使用场景
- 如果只是为了防止用户数据泄露,有条件用https,那不要犹豫,赶快买个证书。
- 但是https也有局限性,加密层位于http层(应用层)和tcp层(传输层)之间, 所以抓到的http层的数据并没有加密。
单独加密的弊端
- 单独用RSA非对称加密的话,客户端解密的时候需要用到私匙,这样无异于裸奔,使得整个加密毫无意义,除非你客户端只加密不解密,服务器直接返回明文,但这样就不是双向加密了
- 单独用AES对称加密的话,加密解密用同一个密匙,密匙就在客户端放着,也是裸奔
AES + RSA 加密思路
-
在启动APP时,本地随机生成AES密匙,不做持久化存储。
-
通信的时候,将AES密匙通过RSA加密发送给服务器,将通信内容用过AES加密发送给服务器,这样服务器通过RSA解密得到AES密匙,再通过AES解密得到通信明文内容。
-
返回数据的时候,服务器通过AES加密返回密文,客户端用过AES解密得到明文。这样,抓包是无法获取AES密匙的,AES密匙只存在于本地内存中
-
总结来说,就是通过AES加密通信内容,RSA加密AES密匙
以下为简单实现过程,在实际线上项目请对公钥进行缓存,ASE私钥定期更新处理,以保证性能和安全两不误!
uinapp片段
创建文件test.vue,内容如下:
<template>
<view>
<button type="warn" @click="test()" plain>测试</button>
<text v-show="res!==null">返回结果:{{res}}</text>
</view>
</template>
<script>
import CryptoJS from '@/js_sdk/encryption/crypto-js/crypto-js';
import JSEncrypt from '@/js_sdk/encryption/jsencrypt/jsencrypt';
export default {
data() {
return {
publicKey: null, // RSA加密公匙
aesKey: null, // AES加密密匙
iv: 'YM_CHAT_TOOLS_MS', //
aesEncryptKey: null, // AES加密密匙的RSA加密字符串
res: null,
}
},
mounted() {
this.initEncryption();
},
methods: {
test() {
let params = {
id: 123,
name: '我爱我家呀~'
};
uni.request({
url: 'http://im.xxx.cn/test.php', //仅为示例,并非真实接口地址。
data: this.EncrypRequestParams(params),
success: (res) => {
this.res = this.DecryptResData(res.data);
console.log('this.res:' + this.res);
}
});
},
DecryptResData(res) //解密返回结果
{
return this.decrypt(res, this.aesKey, this.iv);
},
EncrypRequestParams(params = {}) //加密请求参数
{
if (this.publicKey === null) {
uni.showToast({
title: "请先获取公钥",
duration: 2000,
mask: true
})
return;
}
params.timestamp = this.getTimestamp();
params = this.encrypt(JSON.stringify(params), this.aesKey, this.iv);
params = {
params: params,
aesEncryptKey: this.aesEncryptKey,
};
console.log('params:' + JSON.stringify(params));
return params;
},
//初始化通讯密钥
initEncryption() {
uni.request({
url: 'http://im.xxx.cn/public.key', //仅为示例,并非真实接口地址。
success: (res) => {
this.publicKey = res.data;
this.aesKey = this.initAesKey();
this.aesEncryptKey = this.rsaEncrypt(JSON.stringify(this.aesKey), this.publicKey);
console.log('this.publicKey:' + this.publicKey);
console.log('this.aesKey:' + this.aesKey);
console.log('this.aesEncryptKey:' + this.aesEncryptKey);
console.log('初始化成功');
}
});
},
getTimestamp() //获取10位时间戳
{
let tmp = Date.parse(new Date()).toString();
tmp = tmp.substr(0, 10);
return tmp;
},
// 加密函数
encrypt(str, KEY, IV = '') {
var key = CryptoJS.enc.Utf8.parse(KEY);
var iv = CryptoJS.enc.Utf8.parse(IV);
var encrypted = CryptoJS.AES.encrypt(str, key, {
iv: iv,
mode: CryptoJS.mode.CBC,
padding: CryptoJS.pad.Pkcs7
});
return encrypted.toString();
},
//解密
decrypt(str, KEY, IV = '') {
var key = CryptoJS.enc.Utf8.parse(KEY);
var iv = CryptoJS.enc.Utf8.parse(IV);
var decrypt = CryptoJS.AES.decrypt(str, key, {
iv: iv,
mode: CryptoJS.mode.CBC,
padding: CryptoJS.pad.Pkcs7
});
return decrypt.toString(CryptoJS.enc.Utf8);
},
//公钥加密
rsaEncrypt(word, publicKey) {
const encrypt = new JSEncrypt();
encrypt.setPublicKey(publicKey);
return encrypt.encrypt(word);
},
//生成随机aes秘钥
initAesKey() {
return CryptoJS.MD5(new Date().getTime() + this.randomString(32)).toString();
},
//生成随机字串符
randomString(len) {
len = len || 32;
var $chars = 'ABCDEFGHJKMNPQRSTWXYZabcdefhijkmnprstwxyz2345678'; /****默认去掉了容易混淆的字符oOLl,9gq,Vv,Uu,I1****/
var maxPos = $chars.length;
var pwd = '';
for (let i = 0; i < len; i++) {
pwd += $chars.charAt(Math.floor(Math.random() * maxPos));
}
return pwd;
},
}
}
</script>
php片段
创建test.php,内容如下
<?php
$iv = 'YM_CHAT_TOOLS_MS';
//公钥
$public_key = '-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu8oSJJAAF4+t4JPoP+LV
3qZTp32K/8tCWGfR/+HE4YwVap63pADKfTkJhBtdaVJK++4DZTxp4zmAbNpV9cNt
eAizRcGb1ytyZp+dLjpW3jBE9DarE5xKBkNCFkf2pF5mfE6inlG2lBSYa0MNt8ZY
s7nPmu+qNYlIeshfm8OuEmNuJVRUNHY7jPgEjZq9Z5Q+kA0MJ7P097PSWfR1FJ12
WufsDH93JK4D7C4iACPoU2l1NywVmOGnjtqdjYfZSlu1kpPKAy0USdEDVxwMWR/v
WbK6Jk7rJWvpR7IY/jLWSTSdwPBA/HT/exdU+YT7BwEy2vzD4Ik/fLSj1LEaNyiK
AQIDAQAB
-----END PUBLIC KEY-----';
//私钥解密
$private_key = '-----BEGIN PRIVATE KEY-----
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC7yhIkkAAXj63g
k+g/4tXeplOnfYr/y0JYZ9H/4cThjBVqnrekAMp9OQmEG11pUkr77gNlPGnjOYBs
2lX1w214CLNFwZvXK3Jmn50uOlbeMET0NqsTnEoGQ0IWR/akXmZ8TqKeUbaUFJhr
Qw23xlizuc+a76o1iUh6yF+bw64SY24lVFQ0djuM+ASNmr1nlD6QDQwns/T3s9JZ
9HUUnXZa5+wMf3ckrgPsLiIAI+hTaXU3LBWY4aeO2p2Nh9lKW7WSk8oDLRRJ0QNX
HAxZH+9ZsromTusla+lHshj+MtZJNJ3A8ED8dP97F1T5hPsHATLa/MPgiT98tKPU
sRo3KIoBAgMBAAECggEAEBp/+8qtd1fG3V9Rp0jYdkNlIRPO+6h+g/5DL+I4c+8D
VyVNMi8vLhXaDw4ZsJJyA7ChcekAW4/ux2bhwDWGCakVVoIHzyfWo55EaFZwZJVX
FGoruX7JikfyPt7k86t0tmw33cO8GG67s1cIsh28NY1VlD/BJN4k7QKJ0F2za7gd
ekjIDOmLC3AV8LPwsej9ZBgtZS6q7qo8+JRdHu+qPP2lNlEbInIRCiqjrs8Ymqjn
mq+pjFjTeIb5nYaRJzloiny9/6BsV10tj14KHeakq8azY8zOnP4UhGLbqpSCTzuo
7VDxd/lP8KsRwy9A75fY8mmHX1VtXpXy9jf4Dpx7AQKBgQDeMGoXEk6gSxVhi0dN
KOVe/ux4SCoAjRRmJmaMzOAfscBv17wEr74AamBwiXH2vrZpXgcqaa4t7nNi2pbG
8ZM6G+kBapf9NYTOw4VyLZgYyAflkDrtM/rd4pE8guKOBTtv3EDiCUJw24NjjPh8
+nqwXl+BnYzMbDXry/v6bnyZeQKBgQDYXZStekUgOS3TQgM0NvQkwYXRCFmqMqHO
1DMXUkWTTj0RQK75T1krlPMku/04vlseolVf+m9t51ox7iaEsNq2r3UCs/w4bsj5
hE0a/iBo8+e5sB/oXF16ywKc035XCTaTVnqWHeOqaSSvuh9YYn29PIwM1f2Cu8zQ
n84qO/vayQKBgBPJI+liC/ZiOUkyaesJFUPcV5pucq8R4RsnmEI5jEvGPGi5QVj5
fWX0ExpyYt+iJARGB0VTm9sjPMs0w/B7Wqz2B03E/DvkJCt1ZdDBFqY+SdW7fkPZ
OSHBJ0XIMfyLortXVb/LK0t5gL3As/ANLhe+j6qvKPabPEH/LDUk2ZuhAoGBANEY
hwGrwzgj6hRanEwOu5z15QOhJT4lFliSnBlyqch0+PE+aJqJQ2yp0txyTIJU/Cw7
x3QsyxkUVwcf1tuvKn8YS2VkWWCUN+djIzzt0JZ8+DlsazmcYb60iH7UqSklvzde
gLOoiQd7+zdUEMzSyh9ibxpMh2WbZpFLjusj8v55AoGBAI0dsu0ZW/WGvHYNwpn8
XP8x9N0/RoNyrwd+UnXQg4Kn5jw5NsEyhcfR9h/nl4kpDbnw1OY+TpfzIUABOVwf
VKWZ9VQjNGWxuKrqBSY7ViM8QkHvOVIo4aRRf5ITlmErs3fAh6islj8DJR1HHqFz
xHm/4gaL5CuAB22ljEPUgxir
-----END PRIVATE KEY-----';
$aesEncryptKey = $_GET['aesEncryptKey'];
$content = $_GET['params'];
$return_de = openssl_private_decrypt(base64_decode($aesEncryptKey), $decrypted, $private_key);
if (!$return_de) {
return ('解密失败,请检查RSA秘钥');
}
$decrypted = json_decode($decrypted, true);
$de = openssl_decrypt($content, 'AES-256-CBC', $decrypted, 4, $iv);
$content = [
"data" => [
'time' => date("Y-m-d H:i:s"),
],
"msg" => 'OK',
"code" => 200,
];
$res_en = base64_encode(openssl_encrypt(json_encode($content), "AES-256-CBC", $decrypted, 1, $iv));
echo $res_en;
说明
参数iv事先确认好前后端一致即可,注意是16进制
crypto-js和jsencrypt包下载
在线生成RSA秘钥,推荐长度2048bit,私钥不填即可
