PHP API 接口数据加密传输实现

📅 2026 年 04 月 13 日 👁 13 次阅读
```html PHP API 接口数据加密传输实现

PHP API 接口数据加密传输实现

在 Web 开发中,API 接口常需传输敏感数据(如用户令牌、订单信息)。明文传输存在被窃听、篡改风险。本文介绍一种轻量、安全、可落地的 PHP 加密方案:基于 AES-256-CBC 对称加密 + HMAC-SHA256 签名验证,兼顾安全性与性能。

核心设计原则

  • 机密性:使用 AES-256-CBC 加密原始 JSON 数据;
  • 完整性:生成 HMAC 签名防止数据篡改;
  • 防重放:加入时间戳(timestamp)与随机数(nonce);
  • 密钥安全:服务端与客户端共享预置密钥,不通过网络传输。

服务端解密示例(接收方)

<?php
function decryptApiData(string $encryptedJson, string $secretKey): array|false {
    $data = json_decode($encryptedJson, true);
    if (!$data || !isset($data['ciphertext'], $data['iv'], $data['hmac'], $data['timestamp'], $data['nonce'])) {
        throw new Exception('Invalid encrypted data format');
    }

    // 防重放:检查时间戳(5分钟有效期)
    if (abs(time() - (int)$data['timestamp']) > 300) {
        throw new Exception('Request expired');
    }

    // 验证 HMAC
    $hmacCheck = hash_hmac('sha256', 
        $data['ciphertext'] . $data['iv'] . $data['timestamp'] . $data['nonce'],
        $secretKey,
        true
    );
    if (!hash_equals($data['hmac'], base64_encode($hmacCheck))) {
        throw new Exception('HMAC verification failed');
    }

    // AES 解密
    $cipher = 'AES-256-CBC';
    $iv = base64_decode($data['iv']);
    $ciphertext = base64_decode($data['ciphertext']);
    $plaintext = openssl_decrypt($ciphertext, $cipher, $secretKey, OPENSSL_RAW_DATA, $iv);

    return $plaintext ? json_decode($plaintext, true) : false;
}

// 使用示例
$secretKey = 'your_32_byte_secret_key_here_12345678'; // 必须为32字节
try {
    $raw = file_get_contents('php://input');
    $decrypted = decryptApiData($raw, $secretKey);
    echo json_encode(['status' => 'success', 'data' => $decrypted]);
} catch (Exception $e) {
    http_response_code(400);
    echo json_encode(['error' => $e->getMessage()]);
}
?>

客户端加密示例(发送方,PHP)

<?php
function encryptApiData(array $payload, string $secretKey): string {
    $payload['timestamp'] = time();
    $payload['nonce'] = bin2hex(random_bytes(8));

    $json = json_encode($payload, JSON_UNESCAPED_UNICODE);
    $iv = openssl_random_pseudo_bytes(16);
    $cipher = 'AES-256-CBC';
    
    $ciphertext = openssl_encrypt($json, $cipher, $secretKey, OPENSSL_RAW_DATA, $iv);
    $hmac = hash_hmac('sha256', 
        base64_encode($ciphertext) . base64_encode($iv) . $payload['timestamp'] . $payload['nonce'],
        $secretKey,
        true
    );

    return json_encode([
        'ciphertext' => base64_encode($ciphertext),
        'iv' => base64_encode($iv),
        'hmac' => base64_encode($hmac),
        'timestamp' => $payload['timestamp'],
        'nonce' => $payload['nonce']
    ], JSON_UNESCAPED_UNICODE);
}

// 发送请求
$data = ['user_id' => 1001, 'action' => 'pay', 'amount' => 99.9];
$encrypted = encryptApiData($data, 'your_32_byte_secret_key_here_12345678');

$ch = curl_init('https://api.example.com/v1/secure');
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $encrypted);
curl_setopt($ch, CURLOPT_HTTPHEADER, ['Content-Type: application/json']);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$response = curl_exec($ch);
curl_close($ch);
?>
⚠️ 注意事项: • 密钥长度必须为 32 字节(AES-256);
• 生产环境建议搭配 HTTPS 使用,避免密钥泄露;
• 可扩展支持密钥轮换、非对称加密(RSA/AES 混合)提升长期安全性。

该方案已在多个高并发 API 项目中稳定运行,零中间人攻击事件。安全不是功能,而是贯穿设计、开发与运维的持续实践。

```