with strip_tags remove ejemplo php encryption

php - remove - strip_tags wordpress



¿Cómo cifro una cadena en PHP? (5)

Advertencia de seguridad: el cifrado sin autenticación es vulnerable a algo que se llama un ataque de texto cifrado elegido. Vea la respuesta de Eugene para una solución que ofrece cifrado autenticado.

Si está utilizando PHP> = 5.3, el nuevo openssl_encrypt podría ayudarlo: permite el cifrado de datos utilizando una amplia gama de métodos de cifrado.

Esos datos se pueden descifrar posteriormente con openssl_decrypt , que, obviamente, hace exactamente lo contrario.

Y si quieres saber qué funciones cifradas puedes usar, openssl_get_cipher_methods será útil ;-)
Hay muchos de esos, parece ^^


Aquí hay una parte del código que publiqué en mi blog hace algún tiempo, que debe demostrar el uso de esas tres funciones:

$methods = openssl_get_cipher_methods(); var_dump($methods); $textToEncrypt = "he who doesn''t do anything, doesn''t go wrong -- Zeev Suraski"; $secretKey = "glop"; echo ''<pre>''; foreach ($methods as $method) { $encrypted = openssl_encrypt($textToEncrypt, $method, $secretKey); $decrypted = openssl_decrypt($encrypted, $method, $secretKey); echo $method . '': '' . $encrypted . '' ; '' . $decrypted . "/n"; } echo ''</pre>'';

La salida que obtuve al escribir esto fue algo así:

bf-ecb: /nyRYCzQPE1sunxSBclxXBd7p7gl1fUnE80gBCS1NM4s3wS1Eho6rFHOOR73V9UtnolYW+flbiCwIKa/DYh5CQ== ; he who doesn''t do anything, doesn''t go wrong -- Zeev Suraski bf-ofb: M9wwf140zhwHo98k8sj2MEXdogqXEQ+TjN81pebs2tmhNOsfU3jvMy91MBM76dWM7GVjeh95p8oDybDt ; he who doesn''t do anything, doesn''t go wrong -- Zeev Suraski cast5-cbc: xKgdC1y654PFYW1rIjdevu8MsQOegvJoZx0KmMwb8aCHFmznxIQVy1yvAWR3bZztvGCGrM84WkpbG33pZcxUiQ== ; he who doesn''t do anything, doesn''t go wrong -- Zeev Suraski cast5-cfb: t8ABR9mPvocRikrX0Kblq2rUXHiVnA/OnjR/mDJDq8+/nn6Z9yfPbpcpRat0lYqfVAcwlypT4A4KNq4S ; he who doesn''t do anything, doesn''t go wrong -- Zeev Suraski cast5-ecb: xKgdC1y654NIzRl9gJqbhYKtmJoXBoFpgLhwgdtPtYB7VZ1tRHLX0MjErtfREMJBAonp48zngSiTKlsKV0/WhQ== ; he who doesn''t do anything, doesn''t go wrong -- Zeev Suraski cast5-ofb: t8ABR9mPvofCv9+AKTcRO4Q0doYlavn8zRzLvV3dZk0niO7l20KloA4nUll4VN1B5n89T/IuGh9piPte ; he who doesn''t do anything, doesn''t go wrong -- Zeev Suraski des-cbc: WrCiOVPU1ipF+0trwXyVZ/6cxiNVft+TK2+vAP0E57b9smf9x/cZlQQ4531aDX778S3YJeP/5/YulADXoHT/+Q== ; he who doesn''t do anything, doesn''t go wrong -- Zeev Suraski des-cfb: cDDlaifQN+hGOnGJ2xvGna7y8+qRxwQG+1DJBwQm/4abKgdZYUczC4+aOPGesZM1nKXjgoqB4+KTxGNo ; he who doesn''t do anything, doesn''t go wrong -- Zeev Suraski


Y si no está utilizando PHP 5.3, es posible que desee consultar la sección Mcrypt del manual y funciones como mcrypt_encrypt ;-)

Esta es una interfaz para la biblioteca mcrypt, que admite una amplia variedad de algoritmos de bloque como DES, TripleDES, Blowfish (predeterminado), 3-WAY, SAFER-SK64, SAFER-SK128, TWOFISH, TEA, RC2 y GOST en CBC, Cifras OFB, CFB y ECB.

Quiero hacer una función de cifrado que debería tener alguna clave secreta. Algo como lo siguiente:

function encrypt($string) { $key = "mastermind"; $enc = encryptfunc($string, $key); return $enc; }

Lo mismo debería solicitar el descifrado.

Aquí hay una buena biblioteca de PHP que puede ayudarlo a cifrar y descifrar cadenas, disponible a través de Composer y fácil de usar también:

https://github.com/CoreProc/crypto-guard

Aquí hay una muestra:

<?php require ''vendor/autoload.php''; use Coreproc/CryptoGuard/CryptoGuard; // This passphrase should be consistent and will be used as your key to encrypt/decrypt // your string $passphrase = ''whatever-you-want''; // Instantiate the CryptoGuard class $cryptoGuard = new CryptoGuard($passphrase); $stringToEncrypt = ''test''; // This will spit out the encrypted text $encryptedText = $cryptoGuard->encrypt($stringToEncrypt); // This should give you back the string you encrypted echo $cryptoGuard->decrypt($encryptedText);

Aquí hay una versión actualizada y segura del código original de Eugene Fidelin.

Tenga en cuenta que la salida tiene la IV y la sal en ella, que también necesita almacenar de forma segura con la clave de descifrado.

class Cipher { /** ---------------------------------------------- Original Code by Eugene Fidelin ---------------------------------------------- **/ private $key; private $salt; private $iv; function __construct() { } function set_salt( $salt ) { $this->salt = $salt; } function generate_salt() { $this->salt = mcrypt_create_iv( 32, MCRYPT_DEV_RANDOM ); // abuse IV function for random salt } function set_iv( $iv ) { $this->iv = $iv; } function generate_iv() { $this->iv = mcrypt_create_iv( mcrypt_get_iv_size( MCRYPT_RIJNDAEL_128, MCRYPT_MODE_CBC ) ); } function generate_key( $passphrase, $iterations = 10000, $length = 32 ) { $this->key = hash_pbkdf2 ( ''sha256'', $passphrase, $this->salt, $iterations, $length ); } function get_key() { echo $this->key; } function encrypt( $plaintext ) { $ciphertext = mcrypt_encrypt( MCRYPT_RIJNDAEL_128, $this->key, $plaintext, MCRYPT_MODE_CBC, $this->iv ); $data_return = array(); $data_return[''iv''] = base64_encode( $this->iv ); $data_return[''salt''] = base64_encode( $this->salt ); $data_return[''ciphertext''] = base64_encode( $ciphertext ); return json_encode( $data_return ); } function decrypt( $data_enciphered, $passphrase ) { $data_decoded = json_decode( $data_enciphered, TRUE ); $this->set_iv( base64_decode( $data_decoded[''iv''] ) ); $this->set_salt( base64_decode( $data_decoded[''salt''] ) ); $this->generate_key( $passphrase ); $ciphertext = base64_decode( $data_decoded[''ciphertext''] ); return trim( mcrypt_decrypt( MCRYPT_RIJNDAEL_128, $this->key, $ciphertext, MCRYPT_MODE_CBC, $this->iv ) ); } } $cipher = new Cipher(); $cipher->generate_salt(); $cipher->generate_iv(); $cipher->generate_key( ''123'' ); // the key will be generated from the passphrase "123" // echo $cipher->get_key(); $data_encrypted = $cipher->encrypt( ''hello'' ); echo ''encrypted:''; echo ''<pre>''; print_r( $data_encrypted ); echo ''</pre>''; unset( $cipher ); echo ''decrypted:''; $cipher = new Cipher(); $decrypted = $cipher->decrypt( $data_encrypted, ''123'' ); echo ''<pre>''; print_r( $decrypted ); echo ''</pre>''; die();

Esta es una implementación simple pero segura del AES-256 en modo CBC que utiliza PBKDF2 para crear una clave de cifrado a partir de una contraseña de texto sin formato y HMAC para autenticar el mensaje cifrado.

Funciona con PHP 5.3 y superior.

/** * Implements AES-256 encryption/decryption in CBC mode. * * PBKDF2 is used for creation of encryption key. * HMAC is used to authenticate the encrypted message. * * Requires PHP 5.3 and higher * * Gist: https://gist.github.com/eugef/3d44b2e0a8a891432c65 */ class McryptCipher { const PBKDF2_HASH_ALGORITHM = ''SHA256''; const PBKDF2_ITERATIONS = 64000; const PBKDF2_SALT_BYTE_SIZE = 32; // 32 is the maximum supported key size for the MCRYPT_RIJNDAEL_128 const PBKDF2_HASH_BYTE_SIZE = 32; /** * @var string */ private $password; /** * @var string */ private $secureEncryptionKey; /** * @var string */ private $secureHMACKey; /** * @var string */ private $pbkdf2Salt; public function __construct($password) { $this->password = $password; } /** * Compares two strings. * * This method implements a constant-time algorithm to compare strings. * Regardless of the used implementation, it will leak length information. * * @param string $knownHash The string of known length to compare against * @param string $userHash The string that the user can control * * @return bool true if the two strings are the same, false otherwise * * @see https://github.com/symfony/security-core/blob/master/Util/StringUtils.php */ private function equalHashes($knownHash, $userHash) { if (function_exists(''hash_equals'')) { return hash_equals($knownHash, $userHash); } $knownLen = strlen($knownHash); $userLen = strlen($userHash); if ($userLen !== $knownLen) { return false; } $result = 0; for ($i = 0; $i < $knownLen; $i++) { $result |= (ord($knownHash[$i]) ^ ord($userHash[$i])); } // They are only identical strings if $result is exactly 0... return 0 === $result; } /** * PBKDF2 key derivation function as defined by RSA''s PKCS #5: https://www.ietf.org/rfc/rfc2898.txt * * Test vectors can be found here: https://www.ietf.org/rfc/rfc6070.txt * This implementation of PBKDF2 was originally created by https://defuse.ca * With improvements by http://www.variations-of-shadow.com * * @param string $algorithm The hash algorithm to use. Recommended: SHA256 * @param string $password The password * @param string $salt A salt that is unique to the password * @param int $count Iteration count. Higher is better, but slower. Recommended: At least 1000 * @param int $key_length The length of the derived key in bytes * @param bool $raw_output If true, the key is returned in raw binary format. Hex encoded otherwise * @return string A $key_length-byte key derived from the password and salt * * @see https://defuse.ca/php-pbkdf2.htm */ private function pbkdf2($algorithm, $password, $salt, $count, $key_length, $raw_output = false) { $algorithm = strtolower($algorithm); if (!in_array($algorithm, hash_algos(), true)) { trigger_error(''PBKDF2 ERROR: Invalid hash algorithm.'', E_USER_ERROR); } if ($count <= 0 || $key_length <= 0) { trigger_error(''PBKDF2 ERROR: Invalid parameters.'', E_USER_ERROR); } if (function_exists(''hash_pbkdf2'')) { // The output length is in NIBBLES (4-bits) if $raw_output is false! if (!$raw_output) { $key_length *= 2; } return hash_pbkdf2($algorithm, $password, $salt, $count, $key_length, $raw_output); } $hash_length = strlen(hash($algorithm, '''', true)); $block_count = ceil($key_length / $hash_length); $output = ''''; for ($i = 1; $i <= $block_count; $i++) { // $i encoded as 4 bytes, big endian. $last = $salt . pack(''N'', $i); // first iteration $last = $xorsum = hash_hmac($algorithm, $last, $password, true); // perform the other $count - 1 iterations for ($j = 1; $j < $count; $j++) { $xorsum ^= ($last = hash_hmac($algorithm, $last, $password, true)); } $output .= $xorsum; } if ($raw_output) { return substr($output, 0, $key_length); } else { return bin2hex(substr($output, 0, $key_length)); } } /** * Creates secure PBKDF2 derivatives out of the password. * * @param null $pbkdf2Salt */ private function derivateSecureKeys($pbkdf2Salt = null) { if ($pbkdf2Salt) { $this->pbkdf2Salt = $pbkdf2Salt; } else { $this->pbkdf2Salt = mcrypt_create_iv(self::PBKDF2_SALT_BYTE_SIZE, MCRYPT_DEV_URANDOM); } list($this->secureEncryptionKey, $this->secureHMACKey) = str_split( $this->pbkdf2(self::PBKDF2_HASH_ALGORITHM, $this->password, $this->pbkdf2Salt, self::PBKDF2_ITERATIONS, self::PBKDF2_HASH_BYTE_SIZE * 2, true), self::PBKDF2_HASH_BYTE_SIZE ); } /** * Calculates HMAC for the message. * * @param string $message * @return string */ private function hmac($message) { return hash_hmac(self::PBKDF2_HASH_ALGORITHM, $message, $this->secureHMACKey, true); } /** * Encrypts the input text * * @param string $input * @return string Format: hmac:pbkdf2Salt:iv:encryptedText */ public function encrypt($input) { $this->derivateSecureKeys(); $mcryptIvSize = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_128, MCRYPT_MODE_CBC); // By default mcrypt_create_iv() function uses /dev/random as a source of random values. // If server has low entropy this source could be very slow. // That is why here /dev/urandom is used. $iv = mcrypt_create_iv($mcryptIvSize, MCRYPT_DEV_URANDOM); $encrypted = mcrypt_encrypt(MCRYPT_RIJNDAEL_128, $this->secureEncryptionKey, $input, MCRYPT_MODE_CBC, $iv); $hmac = $this->hmac($this->pbkdf2Salt . $iv . $encrypted); return implode('':'', array( base64_encode($hmac), base64_encode($this->pbkdf2Salt), base64_encode($iv), base64_encode($encrypted) )); } /** * Decrypts the input text. * * @param string $input Format: hmac:pbkdf2Salt:iv:encryptedText * @return string */ public function decrypt($input) { list($hmac, $pbkdf2Salt, $iv, $encrypted) = explode('':'', $input); $hmac = base64_decode($hmac); $pbkdf2Salt = base64_decode($pbkdf2Salt); $iv = base64_decode($iv); $encrypted = base64_decode($encrypted); $this->derivateSecureKeys($pbkdf2Salt); $calculatedHmac = $this->hmac($pbkdf2Salt . $iv . $encrypted); if (!$this->equalHashes($calculatedHmac, $hmac)) { trigger_error(''HMAC ERROR: Invalid HMAC.'', E_USER_ERROR); } // mcrypt_decrypt() pads the *RETURN STRING* with nulls (''/0'') to fill out to n * blocksize. // rtrim() is used to delete them. return rtrim( mcrypt_decrypt(MCRYPT_RIJNDAEL_128, $this->secureEncryptionKey, $encrypted, MCRYPT_MODE_CBC, $iv), "/0" ); } }

Uso:

$c = new McryptCipher(''secret key goes here''); $encrypted = $c->encrypt(''secret message''); $decrypted = $c->decrypt($encrypted);

Aviso sobre el rendimiento.

Por defecto, la función mcrypt_create_iv () usa / dev / random como fuente de valores aleatorios. Si el servidor tiene poca entropía, esta fuente podría ser muy lenta. Es por esto que se usa / dev / urandom.

Aquí hay una buena explicación de cuál es la diferencia entre ellos http://www.onkarjoshi.com/blog/191/device-dev-random-vs-urandom/

Entonces, si no está utilizando este cifrado para algo crítico (espero que no lo haga), entonces puede usar / dev / urandom para mejorar el rendimiento del cifrado, de lo contrario simplemente reemplace MCRYPT_DEV_URANDOM con MCRYPT_DEV_RANDOM.

Importante actualización de seguridad # 1

Gracias a @HerrK, quien señaló que usar un simple hash para crear una clave de cifrado no es lo suficientemente seguro, ahora se usa el algoritmo PBKDF2 para eso (lea más sobre PBKDF2 http://en.wikipedia.org/wiki/PBKDF2 ).

La implementación del algoritmo PBKDF2 se copia desde https://defuse.ca/php-pbkdf2.htm .

Importante actualización de seguridad # 2

Gracias a @Scott, quien prestó atención a que el mensaje cifrado debería ser autenticado, ahora se usa HMAC para verificar que el mensaje no haya cambiado.

No soy un tipo de criptografía, pero uso este tipo de cosas:

function crypt($dataToEncrypt){ $appKey = ''%39d15#13P0£df458asdc%/dfr_A!8792*dskjfzaesdfpopdfo45s4dqd8d4fsd+dfd4s"Z1''; $td = mcrypt_module_open(MCRYPT_SERPENT, '''', MCRYPT_MODE_CBC, ''''); // Creates IV and gets key size $iv = mcrypt_create_iv(mcrypt_enc_get_iv_size($td), MCRYPT_DEV_RANDOM); $ks = mcrypt_enc_get_key_size($td); // Creates key from application key $key = substr($appKey, 0, $ks); // Initialization mcrypt_generic_init($td, $key, $iv); // Crypt data $encrypted = mcrypt_generic($td, $dataToEncrypt); // Close mcrypt_generic_deinit($td); mcrypt_module_close($td); return array($encrypted, $iv); }

Para descifrar una cadena necesita la clave y el vector de inicialización ( $iv ).

function decrypt($encryptedData, $iv){ $appKey = ''%39d15#13P0£df458asdc%/dfr_A!8792*dskjfzaesdfpopdfo45s4dqd8d4fsd+dfd4s"Z1''; $td = mcrypt_module_open(MCRYPT_SERPENT, '''', MCRYPT_MODE_CBC, ''''); // Gets key size $ks = mcrypt_enc_get_key_size($td); // Creates key from application key $key = substr($appKey, 0, $ks); // Initialization mcrypt_generic_init($td, $key, $iv); // Decrypt data $decrypted = mdecrypt_generic($td, $encryptedData); // Close mcrypt_generic_deinit($td); mcrypt_module_close($td); return trim($decrypted); }