I am asking this question again, because my last question wasn't answered properly I am making a CMS, and i have made an encryption system(using cryptoJs), to provide a bit more security to website owners that don't use ssl or tls. But when i decrypt the code in php i get this:
éû*ö^ÿçÿ/Œæ”‰0äU
I have tried to see if it is hex, but when i tried transitioning it from hex to UTF-8, it gave me only gibrish as well.
My system works this way: every time a user goes onto a page, two random strings that are each 100 characters long are created. These strings are adk(Aes decryption key) and keyT. The adk is the secret pass phrase of the key, and the keyT will be the name of the cookie used to store the key.
Random string creation script(PHP):
$characters = "QWERTYUIOPASDFGHJKLZXCVBNMqwertyuiopasdfghjklzxcvbnm0123456789";
$charactersLength = strlen($characters);
$adk = "";
for($i=0;$i<100;$i++)
{
$adk .= $characters[rand(0, $charactersLength - 1)];
}
$_SESSION['adk'] = $adk;
$characters2 = "QWERTYUIOPASDFGHJKLZXCVBNMqwertyuiopasdfghjklzxcvbnm0123456789";
$charactersLength2 = strlen($characters);
$keyT = "";
for($i=0;$i<100;$i++)
{
$keyT .= $characters2[rand(0, $charactersLength2 - 1)];
}
$_SESSION['keyT'] = $keyT;
I am also using a CryptoJS extension, to create cryptographically safe randoms, instead of using Math.random()
CryptoJS Extension(Javascript):
/*
* The MIT License (MIT)
*
* Copyright (c) 2015 artjomb
*/
(function(C){
var WordArray = C.lib.WordArray;
var crypto = window.crypto;
var TypedArray = Int32Array;
if (TypedArray && crypto && crypto.getRandomValues) {
WordArray.random = function(nBytes){
var array = new TypedArray(Math.ceil(nBytes / 4));
crypto.getRandomValues(array);
return new WordArray.init(
[].map.call(array, function(word){
return word
}),
nBytes
);
};
} else {
console.log("No cryptographically secure randomness source available");
}
})(CryptoJS);
Password encryption script(Javascript&PHP):
function savePassword()
{
password = document.getElementById("ap").value;
var salt = CryptoJS.lib.WordArray.random(128/8);
var iv = CryptoJS.lib.WordArray.random(128/8);
var key = CryptoJS.PBKDF2(<?php echo '"'.$_SESSION['adk'].'"'; ?>, salt, { keySize: 256/32, iterations: 900 });
password = CryptoJS.AES.encrypt(password, key, { iv: iv });
var pB64 = password.ciphertext.toString(CryptoJS.enc.Base64);
var ivB64 = password.iv.toString(CryptoJS.enc.Base64);
var kB64 = password.key.toString(CryptoJS.enc.Base64);
document.cookie=<?php echo '"'.$_SESSION['keyT'].'="'; ?> + kB64 + "; path=/";
document.cookie="encrIv=" + ivB64 + "; path=/";
$(document).ready(function()
{
$("#ap").slideToggle("slow");
$("#sp").slideToggle("slow");
$("#tempBr").remove();
$("#apText").slideToggle("slow");
$("#nb").slideToggle("slow");
$("#sp").remove();
$("#ap").text(pB64);
});
}
The iv and key are put into cookies, but the password will be posted to the next page in a form, where it will be stored into a session.
Form textbox(HTML):
<input type="password" id="ap" name="ap" class="textbox" placeholder="Administrator password" />
Encrypted password storing script(PHP):
$ap = $_POST['ap'];
include_once("../scripts/session_start.php");
$_SESSION['ap'] = $ap;
Decryption script(PHP):
<?php
include_once("scripts/session_start.php");
$keyT = $_SESSION['keyT'];
$toDecrypt = $_SESSION['ap'];
$iv = $_COOKIE['encrIv'];
$key = $_COOKIE[$keyT];
$toDecrypt = base64_decode($toDecrypt);
$iv = base64_decode($iv);
$key = base64_decode($key);
$decrypted = rtrim( mcrypt_decrypt( MCRYPT_RIJNDAEL_128, $key, $toDecrypt, MCRYPT_MODE_CBC, $iv ), "\t\0" );
echo $decrypted;
?>
答案 0 :(得分:0)
I am sorry for this hurried answer - I'll clean it up later tomorrow - but the long and the short of it is, getting CryptoJS and PHP to work together wasn't easy.
First of all you have to get the right AES mode (they aren't the same between GoogleCode CryptoJS and PHP mcrypt), then there are quirks with padding and IV.
The code below has been working for some eighteen months now. PHP and JS code jumbled together.
public static function aesEncrypt($password, $plaintext, $js = true) {
$key = self::getAesKey($password, !$js);
// Build $iv and $iv_base64.
// We use a block size of 128 bits (AES compliant) and CBC mode.
// (Note: ECB mode is inadequate as IV is not used.)
if (!function_exists('mcrypt_create_iv')) {
die('FATAL: php5-mcrypt package does not seem to be installed');
}
$iv = mcrypt_create_iv(mcrypt_get_iv_size(MCRYPT_RIJNDAEL_128, MCRYPT_MODE_CBC), MCRYPT_DEV_URANDOM);
return base64_encode(
$iv // S a l t e d _ _
. (true === $js ? hex2bin('53616c7465645f5f0000000000000000') : '')
. mcrypt_encrypt(MCRYPT_RIJNDAEL_128,
$key,
// Add a payload of 32 spaces.
str_repeat(' ', true === $js ? 32 : 0) . $plaintext,
MCRYPT_MODE_CBC,
$iv
)
);
$encrypt = Crypto::aesEncrypt(
PASSWORD
MESSAGE
);
<script src="/static/js/aes.js"></script>
<script src="/static/js/sha256.js"></script>
<script>
// Decode the base64 data so we can separate iv and crypt text.
var rawData = atob('{$encrypt}'); // Base64, IV plus naked ciphertext
var iv = CryptoJS.enc.Latin1.parse(rawData.substring(0, 16));
var encrypt = CryptoJS.enc.Latin1.parse(rawData.substring(16));
document.getElementById('password').onkeydown = function(e) {
if (13 === e.keyCode) {
decrypt();
}
};
function hex2a(hex) {
var str = '';
for (var i = 0; i < hex.length; i += 2)
str += String.fromCharCode(parseInt(hex.substr(i, 2), 16));
return str;
}
function decrypt() {
var passw = document.getElementById('password').value;
var key = CryptoJS.SHA256(passw);
var plain = CryptoJS.AES.decrypt({ ciphertext: encrypt }, key, { iv: iv });
// Skip first 16 + 32 bytes of decrypted text.
document.getElementById('details').innerHTML = hex2a(plain.toString().substr(96));
}
答案 1 :(得分:0)
我找到了一个解决方法,加密的密码将存储到cookie中,以后由cryptoJS解密。