Lazy Beginner’s Chapter on PHP Encryption and Decryption (API Security Enhancement Chapter 1)

  1. Lazy
  2. introduction

These two points are enough to show that this article does not want any technical content of high-end atmosphere. I tell you, it is all water. There can be no prime numbers, elliptic curve encryption, Duffy-Herman, etc. There can be no prime numbers.

First, I don’t understand, second, you don’t understand anyway.

However, I still want to say one thing first, that is, many mud legs have always regarded md5 as an encryption algorithm, but in fact md5 is an information digest algorithm (actually a hash), not an encryption algorithm, because md5 is irreversible, but encryption and decryption is a reversible process, so it is better not to make such low-level mistakes in the future.

Encryption technology has always been a unique field and branch in the technical circle, and some of its principles are not easy to understand. Without a good foundation in mathematics, it is even difficult to study it. However, as an article on hydrology, it is not a big problem to use only one to practice without studying the principle.

Encryption falls into two broad categories:

  • Symmetric encryption, common algorithms include DES, 3DES, AES, etc. It is said that AES is the latest and most commonly used algorithm compared with others
  • Asymmetric encryption, RSA, DSA, ECDH, etc

Symmetric encryption is to use the same key to encrypt and decrypt information in crude language. For example, the Fü hrer is about to operate the Eastern Front. He sent a telegram to guderian, which probably means “Get out of my way and let me operate! Immediately hit Kiev south! ” However, the Fü hrer was afraid that zhukov would see the news, so the Fü hrer used a strong key 123456 to encrypt the passage, and then the passage became akjdslfjalwjglajwg. After receiving this mess, guderian used 123456 to decrypt it and got the clear text: “Get out of my way and let me operate! Immediately hit Kiev south! ” However, zhukov could not think of the super key 123456 because he scratched his skull. Therefore, zhukov was doomed to face the challenge and eventually led to the rape of 600,000 Soviet troops in Kiev. However, there is a problem inside that is how the head of state told guderian that the private key was 123456.

  1. The two discussed it in advance, secretly the day before June 22, 1941. . .
  2. The two did not discuss it in advance, but after guderian arrived in the eastern front, the head of state made a phone call, sent a telegram, QQ and WeChat. . . . . .

For zhukov, if the other party adopts Scheme 1, then he has no good idea but to wait for the undercover agents lurking beside guderian to return to 123456. Since the key was exposed, a new key must be exchanged. The Fü hrer can only go through route 2 to tell guderian about the new key at the moment. What’s pressing now is how to encrypt the key. The answer isno. At this time, the problem falls into the contradiction that encryption is the first step to encryption. Therefore, this key is destined to be transmitted in clear text. As long as it is transmitted in clear text, zhukov will definitely have a chance to get the key.

Asymmetric encryption is to solve this problem. The secret key is exchanged but still not exposed. It’s a rip-off. As for the Fü hrer and guderian, they now generate a pair of their own public and private keys respectively. What needs to be emphasized here is that:

  1. The public key and the private key are generated in pairs. They are connected by some mysterious mathematical principle. I don’t know exactly what it is.
  2. The data encrypted by the public key can only be decrypted by the corresponding private key. The data encrypted by the private key can only be decrypted by the corresponding public key
  3. The public key can be issued to anyone, but the private key is secretly hidden in your crotch. Don’t lose it.

At the moment, it is simple. The head of state gives his public key to guderian, then guderian gives his public key to the head of state, and then secretly keeps his private key. One day, the Fü hrer told guderian, “Don’t do it, don’t listen to me every day!” , and then use the public key issued by guderian encryption, and then let the air force to the eastern front directly still flyers, throwing all over the floor, guderian saw after took out his private key from his crotch decryption, and then immediately leave home to rest, before going back with the head of state’s public key encryption of the following message “silly force, I still don’t serve!” And then let the air force go back and scatter all over Berlin. when the head of state saw it, he took out his private key from his crotch and decrypted it: “lie in the trough. . 。” . Although this pair of hands were careless in handing out leaflets, zhukov could only stand by and be helpless. Since the private key used for decryption will never circulate outside, the probability of disclosure is 0.

However, one thing is worth explaining, that is, whether symmetric encryption or asymmetric encryption, can’t resist the use of a machine to guess the private key by force and violence. One year can’t do two years, two years can’t do twenty years, twenty years can’t do a hundred years, always can guess, this is no way to one thing. You can search for the 768bit RSA incident by KO, right?

Next, we stripped a symmetric encryption library from gayhub and tried an aes symmetric encryption algorithm. The address is as follows:

https://github.com/ivantcholakov/gibberish-aes-php

Gitcone directly into the directory, then test the code as follows:

<?php
require 'GibberishAES.php';
$pass   = '123456';
$string = '你好,古德里安,我是希特勒,你赶紧给我滚回来...';
GibberishAES::size(256);
$encrypted_string = GibberishAES::enc( $string, $pass );
$decrypted_string = GibberishAES::dec( $encrypted_string, $pass );
echo PHP_EOL."加密后的:".$encrypted_string.PHP_EOL;
echo "解密后的:".$decrypted_string.PHP_EOL.PHP_EOL;

Save as test.php, run the results as follows:

Then we will run the above code 100,000 times to see how long it takes:

require 'GibberishAES.php';
$pass   = '123456';
$string = '你好,古德里安,我是希特勒,你赶紧给我滚回来...';
GibberishAES::size(256);
$start_time = microtime( true );
for( $i = 1; $i <= 100000; $i++ ) {
  $encrypted_string = GibberishAES::enc( $string, $pass );
  $decrypted_string = GibberishAES::dec( $encrypted_string, $pass );
}
$end_time = microtime( true );
echo "一共耗时:".( $end_time -  $start_time ).PHP_EOL;

Save as test.php, run the results as follows:

Then, let’s go to gayhub and pick up an asymmetric encrypted library, such as this:

https://github.com/vlucas/pik …

Let’s rip off the code and write a demo ourselves to try it out, as follows:

<?php
$publicKey = '
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA7o9A47JuO3wgZ/lbOIOs
Xc6cVSiCMsrglvORM/54StFRvcrxMi7OjXD6FX5fQpUOQYZfIOFZZMs6kmNXk8xO
hgTmdMJcBWolQ85acfAdWpTpCW29YMvXNARUDb8uJKAApsISnttyCnbvp7zYMdQm
HiTG/+bYaegSXzV3YN+Ej+ZcocubUpLp8Rpzz+xmXep3BrjBycAE9z2IrrV2rlwg
TTxU/B8xmvMsToBQpAbe+Cv130tEHsyW4UL9KZY1M9R+UHFPPmORjBKxSZvjJ1mS
UbUYN6PmMry35wCaFCfQoyTDUxBfxTGYqjaveQv4sxx0uvoiLXHt9cAm5Q8KJ+8d
FwIDAQAB
-----END PUBLIC KEY-----
';
$privateKey = '
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEA7o9A47JuO3wgZ/lbOIOsXc6cVSiCMsrglvORM/54StFRvcrx
Mi7OjXD6FX5fQpUOQYZfIOFZZMs6kmNXk8xOhgTmdMJcBWolQ85acfAdWpTpCW29
YMvXNARUDb8uJKAApsISnttyCnbvp7zYMdQmHiTG/+bYaegSXzV3YN+Ej+Zcocub
UpLp8Rpzz+xmXep3BrjBycAE9z2IrrV2rlwgTTxU/B8xmvMsToBQpAbe+Cv130tE
HsyW4UL9KZY1M9R+UHFPPmORjBKxSZvjJ1mSUbUYN6PmMry35wCaFCfQoyTDUxBf
xTGYqjaveQv4sxx0uvoiLXHt9cAm5Q8KJ+8dFwIDAQABAoIBAHkWS3iHy/3zjjtY
TV4NL8NZqO5splGDuqXEMbKzenl3b8cnKHAxY/RVIQsh3tZb9CV8P/Lfj1Fi+nLt
a7mAXWcXO6aONMkmzI1zQ2NL3opoxTRc+GAWd0BW5hcoMBK1CD+ciHkLqAH5xsFc
UFxSc5qfTkb79GMlQZYD/Hk2WwHyj7hAkyxip4ye1EOnH5h8H7vIUjwp+H6Rmt5w
FTiVJbokhzwiczChUJVWgnowegL/qFV+yNfHGGKqVdIQfKdCsHR6jAuKCww5QniN
qDEi/M2Az0R4qfVmf38uMvOJTWaxp08JV4qRyNdh6hhbj+nY1EZ8haOiC7tjz2mJ
XqqKQfkCgYEA95yb5ezTBF4Pbr589OnU6VFdM88BCrKKvSWE8D1fzZZTsXur5k/x
cOwfio4RkmJwMnjuzZN6nvL5QddfcmPWQAoepHR8eA9yhIz57YWgrqE9ZXI8DgMy
SFuy5EkV5vudjDIr7kBXaGuUh3ErZfglyrV/rUfydGdTWyY8phMq/6MCgYEA9qQj
7kb5uyU8nrXoDqKPpy6ijEpVilgy4VR7RuB2vMh74wKI1QQYED+PxfcHe5RP8WGF
Bl+7VnmrGka4xJWeN7GKW4GRx5gRAzg139DXkqwPlXyM3ZR3pLd8wtbxTmJrcPby
A6uNRhGPpuyhDs5hx9z6HvLoCs+O0A9gDaChM/0CgYEAycRguNPpA2cOFkS8l+mu
p8y4MM5eX/Qq34QiNo0ccu8rFbXb1lmQOV7/OK0Znnn+SPKITRX+1mTRPZidWx4F
aLuWSpXtEvwrad1ijuzTiVk0KWUTkKuEHrgyJplzcnvX3nTHnWXqk9kN9+v83CN/
0BVji7TT2YyUvPKEeyOlZxcCgYABFm42Icf+JEblKEYyslLR2OnMlpNT/dmTlszI
XjsH0BaDxMIXtmHoyG7434L/74J+vQBaK9fmpLi1b/RmoYZGFplWl/atm6UPj5Ll
PsWElw+miBsS6xGv/0MklNARmWuB3wToMTx5P6CTit2W9CAIQpgzxLxzN8EYd8jj
pn6vfQKBgQCHkDnpoNZc2m1JksDiuiRjZORKMYz8he8seoUMPQ+iQze66XSRp5JL
oGZrU7JzCxuyoeA/4z36UN5WXmeS3bqh6SinrPQKt7rMkK1NQYcDUijPBMt0afO+
LH0HIC1HAtS6Wztd2Taoqwe5Xm75YW0elo4OEqiAfubAC85Ec4zfxw==
-----END RSA PRIVATE KEY-----
';
require 'RSA.php';
$rsa       = new RSA( $publicKey, $privateKey );
$data      = '你好,古德里安,我是希特勒,你赶紧给我滚回来...';
$encrypted = $rsa->encrypt( $data );
$decrypted = $rsa->decrypt( $encrypted );
echo "加密过后的:".$encrypted.PHP_EOL;
echo "解密过后的:".$decrypted.PHP_EOL;

Save it for test.php and run it, as shown in the following figure:

Then we will run the above code over and over again 100,000 times to see how long it will take. Only the key parts of the code will be pasted here:

<?php
require 'RSA.php';
$rsa       = new RSA( $publicKey, $privateKey );
$data      = '你好,古德里安,我是希特勒,你赶紧给我滚回来...';
$start = microtime( true );
for( $i = 1; $i <= 100000; $i++ ) {
  $encrypted = $rsa->encrypt( $data );
  $decrypted = $rsa->decrypt( $encrypted );
}
$end = microtime( true );
echo "一共耗时:".( $end - $start ).PHP_EOL;

Then, the operation results are shown in the following figure (actually, due to the long waiting time, I simply went to brush my teeth and wash my face):

Don’t be surprised, has the titanium alloy dog’s eye been blinded? Blind also useless, this is true, the code is no problem, is to take such a long time, there is no way.

Then the problem comes, excavator science … symmetric encryption is not safe, asymmetric encryption is deadly, is there any good way?

Nonsense, of course … …

Recently, a WeChat public number was opened, and all articles were posted here first.

图片描述