The safer way to encrypt


Problem description

Related to my last question, I have a new one.

What is a safer way to send encrypted data via HTTPS?

  1. using signAndEncrypt function with openssl_pkcs7_encrypt and send return array via form element...

    // Wrap the encrypted payload (line breaks stripped) in PKCS7 markers
    $encryptedData = "-----BEGIN PKCS7-----" . str_replace("\n", "", $encryptedDataReturn['encrypted_data']) . "-----END PKCS7-----";

    // Auto-submitting form that posts the encrypted data to the gateway
    $encryptedRequest = <<<PPHTML
    <html>
      <header>
      </header>

      <body onload="document.getElementById('paypal_form').submit();">
        <br/><br/><br/><br/>
        <center>
          <h2>Please wait, your order is being processed and you
              will be redirected to the paypal website.
          </h2>
        </center>
        <form id="paypal_form" method="POST" action="{$this->gatewayUrl}">
          <input type="hidden" name="cmd" value="_s-xclick">
          <input type="hidden" name="encrypted" value="$encryptedData">
        </form>
      </body>
    </html>
    PPHTML;

  2. or using curl like this

    $curlOptions = array(
        CURLOPT_URL => Config::MERCHANT_SANDBOX_SIGNATURE_ENDPOINT,
        CURLOPT_VERBOSE => 1,
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_CAINFO => $this->publicCertificate,
        CURLOPT_RETURNTRANSFER => 1,
        CURLOPT_POST => 1,
        CURLOPT_HEADER => true,
        CURLOPT_POSTFIELDS => http_build_query($data)
    );

    $ch = curl_init();
    curl_setopt_array($ch, $curlOptions);

    // Sending our request - $response will hold the API response
    $response = curl_exec($ch);

I'm trying to find the safest way to send data to the PayPal API. First I mixed both of the functions, and added the encrypted NVP to the CURLOPT_POSTFIELDS. But that gave me a bunch of errors from PayPal. So I have done a double encryption. When I leave the postfields unencrypted, the PayPal API gives me success.

My questions:

1. Is it secure enough to use curl with a public certificate?
2. Is it possible to use the pkcs7 encryption (or similar encryption) with curl?
3. Am I right in assuming that it isn't possible to encrypt the postfields before sending data via curl/https to PayPal, because when I do that, PayPal gives me failure responses?

Please help.
Greetings ninchen

Solution

When it comes to crypto & security, your first answer should be to do whatever is standard. It's standard for a reason, and can be expected to be reasonably secure. If vulnerabilities are discovered, you'll need to update, but then again so will everyone else. Trying a clever trick to be "more secure" usually means that you end up with something that is less so.

See this answer for an extended discussion.
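
An added illustration of the "standard" route the answer recommends, not code from the original post or from PayPal: the NVP fields are posted unmodified inside a TLS connection whose certificate chain and host name are verified, and the call fails closed on any transport error. The function name `postNvpOverTls`, the endpoint URL and the field values are hypothetical placeholders.

```php
<?php
// Added example (hypothetical helper, not from the original question or answer).
// Posts NVP fields over HTTPS and only returns a body when the TLS-verified
// request succeeded.
function postNvpOverTls(string $endpoint, array $fields, ?string $caBundle = null): string
{
    if (stripos($endpoint, 'https://') !== 0) {
        throw new InvalidArgumentException('Endpoint must use https://');
    }

    $options = array(
        CURLOPT_URL            => $endpoint,
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS,          // never speak plain HTTP
        CURLOPT_FOLLOWLOCATION => false,                    // do not follow redirects
        CURLOPT_SSL_VERIFYPEER => true,                     // validate the certificate chain
        CURLOPT_SSL_VERIFYHOST => 2,                        // certificate must match the host name
        CURLOPT_SSLVERSION     => CURL_SSLVERSION_TLSv1_2,  // TLS 1.2 or later
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query($fields), // TLS encrypts this in transit
        CURLOPT_CONNECTTIMEOUT => 10,
        CURLOPT_TIMEOUT        => 30,
    );
    if ($caBundle !== null) {
        // CURLOPT_CAINFO expects the path to a PEM file of trusted CA certificates.
        $options[CURLOPT_CAINFO] = $caBundle;
    }

    $ch = curl_init();
    curl_setopt_array($ch, $options);
    $response = curl_exec($ch);
    if ($response === false) {
        // Verification failures surface here; there is no unverified fallback.
        throw new RuntimeException('Request failed: ' . curl_error($ch));
    }
    if (curl_getinfo($ch, CURLINFO_HTTP_CODE) !== 200) {
        throw new RuntimeException('Unexpected HTTP status from endpoint');
    }
    return $response;
}

// Constructed demo that runs offline: a non-HTTPS endpoint is rejected
// before any network traffic is attempted.
try {
    postNvpOverTls('http://api.example.invalid/nvp', array('METHOD' => 'PLACEHOLDER'));
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ' . $e->getMessage() . PHP_EOL;
}
```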
