How to compare passwords in PHP

Date: 2017-01-31 14:02:27

Tags: php encryption

I used a library in Android to encrypt passwords and insert them into the database. Now I am creating a PHP page and I want to compare a password, but I don't know how, because I don't know how to encrypt it the same way before comparing.

In the Java code I use this, with this library (https://github.com/simbiose/Encryption):

```java
final String key = "my_secret";
final String salt = "my_secret";
final byte[] iv = new byte[16];
```

I tried this but it didn't work:

```php
<?php

// NOTE: mcrypt was deprecated in PHP 7.1 and removed in PHP 7.2; on newer
// PHP this class would have to be rewritten on top of openssl_encrypt().
class MCrypt {

    // Java's `new byte[16]` is sixteen zero bytes, i.e. 32 hex digits.
    // AES-CBC needs a full 16-byte IV; a 16-digit hex string is only 8 bytes.
    private $hex_iv = '00000000000000000000000000000000';
    private $key = 'my_secret'; # Same as in JAVA

    function __construct() {
        // This has to reproduce exactly how the Java library derives its AES key
        // from `key` (and `salt`); SHA-256 of the key is an assumption. A 32-byte
        // key also selects AES-256 in mcrypt, a 16-byte key would select AES-128,
        // and the Java side has to use the same key length.
        $this->key = hash('sha256', $this->key, true);
    }

    function encrypt($str) {
        $td = mcrypt_module_open(MCRYPT_RIJNDAEL_128, '', MCRYPT_MODE_CBC, '');
        mcrypt_generic_init($td, $this->key, $this->hexToStr($this->hex_iv));
        $block = mcrypt_get_block_size(MCRYPT_RIJNDAEL_128, MCRYPT_MODE_CBC);
        $encrypted = mcrypt_generic($td, $this->addpadding($str, $block));
        mcrypt_generic_deinit($td);
        mcrypt_module_close($td);
        return base64_encode($encrypted);
    }

    function decrypt($code) {
        $td = mcrypt_module_open(MCRYPT_RIJNDAEL_128, '', MCRYPT_MODE_CBC, '');
        mcrypt_generic_init($td, $this->key, $this->hexToStr($this->hex_iv));
        $str = mdecrypt_generic($td, base64_decode($code));
        mcrypt_generic_deinit($td);
        mcrypt_module_close($td);
        return $this->strippadding($str);
    }

    /*
      PKCS7 padding: append N bytes of value N, 1 <= N <= block size.
     */
    private function addpadding($string, $blocksize = 16) {
        $pad = $blocksize - (strlen($string) % $blocksize);
        return $string . str_repeat(chr($pad), $pad);
    }

    // Returns the unpadded plaintext, or false if the padding is malformed
    // (pad value out of range, or the last N bytes are not all equal to N).
    private function strippadding($string, $blocksize = 16) {
        $len = strlen($string);
        if ($len === 0 || $len % $blocksize !== 0) {
            return false;
        }
        $pad = ord($string[$len - 1]);
        if ($pad < 1 || $pad > $blocksize || $pad > $len) {
            return false;
        }
        if (substr($string, -$pad) !== str_repeat(chr($pad), $pad)) {
            return false;
        }
        return substr($string, 0, $len - $pad);
    }

    // hex2bin() does the byte-pair conversion the hand-written loop did.
    function hexToStr($hex) {
        return hex2bin($hex);
    }
}

$encryption = new MCrypt();
echo $encryption->encrypt('asd') . "<br/>";
?>
```

Please help me; if I can't compare passwords I can't continue my project :(

1 answer:

Answer 0 (score: 1)

Do not encrypt passwords: when an attacker gets admin rights, he also gets the encryption key.

Iterate over an HMAC with a random salt for a duration of about 100 ms and save the salt with the hash. Use functions such as password_hash / password_verify, PBKDF2 (aka Rfc2898DeriveBytes), Bcrypt and similar functions.

The point is to make the attacker spend a lot of time finding passwords by brute force.

For more information, see:

  1. Jim Fenton: Toward Better Password Requirements

  2. DRAFT NIST Special Publication 800-63B Digital Authentication Guideline

  3. Sophos: NIST's new password rules – what you need to know

  4. Sophos: How to store your users' passwords safely
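What the answer describes, done in PHP with password_hash()/password_verify(), as an added example that is not part of the question or the answer. It assumes the Android app sends the plaintext password to the server over HTTPS and the server does the hashing; the `$users` array is a constructed stand-in for the database table, and the function names are the example's own.

```php
<?php
declare(strict_types=1);

// Added example, not code from the question or the answer: store and check
// passwords with password_hash()/password_verify() instead of AES. Nothing is
// encrypted, so there is no key for an attacker with admin rights to take.
// $users is a constructed stand-in for the DB table (username => stored hash).

// Pick the bcrypt cost so that one hash takes about the target time on this
// server (the answer suggests ~100 ms). Run this at deploy time, not per
// request, and keep the result in configuration.
function calibrateBcryptCost(float $targetSeconds = 0.1, int $maxCost = 15): int
{
    for ($cost = 10; $cost < $maxCost; $cost++) {     // 10 is PHP's default cost
        $start = microtime(true);
        password_hash('calibration-only', PASSWORD_BCRYPT, ['cost' => $cost]);
        if (microtime(true) - $start >= $targetSeconds) {
            return $cost;
        }
    }
    return $maxCost;
}

// Registration: keep only the hash. password_hash() draws a random 16-byte salt
// and encodes algorithm, cost and salt into the returned string, so the salt is
// "saved with the hash" exactly as the answer says.
function registerUser(array &$users, string $username, string $password, int $cost): void
{
    // bcrypt only looks at the first 72 bytes; refuse longer inputs rather than
    // silently truncating them.
    if (strlen($password) > 72) {
        throw new InvalidArgumentException('password longer than 72 bytes');
    }
    $users[$username] = password_hash($password, PASSWORD_BCRYPT, ['cost' => $cost]);
}

// Login: password_verify() reads salt and cost back out of the stored string,
// recomputes the hash and compares in constant time. If the stored hash was
// made with an older, cheaper cost, upgrade it after a successful login while
// the plaintext is still available.
function loginUser(array &$users, string $username, string $password, int $cost): bool
{
    $stored = $users[$username] ?? null;
    if ($stored === null || !password_verify($password, $stored)) {
        return false;
    }
    if (password_needs_rehash($stored, PASSWORD_BCRYPT, ['cost' => $cost])) {
        $users[$username] = password_hash($password, PASSWORD_BCRYPT, ['cost' => $cost]);
    }
    return true;
}

// Demo with constructed data.
$users = [];
$cost = calibrateBcryptCost();
registerUser($users, 'alice', 'correct horse battery staple', $cost);

var_dump(loginUser($users, 'alice', 'correct horse battery staple', $cost));
var_dump(loginUser($users, 'alice', 'wrong password', $cost));
var_dump(loginUser($users, 'nobody', 'anything', $cost));
// The stored value starts with "$2y$<cost>$" followed by the salt and hash;
// store the whole string (60 characters for bcrypt) in the password column.
echo $users['alice'], "\n";
```

The client never needs the key, salt or IV from the question: the comparison happens only on the server, against a hash that cannot be reversed with anything found in the database.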