1

I'm working on a CMS system and I want to add a feature to protect user's data. Of course passwords are hashed and could only be decoded using brute forcing. But now it's about the rest of the data, for example their mail address. I would like to have a function which encodes a mail address when a user registers which could be decoded each time a mail should be send. Now the problem with hashing is that you can't easily convert it back (I think), at least with md5 and sh1 and similar algorithms this is not possible so this is not what I want.

I would like to have a feature that salt could be used in the en- and decoding process. This means that I have a random string stored somewhere in the web aplication, which is used as 'seed' or 'salt' for this process, so the result will be different if that random string is different, this makes it harder to decode once hackers (for example) broke into the database and stole the data.

I saw a function in PHP called base64_encode() and base64_decode(), these functions can en- and decode the data very easy. The problem with these functions is that there's no 'salt' parameter and I don't think it's very good as protection. Is there's a function which does something similair with more protection with a en- and decode feature, and with a salt parameter?

Thanks in advance, Tim Visée

4

1 回答 1

3

让我解释一下编码、散列和加密之间的区别。

  • 编码只是一种表示数据的方式,因此它不能帮助您提高安全性。base64 用于将 8 位数据表示编码为 6 位,即用于在电子邮件正文中传输。对你没用。
  • 散列是一种数据的单向转换,通常具有以下属性:
    • 许多(实际上是无限的)不同的数据字符串具有相同的哈希值。您可以散列任意长度的字符串,但生成的散列始终具有有限的长度,因此并非每个输入字符串都可以具有唯一散列是很清楚的。
    • 虽然散列法很快,但无法比尝试所有可能的组合更简单地计算具有指定散列值的原始数据。
    • 加密是您正在寻找的。加密数据只能使用适当的密钥读取。

但是,我认为加密数据库中的数据没有什么意义。如果有人看到您的 PHP 源代码和数据库,他可以轻松读取密钥并解密数据。它只能在有人窃取原始数据库但仍然无法访问您的源代码时为您提供帮助,但这种情况非常罕见,Web 程序员通常不会这样做。

于 2013-03-03T14:31:51.283 回答