ActionScript 3 - PHP sending data via AMF (or whatever) encrypted

I need help with two things:

  1. Advice on an encryption algorithm that I can use to encode data on the server, send it to AS3 client and decode it there. From what I read, Public - Private Key sounds good.

  2. An AS3 library that can encode and decode that is compatible with PHP's bcrypt (again, I read bcrypt is best for this kind of data transmission).

I'm not a security expert, I hope the question is clear and not clumsy.

EDIT: As suggested, SSL is a great option, but at the moment I am looking for non-SSL ones.

Thank you.


What's your threat model? If you're only worried about people sniffing the data while it's on the wire, then use SSL. It'll be transparent to your app, and generally you only have to install a cert and change your URLs from http:// to https://.

If your major threat is someone running a debugger on the app to catch the data, then you've got a massively bigger problem and will be highly unlikely to ever stop someone from "stealing" the data.


A bump to @Marc B for pointing out that SSL is perfectly secure, but if you absolutely need custom encryption...

If the server supports mcrypt (most PHP implementations do), then you can use any of the encryption methods provided by mcrypt (including modern AES implementations, IDEA, TEA, etc, etc, etc [it's a long list actually]). However, the php script (of course) must be written to expect encrypted data.

Check out http://php.net/manual/en/book.mcrypt.php for information about PHP's implementation of mcrypt.

EDIT: A quick dump of print_r(mcrypt_list_algorithms()) on a nearly stock Fedora box with php-mcrypt installed shows...

Array
(
    [0] => cast-128
    [1] => gost
    [2] => rijndael-128
    [3] => twofish
    [4] => arcfour
    [5] => cast-256
    [6] => loki97
    [7] => rijndael-192
    [8] => saferplus
    [9] => wake
    [10] => blowfish-compat
    [11] => des
    [12] => rijndael-256
    [13] => serpent
    [14] => xtea
    [15] => blowfish
    [16] => enigma
    [17] => rc2
    [18] => tripledes
)

rijndael is AES. Some are better than others for different reasons, while some are just junk (like DES).
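
An added example, not part of the answer above or of any library named on this page: one way the PHP side could encrypt and authenticate a payload with AES-128 (the answer's rijndael-128) in CBC mode before sending it to the client. It assumes PHP 7+ with the OpenSSL extension in place of mcrypt; the function names and key handling are hypothetical, and the client would need the same two keys embedded in it.

```php
<?php
// Added illustration: function names and key handling are assumptions.
function encrypt_payload(string $plaintext, string $encKey, string $macKey): string
{
    $iv = random_bytes(16); // fresh random IV per message (AES block size)
    $ct = openssl_encrypt($plaintext, 'aes-128-cbc', $encKey, OPENSSL_RAW_DATA, $iv);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    // Encrypt-then-MAC: the tag covers IV and ciphertext.
    $tag = hash_hmac('sha256', $iv . $ct, $macKey, true);
    return base64_encode($iv . $ct . $tag);
}

function decrypt_payload(string $payload, string $encKey, string $macKey): string
{
    $raw = base64_decode($payload, true);
    // 16-byte IV + at least one 16-byte block + 32-byte HMAC-SHA256 tag
    if ($raw === false || strlen($raw) < 64) {
        throw new RuntimeException('malformed payload');
    }
    $iv  = substr($raw, 0, 16);
    $ct  = substr($raw, 16, -32);
    $tag = substr($raw, -32);
    // Verify in constant time before touching the ciphertext.
    if (!hash_equals(hash_hmac('sha256', $iv . $ct, $macKey, true), $tag)) {
        throw new RuntimeException('authentication failed');
    }
    $pt = openssl_decrypt($ct, 'aes-128-cbc', $encKey, OPENSSL_RAW_DATA, $iv);
    if ($pt === false) {
        throw new RuntimeException('decryption failed');
    }
    return $pt;
}

// Constructed demo keys and payload; real keys would be provisioned once.
$encKey = random_bytes(16);
$macKey = random_bytes(32);
$wire = encrypt_payload('{"score":1200}', $encKey, $macKey);
echo decrypt_payload($wire, $encKey, $macKey), PHP_EOL;

// Flip one ciphertext bit: the MAC check rejects the message.
$raw = base64_decode($wire);
$raw[20] = chr(ord($raw[20]) ^ 1);
try {
    decrypt_payload(base64_encode($raw), $encKey, $macKey);
} catch (RuntimeException $e) {
    echo 'tampered payload rejected: ', $e->getMessage(), PHP_EOL;
}
```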


If you don't mind about someone using a client-side debugger, just use an ActionScript library such as as3crypto; it should have everything you need to decode whatever data PHP sends.

There's no point bothering with public-private key encryption, because you'll have to embed your private key in the SWF, thus making it public.
