PHP加密解密与密码安全实践

PHP加密解密与密码安全实践

加密是保障数据安全的核心技术。PHP提供了多种加密工具，从密码哈希到对称加密、非对称加密都有。今天说说PHP中各种加密算法的使用。

密码存储是基础中的基础。PHP提供了password_hash和password_verify。

```php
$password = 'MySecurePassword123!';
$hash = password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
echo "哈希: $hash\n";

if (password_verify($password, $hash)) {
echo "密码验证成功\n";
}

if (password_needs_rehash($hash, PASSWORD_ARGON2ID)) {
$newHash = password_hash($password, PASSWORD_ARGON2ID);
echo "已升级到Argon2ID\n";
}
?>
```

对称加密用openssl扩展。AES-256-GCM是推荐算法。

```php
function encrypt(string $plaintext, string $key): string
{
$iv = random_bytes(12);
$tag = '';
$ciphertext = openssl_encrypt($plaintext, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
return base64_encode($iv . $tag . $ciphertext);
}

function decrypt(string $data, string $key): string
{
$decoded = base64_decode($data);
$iv = substr($decoded, 0, 12);
$tag = substr($decoded, 12, 16);
$ciphertext = substr($decoded, 28);
return openssl_decrypt($ciphertext, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
}

$key = random_bytes(32);
$secret = "机密消息";
$encrypted = encrypt($secret, $key);
echo "加密: $encrypted\n";

$decrypted = decrypt($encrypted, $key);
echo "解密: $decrypted\n";
?>
```

非对称加密用公钥加密私钥解密。

```php
class RSAEncryption
{
private string $privateKey;
private string $publicKey;

public function __construct()
{
$resource = openssl_pkey_new(['private_key_bits' => 2048]);
openssl_pkey_export($resource, $this->privateKey);
$details = openssl_pkey_get_details($resource);
$this->publicKey = $details['key'];
}

public function encrypt(string $data): string
{
$encrypted = '';
openssl_public_encrypt($data, $encrypted, $this->publicKey);
return base64_encode($encrypted);
}

public function decrypt(string $data): string
{
$decrypted = '';
openssl_private_decrypt(base64_decode($data), $decrypted, $this->privateKey);
return $decrypted;
}

public function sign(string $data): string
{
$signature = '';
openssl_sign($data, $signature, $this->privateKey);
return base64_encode($signature);
}

public function verify(string $data, string $signature): bool
{
return openssl_verify($data, base64_decode($signature), $this->publicKey) === 1;
}
}

$rsa = new RSAEncryption();
$message = "重要消息";

$encrypted = $rsa->encrypt($message);
echo "RSA加密: $encrypted\n";

$decrypted = $rsa->decrypt($encrypted);
echo "RSA解密: $decrypted\n";

$signature = $rsa->sign($message);
echo "签名验证: " . ($rsa->verify($message, $signature) ? '通过' : '不通过') . "\n";
?>
```

数据签名用于验证完整性和来源。

```php
function signData(array $data, string $secret): string
{
ksort($data);
return hash_hmac('sha256', json_encode($data), $secret);
}

function verifySignature(array $data, string $signature, string $secret): bool
{
return hash_equals(signData($data, $secret), $signature);
}

$secret = 'api-secret-key';
$data = ['user_id' => 123, 'amount' => 99.99, 'timestamp' => time()];
$sig = signData($data, $secret);

echo "数据签名: $sig\n";
echo "验证: " . (verifySignature($data, $sig, $secret) ? '通过' : '不通过') . "\n";

$tampered = $data;
$tampered['amount'] = 9999.99;
echo "篡改验证: " . (verifySignature($tampered, $sig, $secret) ? '通过' : '不通过') . "\n";
?>
```

加密算法的选择根据场景来定。密码存储用password_hash，数据传输用TLS，数据加密用AES-256-GCM，数字签名用RSA。密钥管理比加密算法本身更重要，建议使用专业的密钥管理服务。