下面是一個工作的C#密碼代碼。CryptoJS AES代碼相當於C#代碼
包括命名空間引用
using System.Web.Script.Serialization;
using System.Security.Cryptography;
using System.Text;
C#代碼來編碼JSON格式的用戶數據
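// Builds an encrypted, URL-safe Base64 token from `user_data` (defined outside this snippet):
// JSON-serialize -> AES-128-CBC/PKCS7 with a key derived from api_key + site_key -> Base64url.
//
// NOTE(review): security caveats of this scheme, kept as-is because the receiving
// side presumably expects exactly this format (confirm against the service's spec):
//   * The IV is all zeros, so encryption is deterministic: identical JSON always
//     yields identical ciphertext, and shared plaintext prefixes are visible.
//   * CBC is used without a MAC, so the receiver cannot detect tampering. If the
//     protocol can be changed, use authenticated encryption or encrypt-then-MAC.
//   * The key is a truncated unsalted SHA-1 of the secrets, not a real KDF.
//   * api_key and site_key are hard-coded; in real code load them from protected
//     configuration or a secret store and rotate any key that was published.

// Encode the data into a JSON object
JavaScriptSerializer s = new JavaScriptSerializer();
string json_data = s.Serialize(user_data);

string site_key = "84129";
string api_key = "0d2c15da-b36f-4a9c-8f44-93eb95811e2e-05e1fb36-54aa-44fc-888e-45d2669c3013";

// 16 zero bytes (one AES block); see the IV caveat above.
byte[] bIV = new byte[16];

// Using byte arrays now instead of strings
byte[] encrypted = null;

// NOTE(review): Encoding.ASCII replaces every non-ASCII character with '?', so names or
// e-mail addresses outside ASCII are silently altered before encryption - confirm which
// encoding the receiver expects before changing it.
byte[] data = Encoding.ASCII.GetBytes(json_data);

// Use the AesManaged object to do the encryption
using (AesManaged aesAlg = new AesManaged())
{
    // CBC and PKCS7 are the AesManaged defaults; stated explicitly so the
    // parameters that the other side must match are visible.
    aesAlg.Mode = CipherMode.CBC;
    aesAlg.Padding = PaddingMode.PKCS7;
    aesAlg.IV = bIV;
    aesAlg.KeySize = 16 * 8;

    // Derive the 16-byte key: SHA-1(api_key + site_key), truncated from 20 to 16 bytes.
    byte[] saltedHash;
    using (SHA1 sha1 = SHA1.Create())
    {
        saltedHash = sha1.ComputeHash(Encoding.ASCII.GetBytes(api_key + site_key));
    }
    Array.Resize(ref saltedHash, 16);
    aesAlg.Key = saltedHash;

    // Encrypt using the AES Managed object. The transform and both streams are
    // disposed so key material is not left in undisposed objects.
    using (ICryptoTransform encryptor = aesAlg.CreateEncryptor())
    using (MemoryStream msEncrypt = new MemoryStream())
    {
        using (CryptoStream csEncrypt = new CryptoStream(msEncrypt, encryptor, CryptoStreamMode.Write))
        {
            csEncrypt.Write(data, 0, data.Length);
            csEncrypt.FlushFinalBlock(); // emits the final padded block
        }
        // ToArray() still works after the CryptoStream has closed the MemoryStream.
        encrypted = msEncrypt.ToArray();
    }
}

// The Base64-encoded encrypted data, converted to the URL-safe alphabet.
string encodedData = Convert.ToBase64String(encrypted, Base64FormattingOptions.None)
    .TrimEnd('=')       // Remove trailing equal (=) characters
    .Replace("+", "-")  // Change any plus (+) characters to dashes (-)
    .Replace("/", "_"); // Change any slashes (/) characters to underscores (_)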
注:json_data字符串類似如下:
{ "email": "[email protected]", "name": "chandresh", "expires": "2013-07-05T11:47:32" }
我已經嘗試編寫與上面可正常工作的C#代碼等效的CryptoJS代碼。
不知何故,加密/編碼得到的encodedData無效。請幫忙檢查JavaScript版本中對密鑰所做的Base64編碼。
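// CryptoJS counterpart of the C# snippet: AES-128-CBC/PKCS7 with an all-zero IV and a
// key taken from the first 16 bytes of SHA-1(api_key + site_key), output as Base64url.
//
// NOTE(review): if this script is served to a browser, api_key is readable by every
// visitor and anyone holding it can mint tokens; generate the token server-side instead.
// The fixed IV and the absence of a MAC are properties of the scheme being matched,
// not something this snippet can change on its own.
var json_data = '{"email":"[email protected]","name":"chandresh","expires":"2013-07-05T11:47:32"}';
var site_key = "84129";
var api_key = "0d2c15da-b36f-4a9c-8f44-93eb95811e2e-05e1fb36-54aa-44fc-888e-45d2669c3013";

// CryptoJS expects the IV as a WordArray, not a plain JS array: 16 zero bytes.
var _iv = CryptoJS.enc.Hex.parse("00000000000000000000000000000000");
var options = { mode: CryptoJS.mode.CBC, padding: CryptoJS.pad.Pkcs7, iv: _iv };

// Create the 16-byte salted hash: truncate the 20-byte SHA-1 digest to 16 bytes.
var saltedHash = CryptoJS.SHA1(api_key + site_key);
saltedHash.sigBytes = 16;
saltedHash.clamp(); // drop the words beyond sigBytes

// The key must stay a WordArray. Passing a string (the original Base64-stringified
// hash) makes CryptoJS treat it as a passphrase and derive a different key from it,
// which is why the output did not match the C# version.
var encrypted = CryptoJS.AES.encrypt(json_data, saltedHash, options);

// the Base64-encoded encrypted data
var encodedData = encrypted.ciphertext.toString(CryptoJS.enc.Base64);
// String.prototype.trimEnd() takes no argument and only strips whitespace,
// so the padding has to be removed with a regular expression.
encodedData = encodedData.replace(/=+$/, "");   // Remove trailing equal (=) characters
encodedData = encodedData.replace(/\+/g, "-");  // Change any plus (+) characters to dashes (-)
encodedData = encodedData.replace(/\//g, "_");  // Change any slashes (/) characters to underscores (_)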
+1我同意這兩個加密問題,並且會添加,因爲這很可能是一個web服務,這種只有普通AES-CBC w/PKCS7填充加密的設計使得選擇的密文攻擊可以很容易地恢復明文。 – jbtule
@jbtule而且這甚至只有在padding oracles不適用的情況下才適用,在這種情況下,明文很容易獲得。 - 基本上我必須將我的填充oracle攻擊應用程序指向正確的位置。 –
@ntoskrnl,您說得對,應當去掉JavaScript版本中對密鑰的Base64編碼,即刪除這一行:`saltedHash = CryptoJS.enc.Base64.stringify(saltedHash);`。另外,_iv的初始化也更新爲:`var _iv = CryptoJS.enc.Base64.parse([]);`。謝謝你的一切 –