Does the Security::cipher encryption result depend on the server?
I'm working in a CakePHP application where I use Security::cipher in order to encrypt some data. It works perfectly but I've moved files and DB to another server and now the encrypted result is different.
I've tried with some simple lines:
$security = new Security;
$code = $security->cipher('1234', Configure::read('Security.cipherSeed'));
When I print $code, the value is different on both servers. I've configured the same Security.cipherSeed in both core.php files.
Is the Security::cipher function using some server value to encrypt?
Thank you.
Comments (1)
Well, looking at this bug, it does appear to be an issue.
Digging into the source code, this line is what makes it work:
Now, why does that work? Because rand() implements a pseudo-random algorithm. So for any given known seed, you can theoretically produce the same series of random output. To see if this will work, let's look at the PHP source code for rand(), specifically the internal php_rand function:
We know this isn't the problem, since we're manually seeding (unless we have the suhosin patch installed on the server, then it will always reseed and hence not work).
Woah, did you see what happened? Depending on the server specification, it can use one of 4 different random libraries (rand(), random(), lrand48() or its own internal random function php_rand_r)! That's why it's not portable across server installs.
Instead, use a real encryption library such as MCrypt or GPG.
Edit: I've submitted a bug report on this topic to cake.
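The failure mode described in the answer above, as an added example that is not part of the original post and is not CakePHP's or PHP's code: a simplified model of a cipher that XORs data with bytes from a seeded generator, run against two textbook generators that stand in for different libc back-ends. The names `backend`, `prng_seed`, `prng_next`, `seeded_xor` and `survives_migration`, and the seed value, are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Two textbook generators standing in for different libc back-ends
   (assumption: illustrative, not PHP's or CakePHP's actual code). */
enum backend { BACKEND_ANSI, BACKEND_LRAND48 };

static uint64_t prng_seed(enum backend b, uint32_t seed) {
    /* srand48() convention: seed in the high 32 bits, 0x330E in the low 16 */
    return b == BACKEND_ANSI ? seed : (((uint64_t)seed << 16) | 0x330E);
}

static uint32_t prng_next(enum backend b, uint64_t *s) {
    if (b == BACKEND_ANSI) {            /* ANSI C sample rand(): 32-bit LCG */
        *s = (*s * 1103515245ULL + 12345ULL) & 0xFFFFFFFFULL;
        return (uint32_t)(*s >> 16) & 0x7FFF;
    }
    *s = (*s * 0x5DEECE66DULL + 0xBULL) & 0xFFFFFFFFFFFFULL; /* 48-bit LCG */
    return (uint32_t)(*s >> 17);
}

/* XOR every byte with a mask drawn from the seeded generator.
   Running it again with the same backend and seed decrypts. */
static void seeded_xor(enum backend b, uint32_t seed,
                       const unsigned char *in, unsigned char *out, size_t n) {
    uint64_t s = prng_seed(b, seed);
    for (size_t i = 0; i < n; i++)
        out[i] = in[i] ^ (unsigned char)(prng_next(b, &s) % 256);
}

/* 1 if text encrypted on backend `enc` still decrypts on backend `dec`. */
static int survives_migration(enum backend enc, enum backend dec,
                              uint32_t seed, const char *plain) {
    unsigned char ct[64], pt[64];
    size_t n = strlen(plain);
    if (n > sizeof ct) return 0;
    seeded_xor(enc, seed, (const unsigned char *)plain, ct, n);
    seeded_xor(dec, seed, ct, pt, n);
    return memcmp(pt, plain, n) == 0;
}

int main(void) {
    const uint32_t seed = 1;            /* constructed sample seed */
    printf("same backend:  %d\n", survives_migration(BACKEND_ANSI, BACKEND_ANSI, seed, "1234"));
    printf("after a move:  %d\n", survives_migration(BACKEND_ANSI, BACKEND_LRAND48, seed, "1234"));
    return 0;
}
```

With an identical seed and plaintext, the round trip only succeeds when both ends use the same generator, which is why data stored this way does not survive a move between servers.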