This is the 12th day of my participation in Gwen Challenge
IOS basic principles + reverse article summary
This paper is mainly symmetric algorithm terminal demonstration + code demonstration
OpenSSL terminal demo
The following uses DES, AES, ECB, and CBC to demonstrate the terminal commands
Encrypts the “Hello” stringecho -n hello | openssl enc -aes-128-ecb -K 616263 -nosalt | base64
Encrypts the “Hello” stringecho -n hello | openssl enc -aes-128-cbc -iv 0102030405060708 -K 616263 -nosalt | base64
decryptionEcho -n d1QG4T2tivoi0Kiu3NEmZQ = = | | base64 - D openssl enc - aes - 128 - the ECB - 616263 - K nosalt - D
decryptionEcho -n u3W/N816uzFpcg6pZ + KBDG = = | | base64 - D openssl enc - aes - 128-616263-0102030405060708 - K CBC to iv nosalt - D
- vi abc.txt
Copy the code
- Symmetric encryption (salted by default) :
openssl enc -des-ecb -K 016263 -nosalt -in abc.txt -out msg1.bin
Enc: indicates the encryption mode, which is symmetric encryption
Msg1. bin: binary file
- Viewing binaries:
xxd msg1.bin
Repeat the first two for the secondZero, 88
000000000000 111111111111 222222222222 880000000000 111111111111 222222222222 000000000000......Copy the code
View the encrypted ciphertext binary and compare it with the previous one
Changed: 931F 4A54 79bf 730f 4453 2DF5 E152 38F1 has become C7E1 1DE2 C778 9DF6 4D79 8BEC 04AD 08C4. The minimum unit of two characters is 16 bytes
If you change 1 character, the minimum unit is 8 bytes. So during encryption, the minimum is 8 bytes
2. DES + CBC
Vi abc.txt (same as in 1)
Encryption: openssl ENc-des-CBC-k 616263-iv 0102030405060708 -nosalt in abc.txt -out msg3.bin
Change one character to get msg4.bin
-iv: vector representation
616263: encrypted key, also can be changed to ABC
Contrast with ECB mode: from the second, the binary is different (CBC is chain-encrypted)
Note: the rest AES+ECB, AES+CBC, please exercise by yourself, here will not do the demonstration
Code demo
DES, AES, ECB and CBC are also used for demonstration
- (void)testEnc{// AES + ECB NSString *key = @" ABC "; NSString *encStr = [[EncryptionTools sharedEncryptionTools] encryptString:@"hello" keyString:key iv:nil]; NSLog(@"AES + ECB : %@", encStr); } <! AES + ECB: d1QG4T2tivoi0Kiu3NEmZQ== <! - end command - > $echo -n hello | openssl enc - aes - 128 - the ECB - 616263 - K nosalt | base64 / / and the program is running the result is the same d1QG4T2tivoi0Kiu3NEmZQ = = $ echo -n d1QG4T2tivoi0Kiu3NEmZQ== | base64 -D |openssl enc -aes-128-ecb -K 616263 -nosalt -d hello%Copy the code
Echo -n hello Displays hello
| : it means the output operator
Note: DES and AES encryption strength is different
Uint8_t iv[8] = {1, 2, 3, 4, 5, 6, 7, 8}; NSData *data = [NSData dataWithBytes:iv length:sizeof(iv)]; NSString *key = @"abc"; NSString *encStr = [[EncryptionTools sharedEncryptionTools] encryptString:@"hello" keyString:key iv:data]; // Decrypt NSString * decStr = [[EncryptionTools sharedEncryptionTools] decryptString:encStr keyString:key iv:data]; NSLog(@"AES + CBC : %@", encStr); NSLog(@"AES + CBC : %@", decStr); } AES + CBC: u3W/N816uzFpcg6pZ+ KBDG == AES + CBC: hello <! - end command - > $echo -n hello | openssl enc - aes - 128 - CBC - K 616263-0102030405060708 - iv nosalt | base64 u3W/N816uzFpcg6pZ+kbdg== $ echo -n u3W/N816uzFpcg6pZ+kbdg== | base64 -D |openssl enc -aes-128-cbc -K 616263 -iv 0102030405060708 -nosalt -d hello%Copy the code
- (void)testEnc{// 2, DES + ECB [EncryptionTools sharedEncryptionTools]. Algorithm = kCCAlgorithmDES; NSString *key = @"abc"; NSString *encStr = [[EncryptionTools sharedEncryptionTools] encryptString:@"hello" keyString:key iv:nil]; NSLog(@"DES + ECB : %@", encStr); } DES + ECB: HQr0Oij2kbo= <! - end command - > $echo -n hello | openssl enc - des - the ECB - 616263 - K nosalt | base64 HQr0Oij2kbo = $echo -n HQr0Oij2kbo = | base64 -D | openssl enc -des-ecb -K 616263 -nosalt -d hello%Copy the code
4. DES + CBC
- (void)testEnc{// 4, DES + CBC [EncryptionTools sharedEncryptionTools]. Algorithm = kCCAlgorithmDES; uint8_t iv[8] = {1, 2, 3, 4, 5, 6, 7, 8}; NSData *data = [NSData dataWithBytes:iv length:sizeof(iv)]; NSString *key = @"abc"; NSString *encStr = [[EncryptionTools sharedEncryptionTools] encryptString:@"hello" keyString:key iv:data]; // Decrypt NSString * decStr = [[EncryptionTools sharedEncryptionTools] decryptString:encStr keyString:key iv:data]; NSLog(@"AES + CBC : %@", encStr); NSLog(@"AES + CBC : %@", decStr); AES + CBC: alvrvb3Gz88= AES + CBC: hello <! - end command - > $echo -n hello | openssl enc - des - CBC - K 616263-0102030405060708 - iv nosalt | base64 alvrvb3Gz88 = $echo -n alvrvb3Gz88= | base64 -D | openssl enc -des-cbc -K 616263 -iv 0102030405060708 -nosalt -d hello%Copy the code
Encryption and decryption implementation
The following is the complete symmetric encryption and decryption code package of DES and AES
<! # - h - > import < Foundation/Foundation. H > # import < CommonCrypto/CommonCrypto. H > / * * * * * DES terminal test instructions (ECB) encryption * $echo - n Hello | openssl enc - des - the ECB - 616263 - K nosalt | base64 encryption (CBC) * * * des $echo -n hello | openssl enc - des - CBC - iv The 616263-0102030405060708 - K nosalt | base64 AES encryption (ECB) * * * $echo -n hello | openssl enc - AES - 128 - the ECB - 616263 K - nosalt | base64 AES encryption (CBC) * * * $echo -n hello | openssl enc - AES - 128-616263-0102030405060708 - K CBC to iv nosalt | Base64 DES (ECB) decryption * * * $echo -n HQr0Oij2kbo = | | base64 - D openssl enc - DES - the ECB - K 616263 - nosalt - D * * * DES (CBC) decryption $echo -n alvrvb3Gz88 = | | base64 - D openssl enc - des - CBC - 0102030405060708 - K 616263 - iv nosalt - D * * * $AES (ECB) decryption Echo -n d1QG4T2tivoi0Kiu3NEmZQ = = | | base64 - D openssl enc - aes - 128 - the ECB - 616263 - nosalt - D * * K aes (CBC) decryption * $echo - n U3W/N816uzFpcg6pZ + KBDG = = | | base64 - D openssl enc - aes - 128-616263-0102030405060708 - K CBC to iv nosalt - D * * note: */ @interface EncryptionTools: NSObject + (instancetype)sharedEncryptionTools; /** @constant kCCAlgorithmAES Advanced Encryption standard, */ @property (Nonatomic, assign) Uint32_t algorithm; /** * encrypt string and return Base64 encoded string ** @param String String to be encrypted * @param keyString Encryption key * @param IV initialization vector (8 bytes) ** @return Returns the base64 encoded string */ - (NSString *)encryptString:(NSString *)string keyString:(NSString *)keyString iv:(NSData *)iv; /** * decrypted string ** @param String Encrypted and Base64 encoded string * @param keyString Decryption key * @param IV initialization vector (8 bytes) ** @return Returns the decrypted string */ - (NSString *)decryptString:(NSString *)string keyString:(NSString *)keyString iv:(NSData *)iv; @end <! --m--> #import "EncryptionTools.h" @interface EncryptionTools() @property (nonatomic, assign) int keySize; @property (nonatomic, assign) int blockSize; @end @implementation EncryptionTools + (instancetype)sharedEncryptionTools { static EncryptionTools *instance; static dispatch_once_t onceToken; dispatch_once(&onceToken, ^{ instance = [[self alloc] init]; instance.algorithm = kCCAlgorithmAES; }); return instance; } - (void)setAlgorithm:(uint32_t)algorithm { _algorithm = algorithm; switch (algorithm) { case kCCAlgorithmAES: self.keySize = kCCKeySizeAES128; self.blockSize = kCCBlockSizeAES128; break; case kCCAlgorithmDES: self.keySize = kCCKeySizeDES; self.blockSize = kCCBlockSizeDES; break; default: break; }} - (NSString *)encryptString:(NSString *)string keyString:(NSString *)keyString iv:(NSData *)iv {// set the secret key NSData *keyData = [keyString dataUsingEncoding:NSUTF8StringEncoding]; uint8_t cKey[self.keySize]; bzero(cKey, sizeof(cKey)); [keyData getBytes:cKey length:self.keySize]; // Set the iv uint8_t cIv[self.blocksize]; bzero(cIv, self.blockSize); int option = 0; if (iv) { [iv getBytes:cIv length:self.blockSize]; option = kCCOptionPKCS7Padding; } else {/ * - kCCOptionPKCS7Padding | kCCOptionECBMode this mode - the ECB mode - kCCOptionPKCS7Padding chain mode - * / option = CBC mode kCCOptionPKCS7Padding | kCCOptionECBMode; } / / set the output buffer NSData * data = [string dataUsingEncoding: NSUTF8StringEncoding]; size_t bufferSize = [data length] + self.blockSize; void *buffer = malloc(bufferSize); Size_t encryptedSize = 0; CCCrypt /* - Parameter 1: kCCEncrypt encryption/kCCDeccrypt decryption - Parameter 2: encryption algorithm - Parameter 3: encryption options ECB/CBC - Parameter 4: address of KEY - Parameter 5: N/A 6: iv Initialization vector n/A 7: encrypted data N/A 8: encrypted data length N/A 9: memory address of the ciphertext n/A 10: size of the ciphertext buffer N/A 11: */ CCCryptorStatus cryptStatus = CCCrypt(kCCEncrypt, self.algorithm, option, cKey, self.keySize, cIv, [data bytes], [data length], buffer, bufferSize, &encryptedSize); NSData *result = nil; if (cryptStatus == kCCSuccess) { result = [NSData dataWithBytesNoCopy:buffer length:encryptedSize]; } else { free(buffer); NSLog (@ "[error] encryption failure | status code: % d", cryptStatus); } return [result base64EncodedStringWithOptions:0]; } - (NSString *)decryptString:(NSString *)string keyString:(NSString *)keyString iv:(NSData *)iv {// sets the secret key NSData *keyData = [keyString dataUsingEncoding:NSUTF8StringEncoding]; uint8_t cKey[self.keySize]; bzero(cKey, sizeof(cKey)); [keyData getBytes:cKey length:self.keySize]; // Set the iv uint8_t cIv[self.blocksize]; bzero(cIv, self.blockSize); int option = 0; if (iv) { [iv getBytes:cIv length:self.blockSize]; option = kCCOptionPKCS7Padding; } else { option = kCCOptionPKCS7Padding | kCCOptionECBMode; } / / set the output buffer NSData * data = [[NSData alloc] initWithBase64EncodedString: string options: 0]; size_t bufferSize = [data length] + self.blockSize; void *buffer = malloc(bufferSize); Size_t decryptedSize = 0; CCCryptorStatus cryptStatus = CCCrypt(kCCDecrypt, self.algorithm, option, cKey, self.keySize, cIv, [data bytes], [data length], buffer, bufferSize, &decryptedSize); NSData *result = nil; if (cryptStatus == kCCSuccess) { result = [NSData dataWithBytesNoCopy:buffer length:decryptedSize]; } else { free(buffer); NSLog (@ "[error] decryption failure | status code: % d", cryptStatus); } return [[NSString alloc] initWithData:result encoding:NSUTF8StringEncoding]; } @endCopy the code
It is mainly realized through CCCrypt of the system, which involves 11 parameters, respectively
- Parameter 1: kCCEncrypt encryption/kCCDeccrypt decryption - Parameter 2: encryption algorithm - Parameter 3: encryption option ECB/CBC - Parameter 4: KEY address - Parameter 5: KEY length - Parameter 6: iv Initialization vector - Parameter 7: - Parameter 8: Length of encrypted data - Parameter 9: memory address of ciphertext - Parameter 10: size of ciphertext buffer - Parameter 11: pointer to data (size of encrypted result)Copy the code
Security risks: Using system functions also risks data leakage
Debugging CCCrypt
Let’s use breakpoint debugging to illustrate the security risks
Add sign breakpoint CCCrypt
To run the program
- It’s not safe to get a parameter from a register and find hello in clear text
There are the following suggestions for improvement
1. Create a layer of encapsulation on top of system functions, such as using bitwise Xor (the simplest encapsulation)
Encryption: When a string is passed, a bitwise xor operation is performed
Decryption: decrypt first, and then xor by bit
2. Method name confusion – that is, the method name remains the same, but a series of changes have been made since the package hit the shelves
Symmetric encryption in iOS uses the system’s CCCrypt, which has 11 parameters
Using CCCrypt of the system directly is a security hazard of plaintext leakage, so it is necessary to do some operations on the system function to ensure the security of plaintext