我正在尝试使用Javascript加密并在Python / Django中解密相同的数据。
免责声明:不是生产级别的代码,而是要学习的概念
我通过Diffie Hellman(使用jQuery的Ajax)生成了一个密钥,并将其传递给下面的加密函数。输入通常是JSON格式的ID和密码。
这是加密的方式。 {在某处找到代码。}
function toWordArray(str){
return CryptoJS.enc.Utf8.parse(str);
}
function toString(words){
return CryptoJS.enc.Utf8.stringify(words);
}
function toBase64String(words){
return CryptoJS.enc.Base64.stringify(words);
}
function encrypt(input, key){
console.log("Input: " + input);
var PROTOCOL_AES256 = 2;
var secret_key = CryptoJS.SHA256(key);
var header = toWordArray("AMAZON" + String.fromCharCode(PROTOCOL_AES256));
var iv = CryptoJS.lib.WordArray.random(16);
var body = CryptoJS.AES.encrypt(input, secret_key, {iv: iv});
// construct the packet
// HEADER + IV + BODY
header.concat(iv);
header.concat(body.ciphertext);
console.log("Bytes before Base64 encoding: " + header); //Line 1
// encode in base64
return toBase64String(header);
}
我得到的输出如下:
final key: 47 signin:119:33
Input: {"name":"Buzz","password":"lightyear"} signin:55:25
Bytes before Base64 encoding: 414d415a4f4e02e8ec9b8a949eb754e305acfbe5207f1ebe75272c18146bca57ce399928c0ffd7e506d90e11b011da42b1bd8d2393ec59cc926cef33c2121da3f48dfd59925138 signin:67:25
Payload: QU1BWk9OAujsm4qUnrdU4wWs++Ugfx6+dScsGBRrylfOOZkowP/X5QbZDhGwEdpCsb2NI5PsWcySbO8zwhIdo/SN/VmSUTg= signin:137:37
XHRGEThttp://127.0.0.1:8000/Shenzen/actsignin/?encrypted_string=QU1BWk9OAujsm4qUnrdU4wWs%2B%2BUgfx6%2BdScsGBRrylfOOZkowP%2FX5QbZDhGwEdpCsb2NI5PsWcySbO8zwhIdo%2FSN%2FVmSUTg%3D
[HTTP/1.1 500 Internal Server Error 24ms]
AES failed.
现在我按如下所示在python中对其进行解码:
encrypted_string = request.GET['encrypted_string']
print("Encrypted string decoded: ",base64.b64decode(encrypted_string)) #Line 2
print("----")
sha256_key = SHA256.new(data=bytes(key))
cipher = AES.new(sha256_key.digest(),AES.MODE_CBC)
print(cipher.decrypt(base64.b64decode(encrypted_string)))
[12/Oct/2019 18:39:41] "GET /Shenzen/dh/?step=calcval&level1=37 HTTP/1.1" 200 16
Encrypted string decoded: b"AMAZON\x02\xcb0\xb5~ \xbf<\x96\x16\x0eJY@\x88\xfe\x94\xc28\xf2j\x19n\x8f\x8d\xdb\xb6yc\x89-L\x93\xa3\x9f\xc3i\xd5\xf4e4'|\xa1\x1f\x9d\xb9k\x95O\xb9<\xc3\xa0\xd7\xa6B^\x85+SSToe"
----
Internal Server Error: /Shenzen/actsignin/
Traceback (most recent call last):
File "/home/tarunmaganti/Documents/AbhiramSlavery/ProjectLogin/hell/lib/python3.6/site-packages/django/core/handlers/exception.py", line 34, in inner
response = get_response(request)
File "/home/tarunmaganti/Documents/AbhiramSlavery/ProjectLogin/hell/lib/python3.6/site-packages/django/core/handlers/base.py", line 115, in _get_response
response = self.process_exception_by_middleware(e, request)
File "/home/tarunmaganti/Documents/AbhiramSlavery/ProjectLogin/hell/lib/python3.6/site-packages/django/core/handlers/base.py", line 113, in _get_response
response = wrapped_callback(request, *callback_args, **callback_kwargs)
File "/home/tarunmaganti/Documents/AbhiramSlavery/ProjectLogin/UrbanHell/Shenzen/views.py", line 67, in actsignin
print(cipher.decrypt(base64.b64decode(encrypted_string)))
File "/home/tarunmaganti/Documents/AbhiramSlavery/ProjectLogin/hell/lib/python3.6/site-packages/Crypto/Cipher/_mode_cbc.py", line 246, in decrypt
raise ValueError("Data must be padded to %d byte boundary in CBC mode" % self.block_size)
ValueError: Data must be padded to 16 byte boundary in CBC mode
[12/Oct/2019 18:39:44] "GET /Shenzen/actsignin/?encrypted_string=QU1BWk9OAsswtX4gvzyWFg5KWUCI%2FpTCOPJqGW6Pjdu2eWOJLUyTo5%2FDadX0ZTQnfKEfnblrlU%2B5PMOg16ZCXoUrU1NUb2U%3D HTTP/1.1" 500 17651put
我希望第1行和第2行的输出相等,但这是我得到的:
Javascript Bytes before Base64 encoding: 414d415a4f4e02e8ec9b8a949eb754e305acfbe5207f1ebe75272c18146bca57ce399928c0ffd7e506d90e11b011da42b1bd8d2393ec59cc926cef33c2121da3f48dfd59925138 signin:67:25
Python Encrypted string decoded: b"AMAZON\x02\xcb0\xb5~ \xbf<\x96\x16\x0eJY@\x88\xfe\x94\xc28\xf2j\x19n\x8f\x8d\xdb\xb6yc\x89-L\x93\xa3\x9f\xc3i\xd5\xf4e4'|\xa1\x1f\x9d\xb9k\x95O\xb9<\xc3\xa0\xd7\xa6B^\x85+SSToe"
您能解释发生了什么吗?如何获得与javascript相同的字符串?或如何将Python中的字符串转换为可解密(?)数据。
在JavaScript代码中,标头(如十六进制字符串:414d415a4f4e02
),随机生成的IV和密文被连接起来并进行Base64编码。在Python代码中,连接的数据经过Base64解码。但是,似乎没有执行拆分为标头,IV和密文的操作。因此,解密缺少密文和IV。代替密文,将连接的数据用于解密,这是错误的。而且创建的AES实例没有IV,这也是错误的。
在JavaScript端,连接的数据之前 Base64编码的十六进制表示形式为:
414d415a4f4e02e8ec9b8a949eb754e305acfbe5207f1ebe75272c18146bca57ce399928c0ffd7e506d90e11b011da42b1bd8d2393ec59cc926cef33c2121da3f48dfd59925138
在Python端,连接数据之后 Base64解码的十六进制表示形式为:
414d415a4f4e02cb30b57e20bf3c96160e4a594088fe94c238f26a196e8f8ddbb67963892d4c93a39fc369d5f46534277ca11f9db96b954fb93cc3a0d7a6425e852b5353546f65
数据显然从IV开始(即,从第8个字节开始,包括第8个字节)开始有所不同。 JavaScript代码每次运行都会生成随机IV,因此每次运行的密文也不同。这两个数据很可能来自different运行,因为开始是相同的,并且偏差从每次运行中随机生成的部分开始。否则,必须以这种独特的方式在其他地方更改数据(并且可能不必通过发布的代码更改)。
也可能有填充问题。 CryptoJS默认使用PKCS7填充。相反,默认情况下PyCrypto / PyCryptodome不使用填充(即用户必须手动填充),因此Python端的填充在解密期间可能不会自动删除。