当前位置：文江博客话题详情

如何从 AES 加密字符串添加/删除 PKCS7 填充？

发布于 2024-12-03 14:29:28 字数 117 浏览 2 评论 0原文

我正在尝试使用 128 位 AES 加密 (ECB) 来加密/解密字符串。我想知道如何添加/删除 PKCS7 填充。看起来 Mcrypt 扩展可以处理加密/解密，但必须手动添加/删除填充。

有什么想法吗？

原文

分享到QQ

分享到微博

如果你对这篇内容有疑问，欢迎到本站社区发帖提问参与讨论，获取更多帮助，或者扫码二维码加入 Web 技术交流群。

发布评论

需要登录才能够评论，你可以免费注册一个本站的账号。

温柔嚣张 2024-12-10 14:29:28

让我们来看看。 RFC 5652（加密消息语法）中描述了 PKCS #7。

填充方案本身在 6.3 节中给出。内容加密过程。它本质上是说：根据需要附加许多字节来填充给定的块大小（但至少一个），并且每个字节都应该将填充长度作为值。

因此，查看最后一个解密的字节我们就知道要去掉多少字节。（还可以检查它们是否都具有相同的值。）

我现在可以为您提供一对 PHP 函数来执行此操作，但我的 PHP 有点生疏。因此，要么自己执行此操作（然后随意编辑我的答案以添加它），要么查看用户贡献的注释到 mcrypt 文档 - 其中相当一部分是关于填充的，并提供了 PKCS #7 填充的实现。

因此，让我们看一下第一个注释详细信息：

<?php

function encrypt($str, $key)
 {
     $block = mcrypt_get_block_size('des', 'ecb');

这获取所使用算法的块大小。在您的情况下，我想您将使用 aes 或 rijndael_128 而不是 des （我没有测试它）。（相反，对于 AES，您可以在此处简单地采用 16，而不是调用该函数。）

     $pad = $block - (strlen($str) % $block);

这将计算填充大小。 strlen($str) 是数据长度（以字节为单位），% $block 给出对 $block 取模的余数，即最后一个块中的数据字节数。 $block - ... 因此给出了填充最后一个块所需的字节数（现在是 1 和 $block 之间的数字），包含）。

     $str .= str_repeat(chr($pad), $pad);

str_repeat 生成一个字符串，其中包含重复相同的字符串，这里重复由给出的字符 $pad，$pad次，即长度为$pad的字符串，用$pad填充。
$str .= ... 将此填充字符串附加到原始数据。

     return mcrypt_encrypt(MCRYPT_DES, $key, $str, MCRYPT_MODE_ECB);

这是加密本身。使用 MCRYPT_RIJNDAEL_128 而不是 MCRYPT_DES。

现在另一个方向：

 function decrypt($str, $key)
 {   
     $str = mcrypt_decrypt(MCRYPT_DES, $key, $str, MCRYPT_MODE_ECB);

解密。（您当然会更改算法，如上所述）。 $str 现在是解密的字符串，包括填充。

     $block = mcrypt_get_block_size('des', 'ecb');

这又是块大小。（见上文。）

     $pad = ord($str[($len = strlen($str)) - 1]);

这看起来有点奇怪。最好分多个步骤编写：

    $len = strlen($str);
    $pad = ord($str[$len-1]);

$len 现在是填充字符串的长度，而 $str[$len - 1] 是该字符串的最后一个字符。 ord 将其转换为数字。因此 $pad 是我们之前用作填充填充值的数字，这就是填充长度。

     return substr($str, 0, strlen($str) - $pad);

所以现在我们从字符串中切掉最后的 $pad 字节。（除了 strlen($str)，我们也可以在这里编写 $len：substr($str, 0, $len - $pad) .)。

 }

?>

请注意，除了使用 substr($str, $len - $pad) 之外，还可以编写 substr($str, -$pad)，如 PHP 中的 substr 函数对负操作数/参数有特殊处理，从字符串末尾开始计数。（我不知道这是否比先获取长度并手动计算索引效率更高或更低。）

正如前面所说和rossum在评论中指出的，您应该像这里那样简单地剥离填充，而应该这样做检查它是否正确 - 即查看 substr($str, $len - $pad)，并检查其所有字节是否都是 chr($pad)。这可以作为针对损坏的轻微检查（尽管如果您使用链接模式而不是 ECB，则此检查更有效，并且不能替代真正的 MAC）。

（不过，请告诉您的客户，他们应该考虑更改为比欧洲央行更安全的模式。）

Let's see. PKCS #7 is described in RFC 5652 (Cryptographic Message Syntax).

The padding scheme itself is given in section 6.3. Content-encryption Process. It essentially says: append that many bytes as needed to fill the given block size (but at least one), and each of them should have the padding length as value.

Thus, looking at the last decrypted byte we know how many bytes to strip off. (One could also check that they all have the same value.)

I could now give you a pair of PHP functions to do this, but my PHP is a bit rusty. So either do this yourself (then feel free to edit my answer to add it in), or have a look at the user-contributed notes to the mcrypt documentation - quite some of them are about padding and provide an implementation of PKCS #7 padding.

So, let's look on the first note there in detail:

<?php

function encrypt($str, $key)
 {
     $block = mcrypt_get_block_size('des', 'ecb');

This gets the block size of the used algorithm. In your case, you would use aes or rijndael_128 instead of des, I suppose (I didn't test it). (Instead, you could simply take 16 here for AES, instead of invoking the function.)

     $pad = $block - (strlen($str) % $block);

This calculates the padding size. strlen($str) is the length of your data (in bytes), % $block gives the remainder modulo $block, i.e. the number of data bytes in the last block. $block - ... thus gives the number of bytes needed to fill this last block (this is now a number between 1 and $block, inclusive).

     $str .= str_repeat(chr($pad), $pad);

str_repeat produces a string consisting of a repetition of the same string, here a repetition of the character given by $pad, $pad times, i.e. a string of length $pad, filled with $pad.
$str .= ... appends this padding string to the original data.

     return mcrypt_encrypt(MCRYPT_DES, $key, $str, MCRYPT_MODE_ECB);

Here is the encryption itself. Use MCRYPT_RIJNDAEL_128 instead of MCRYPT_DES.

Now the other direction:

 function decrypt($str, $key)
 {   
     $str = mcrypt_decrypt(MCRYPT_DES, $key, $str, MCRYPT_MODE_ECB);

The decryption. (You would of course change the algorithm, as above). $str is now the decrypted string, including the padding.

     $block = mcrypt_get_block_size('des', 'ecb');

This is again the block size. (See above.)

     $pad = ord($str[($len = strlen($str)) - 1]);

This looks a bit strange. Better write it in multiple steps:

    $len = strlen($str);
    $pad = ord($str[$len-1]);

$len is now the length of the padded string, and $str[$len - 1] is the last character of this string. ord converts this to a number. Thus $pad is the number which we previously used as the fill value for the padding, and this is the padding length.

     return substr($str, 0, strlen($str) - $pad);

So now we cut off the last $pad bytes from the string. (Instead of strlen($str) we could also write $len here: substr($str, 0, $len - $pad).).

 }

?>

Note that instead of using substr($str, $len - $pad), one can also write substr($str, -$pad), as the substr function in PHP has a special-handling for negative operands/arguments, to count from the end of the string. (I don't know if this is more or less efficient than getting the length first and and calculating the index manually.)

As said before and noted in the comment by rossum, instead of simply stripping off the padding like done here, you should check that it is correct - i.e. look at substr($str, $len - $pad), and check that all its bytes are chr($pad). This serves as a slight check against corruption (although this check is more effective if you use a chaining mode instead of ECB, and is not a replacement for a real MAC).

(And still, tell your client they should think about changing to a more secure mode than ECB.)

回复收藏 0 原文

小矜持 2024-12-10 14:29:28

我创建了两种方法来执行填充和取消填充。这些函数使用 phpdoc 进行记录，并且需要 PHP 5。您会注意到 unpad 函数包含大量异常处理，为每个可能的错误生成不少于 4 条不同的消息。

要获取 PHP mcrypt 的块大小，您可以使用 mcrypt_get_block_size，它还将块大小定义为以字节为单位而不是位。

/**
 * Right-pads the data string with 1 to n bytes according to PKCS#7,
 * where n is the block size.
 * The size of the result is x times n, where x is at least 1.
 * 
 * The version of PKCS#7 padding used is the one defined in RFC 5652 chapter 6.3.
 * This padding is identical to PKCS#5 padding for 8 byte block ciphers such as DES.
 *
 * @param string $plaintext the plaintext encoded as a string containing bytes
 * @param integer $blocksize the block size of the cipher in bytes
 * @return string the padded plaintext
 */
function pkcs7pad($plaintext, $blocksize)
{
    $padsize = $blocksize - (strlen($plaintext) % $blocksize);
    return $plaintext . str_repeat(chr($padsize), $padsize);
}

/**
 * Validates and unpads the padded plaintext according to PKCS#7.
 * The resulting plaintext will be 1 to n bytes smaller depending on the amount of padding,
 * where n is the block size.
 *
 * The user is required to make sure that plaintext and padding oracles do not apply,
 * for instance by providing integrity and authenticity to the IV and ciphertext using a HMAC.
 *
 * Note that errors during uppadding may occur if the integrity of the ciphertext
 * is not validated or if the key is incorrect. A wrong key, IV or ciphertext may all
 * lead to errors within this method.
 *
 * The version of PKCS#7 padding used is the one defined in RFC 5652 chapter 6.3.
 * This padding is identical to PKCS#5 padding for 8 byte block ciphers such as DES.
 *
 * @param string padded the padded plaintext encoded as a string containing bytes
 * @param integer $blocksize the block size of the cipher in bytes
 * @return string the unpadded plaintext
 * @throws Exception if the unpadding failed
 */
function pkcs7unpad($padded, $blocksize)
{
    $l = strlen($padded);

    if ($l % $blocksize != 0) 
    {
        throw new Exception("Padded plaintext cannot be divided by the block size");
    }

    $padsize = ord($padded[$l - 1]);

    if ($padsize === 0)
    {
        throw new Exception("Zero padding found instead of PKCS#7 padding");
    }    

    if ($padsize > $blocksize)
    {
        throw new Exception("Incorrect amount of PKCS#7 padding for blocksize");
    }

    // check the correctness of the padding bytes by counting the occurance
    $padding = substr($padded, -1 * $padsize);
    if (substr_count($padding, chr($padsize)) != $padsize)
    {
        throw new Exception("Invalid PKCS#7 padding encountered");
    }

    return substr($padded, 0, $l - $padsize);
}

这不会以任何方式使 Paŭlo Ebermann 的答案无效，它在代码和代码中的答案基本上相同。 phpdoc 而不是描述。

请注意，向攻击者返回填充错误可能会导致填充预言机攻击，从而完全破坏 CBC（当使用 CBC 代替 ECB 或安全认证密码时）。

I've created two methods to perform the padding and unpadding. The functions are documented using phpdoc and require PHP 5. As you will notice the unpad function contains a lot of exception handling, generating not less than 4 different messages for each possible error.

To get to the block size for PHP mcrypt, you can use mcrypt_get_block_size, which also defines the block size to be in bytes instead of bits.

/**
 * Right-pads the data string with 1 to n bytes according to PKCS#7,
 * where n is the block size.
 * The size of the result is x times n, where x is at least 1.
 * 
 * The version of PKCS#7 padding used is the one defined in RFC 5652 chapter 6.3.
 * This padding is identical to PKCS#5 padding for 8 byte block ciphers such as DES.
 *
 * @param string $plaintext the plaintext encoded as a string containing bytes
 * @param integer $blocksize the block size of the cipher in bytes
 * @return string the padded plaintext
 */
function pkcs7pad($plaintext, $blocksize)
{
    $padsize = $blocksize - (strlen($plaintext) % $blocksize);
    return $plaintext . str_repeat(chr($padsize), $padsize);
}

/**
 * Validates and unpads the padded plaintext according to PKCS#7.
 * The resulting plaintext will be 1 to n bytes smaller depending on the amount of padding,
 * where n is the block size.
 *
 * The user is required to make sure that plaintext and padding oracles do not apply,
 * for instance by providing integrity and authenticity to the IV and ciphertext using a HMAC.
 *
 * Note that errors during uppadding may occur if the integrity of the ciphertext
 * is not validated or if the key is incorrect. A wrong key, IV or ciphertext may all
 * lead to errors within this method.
 *
 * The version of PKCS#7 padding used is the one defined in RFC 5652 chapter 6.3.
 * This padding is identical to PKCS#5 padding for 8 byte block ciphers such as DES.
 *
 * @param string padded the padded plaintext encoded as a string containing bytes
 * @param integer $blocksize the block size of the cipher in bytes
 * @return string the unpadded plaintext
 * @throws Exception if the unpadding failed
 */
function pkcs7unpad($padded, $blocksize)
{
    $l = strlen($padded);

    if ($l % $blocksize != 0) 
    {
        throw new Exception("Padded plaintext cannot be divided by the block size");
    }

    $padsize = ord($padded[$l - 1]);

    if ($padsize === 0)
    {
        throw new Exception("Zero padding found instead of PKCS#7 padding");
    }    

    if ($padsize > $blocksize)
    {
        throw new Exception("Incorrect amount of PKCS#7 padding for blocksize");
    }

    // check the correctness of the padding bytes by counting the occurance
    $padding = substr($padded, -1 * $padsize);
    if (substr_count($padding, chr($padsize)) != $padsize)
    {
        throw new Exception("Invalid PKCS#7 padding encountered");
    }

    return substr($padded, 0, $l - $padsize);
}

This does not invalidate the answer of Paŭlo Ebermann in any way, it's basically the same answer in code & phpdoc instead of as description.

Note that returning a padding error to an attacker might result in a padding oracle attack which completely breaks CBC (when CBC is used instead of ECB or a secure authenticated cipher).

回复收藏 0 原文

翻了热茶 2024-12-10 14:29:28

解密数据后调用以下函数即可

function removePadding($decryptedText){
    $strPad = ord($decryptedText[strlen($decryptedText)-1]);
    $decryptedText= substr($decryptedText, 0, -$strPad);
    return $decryptedText;
}

Just call the following function after you decrypt the data

function removePadding($decryptedText){
    $strPad = ord($decryptedText[strlen($decryptedText)-1]);
    $decryptedText= substr($decryptedText, 0, -$strPad);
    return $decryptedText;
}

回复收藏 0 原文

~没有更多了~