数据库身份证号加密密码加密_使用密码加密数据

数据库身份证号加密密码加密

介绍 (Introduction)

When we’re encrypting data, typically we will create a random key that is able to decrypt that data. In some specific cases one wants to use a user specified key to decrypt that data like a password. However, the key that is used for cryptographic algorithms typically needs to be at least 32 bytes. But, it is likely that our password won’t make that criteria, so we need to have a solution for that. Recently, I needed such a method, and in this post I’ll lay out what I’ve done in order to solve it. But before we get into the nitty-gritty.

当我们加密数据时，通常我们将创建一个能够解密该数据的随机密钥。 在某些特定情况下，您想使用用户指定的密钥来解密该数据，例如密码。 但是，用于加密算法的密钥通常需要至少32个字节。 但是，很可能我们的密码不能满足该条件，因此我们需要一个解决方案。 最近，我需要这样一种方法，在这篇文章中，我将列出解决该问题的方法。 但是在我们深入了解之前。

DISCLAIMER: I’m not an expert at encryption, I’ve mentioned the sources that I’ve used to come to the solutions provided in this post. I implore you read/watch those sources to better understand it. And, as such if there are any errors in the post/code please let me know or leave a comment so I can update it, so that there is no perpetuation of wrong methods/techniques.

免责声明 ：我不是加密方面的专家，我已经提到过我用于本文中提供的解决方案的资源。 我恳请您阅读/观看这些资料，以更好地理解它。 并且，因此，如果邮编/代码中有任何错误，请让我知道或发表评论，以便我进行更新，这样就不会永久保留错误的方法/技术。

OK, since we’ve got that out of the way, let’s begin! (Note: you can also view this post here)

好的，既然我们已经解决了这个问题，那就开始吧！ (注意：您也可以在此处查看此帖子)

加密 (Encrypt)

Let’s first start with encrypting our data. We’ll start with creating the Encrypt function that will accept a key and a data argument. Based on that we will encrypt the data that can be decrypted using the key. First, we will generate that key by using 32 random bytes, later on we'll replace that with our password. Below, shows the code that is able to encrypt our data, provided by a generated key.

首先让我们加密数据。 我们将从创建Encrypt函数开始，该函数将接受key和data参数。 基于此，我们将加密可以使用key解密的数据。 首先，我们将使用32个随机字节来生成该密钥，然后将其替换为密码。 下面显示了能够加密我们的数据的代码，该代码由生成的密钥提供。

import (
    "crypto/aes"
    "crypto/cipher"
    "crypto/rand"
)
func Encrypt(key, data []byte) ([]byte, error) {
       
    blockCipher, err := aes.NewCipher(key)
    if err != nil {
       
        return nil, err
    }
    gcm, err := cipher.NewGCM(blockCipher)
    if err != nil {
       
        return nil, err
    }
    nonce := make([]byte, gcm.NonceSize())
    if _, err = rand.Read(nonce); err != nil {
       
        return nil, err
    }
    ciphertext := gcm.Seal(nonce, nonce, data, nil)
    return ciphertext, nil
}

So, let’s go over the code, and inspect what we’re doing.

因此，让我们看一下代码，检查我们在做什么。

func Encrypt(key, data []byte) ([]byte, error)

First, we start by creating our Encrypt function, and it will accept a key and a data argument. We'll be using a byte slice instead of an io.Reader as the data argument. While using io.Reader would allow us to use the Encrypt function with every other type that implements the io.Reader interface. (Ryer 2015) It is however because of the nature of io.Reader, being a stream of data, that when we want to decrypt the ciphertext, we need to see it in its entirety. A solution would be to break the stream into discrete chunks, however this would add significant complexity to the problem.¹ (Isom 2015)

首先，我们从创建我们的Encrypt函数开始，它将接受一个key和一个data参数。 我们将使用byte片而不是io.Reader作为data参数。 在使用io.Reader ，我们可以将Encrypt函数与其他所有实现io.Reader接口的类型一起使用。 ( 2015年 ，赖尔)但是由于io.Reader的本质(作为数据流)，当我们想要解密ciphertext ，我们需要完整地查看它。 一种解决方案是将流分成离散的块，但这将大大增加问题的复杂性。 ¹ (Isom 2015 )

blockCipher, err := aes.NewCipher(key)

We’re initializing the block cipher based on the key that we provided. Here we're using the crypto/aes² package that implements the AES³ ⁴ (Advanced Encryption Standard) encryption algorithm. AES is a symmetric-key encryption algorithm, that will be secure enough for modern use cases. Additionally, AES uses hardware acceleration on most platforms, so it'll be pretty fast to use. (Tankersley 2016)

我们正在根据提供的key初始化分组密码。 这里，我们使用的crypto/aes ²包实现了AES ³ ⁴ (高级加密标准)加密算法。 AES是一种对称密钥加密算法，对于现代用例而言，它将足够安全。 此外，AES在大多数平台上都使用硬件加速，因此使用起来会非常快。 (Tankersley 2016 )

gcm, err := cipher.NewGCM(blockCipher)

Here we’re wrapping the block cipher, with a specific mode. We do this because we shouldn’t use a cipher.Block interface directly. This is because the block cipher only encrypts 16 bytes of data, nothing more. So if you would call blockCiper.Encrypt() it would only encrypt the first 16 bytes. Thus we need something on top of that, and wrap the block cipher, and those are called modes. Again we have several modes to choose from, and here we're going to use the Galois Counter Mode (GCM)⁵, with a standard nonce length.

在这里，我们使用特定的模式包装分组密码。 我们这样做是因为我们不应该直接使用cipher.Block接口。 这是因为分组密码仅加密16个字节的数据，仅此而已。 因此，如果您调用blockCiper.Encrypt() ，它将仅加密前16个字节。 因此，我们需要最重要的东西，并包装分组密码，这些被称为mode 。 同样，我们有几种模式可供选择，在这里，我们将使用具有标准随机数长度的Galois计数器模式 (GCM) ⁵ 。

Only GCM provides authenticated encryption, and it implements the cipher.AEAD interface (Authenticated Encryption with Associated Data)⁶. Authenticated encryption means that not only is your data going to be confidential, secret, and encrypted, it's also now going to be tamper proof. If someone alters the ciphertext you will not then be able to validly decrypt it. When you're using authenticated encryption and someone messes with your data it just fails to decrypt. (Tankersley 2016; Isom 2015)

只有GCM提供认证加密，并实现了cipher.AEAD接口(认证加密与相关数据) ⁶ 。 经过身份验证的加密意味着不仅您的数据将是机密，机密和加密的，而且现在也将是防篡改的。 如果有人更改了ciphertext您将无法对其进行有效解密。 当您使用经过身份验证的加密时&#