It is strongly recommended to always use a key of exactly the required length:
- 128 bits (16 bytes) for CBC/ECB/CTR-128
- 192 bits (24 bytes) for CBC/ECB/CTR-192
- 256 bits (32 bytes) for CBC/ECB/CTR-256
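Unfortunately, MariaDB (and MySQL as well) does not complain about an invalid key length. Instead it does the following:
If the key is shorter than the required length, it is padded with zeros (0x0):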
select @@block_encryption_mode;
+-------------------------+
| @@block_encryption_mode |
+-------------------------+
| aes-128-cbc |
+-------------------------+
set @iv=0x3DAFBA429D9EB430B422DA802C9FAC41,
@key1=0x06A9214036B8A15B512E03D534120000,
@key2=0x06A9214036B8A15B512E03D53412;
select aes_encrypt("Test", @key1, @iv) = aes_encrypt("Test", @key2, @iv);
+-------------------------------------------------------------------+
| aes_encrypt("Test", @key1, @iv) = aes_encrypt("Test", @key2, @iv) |
+-------------------------------------------------------------------+
| 1 |
+-------------------------------------------------------------------+
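If the key is longer than the required length, MariaDB XORs the redundant bytes into the key, whereas other implementations truncate the key; this may be the reason for differing results.
# because the redundant bytes are XORed into the key, both keys end up the same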
set @key1=REPEAT("A",32), @key2=REPEAT("B",32);
select aes_encrypt("Test", @key1, @iv) = aes_encrypt("Test", @key2, @iv);
+-------------------------------------------------------------------+
| aes_encrypt("Test", @key1, @iv) = aes_encrypt("Test", @key2, @iv) |
+-------------------------------------------------------------------+
| 1 |
+-------------------------------------------------------------------+
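The following added example (not MariaDB source code and not part of the original page) models the key handling described above in Python, to show why both comparisons return 1 and why a truncating implementation would disagree. The function names are hypothetical, and the truncating variant is an assumed stand-in for the "other implementations"; the key values are the ones used on this page.

```python
# Added illustration: a model of the key handling described on this page.
# Function names are hypothetical; this is not MariaDB or MySQL code.
KEY_BYTES = {128: 16, 192: 24, 256: 32}  # required key length per AES variant

def fold_key(key: bytes, bits: int = 128) -> bytes:
    """Effective key as described above: short keys are zero-padded,
    surplus bytes are XORed back into the key, wrapping around."""
    size = KEY_BYTES[bits]
    out = bytearray(size)            # all 0x00, which is the padding
    for i, b in enumerate(key):
        out[i % size] ^= b           # bytes past `size` wrap and XOR in
    return bytes(out)

def truncate_key(key: bytes, bits: int = 128) -> bytes:
    """Assumed behaviour of a truncating implementation, for comparison."""
    size = KEY_BYTES[bits]
    return key[:size].ljust(size, b"\x00")

def require_exact_key(key: bytes, bits: int = 128) -> bytes:
    """Application-side guard: reject any key that is not exactly the
    required length before it is handed to AES_ENCRYPT/AES_DECRYPT."""
    if len(key) != KEY_BYTES[bits]:
        raise ValueError(
            f"AES-{bits} needs {KEY_BYTES[bits]} key bytes, got {len(key)}")
    return key

# Key values taken from the SQL session above.
KEY1 = bytes.fromhex("06A9214036B8A15B512E03D534120000")  # 16 bytes
KEY2 = bytes.fromhex("06A9214036B8A15B512E03D53412")      # 14 bytes

def demo() -> dict:
    return {
        # 14-byte key is zero-padded to the 16-byte key: same ciphertext
        "short_equal": fold_key(KEY2) == fold_key(KEY1),
        # 32 identical bytes cancel under XOR: the effective key is all zeros
        "long_A": fold_key(b"A" * 32).hex(),
        "long_B": fold_key(b"B" * 32).hex(),
        # a truncating implementation keeps the two keys distinct
        "truncate_equal": truncate_key(b"A" * 32) == truncate_key(b"B" * 32),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Under this model, REPEAT("A",32) and REPEAT("B",32) both reduce to an all-zero AES-128 key, which is why validating the key length before encryption matters beyond interoperability.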