Introduction to the Lazy Man about PHP Encryption and Decryption (API Security Enhancement Part 1)

Keywords: PHP github REST git

  1. Slacker
  2. Introduction

These two points are enough to show that this article does not want to have any high-end atmospheric technology content, I tell you, it's all water. There can't be any prime number, elliptic curve cryptography, Diffy-Herman or anything, there can't be.

First of all, I don't understand it. Second, you don't understand it anyway.

But let's start by saying that many muddy legs always treat md5 as an encryption algorithm, but in fact md5 is an information digest algorithm (in fact, hash), not an encryption algorithm, because md5 is irreversible, but encryption and decryption is a reversible process, so it's better not to make such a low-level error in the future.

Encryption technology has always been a unique field and branch in the technical circle, and some of its principles are not readily understandable. If there is no good mathematical foundation, I am afraid it is very difficult to study. However, as a hydrology article, it is not a big problem to study the principle and only use it for practice.

Encryption falls into two categories:

  • Symmetric encryption, common algorithms are DES, 3DES, AES and so on. It is said that AES is the newest and most commonly used algorithm of Biao.
  • Asymmetric encryption, RSA, DSA, ECDH, etc.

Symmetric encryption uses the same key to encrypt and decrypt information in rough language. For example, the Fuehrer had to operate the battlefield on the Eastern Front and sent a telegram to Guderian, which roughly meant, "You give me a break, let me operate!" Immediately go south to Kiev!" But the Fuehrer was afraid that Zhukov would read the message, so the Fuehrer encrypted it with a strong key 123456, and then it became akjdslfjalwjglajwg. Guderian receives this messy stuff, decrypts it with 123456, and gets the plaintext: "You give me a break, let me operate! Immediately go south to Kiev!" However, because Zhukov scratched his skull and did not expect the super key 123456, Zhukov was doomed to be confused and eventually led to the rape of 600,000 Soviet troops in Kiev. But there's a question about how the head of state told Guderian that his private key was 123456.

  1. The two men consulted ahead of time, and secretly consulted the day before June 22, 1941...
  2. The two men did not negotiate ahead of time, but when Guderian arrived at the Eastern Line, the Fuehrer made phone calls, telegrams, QQ and Wechat....

For Zhukov, if the other side adopted Plan 1, then he had nothing to do but wait for the secret agent lurking next to Guderian to return to 123456 undercover. Because the key has been exposed, so a new key must be replaced. The Head of State can only go to Way 2 to tell Guderian the new key at this time. Now the funny thing is coming, how to encrypt the key. The answer is No. At this point, the problem falls into the contradiction that if you want to encrypt, you must encrypt first. Therefore, the key is destined to be transmitted in plaintext. As long as it is transmitted in plaintext, Zhukov will have a chance to get the key.

Asymmetric encryption is the solution to this problem. Keys are exchanged to keep them hidden. Or the head of state and Guderian, who now generate their own public and private keys, respectively. Here we need to emphasize that:

  1. The public key and the private key are generated in pairs. They are connected by some mysterious mathematical principle. I don't know what they are.
  2. Data encrypted by public key can only be decrypted by corresponding private key; data encrypted by private key can only be decrypted by corresponding public key.
  3. Public keys can be given to anyone, but private keys can be secretly hidden in your crotch, so don't lose them.

Now it's easy. The head of state gives his public key to Goodrich, then Goodrich gives his public key to the head of state, and then secretly keeps his private key. One day, the Fuehrer told Guderian, "Don't do it, you don't listen to me every day!" Then encrypted with the public key issued by Guderian, and then let the Air Force to the East Line directly still flyers, throwing all over the ground. Guderian saw it and took out his private key from his crotch to decrypt it. Then he immediately asked for leave and went home to rest. Before returning, he encrypted the following message with the head of state's public key: "Silly, Lao Tzu is not waiting!" Then the Air Force was sent back to scatter it in Berlin. When the Head of State saw it, he took out his private key from his crotch and decrypted it: "Bedroom...". Although both sides are very careless handbills, Zhukov can only be in the side of a face, unable to love. Because the private key used for decryption is never circulated, the probability of leakage is zero.

However, it is worth pointing out that neither symmetric encryption nor asymmetric encryption can withstand the violent guessing of private keys by machine. One year can't last two years, two years can't last twenty years, twenty years can't last a hundred years. We can always guess that there is no way to do this. You can search for events about 768 bit RSA being KO, right?

Next, we pick up a symmetric encryption library from gayhub and try an aes symmetric encryption algorithm. The address is as follows:

https://github.com/ivantcholakov/gibberish-aes-php

Direct git clone to the directory, and then test the code as follows:

<?php
require 'GibberishAES.php';
$pass   = '123456';
$string = 'Hello, Gudrian, this is Hitler. Get back to me now....';
GibberishAES::size(256);
$encrypted_string = GibberishAES::enc( $string, $pass );
$decrypted_string = GibberishAES::dec( $encrypted_string, $pass );
echo PHP_EOL."After encryption:".$encrypted_string.PHP_EOL;
echo "After decryption:".$decrypted_string.PHP_EOL.PHP_EOL;

Save it as test.php and run it as follows:

Then we run the code over and over 100,000 times to see how long it takes:

require 'GibberishAES.php';
$pass   = '123456';
$string = 'Hello, Gudrian, this is Hitler. Get back to me now....';
GibberishAES::size(256);
$start_time = microtime( true );
for( $i = 1; $i <= 100000; $i++ ) {
  $encrypted_string = GibberishAES::enc( $string, $pass );
  $decrypted_string = GibberishAES::dec( $encrypted_string, $pass );
}
$end_time = microtime( true );
echo "It takes a total of time:".( $end_time -  $start_time ).PHP_EOL;

Save it as test.php and run it as follows:

Then we go to the gayhub and pick up an asymmetrically encrypted library, such as this:

https://github.com/vlucas/pik...

Let's scrape down the code and write a demo for ourselves. Here's what it looks like:

<?php
$publicKey = '
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA7o9A47JuO3wgZ/lbOIOs
Xc6cVSiCMsrglvORM/54StFRvcrxMi7OjXD6FX5fQpUOQYZfIOFZZMs6kmNXk8xO
hgTmdMJcBWolQ85acfAdWpTpCW29YMvXNARUDb8uJKAApsISnttyCnbvp7zYMdQm
HiTG/+bYaegSXzV3YN+Ej+ZcocubUpLp8Rpzz+xmXep3BrjBycAE9z2IrrV2rlwg
TTxU/B8xmvMsToBQpAbe+Cv130tEHsyW4UL9KZY1M9R+UHFPPmORjBKxSZvjJ1mS
UbUYN6PmMry35wCaFCfQoyTDUxBfxTGYqjaveQv4sxx0uvoiLXHt9cAm5Q8KJ+8d
FwIDAQAB
-----END PUBLIC KEY-----
';
$privateKey = '
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEA7o9A47JuO3wgZ/lbOIOsXc6cVSiCMsrglvORM/54StFRvcrx
Mi7OjXD6FX5fQpUOQYZfIOFZZMs6kmNXk8xOhgTmdMJcBWolQ85acfAdWpTpCW29
YMvXNARUDb8uJKAApsISnttyCnbvp7zYMdQmHiTG/+bYaegSXzV3YN+Ej+Zcocub
UpLp8Rpzz+xmXep3BrjBycAE9z2IrrV2rlwgTTxU/B8xmvMsToBQpAbe+Cv130tE
HsyW4UL9KZY1M9R+UHFPPmORjBKxSZvjJ1mSUbUYN6PmMry35wCaFCfQoyTDUxBf
xTGYqjaveQv4sxx0uvoiLXHt9cAm5Q8KJ+8dFwIDAQABAoIBAHkWS3iHy/3zjjtY
TV4NL8NZqO5splGDuqXEMbKzenl3b8cnKHAxY/RVIQsh3tZb9CV8P/Lfj1Fi+nLt
a7mAXWcXO6aONMkmzI1zQ2NL3opoxTRc+GAWd0BW5hcoMBK1CD+ciHkLqAH5xsFc
UFxSc5qfTkb79GMlQZYD/Hk2WwHyj7hAkyxip4ye1EOnH5h8H7vIUjwp+H6Rmt5w
FTiVJbokhzwiczChUJVWgnowegL/qFV+yNfHGGKqVdIQfKdCsHR6jAuKCww5QniN
qDEi/M2Az0R4qfVmf38uMvOJTWaxp08JV4qRyNdh6hhbj+nY1EZ8haOiC7tjz2mJ
XqqKQfkCgYEA95yb5ezTBF4Pbr589OnU6VFdM88BCrKKvSWE8D1fzZZTsXur5k/x
cOwfio4RkmJwMnjuzZN6nvL5QddfcmPWQAoepHR8eA9yhIz57YWgrqE9ZXI8DgMy
SFuy5EkV5vudjDIr7kBXaGuUh3ErZfglyrV/rUfydGdTWyY8phMq/6MCgYEA9qQj
7kb5uyU8nrXoDqKPpy6ijEpVilgy4VR7RuB2vMh74wKI1QQYED+PxfcHe5RP8WGF
Bl+7VnmrGka4xJWeN7GKW4GRx5gRAzg139DXkqwPlXyM3ZR3pLd8wtbxTmJrcPby
A6uNRhGPpuyhDs5hx9z6HvLoCs+O0A9gDaChM/0CgYEAycRguNPpA2cOFkS8l+mu
p8y4MM5eX/Qq34QiNo0ccu8rFbXb1lmQOV7/OK0Znnn+SPKITRX+1mTRPZidWx4F
aLuWSpXtEvwrad1ijuzTiVk0KWUTkKuEHrgyJplzcnvX3nTHnWXqk9kN9+v83CN/
0BVji7TT2YyUvPKEeyOlZxcCgYABFm42Icf+JEblKEYyslLR2OnMlpNT/dmTlszI
XjsH0BaDxMIXtmHoyG7434L/74J+vQBaK9fmpLi1b/RmoYZGFplWl/atm6UPj5Ll
PsWElw+miBsS6xGv/0MklNARmWuB3wToMTx5P6CTit2W9CAIQpgzxLxzN8EYd8jj
pn6vfQKBgQCHkDnpoNZc2m1JksDiuiRjZORKMYz8he8seoUMPQ+iQze66XSRp5JL
oGZrU7JzCxuyoeA/4z36UN5WXmeS3bqh6SinrPQKt7rMkK1NQYcDUijPBMt0afO+
LH0HIC1HAtS6Wztd2Taoqwe5Xm75YW0elo4OEqiAfubAC85Ec4zfxw==
-----END RSA PRIVATE KEY-----
';
require 'RSA.php';
$rsa       = new RSA( $publicKey, $privateKey );
$data      = 'Hello, Gudrian, this is Hitler. Get back to me now....';
$encrypted = $rsa->encrypt( $data );
$decrypted = $rsa->decrypt( $encrypted );
echo "After encryption:".$encrypted.PHP_EOL;
echo "After decryption:".$decrypted.PHP_EOL;

Save it as test.php and run it as follows:

Then we run the above code 100,000 times over and over again to see how long it takes. Only the key parts of the code are posted here:

<?php
require 'RSA.php';
$rsa       = new RSA( $publicKey, $privateKey );
$data      = 'Hello, Gudrian, this is Hitler. Get back to me now....';
$start = microtime( true );
for( $i = 1; $i <= 100000; $i++ ) {
  $encrypted = $rsa->encrypt( $data );
  $decrypted = $rsa->decrypt( $encrypted );
}
$end = microtime( true );
echo "It takes a total of time:".( $end - $start ).PHP_EOL;

Then, the results are shown in the following figure (actually, because the waiting time is too long, I simply brush my teeth and wash my face):

Not surprisingly, has the titanium alloy dog's eye been blinded? It's no use being blind. It's true. There's no problem with the code. It takes so long. There's no way.

So the problem arises. Excavator science... Symmetric encryption is unsafe, and asymmetric encryption is life-threatening. Is there any good way?

Nonsense, of course...

Recently, a Wechat Public Number was opened, and all articles were posted here first.

Posted by justbane on Sat, 27 Apr 2019 17:00:36 -0700