PHP 中的公钥/私钥类似系统
对于我的自动登录脚本,我正在考虑实现以下内容:
- 用户获得某种存储在 cookie 中的个人“公钥”,
- 因为我不想在数据库中保存完全相同的密钥我想创建一个匹配的密钥 “私钥”
- 当检测到cookie时,
将检索存储在数据库中的密钥,并检查两个密钥之间的公共/私有关系在没有openSSL等的情况下在php中实现此功能的最佳方法是什么?
这就是我现在所拥有的:
$public = hash($hash_algorithm, uniqid(rand()));
$private = hash_hmac($hash_algorithm, $public, $encryption_key);
并验证:
$check = hash_hmac($hash_algorithm, $public, $encryption_key);
return $check == $private;
$encryption_key 是来自配置文件的随机密钥。
我的想法是否太简单了,或者这已经足够了吗?当然,当使用密钥时,会生成一个新密钥,原理如下: http://jaspan.com/improved_persistent_login_cookie_best_practice
For my autologin script I was thinking about implementing the following:
- the user gets some sort of personal "public key" that is stored in a cookie
- because I don't want to save the exact same key in my database I want to create a matching "private key"
- when the cookie is detected, the key stored in the database is retrieved and the public/private relation is checked between the 2 keys
What is the best way to implement this in php without openSSL etc.
This is what I have now:
$public = hash($hash_algorithm, uniqid(rand()));
$private = hash_hmac($hash_algorithm, $public, $encryption_key);
And to validate:
$check = hash_hmac($hash_algorithm, $public, $encryption_key);
return $check == $private;
$encryption_key is a random key from a config file.
Am I thinking about this too simple or is this good enough? Of course when the key is used, a new one is generated like the principle here: http://jaspan.com/improved_persistent_login_cookie_best_practice
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
尽管完全可能创建仅使用对称密钥加密原语的公钥加密系统(请参阅:SPHINCS),您可能不应该推出自己的设计并期望它在这里是安全的。
在 2018 年,答案是:“with libsodium"。但当你问这个问题时,这实际上并不是一个选择。
但本着这个问题的精神:为您提供非对称加密的外部加密库,或者重新发明轮子,没有解决方案。
Although it is strictly possible to create a public-key cryptography system that only uses symmetric-key cryptography primitives (see: SPHINCS), you probably shouldn't roll your own design and expect it to be secure here.
In 2018, the answer is: "with libsodium". But when you asked this question, that wasn't really an option.
But in the spirit of the question: Outside cryptography libraries that provide asymmetric cryptography for you, or reinventing the wheel, there is no solution.