雅荷心语博客JS与PHP使用RSA算法进行加密通讯
我们平时做用户登录表单提交,用户名密码都是明文直接POST到后端,这样很容易被别人从监听到。
注:包括使用MD5等哈希函数处理后的数据,这里也算做明文(现在MD5爆破网站已经很多了~)。
对安全性要求较高的网站,比如银行和大型企业等都会使用HTTPS对其进行加密通讯。
但是由于效率原因,使用HTTPS的代价是及其昂贵的,对于访问量稍大的网站就会造成严重的性能瓶颈。解决方法一般只能采用专门的SSL硬件加速设备如F5的BIGIP等。
所以很多网站选择了模拟SSL的做法,使用RSA来对密码等安全信息进行公钥加密,服务端用私钥解密。
通常是对密码进行加密,本文也拿密码加密为例。
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 |
[root@localhost /]# ls bin boot dev etc home lib lost+found media mnt opt proc root sbin selinux srv sys tmp usr var [root@localhost /]# openssl genrsa -des3 -out prikey.pem 1024 #生成rsa密钥 Generating RSA private key, 1024 bit long modulus ..........++++++ .........................++++++ e is 65537 (0x10001) Enter pass phrase for prikey.pem: Verifying - Enter pass phrase for prikey.pem: [root@localhost /]# openssl rsa -in prikey.pem -out prikey.pem #去除掉密钥文件保护密码 Enter pass phrase for prikey.pem: writing RSA key [root@localhost /]# ls bin boot dev etc home lib lost+found media mnt opt prikey.pem proc root sbin selinux srv sys tmp usr var [root@localhost /]# openssl rsa -in prikey.pem -pubout -out pubkey.pem #分离出公钥 writing RSA key [root@localhost /]# ls bin boot dev etc home lib lost+found media mnt opt prikey.pem proc pubkey.pem root sbin selinux srv sys tmp usr var [root@localhost /]# openssl asn1parse -out temp.ans -i -inform PEM < prikey.pem #提取十六进制密钥 0:d=0 hl=4 l= 607 cons: SEQUENCE 4:d=1 hl=2 l= 1 prim: INTEGER :00 7:d=1 hl=3 l= 129 prim: INTEGER : D42E861C04CFB9EBB1368A682EC22BDCA364A35E1C5DF1D43FC4F24197D4B798BCB7FD0192774749C4DED8B659002B4ABEA2F11F7896BCEE5CD615D31EF8936823ED6760CA01D91F677F1459019383679D78BE72FE67E7C1C3FDA1A514B5FE35879A9A9DC90EAE059948CD222F4C69F37F23F0864112CD4A8AE2B4FD9EC36297 #公匙 139:d=1 hl=2 l= 3 prim: INTEGER :010001 #十六进制e值 144:d=1 hl=3 l= 129 prim: INTEGER : 85035557233D059457579594921B6F5BB5A255379E18D68CF41D06B14FF92DCF361F3120572D27277B9F27C3C82F6EF44065ED3A896215B667C45D92280C347B235AB10164B15A3799D5CFFE7B4FDA5A823116F4DA48A08E6CFED11F274BEE1CE74AD161045992EEDE859A8B048CA9FECE7DFD5E1DA25E71FD2624380FBB8DA1 #密匙 276:d=1 hl=2 l= 65 prim: INTEGER :FB8B45FBD58D9FAFD41EDAD77BF57D4E413AD4513BC9EF384DA8E6049D945668967E40400FBE536CDD4B363E990EE273B6D7BDBAC620FA27BB8ACC2B46F70393 343:d=1 hl=2 l= 65 prim: INTEGER : D7F0BF176770516845C0858C849B12858DEB41F430BFD9BC72BBEEA8F646FBD0E565E04FC7C1046E012D9CC46FD567532A18BAE83976FF003DFB8E350B61CF6D 410:d=1 hl=2 l= 65 prim: INTEGER :EEE1BEDE8059F4D2A8217D36B2B3DA021D145F599DEC11D0688003A1527CF2EA7431059750DC30A1EC2E671F5F7FB132AEEB8774FE7F86D180DB3935C839011D 477:d=1 hl=2 l= 65 prim: INTEGER :A4886421A207FB8F36AE855356EA8D4743A6405F9E116006ED68F264BD19C2DF1D1AEDB9FC1ABE944EC381524F5FCBD59B1AB2B724A9DD8C42ADFC61C0656B55 544:d=1 hl=2 l= 65 prim: INTEGER :CA796B199B066C2B3513D20E4207F5D85AB6347C4A3FBCE152DBD0A535060D413BAEB88D603A4673C946C4B9501DD98B772557B7119F841CAD86DE2D013C997C [root@localhost /]# |
第二步:JS加密传输实现
使用RSA加密通讯方式,需要先加载三个RSA的js库文件,可以到这里下载:http://www.ohdave.com/rsa/
|
1 2 3 4 5 6 7 8 9 |
<script type="text/javascript" src="RSA.js"></script> <script type="text/javascript" src="BigInt.js"></script> <script type="text/javascript" src="Barrett.js"></script> <form action="http://localhost/openssl.php" method="post" name="rsa_form" id="rsa_form"> 用户名:<input name="username" type="text"> 密码:<input name="password" id="password" type="password"> <input value="提交" onclick="rsa()" type="button"> </form> |
|
1 |
<script type="text/javascript">var rsa=function(){var rsa_n='D42E861C04CFB9EBB1368A682EC22BDCA364A35E1C5DF1D43FC4F24197D4B798BCB7FD0192774749C4DED8B659002B4ABEA2F11F7896BCEE5CD615D31EF8936823ED6760CA01D91F677F1459019383679D78BE72FE67E7C1C3FDA1A514B5FE35879A9A9DC90EAE059948CD222F4C69F37F23F0864112CD4A8AE2B4FD9EC36297';var pw=document.getElementById("password");setMaxDigits(131);var key=new RSAKeyPair("10001",'',rsa_n);pw.value=encryptedString(key,pw.value);document.rsa_form.submit();}</script> |
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 |
<?php class Rsa { private static $PRIVATE_KEY = '-----BEGIN RSA PRIVATE KEY----- MIICXwIBAAKBgQDULoYcBM+567E2imguwivco2SjXhxd8dQ/xPJBl9S3mLy3/QGS d0dJxN7YtlkAK0q+ovEfeJa87lzWFdMe+JNoI+1nYMoB2R9nfxRZAZODZ514vnL+ Z+fBw/2hpRS1/jWHmpqdyQ6uBZlIzSIvTGnzfyPwhkESzUqK4rT9nsNilwIDAQAB AoGBAIUDVVcjPQWUV1eVlJIbb1u1olU3nhjWjPQdBrFP+S3PNh8xIFctJyd7nyfD yC9u9EBl7TqJYhW2Z8RdkigMNHsjWrEBZLFaN5nVz/57T9pagjEW9NpIoI5s/tEf J0vuHOdK0WEEWZLu3oWaiwSMqf7Off1eHaJecf0mJDgPu42hAkEA+4tF+9WNn6/U HtrXe/V9TkE61FE7ye84TajmBJ2UVmiWfkBAD75TbN1LNj6ZDuJztte9usYg+ie7 iswrRvcDkwJBANfwvxdncFFoRcCFjISbEoWN60H0ML/ZvHK77qj2RvvQ5WXgT8fB BG4BLZzEb9VnUyoYuug5dv8APfuONQthz20CQQDu4b7egFn00qghfTays9oCHRRf WZ3sEdBogAOhUnzy6nQxBZdQ3DCh7C5nH19/sTKu64d0/n+G0YDbOTXIOQEdAkEA pIhkIaIH+482roVTVuqNR0OmQF+eEWAG7WjyZL0Zwt8dGu25/Bq+lE7DgVJPX8vV mxqytySp3YxCrfxhwGVrVQJBAMp5axmbBmwrNRPSDkIH9dhatjR8Sj+84VLb0KU1 Bg1BO664jWA6RnPJRsS5UB3Zi3clV7cRn4QcrYbeLQE8mXw= -----END RSA PRIVATE KEY-----'; private static $PUBLIC_KEY = '-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDULoYcBM+567E2imguwivco2Sj Xhxd8dQ/xPJBl9S3mLy3/QGSd0dJxN7YtlkAK0q+ovEfeJa87lzWFdMe+JNoI+1n YMoB2R9nfxRZAZODZ514vnL+Z+fBw/2hpRS1/jWHmpqdyQ6uBZlIzSIvTGnzfyPw hkESzUqK4rT9nsNilwIDAQAB -----END PUBLIC KEY-----'; /** * 16进制 * 公匙: D42E861C04CFB9EBB1368A682EC22BDCA364A35E1C5DF1D43FC4F24197D4B798BCB7FD0192774749C4DED8B659002B4ABEA2F11F7896BCEE5CD615D31EF8936823ED6760CA01D91F677F1459019383679D78BE72FE67E7C1C3FDA1A514B5FE35879A9A9DC90EAE059948CD222F4C69F37F23F0864112CD4A8AE2B4FD9EC36297 * 密匙: 85035557233D059457579594921B6F5BB5A255379E18D68CF41D06B14FF92DCF361F3120572D27277B9F27C3C82F6EF44065ED3A896215B667C45D92280C347B235AB10164B15A3799D5CFFE7B4FDA5A823116F4DA48A08E6CFED11F274BEE1CE74AD161045992EEDE859A8B048CA9FECE7DFD5E1DA25E71FD2624380FBB8DA1 */ /** *返回对应的私钥 */ private static function getPrivateKey(){ $privKey = self::$PRIVATE_KEY; return openssl_pkey_get_private($privKey); } /** *返回对应的公钥 */ private static function getPublicKey(){ $pubkey = self::$PUBLIC_KEY; return openssl_pkey_get_public($pubkey); } /** * 私钥加密 * @param [type] $data [description] * @return [type] [description] */ public static function privEncrypt($data) { if(!is_string($data)){ return null; } return openssl_private_encrypt($data,$encrypted,self::getPrivateKey())? base64_encode($encrypted) : null; } /** * 私钥解密 * @param [type] $encrypted 密文(二进制格式且base64编码) * @param boolean $fromjs 密文是否来源于JS的RSA加密 * @return [type] [description] */ public static function privDecrypt($encrypted, $fromjs = FALSE) { if(!is_string($encrypted)){ return null; } $padding = $fromjs ? OPENSSL_NO_PADDING : OPENSSL_PKCS1_PADDING; if (openssl_private_decrypt(base64_decode($encrypted), $decrypted, self::getPrivateKey(), $padding)) { return $fromjs ? trim(strrev($decrypted)) : $decrypted; } return null; } /** * 私匙加密 * @param [type] $data [description] * @return [type] [description] */ public static function encrypt($data) { if (openssl_public_encrypt($data, $encrypted, self::getPublicKey())) $data = base64_encode($encrypted); else throw new Exception('Unable to encrypt data. Perhaps it is bigger than the key size?'); return $data; } } $base = base64_encode('天明宝宝'); $key = Rsa::encrypt('天明宝宝'); var_dump($key); $data = Rsa::privDecrypt($key); var_dump($data); |
注:PHP中openssl扩展公私钥加密函数只支持小数据,加密时117字节,解密时128字节。若不然得自己循环加密后合并。
Demo 文件 : https://yunpan.cn/cuqdUQtfbP8xq 访问密码 89e5
