lua aes encryption


Problem description

I found a "lua aes" solution on the web a while ago and have some concerns about its safety.

It states:

-- Do not use for real encryption, because the password is easily viewable while encrypting.

It says this at its "file encryption test" script.

My questions are:

Why is that, how is it any different from encrypting a string and writing it to a file?

How could it be viewable while encryption? Is it viewable after encryption too?

Basically, is it safe to use or not?

Is there anyone who can confirm this who has used it? I mailed the original developer but the email address was invalid.

Should I use it?

Recommended answer

I assume there are two reasons why that recommendation was made:

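  1. Strings are immutable in Lua, so there is no way to overwrite a string with different data once it has been created.

  2. In Lua, objects are garbage collected. The garbage collector runs only at certain points in the program, and the application cannot tell when the collector will run after there are no more references to the object. Until then, the password string remains in memory, as per point 1.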

See Java's case, which is similar to Lua:

Why is char[] preferred over String for passwords?

As you can see there, using char arrays instead of strings is a better way to store passwords, since arrays are mutable and can be reinitialized to zero when done.

The closest Lua equivalent to a char array is a table filled with numbers. Here the password is stored as a table, rather than a string, where each element in the table consists of the integer representation of each character. For example, "pass" becomes {0x70,0x61,0x73,0x73}. After the table containing the password is used to encrypt or decrypt, it is filled with zeros before it's unreachable by the program and eventually gets garbage collected.

According to your comment, I may have misunderstood. Maybe the "file encryption test" stores the password in plain text along with the encrypted file, allowing anyone with access to the file, even attackers, the ability to trivially decrypt it. The points above still apply, though. This is still only a guess, however; I can't know exactly what you mean unless you provide a link to the encryption library you mention.

I've taken a look at the AES library and the concern about the password being "easily viewable" occurs because the user types the password in plain text, through the command line or terminal, in order to start the Lua program, even though the output of the program contains only cipher text. A slightly more secure way of providing the password would be not to show the input (as is done in sudo) or to mask the input with dots or stars (as is done in many Web pages).

Either that or the points given above are perhaps the only logical explanation.
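
The byte-table approach and the hidden prompt described in the answer above, as an added example that is not part of the original answer or of the AES library it discusses. It assumes a POSIX terminal with `stty` for the no-echo prompt; `read_password_bytes`, `wipe`, `with_password` and `prompt_hidden` are hypothetical helper names, and the callback stands in for the cipher's key setup.

```lua
-- Read one line from `input` byte by byte into a table of integers, so the
-- whole password never exists as one immutable Lua string. (Each read(1)
-- still yields a 1-character string, but never the password as a unit.)
local function read_password_bytes(input)
  local bytes = {}
  while true do
    local ch = input:read(1)              -- 1-character string, nil at EOF
    if ch == nil or ch == "\n" then break end
    if ch ~= "\r" then bytes[#bytes + 1] = ch:byte() end
  end
  return bytes
end

-- Overwrite every element in place; no need to wait for the collector.
local function wipe(bytes)
  for i = 1, #bytes do bytes[i] = 0 end
end

-- Call fn(bytes), then wipe the table even if fn raised an error.
local function with_password(bytes, fn)
  local ok, result = pcall(fn, bytes)
  wipe(bytes)
  if not ok then error(result, 0) end
  return result
end

-- Prompt without echo, as sudo does. Assumption: POSIX terminal with stty.
local function prompt_hidden(prompt)
  io.stderr:write(prompt)
  os.execute("stty -echo")
  local ok, bytes = pcall(read_password_bytes, io.stdin)
  os.execute("stty echo")                 -- always restore echo
  io.stderr:write("\n")
  if not ok then error(bytes, 0) end
  return bytes
end

local pw
if arg and arg[1] == "--prompt" then
  pw = prompt_hidden("Password: ")
else
  local f = io.tmpfile()                  -- constructed sample input
  f:write("pass\n"); f:seek("set", 0)
  pw = read_password_bytes(f); f:close()
end
-- Hypothetical stand-in for handing the bytes to the cipher's key setup.
local n = with_password(pw, function(b) return #b end)
for i = 1, n do assert(pw[i] == 0) end    -- every byte was zeroed
print("used " .. n .. " password bytes, table wiped")
```

Run it with `--prompt` to type the password at a terminal with echo disabled; without arguments it uses the constructed sample line.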
