Android AES 256位加密数据

时间:2012-04-17 20:17:07

标签: android encryption aes

所以我看过很多例子,做了大量的谷歌搜索,看了Stack Overflow上的例子......我需要帮助。我有一个Android应用程序,我在设备上存储用户名和密码,我需要加密它们AES 256.从查看示例,这是我到目前为止:

public class Security {
    Cipher ecipher;
    Cipher dcipher;

    // 8-byte Salt
    byte[] salt = {
        (byte)0xA9, (byte)0x9B, (byte)0xC8, (byte)0x32,
        (byte)0x56, (byte)0x35, (byte)0xE3, (byte)0x03
    };

    // Iteration count
    int iterationCount = 19;

    public Security (String passPhrase) {
        try {
            // Create the key
            KeySpec keySpec = new PBEKeySpec(passPhrase.toCharArray(), salt, iterationCount);
            SecretKey key = SecretKeyFactory.getInstance(
                "PBEWithSHAAndAES").generateSecret(keySpec);
            ecipher = Cipher.getInstance(key.getAlgorithm());
            dcipher = Cipher.getInstance(key.getAlgorithm());

            // Prepare the parameter to the ciphers
            AlgorithmParameterSpec paramSpec = new PBEParameterSpec(salt, iterationCount);

            // Create the ciphers
            ecipher.init(Cipher.ENCRYPT_MODE, key, paramSpec);
            dcipher.init(Cipher.DECRYPT_MODE, key, paramSpec);
        } catch (Exception e) { 
            e.printStackTrace(); 
        }
    }

    public String encrypt(String str) {
        try {
            // Encode the string into bytes using utf-8
            byte[] utf8 = str.getBytes("UTF8");

            // Encrypt
            byte[] enc = ecipher.doFinal(utf8);

            // Encode bytes to base64 to get a string
            return Base64.encodeToString(enc, Base64.DEFAULT);
        } catch (Exception e) { 
            e.printStackTrace();
            return null;
        }
    }

    public String decrypt(String str) {
        try {
            // Decode base64 to get bytes
            byte[] dec = Base64.decode(str, Base64.DEFAULT);

            // Decrypt
            byte[] utf8 = dcipher.doFinal(dec);

            // Decode using utf-8
            return new String(utf8, "UTF8");
        } catch (Exception e) {
            e.printStackTrace();
            return null;
        }
    }
}

我正在尝试使其基于密码,因此用户将首次使用回传到服务器所需的用户名和密码创建帐户,并创建将用作这些凭据密钥的PIN存储在数据库中。

我最关心的是这看起来安全吗?我知道固定盐是坏的,我该如何解决?

我知道有关于此的十亿问题,但我希望有人出来说“这是安全的”或“这不安全,改变这个”

谢谢!


修改

所以这是我到目前为止的代码,它似乎正在起作用......

public class Security {

    Cipher ecipher;
    Cipher dcipher;
    byte[] salt = new byte[8];
    int iterationCount = 200;

    public Security(String passPhrase) {
        try {
            // generate a random salt
            SecureRandom random = new SecureRandom();
            random.nextBytes(salt);

            // Create the key
            KeySpec keySpec = new PBEKeySpec(passPhrase.toCharArray(), salt, iterationCount);
            SecretKey key = SecretKeyFactory.getInstance(
                "PBEWithSHA256And256BitAES-CBC-BC").generateSecret(keySpec);
            ecipher = Cipher.getInstance(key.getAlgorithm());
            dcipher = Cipher.getInstance(key.getAlgorithm());

            // Prepare the parameter to the ciphers
            AlgorithmParameterSpec paramSpec = new PBEParameterSpec(salt, iterationCount);

            // Create the ciphers
            ecipher.init(Cipher.ENCRYPT_MODE, key, paramSpec);
            dcipher.init(Cipher.DECRYPT_MODE, key, paramSpec);
        } catch (Exception e) {
            e.printStackTrace();
        }
    }

    public String encrypt(String str) {
        try {
            // Encode the string into bytes using utf-8
            byte[] utf8 = str.getBytes("UTF8");

            // Encrypt
            byte[] enc = ecipher.doFinal(utf8);

            // Encode bytes to base64 to get a string
            return Base64.encodeToString(enc, Base64.DEFAULT);
        } catch (Exception e) {
            e.printStackTrace();
            return null;
        }
    }

    public String decrypt(String str) {
        try {
            // Decode base64 to get bytes
            byte[] dec = Base64.decode(str, Base64.DEFAULT);

            // Decrypt
            byte[] utf8 = dcipher.doFinal(dec);

            // Decode using utf-8
            return new String(utf8, "UTF8");
        } catch (Exception e) {
            e.printStackTrace();
            return null;
        }
    }

    public int getIterationCount() {
        return iterationCount;
    }

    public String getSalt() {
        return Base64.encodeToString(salt, Base64.DEFAULT);
    }
}

我用这段代码来测试它:

 Security s = new Security(pinBox.getText().toString());
            String encrypted = s.encrypt(passwordBox.getText().toString());
            String decrypted = s.decrypt(encrypted);
            builder.setMessage("pin: " + pinBox.getText().toString() + "\n" +
                    "password: " + passwordBox.getText().toString() + "\n" +
                    "encrypted: " + encrypted + "\n" +
                    "decrypted: " + decrypted + "\n" +
                    "salt: " + s.getSalt());

所以我不需要担心初始化向量?或者特别硬编码密码算法?

再次感谢!

1 个答案:

答案 0 :(得分:6)

编辑:虽然下面的代码是正确的,但你所拥有的是基本相同的东西,从密码派生的IV,所以你不必单独存储它。

您的代码是否按预期工作?对于实际的加密/解密,您可能希望使用AES,很可能是在CBC模式下。然后你需要一个IV,所以它变成这样:

ecipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
byte[] iv = new byte[IV_LENGTH];
SecureRandom random = new SecureRandom();
random.nextBytes(iv);
ecipher.init(Cipher.ENCRYPT_MODE, secret, new IvParameterSpec(iv));
byte[] enc = ecipher.doFinal(utf8);

它是否安全取决于您使用它的目的。盐的目的是使密码强制更难:如果它是随机的,攻击者就不能使用预先生成的密码表(密码短语 - >密钥)。如果你不太担心这种攻击,你可能会把它保留下来。如果您决定将其随机化,只需将其与加密数据一起存储即可。与IV相同。