How to handle data encryption and decryption when implementing API in PHP

With the continuous development of the Internet, the application scope of API (Application Programming Interface) is becoming more and more extensive, and data interactions between various systems are becoming more and more frequent. For the transmission of sensitive data, data encryption and decryption are essential steps. This article will introduce how to handle data encryption and decryption when implementing API based on PHP.

1. Why data encryption is necessary

Data encryption refers to converting original plaintext into ciphertext according to a certain algorithm, so that people who have not obtained the corresponding key cannot interpret it, thereby achieving Confidentiality of data. In API development, the main reasons for data encryption are the following two points:

1. Data security

When the API is open to third parties, due to the Transmission does not guarantee that it will be carried out in a private communication environment, so the security and authenticity of the data can be ensured through encryption to avoid data being stolen or tampered with during the transmission process.

2. Legality Verification

Data encryption can ensure the legality of data transmission through identity verification, signature, etc. During the API request sending process, the request parameters are encrypted with irreversible algorithms to ensure the legitimacy of the request and prevent illegal tampering or forgery of the request data.

2. PHP implements data encryption

1. Symmetric encryption algorithm

Symmetric encryption algorithm means that the key used for encryption and decryption is the same , you only need to pass the key as a parameter to complete the encryption and decryption operations. Symmetric encryption algorithms commonly used in API development include DES, 3DES, AES, etc.

Taking the AES encryption algorithm as an example, PHP provides functions such as openssl_encrypt() and openssl_decrypt() to implement symmetric encryption operations. The usage method is as follows:

//AES加密
function aesEncrypt($data, $key) {
    $iv_len = openssl_cipher_iv_length('AES-128-CBC');
    $iv = openssl_random_pseudo_bytes($iv_len);
    $encrypted = openssl_encrypt($data, 'AES-128-CBC', $key, OPENSSL_RAW_DATA, $iv);
    $result = base64_encode($iv . $encrypted);
    return $result;
}
//AES解密
function aesDecrypt($data, $key) {
    $data = base64_decode($data);
    $iv_len = openssl_cipher_iv_length('AES-128-CBC');
    $iv = substr($data, 0, $iv_len);
    $encrypted = substr($data, $iv_len);
    $decrypted = openssl_decrypt($encrypted, 'AES-128-CBC', $key, OPENSSL_RAW_DATA, $iv);
    return $decrypted;
}

Among them, $data is the data to be encrypted, and $key is the key. During the encryption process, obtain the length of the IV vector required by the encryption algorithm by calling openssl_cipher_iv_length(), call openssl_random_pseudo_bytes() to generate a random IV vector, and then call the openssl_encrypt() function to perform the encryption operation. In the decryption process, the ciphertext is first restored to binary data through the base64_decode() function, then the IV vector and encrypted data are extracted respectively, and the openssl_decrypt() function is called to perform the decryption operation.

2. Asymmetric encryption algorithm

Asymmetric encryption algorithm means that the keys used for encryption and decryption are different. Generally, the public key is made public and used to encrypt data. It is then decrypted by the private key on the server side. In API development, common asymmetric encryption algorithms include RSA, DSA, etc.

Taking the RSA encryption algorithm as an example, PHP provides functions such as openssl_public_encrypt and openssl_private_decrypt to implement asymmetric encryption operations. The usage method is as follows:

//RSA加密
function rsaEncrypt($data,$public_key) {
    $encrypted = '';
    openssl_public_encrypt($data,$encrypted,$public_key,OPENSSL_PKCS1_PADDING);
    $encrypted = base64_encode($encrypted);
    return $encrypted;
}
//RSA解密
function rsaDecrypt($data,$private_key) {
    $decrypted = '';
    openssl_private_decrypt(base64_decode($data),$decrypted,$private_key,OPENSSL_PKCS1_PADDING);
    return $decrypted;
}

Among them, $data is the data to be encrypted, and $public_key is the public key. During the encryption process, the data is encrypted by calling the openssl_public_encrypt() function, and then the encrypted data is encoded by the base64_encode() function. During the decryption process, the encrypted data is decrypted by calling the openssl_private_decrypt() function, and then the decrypted data is returned.

3. PHP implements data signature

The data signature in the API is verified for legality by hashing the parameters. For API request parameters, the server needs to perform data signatures to ensure the integrity and authenticity of data transmission.

Commonly used hash algorithms include HMAC, SHA1, MD5, etc. Taking HMAC as an example, data signature can be easily implemented using PHP's built-in hash_hmac() function. The usage is as follows:

//HMAC签名
function hmacSign($data, $secret) {
    $signed_data = hash_hmac('sha256', $data, $secret, false);
    return $signed_data;
}

Among them, $data is the data to be signed, and $secret is the signing key. Call the hash_hmac() function to hash-encrypt the data and return the signed data.

4. Data Encryption and Decryption Example

Next, we will comprehensively apply the above data encryption and signature methods to demonstrate how to use PHP to complete the encryption and decryption process of API request parameters.

//数据加密
$data = [
    'user_id' => 12345,
    'user_name' => 'test',
    'timestamp' => time(),
];
$json_data = json_encode($data);
$encrypted_data = aesEncrypt($json_data, $encrypt_key);

//数据签名
$signature_data = $encrypted_data . $secret_key;
$signature = hmacSign($signature_data, $hmac_key);

//API请求构造
$params = [
    'data' => $encrypted_data,
    'signature'=> $signature,
];
$request_url = 'http://api.example.com' . '?'. http_build_query($params);

//API响应解析
$response_data = file_get_contents($request_url);
$response_data = json_decode($response_data, true);

//数据解密
$encrypted_data = $response_data['data'];
$signature_data = $encrypted_data . $secret_key;
$signature = $response_data['signature'];
if(hmacSign($signature_data, $hmac_key) === $signature) {
    $json_data = aesDecrypt($encrypted_data, $encrypt_key);
    $response = json_decode($json_data, true);
    //TODO:处理API响应数据
}
else {
    //TODO:处理签名不合法的情况
}

In the above code, the aesEncrypt() function is first used to symmetrically encrypt the request parameters, and then the hmacSign() function is used to hash the encrypted data to generate signed request parameters. After the server receives the request, it verifies whether the signature is legal by hashing the signature data, and then uses the aesDecrypt() function to decrypt the encrypted data to obtain the original request parameters.

In the actual application process, it is necessary to ensure that encryption keys, signature keys and other information cannot be leaked to ensure the security of API data. At the same time, appropriate encryption and signature algorithms need to be selected based on system usage requirements to meet system performance and security requirements.

The above is the detailed content of How to handle data encryption and decryption when implementing API in PHP. For more information, please follow other related articles on the PHP Chinese website!