How to correctly encrypt data with proper authentication using AES-256-CBC in PHP?

点点圈 submitted on 2019-12-04 19:10:58

Simple solution: use RNCryptor, which is available for PHP and many other languages. See this ReadMe for implementation details.

Even if you don't use RNCryptor the methods are correct and secure.

Some details from the site:

  • AES-256 encryption
  • CBC mode
  • Password stretching with PBKDF2
  • Password salting
  • Random IV
  • Encrypt-then-hash HMAC
  • Versioning

But I am struggling with the idea of authenticated encryption with AES-CBC. How do I basically authenticate when I am about to decrypt the data?

After you encrypt the data with a random IV, put both the ciphertext and IV into hash_hmac() with a second key.

If you're asking because you need to deploy into production, wait until version 2 of defuse/php-encryption is released and use that instead. (It's AES-256-CTR not AES-256-CBC, but CTR mode has less attack surface than CBC mode; i.e. no padding oracle attacks if you defeat the HMAC.)

Don't use RNCryptor.

RNCryptor is/was not written in accordance with cryptography coding standards, neither in PHP, nor in Python.

RNCryptor literally violates rule 1 of the cryptography coding standards consistently. There may be other issues that have yet to be discovered. If you want portability across languages, use libsodium.
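
The flow described in this answer (random IV, HMAC over the IV and ciphertext with a second key, verification before decryption), as an added example that is not part of the original answers. The function and constant names are illustrative, and it assumes PHP 7 or later with the OpenSSL extension and two independent random 32-byte keys.

```php
<?php
const CIPHER  = 'aes-256-cbc';
const IV_LEN  = 16; // AES block size in bytes
const MAC_LEN = 32; // raw HMAC-SHA256 output in bytes

// Encrypt, then MAC the IV and ciphertext with a second, independent key.
function encryptThenMac(string $plaintext, string $encKey, string $macKey): string {
    $iv = random_bytes(IV_LEN);
    $ciphertext = openssl_encrypt($plaintext, CIPHER, $encKey, OPENSSL_RAW_DATA, $iv);
    if ($ciphertext === false) {
        throw new RuntimeException('Encryption failed');
    }
    $mac = hash_hmac('sha256', $iv . $ciphertext, $macKey, true);
    return $iv . $ciphertext . $mac;
}

// Recompute the MAC and compare it in constant time; decrypt only on a match.
function verifyThenDecrypt(string $message, string $encKey, string $macKey): string {
    if (strlen($message) < IV_LEN + 16 + MAC_LEN) { // at least one ciphertext block
        throw new RuntimeException('Message too short');
    }
    $iv         = substr($message, 0, IV_LEN);
    $ciphertext = substr($message, IV_LEN, -MAC_LEN);
    $mac        = substr($message, -MAC_LEN);
    $expected   = hash_hmac('sha256', $iv . $ciphertext, $macKey, true);
    if (!hash_equals($expected, $mac)) {
        throw new RuntimeException('Authentication failed');
    }
    $plaintext = openssl_decrypt($ciphertext, CIPHER, $encKey, OPENSSL_RAW_DATA, $iv);
    if ($plaintext === false) {
        throw new RuntimeException('Decryption failed');
    }
    return $plaintext;
}

// Constructed sample: two independent random 256-bit keys and a test message.
$encKey = random_bytes(32);
$macKey = random_bytes(32);
$msg = encryptThenMac('constructed sample plaintext', $encKey, $macKey);
var_dump(verifyThenDecrypt($msg, $encKey, $macKey) === 'constructed sample plaintext');

// Flip one ciphertext bit: the MAC check rejects the message before any decryption.
$msg[IV_LEN] = chr(ord($msg[IV_LEN]) ^ 1);
try {
    verifyThenDecrypt($msg, $encKey, $macKey);
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

Because the tag is checked before `openssl_decrypt()` runs, a tampered message never reaches the CBC padding check.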
