I need help with two things:
Advice on an encryption algorithm that I can use to encode data on the server, send it to AS3 c开发者_StackOverflow中文版lient and decode it there. From what I read, Public - Private Key sound good.
An AS3 library that can encode and decode that is compatible with PHP's bcrypt (again, I read bcrypt is best for this kind of data transmission).
I'm not a security expert, I hope the question is clear and not clumsy.
EDIT: As suggested SSL is a great option, but at the moment I am looking for non-SSL ones.
Thank you.
What's your threat model? If you're only worried about people sniffing the data while it's on the wire, then use SSL. It'll be transparent to your app, and generally you only have to install a cert and change your URLs from http:// to https://
If your major threat is someone running a debugger on the app to catch the data, then you've got a massively bigger problem and will be highly unlikely to ever stop someone from "stealing" the data.
A bump to @Marc B for pointing out that SSL is perfectly secure, but if you absolutely need custom encryption...
If the server supports mcrypt (most PHP implementations do), then you can use any of the encryption methods provided by mcrypt (including modern AES implementations, IDEA, TEA, etc, etc, etc [it's a long list actually]). However, the php script (of course) must be written to expect encrypted data.
Check out http://php.net/manual/en/book.mcrypt.php for information about PHP's implementation of mcrypt.
EDIT: A quick dump of print_r(mycrypt_list_algorithms()) on a nearly stock fedora box with php-mcrypt installed shows...
Array
(
[0] => cast-128
[1] => gost
[2] => rijndael-128
[3] => twofish
[4] => arcfour
[5] => cast-256
[6] => loki97
[7] => rijndael-192
[8] => saferplus
[9] => wake
[10] => blowfish-compat
[11] => des
[12] => rijndael-256
[13] => serpent
[14] => xtea
[15] => blowfish
[16] => enigma
[17] => rc2
[18] => tripledes
)
rijndael is AES. Some are better than others for different reasons, while some are just junk (like DES).
If you don't mind about someone using a client-side debugger, just use an ActionScript library such as as3crypto, it should have everything you need to decode whatever data PHP sends.
There's no point bothering with public-private key encryption, because you'll have to embed your private key in the SWF, thus making it public.
精彩评论