PHP (不)建議使用的 加解密演算法

PHP 7.2 後 mcrypt 被拿掉了,但是偏偏以前使用的演算法,PHP7.2 的 OpenSSL 不支援,所以要重新來找新的加解密演算法。

PHP 建議與不建議使用的 加解密演算法

加解密演算法這麼多種,要怎麼挑選呢?

PHP 官方文件的範例就有排除法,排掉 (ECB, RC2, RC4, DES, 3DES, MD5 based)後,能用的演算法就剩不多,在從裡面來挑選一下。

PHP: openssl_get_cipher_methods - Manual,下述程式取自此篇:

View Raw Code?
  1. <?php
  2. $ciphers = openssl_get_cipher_methods();
  3. $ciphers_and_aliases = openssl_get_cipher_methods(true);
  4. $cipher_aliases = array_diff($ciphers_and_aliases, $ciphers);
  6. //ECB mode should be avoided
  7. $ciphers = array_filter( $ciphers, function($n) { return stripos($n,"ecb")===FALSE; } );
  9. //At least as early as Aug 2016, Openssl declared the following weak: RC2, RC4, DES, 3DES, MD5 based
  10. $ciphers = array_filter( $ciphers, function($c) { return stripos($c,"des")===FALSE; } );
  11. $ciphers = array_filter( $ciphers, function($c) { return stripos($c,"rc2")===FALSE; } );
  12. $ciphers = array_filter( $ciphers, function($c) { return stripos($c,"rc4")===FALSE; } );
  13. $ciphers = array_filter( $ciphers, function($c) { return stripos($c,"md5")===FALSE; } );
  14. $cipher_aliases = array_filter($cipher_aliases,function($c) { return stripos($c,"des")===FALSE; } );
  15. $cipher_aliases = array_filter($cipher_aliases,function($c) { return stripos($c,"rc2")===FALSE; } );
  17. print_r($ciphers);
  18. print_r($cipher_aliases);
  19. ?>

程式跑出來,能使用的演算法:

Array
(
[18] => AES128
[19] => AES192
[20] => AES256
[21] => BF
[26] => CAST
[27] => CAST-cbc
[50] => IDEA
[82] => aes128
[83] => aes192
[84] => aes256
[85] => bf
[90] => blowfish
[91] => cast
[92] => cast-cbc
[115] => idea
)

這些跑出來的演算法,該挑哪一個呢?在 PHP 上述的官網下面有程式,直接可以測試演算法的速度,程式如下:

View Raw Code?
  1. <?php
  2. const TEST_COUNT = 100000;
  3. const SOURCE = 'Note that HTML tags are not allowed in the posts, but the note formatting is preserved.';
  4. const KEY = "password";
  6. function TESTER( $testing_function, $argument )
  7. {
  8. $t = microtime(true);
  10. for ($test_iterator = 0; $test_iterator < TEST_COUNT; $test_iterator++) {
  11. $testing_function( $argument );
  12. }
  13. return round(microtime(true) - $t, 4);
  14. }
  16. $crypt = function($cipher) {
  17. $ivlen = openssl_cipher_iv_length($cipher);
  18. $iv = openssl_random_pseudo_bytes($ivlen);
  19. openssl_encrypt(SOURCE, $cipher, KEY, $options=0, $iv);
  20. };
  22. $methods = openssl_get_cipher_methods(false);
  24. array_splice( $methods, 0, count($methods) / 2);
  26. $timings = array();
  28. foreach ($methods as $cypher) {
  29. $time = TESTER( $crypt, $cypher );
  30. $timings[ $cypher ] = $time;
  31. echo str_pad($cypher, 40, ' ', STR_PAD_LEFT), " have time ", str_pad($time, 8, STR_PAD_LEFT), ' seconds. ', PHP_EOL;
  32. }
  34. uasort($timings, function($a, $b){
  35. return $a <=> $b;
  36. });
  38. $min_time = round(reset($timings) / TEST_COUNT, 7);
  39. $min_cypher = key($timings);
  41. $max_time = round(end($timings) / TEST_COUNT, 7);
  42. $max_cypher = key($timings);
  44. echo '-------------', PHP_EOL;
  45. echo "Total tests: ", count($timings), PHP_EOL;
  46. echo "Max timing : {$max_time} seconds for `{$max_cypher}` algorithm.", PHP_EOL;
  47. echo "Min timing : {$min_time} seconds for `{$min_cypher}` algorithm.", PHP_EOL;
  49. echo 'Details: ', PHP_EOL;
  51. foreach ($timings as $m => $t) {
  52. echo '- ', str_pad($t, 8, STR_PAD_LEFT), " seconds for `{$m}`", PHP_EOL;
  53. }
  55. echo PHP_EOL;
  56. ?>

速度跑完後,應該就可以評估要挑選哪個演算法了~

相關網頁

  • Encryption operating modes: ECB vs CBC - 為何不要用 ECB 要用 CBC
  • Openssl blowfish cbc (BF-CBC) or AES-256-CBC
    • Is AES-256-CBC more secure than BF-CBC? Or is it just another way of encryption?
    • both blowfish & AES are block ciphers,AES is said that is more secure than blowfish...

作者: Tsung

對新奇的事物都很有興趣, 喜歡簡單的東西, 過簡單的生活.

發表迴響

這個網站採用 Akismet 服務減少垃圾留言。進一步了解 Akismet 如何處理網站訪客的留言資料