duplicate:

PHP 2-way encryption: I need to store passwords that can be retrieved

I plan to store foreign account information for my users on my website, aka rapidshare username and passwords, etc... I want to keep information secure, but I know that if I hash their information, I can't retrieve it for later use.

Base64 is decrypt-able so there's no point using that just plain off. My idea is to scramble the user and pass before and after it gets base64ed that way even after you decrypt it, you get some funny looking text if you try to decrypt. Is there a php function that accepts values that will make a unique scramble of a string and de-scramble it later when the value is reinputed?

Any suggestions?

Recommended answer

You should not encrypt passwords, instead you should hash them using an algorithm like bcrypt. This answer explains how to properly implement password hashing in PHP. Still, here is how you would encrypt/decrypt:

$key = 'password to (en/de)crypt';
$string = ' string to be encrypted '; // note the spaces

To encrypt:

$iv = mcrypt_create_iv(
    mcrypt_get_iv_size(MCRYPT_RIJNDAEL_128, MCRYPT_MODE_CBC),
    MCRYPT_DEV_URANDOM
);

$encrypted = base64_encode(
    $iv .
    mcrypt_encrypt(
        MCRYPT_RIJNDAEL_128,
        hash('sha256', $key, true),
        $string,
        MCRYPT_MODE_CBC,
        $iv
    )
);

To decrypt:

$data = base64_decode($encrypted);
$iv = substr($data, 0, mcrypt_get_iv_size(MCRYPT_RIJNDAEL_128, MCRYPT_MODE_CBC));

$decrypted = rtrim(
    mcrypt_decrypt(
        MCRYPT_RIJNDAEL_128,
        hash('sha256', $key, true),
        substr($data, mcrypt_get_iv_size(MCRYPT_RIJNDAEL_128, MCRYPT_MODE_CBC)),
        MCRYPT_MODE_CBC,
        $iv
    ),
    "\0"
);






Warning: The above example encrypts information, but it does not authenticate the ciphertext to prevent tampering. You should not rely on unauthenticated encryption for security, especially since the code as provided is vulnerable to padding oracle attacks.

See also:

  • https://stackoverflow.com/a/30189841/2224584
  • https://stackoverflow.com/a/30166085/2224584
  • https://stackoverflow.com/a/30159120/2224584

Also, don't just use a "password" for an encryption key. Encryption keys are random strings.

Demo on 3v4l.org

echo 'Encrypted:' . "\n";
var_dump($encrypted); // "m1DSXVlAKJnLm7k3WrVd51omGL/05JJrPluBonO9W+9ohkNuw8rWdJW6NeLNc688="

echo "\n";

echo 'Decrypted:' . "\n";
var_dump($decrypted); // " string to be encrypted "
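
An added example, not part of the original answer: the same store-and-retrieve flow with authenticated encryption, so a tampered ciphertext is rejected before any plaintext is returned, and with a random key instead of a hashed password. It assumes PHP 7.2 or later with the bundled sodium extension (the mcrypt extension used above was removed from PHP in 7.2); the function names encrypt_credential and decrypt_credential are hypothetical, and the key is assumed to be loaded from somewhere outside the database.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: encrypt and authenticate with libsodium's secretbox
// (XSalsa20-Poly1305). Output is base64(nonce || ciphertext-with-MAC).
function encrypt_credential(string $plaintext, string $key): string
{
    if (strlen($key) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
        throw new InvalidArgumentException('key must be 32 random bytes');
    }
    // A fresh random nonce for every message; it is not secret.
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    return base64_encode($nonce . sodium_crypto_secretbox($plaintext, $nonce, $key));
}

// Hypothetical helper: verify the MAC first, then decrypt. Any failure throws.
function decrypt_credential(string $encoded, string $key): string
{
    $raw = base64_decode($encoded, true);
    $min = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if ($raw === false || strlen($raw) < $min) {
        throw new RuntimeException('malformed ciphertext');
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box   = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open($box, $nonce, $key);
    if ($plain === false) {
        // One generic error for every failure, so callers cannot be used as an oracle.
        throw new RuntimeException('authentication failed');
    }
    return $plain;
}

// Constructed sample: a random key (in practice loaded from configuration, an assumption).
$key    = sodium_crypto_secretbox_keygen();
$stored = encrypt_credential(' string to be encrypted ', $key);
var_dump(decrypt_credential($stored, $key) === ' string to be encrypted ');

// Flip one bit of the stored value, as an attacker with database write access could.
$raw = base64_decode($stored, true);
$last = strlen($raw) - 1;
$raw[$last] = chr(ord($raw[$last]) ^ 1);
try {
    decrypt_credential(base64_encode($raw), $key);
    echo "tampering was NOT detected\n";
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

Unlike the rtrim-based decryption above, this round trip returns the plaintext byte for byte, including any trailing NUL bytes.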
