Summary of using PHP openssl encryption extension

This article mainly introduces a summary of the use of PHP's openssl encryption extension. Interested friends can refer to it. I hope it will be helpful to everyone.

Introduction

In the history of the development of the Internet, security has always been a subject that developers attach great importance to. In order to achieve data transmission security, we Need to ensure: data source (non-forged request), data integrity (not modified), data privacy (encrypted text, cannot be read directly), etc. Although there is already an HTTPS protocol implemented by the SSL/TLS protocol, it relies on the correct implementation of the browser on the client and is very inefficient. Therefore, general sensitive data (such as transaction payment information, etc.) still require us to use encryption methods. to manually encrypt.

Although it is not necessary for ordinary WEB developers to have an in-depth understanding of some underlying security-related technologies, it is necessary to learn the basics of encryption and use existing encryption-related tools. Due to work needs, I read some encryption-related articles and completed this article based on my own experience.

Encryption Basics

Before learning how to use encryption, we need to understand some basic knowledge related to encryption.

Encryption algorithms are generally divided into two types: symmetric encryption algorithms and asymmetric encryption algorithms.

Symmetric encryption

The symmetric encryption algorithm is that the sender and receiver of the message use the same key, and the sender uses the key to encrypt the file , the recipient uses the same key to decrypt and obtain the information. Common symmetric encryption algorithms are: des/aes/3des.

The characteristics of symmetric encryption algorithms are: fast, the file size does not change much before and after encryption, but the storage of the key is a big problem, because the sender of the message If the key of either party is lost, the information transmission will become unsafe.

Asymmetric encryption

The opposite of symmetric encryption is asymmetric encryption. The core idea of ​​asymmetric encryption is to use a pair of opposite keys. , divided into public key and private key. The private key is kept safely and the public key is made public. The public key and the private key are a pair. If the public key is used to encrypt data, only the corresponding private key can be used to decrypt it; if the private key is used to encrypt the data, then only the corresponding public key can be used to decrypt it. Just use the recipient's public key to encrypt the data before sending it. Common asymmetric encryption algorithms include RSA/DSA:

Although asymmetric encryption does not have key storage problems, it requires a large amount of calculation and the encryption speed is very slow. Sometimes we need to block large pieces of data. encryption.

Digital signature

In order to ensure the integrity of the data, a hash value needs to be calculated through a hash function. This hash value Known as a digital signature. Its characteristics are:

•No matter how big the original data is, the length of the result is the same;
•The input is the same, and the output is the same;
•Small changes to the input will make a big difference in the result. changes;
•The encryption process is irreversible, and the original data cannot be obtained through the hash value;

Common digital signature algorithms include md5, hash1 and other algorithms.

openssl extension for PHP

openssl extension uses openssl encryption extension package, which encapsulates multiple PHP related to encryption and decryption function, which greatly facilitates the encryption and decryption of data. Commonly used functions are:

Symmetric encryption related:

string openssl_encrypt (string $data, string $method, string $password)

Where $data is the data to be encrypted, $method is the method to be used for encryption, $password is the key to be used, and the function returns the encrypted data;

The $method list can Use openssl_get_cipher_methods() to get it. We choose one of them to use. The $method list is in the shape of:

##

Array(
  0 => aes-128-cbc,  // aes加密
  1 => des-ecb,    // des加密
  2 => des-ede3,   // 3des加密
  ...
  )

The decryption function is string openssl_encrypt ( string $ data, string $method, string $password)

Asymmetric encryption related:

openssl_get_publickey();openssl_pkey_get_public();   // 从证书导出公匙；
openssl_get_privatekey();openssl_pkey_get_private();  // 从证书导出私匙；

They You only need to pass in the certificate file (usually a .pem file);

openssl_public_encrypt(string $data , string &$crypted , mixed $key [, int $padding = OPENSSL\_PKCS1\_PADDING ] )

Use the public key to encrypt the data, where $data is the data to be encrypted; $ crypted is a reference variable, and the encrypted data will be put into this variable; $key is the public key data to be passed in; because when the encrypted data is grouped, it may not be exactly an integer multiple of the number of encryption bits. Therefore, $padding is needed. The options for $padding are OPENSSL_PKCS1_PADDING and OPENSSL_NO_PADDING, which are PKCS1 padding or no padding respectively.

The opposite of this method is (the incoming parameters are consistent):

openssl_private_encrypt()； // 使用私匙加密；
openssl_private_decrypt()； // 使用私匙解密；
openssl_private_decrypt()； // 使用公匙解密；

There are also signature and verification functions:

bool openssl_sign ( string $data , string &$signature , mixed $priv_key_id [, mixed $signature_alg = OPENSSL_ALGO_SHA1 ] )
int openssl_verify ( string $data , string $signature , mixed $pub_key_id [, mixed $signature_alg = OPENSSL_ALGO_SHA1 ] )

签名函数：$data为要签名的数据；$signature为签名结果的引用变量；$priv_key_id为签名所使用的私匙;$signature_alg为签名要使用的算法，其算法列表可以使用<span style="font-family:NSimsun">openssl_get_md_methods ()</span>得到，形如：

array(
  0 => MD5,
  1 => SHA1,
  2 => SHA256,
  ...
)

验签函数：与签名函数相对，只不过它要传入与私匙对应的公匙；其结果为签名验证结果，1为成功，0为失败，-1则表示错误；

加密实例

以下是一个非对称加密使用的小例子：

// 获取公匙
$pub_key = openssl_get_publickey('test.pem');

$encrypted = '';
// 对数据分块加密
for ($offset = 0, $length = strlen($raw_msg); $offset < $length; $offset += $key_size){  
  $encryptedBlock = &#39;&#39;;
  $data = substr($raw_msg, $offset, $key_size)
  if (!openssl_public_encrypt($data, $encryptedBlock, $pub_key, OPENSSL_PKCS1_PADDING)){
    return &#39;&#39;;
  } else {
    $encrypted .= $encryptedBlock;
 }
 return $encrypted;

而对称加密就非常简单了，直接使用ssl_encrypt()函数即可；

当然一些接口可能会对加密方法进行不同的要求，如不同的padding,加密块大小等等，这些就需要使用者自己调整了。

因为我们是在HTTP协议之上处理的数据，所以数据加密完成后，就可以直接发送了，不用再考虑底层的传输，使用cURL或SOAP扩展方法，就可以直接请求接口啦。

结语

密码学是一个十分高深的学科，它理论艰深，概念繁多，作为一个WEB开发人员，虽然不需要我们去研究其底层实现，但是学会使用封装好的方法很有利于我们开发。甚至了解其基本实现，也可以触类旁通，对算法等有新的理解。

以上就是本篇文的全部内容，希望能对大家的学习有所帮助。

相关推荐：

php实现获取当前url地址的方法

php实现36进制与10进制转换功能的方法

PHP全功能无变形图片裁剪操作类与用法详解

The above is the detailed content of Summary of using PHP openssl encryption extension. For more information, please follow other related articles on the PHP Chinese website!