1. 技术文章
  2. Is this a secure encryption method

Is this a secure encryption method

前提是你 提交于 2019-12-21 05:46:08

问题


I'm writing an application for Android that uses symmetric key encryption to protect sensitive data. As far as I can tell, Android only directly supports "PBEWithMD5AndDES". How secure is this algorithm? Also, I've included my code below (non-andriod). Is my code correctly encrypting the data?

import java.io.UnsupportedEncodingException;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.InvalidParameterSpecException;
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.IllegalBlockSizeException;
import javax.crypto.NoSuchPaddingException;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

public class CipherTest
{

    private static class EncryptInfo
    {

        private final byte[] encryptedData;
        private final byte[] initVector;
        private final byte[] salt;

        public EncryptInfo(byte[] encryptedData, byte[] initVector, byte[] salt)
        {
            this.encryptedData = encryptedData.clone();
            this.initVector = initVector.clone();
            this.salt = salt.clone();
        }

        public byte[] getEncryptedData()
        {
            return encryptedData;
        }

        public byte[] getInitVector()
        {
            return initVector;
        }

        public byte[] getSalt()
        {
            return salt;
        }

    }

    private static final String keyGenAlgorithm = "PBEWithMD5AndDES";
    private static final String keyAlgorithm = "DES";
    private static final String cipherTransform = "PBEWithMD5AndDES/CBC/PKCS5Padding";

    private static EncryptInfo encrypt(char[] password, byte[] data)
            throws NoSuchAlgorithmException, InvalidKeySpecException,
            NoSuchPaddingException, InvalidKeyException,
            InvalidParameterSpecException, IllegalBlockSizeException,
            BadPaddingException, UnsupportedEncodingException
    {

        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);

        PBEKeySpec keySpec = new PBEKeySpec(password, salt, 1024);

        SecretKeyFactory secretKeyFactory = SecretKeyFactory
                .getInstance(keyGenAlgorithm);
        SecretKey secretKey = secretKeyFactory.generateSecret(keySpec);
        keySpec.clearPassword();
        byte[] key = secretKey.getEncoded();
        SecretKeySpec secretKeySpec = new SecretKeySpec(key, keyAlgorithm);
        Cipher cipher = Cipher.getInstance(cipherTransform);
        cipher.init(Cipher.ENCRYPT_MODE, secretKeySpec);

        byte[] initVector = cipher.getParameters().getParameterSpec(
                IvParameterSpec.class).getIV();

        return new EncryptInfo(cipher.doFinal(data), initVector, salt);
    }

    public static byte[] decrypt(byte[] data, char[] password, byte[] salt,
            byte[] initVector) throws NoSuchAlgorithmException,
            InvalidKeySpecException, NoSuchPaddingException,
            InvalidKeyException, InvalidAlgorithmParameterException,
            IllegalBlockSizeException, BadPaddingException
    {
        PBEKeySpec keySpec = new PBEKeySpec(password, salt, 1024);

        SecretKeyFactory secretKeyFactory = SecretKeyFactory
                .getInstance(keyGenAlgorithm);
        SecretKey secretKey = secretKeyFactory.generateSecret(keySpec);
        keySpec.clearPassword();
        byte[] key = secretKey.getEncoded();
        SecretKeySpec secretKeySpec = new SecretKeySpec(key, keyAlgorithm);
        Cipher cipher = Cipher.getInstance(cipherTransform);
        cipher.init(Cipher.DECRYPT_MODE, secretKeySpec, new IvParameterSpec(
                initVector));
        return cipher.doFinal(data);
    }

    public static void main(String[] args) throws Exception
    {
        char[] password = "password".toCharArray();

        EncryptInfo info = encrypt(password, "Message".getBytes());

        byte[] decyptedText = decrypt(info.getEncryptedData(), password, info
                .getSalt(), info.getInitVector());

        System.out.println(new String(decyptedText));

    }
}

回答1:


Both MD5 and DES are weak. If your data being encrypted is really valuable, you should look for some external crypto library for Android that offers AES and SHA256/SHA512 algorithms.




回答2:


If you want to encrypt data using a symmetric key encryption, I recommend:
1) Use AES, because it is certified by the NSA for data classified as secret.
2) Use a well reviewed implementation so you don't have to research the proper way to configure the code. For example, AESCrypt.

You can find AESCrypt here: http://www.aescrypt.com/java_aes_crypt.html

I've seen AESCrypt used in several financial institutions. AESCrypt for java is a single class that calls JCE methods. Android, JCE is implemented by bouncycastle. I have seen bouncycastle used in several major financial institutions.



来源:https://stackoverflow.com/questions/3811302/is-this-a-secure-encryption-method

标签
java
android
security
encryption
encryption-symmetric
易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!