Lazy Beginner’s Chapter on PHP Encryption and Decryption (API Security Enhancement Chapter 1)

  1. Lazy
  2. introduction

These two points are enough to show that this article does not want any technical content of high-end atmosphere. I tell you, it is all water. There can be no prime numbers, elliptic curve encryption, Duffy-Herman, etc. There can be no prime numbers.

First, I don’t understand, second, you don’t understand anyway.

However, I still want to say one thing first, that is, many mud legs have always regarded md5 as an encryption algorithm, but in fact md5 is an information digest algorithm (actually a hash), not an encryption algorithm, because md5 is irreversible, but encryption and decryption is a reversible process, so it is better not to make such low-level mistakes in the future.

Encryption technology has always been a unique field and branch in the technical circle, and some of its principles are not easy to understand. Without a good foundation in mathematics, it is even difficult to study it. However, as an article on hydrology, it is not a big problem to use only one to practice without studying the principle.

Encryption falls into two broad categories:

  • Symmetric encryption, common algorithms include DES, 3DES, AES, etc. It is said that AES is the latest and most commonly used algorithm compared with others
  • Asymmetric encryption, RSA, DSA, ECDH, etc

Symmetric encryption is to use the same key to encrypt and decrypt information in crude language. For example, the Fü hrer is about to operate the Eastern Front. He sent a telegram to guderian, which probably means “Get out of my way and let me operate! Immediately hit Kiev south! ” However, the Fü hrer was afraid that zhukov would see the news, so the Fü hrer used a strong key 123456 to encrypt the passage, and then the passage became akjdslfjalwjglajwg. After receiving this mess, guderian used 123456 to decrypt it and got the clear text: “Get out of my way and let me operate! Immediately hit Kiev south! ” However, zhukov could not think of the super key 123456 because he scratched his skull. Therefore, zhukov was doomed to face the challenge and eventually led to the rape of 600,000 Soviet troops in Kiev. However, there is a problem inside that is how the head of state told guderian that the private key was 123456.

  1. The two discussed it in advance, secretly the day before June 22, 1941. . .
  2. The two did not discuss it in advance, but after guderian arrived in the eastern front, the head of state made a phone call, sent a telegram, QQ and WeChat. . . . . .

For zhukov, if the other party adopts Scheme 1, then he has no good idea but to wait for the undercover agents lurking beside guderian to return to 123456. Since the key was exposed, a new key must be exchanged. The Fü hrer can only go through route 2 to tell guderian about the new key at the moment. What’s pressing now is how to encrypt the key. The answer isno. At this time, the problem falls into the contradiction that encryption is the first step to encryption. Therefore, this key is destined to be transmitted in clear text. As long as it is transmitted in clear text, zhukov will definitely have a chance to get the key.

Asymmetric encryption is to solve this problem. The secret key is exchanged but still not exposed. It’s a rip-off. As for the Fü hrer and guderian, they now generate a pair of their own public and private keys respectively. What needs to be emphasized here is that:

  1. The public key and the private key are generated in pairs. They are connected by some mysterious mathematical principle. I don’t know exactly what it is.
  2. The data encrypted by the public key can only be decrypted by the corresponding private key. The data encrypted by the private key can only be decrypted by the corresponding public key
  3. The public key can be issued to anyone, but the private key is secretly hidden in your crotch. Don’t lose it.

At the moment, it is simple. The head of state gives his public key to guderian, then guderian gives his public key to the head of state, and then secretly keeps his private key. One day, the Fü hrer told guderian, “Don’t do it, don’t listen to me every day!” , and then use the public key issued by guderian encryption, and then let the air force to the eastern front directly still flyers, throwing all over the floor, guderian saw after took out his private key from his crotch decryption, and then immediately leave home to rest, before going back with the head of state’s public key encryption of the following message “silly force, I still don’t serve!” And then let the air force go back and scatter all over Berlin. when the head of state saw it, he took out his private key from his crotch and decrypted it: “lie in the trough. . 。” . Although this pair of hands were careless in handing out leaflets, zhukov could only stand by and be helpless. Since the private key used for decryption will never circulate outside, the probability of disclosure is 0.

However, one thing is worth explaining, that is, whether symmetric encryption or asymmetric encryption, can’t resist the use of a machine to guess the private key by force and violence. One year can’t do two years, two years can’t do twenty years, twenty years can’t do a hundred years, always can guess, this is no way to one thing. You can search for the 768bit RSA incident by KO, right?

Next, we stripped a symmetric encryption library from gayhub and tried an aes symmetric encryption algorithm. The address is as follows:

Gitcone directly into the directory, then test the code as follows:

require 'GibberishAES.php';
$pass   = '123456';
$string = '你好,古德里安,我是希特勒,你赶紧给我滚回来...';
$encrypted_string = GibberishAES::enc( $string, $pass );
$decrypted_string = GibberishAES::dec( $encrypted_string, $pass );
echo PHP_EOL."加密后的:".$encrypted_string.PHP_EOL;
echo "解密后的:".$decrypted_string.PHP_EOL.PHP_EOL;

Save as test.php, run the results as follows:

Then we will run the above code 100,000 times to see how long it takes:

require 'GibberishAES.php';
$pass   = '123456';
$string = '你好,古德里安,我是希特勒,你赶紧给我滚回来...';
$start_time = microtime( true );
for( $i = 1; $i <= 100000; $i++ ) {
  $encrypted_string = GibberishAES::enc( $string, $pass );
  $decrypted_string = GibberishAES::dec( $encrypted_string, $pass );
$end_time = microtime( true );
echo "一共耗时:".( $end_time -  $start_time ).PHP_EOL;

Save as test.php, run the results as follows:

Then, let’s go to gayhub and pick up an asymmetric encrypted library, such as this: …

Let’s rip off the code and write a demo ourselves to try it out, as follows:

$publicKey = '
-----END PUBLIC KEY-----
$privateKey = '
require 'RSA.php';
$rsa       = new RSA( $publicKey, $privateKey );
$data      = '你好,古德里安,我是希特勒,你赶紧给我滚回来...';
$encrypted = $rsa->encrypt( $data );
$decrypted = $rsa->decrypt( $encrypted );
echo "加密过后的:".$encrypted.PHP_EOL;
echo "解密过后的:".$decrypted.PHP_EOL;

Save it for test.php and run it, as shown in the following figure:

Then we will run the above code over and over again 100,000 times to see how long it will take. Only the key parts of the code will be pasted here:

require 'RSA.php';
$rsa       = new RSA( $publicKey, $privateKey );
$data      = '你好,古德里安,我是希特勒,你赶紧给我滚回来...';
$start = microtime( true );
for( $i = 1; $i <= 100000; $i++ ) {
  $encrypted = $rsa->encrypt( $data );
  $decrypted = $rsa->decrypt( $encrypted );
$end = microtime( true );
echo "一共耗时:".( $end - $start ).PHP_EOL;

Then, the operation results are shown in the following figure (actually, due to the long waiting time, I simply went to brush my teeth and wash my face):

Don’t be surprised, has the titanium alloy dog’s eye been blinded? Blind also useless, this is true, the code is no problem, is to take such a long time, there is no way.

Then the problem comes, excavator science … symmetric encryption is not safe, asymmetric encryption is deadly, is there any good way?

Nonsense, of course … …

Recently, a WeChat public number was opened, and all articles were posted here first.