如何在PHP中的GET请求中传递加密的字符串?

时间:2017-02-12 16:24:46

标签: php http encryption hash cryptography

我正在使用以下类(使用继承)加密字符串

class UnsafeCrypto {

const METHOD = 'aes-256-ctr';

/**
 * Encrypts (but does not authenticate) a message
 * 
 * @param string $message - plaintext message
 * @param string $key - encryption key (raw binary expected)
 * @param boolean $encode - set to TRUE to return a base64-encoded 
 * @return string (raw binary)
 */
public static function encrypt($message, $key, $encode = false)
{
    $nonceSize = openssl_cipher_iv_length(self::METHOD);
    $nonce = openssl_random_pseudo_bytes($nonceSize);

    $ciphertext = openssl_encrypt(
        $message,
        self::METHOD,
        $key,
        OPENSSL_RAW_DATA,
        $nonce
    );

    // Now let's pack the IV and the ciphertext together
    // Naively, we can just concatenate
    if ($encode) {
        return base64_encode($nonce.$ciphertext);
    }
    return $nonce.$ciphertext;
}

/**
 * Decrypts (but does not verify) a message
 * 
 * @param string $message - ciphertext message
 * @param string $key - encryption key (raw binary expected)
 * @param boolean $encoded - are we expecting an encoded string?
 * @return string
 */
public static function decrypt($message, $key, $encoded = false)
{
    if ($encoded) {
        $message = base64_decode($message, true);
        if ($message === false) {
            throw new Exception('Encryption failure');
        }
    }

    $nonceSize = openssl_cipher_iv_length(self::METHOD);
    $nonce = mb_substr($message, 0, $nonceSize, '8bit');
    $ciphertext = mb_substr($message, $nonceSize, null, '8bit');

    $plaintext = openssl_decrypt(
        $ciphertext,
        self::METHOD,
        $key,
        OPENSSL_RAW_DATA,
        $nonce
    );

    return $plaintext;
 }
}

继承如下的课程。

class SaferCrypto extends UnsafeCrypto {
const HASH_ALGO = 'sha256';

/**
 * Encrypts then MACs a message
 * 
 * @param string $message - plaintext message
 * @param string $key - encryption key (raw binary expected)
 * @param boolean $encode - set to TRUE to return a base64-encoded string
 * @return string (raw binary)
 */
public static function encrypt($message, $key, $encode = false)
{
    list($encKey, $authKey) = self::splitKeys($key);

    // Pass to UnsafeCrypto::encrypt
    $ciphertext = parent::encrypt($message, $encKey);

    // Calculate a MAC of the IV and ciphertext
    $mac = hash_hmac(self::HASH_ALGO, $ciphertext, $authKey, true);

    if ($encode) {
        return base64_encode($mac.$ciphertext);
    }
    // Prepend MAC to the ciphertext and return to caller
    return $mac.$ciphertext;
}

/**
 * Decrypts a message (after verifying integrity)
 * 
 * @param string $message - ciphertext message
 * @param string $key - encryption key (raw binary expected)
 * @param boolean $encoded - are we expecting an encoded string?
 * @return string (raw binary)
 */
public static function decrypt($message, $key, $encoded = false)
{
    list($encKey, $authKey) = self::splitKeys($key);
    if ($encoded) {
        $message = base64_decode($message, true);
        if ($message === false) {
            throw new Exception('Encryption failure');
        }
    }

    // Hash Size -- in case HASH_ALGO is changed
    $hs = mb_strlen(hash(self::HASH_ALGO, '', true), '8bit');
    $mac = mb_substr($message, 0, $hs, '8bit');

    $ciphertext = mb_substr($message, $hs, null, '8bit');

    $calculated = hash_hmac(
        self::HASH_ALGO,
        $ciphertext,
        $authKey,
        true
    );

    if (!self::hashEquals($mac, $calculated)) {
        throw new Exception('Encryption failure');
    }

    // Pass to UnsafeCrypto::decrypt
    $plaintext = parent::decrypt($ciphertext, $encKey);

    return $plaintext;
}

/**
 * Splits a key into two separate keys; one for encryption
 * and the other for authenticaiton
 * 
 * @param string $masterKey (raw binary)
 * @return array (two raw binary strings)
 */
protected static function splitKeys($masterKey)
{
    // You really want to implement HKDF here instead!
    return [
        hash_hmac(self::HASH_ALGO, 'ENCRYPTION', $masterKey, true),
        hash_hmac(self::HASH_ALGO, 'AUTHENTICATION', $masterKey, true)
    ];
}

/**
 * Compare two strings without leaking timing information
 * 
 * @param string $a
 * @param string $b
 * @ref https://paragonie.com/b/WS1DLx6BnpsdaVQW
 * @return boolean
 */
protected static function hashEquals($a, $b)
{
    if (function_exists('hash_equals')) {
        return hash_equals($a, $b);
    }
    $nonce = openssl_random_pseudo_bytes(32);
    return hash_hmac(self::HASH_ALGO, $a, $nonce) === hash_hmac(self::HASH_ALGO, $b, $nonce);
 }
}

加密字符串如下。

$email = 'myemail@domain.com';
$key = 'Some key';
$encrypted_email = $encrypted = SaferCrypto::encrypt($message, $key);

字符串加密如下:

 óÜCu!>Ò·<x0½“—J ‡l¿Ø ;ƒ;›OøVP#ï 1 Sjñ,(ñúrÛòv–~ºyÍg ÷–´´iƒû

如果我使用urlencode($string)传递此数据,则数据未被解密,因为哈希不匹配,因为hashEquals方法正在抛出异常。

在GET请求中传递加密字符串的正确方法是什么?

1 个答案:

答案 0 :(得分:0)

目前尚不清楚,问题是什么,但您可以使用base64_encode($encrypted_email)将字符串像HDo1FaXabDHjfxBkpx7YBHNGVeZ/G8FvI2BoxES2rUu3lvNWRo5G0PImiv9IhENv一样传递给smth。

<a href="?enc=<?=base64_encode($encrypted_email)?>">link</a>

接收时,解码

$encrypted_email = base64_decode($_GET['enc']);