通过未加密的JSON发送人名的足够安全方式

时间:2012-10-29 05:06:11

标签: php android json encryption ssl

我刚开始为一个本地健身房的应用程序工作,并且由于我的测试已接近完成,并且版本1即将完成,我开始考虑保护应用程序免受任何MITM类型的攻击。虽然我知道有人甚至想要MITM这个应用程序(而不是银行应用程序)的机会几乎为零,但我仍然希望在安全方面有点积极主动。

虽然应用程序发送/接收没有用户信息(来回发送的数据是重量,代表,时间,用户签到的类的名称等等),我正在传输所有活动的名称健身房成员(用于自动完整的文本框)。我想加密名称,但我发现很难将我的代码从HTTP更改为HTTPS。我的服务器上有HTTPS和自签名证书,但似乎无法让android端工作(在eclipse中不会遇到对等证书错误)。作为一种解决方法,我考虑过使用AES128加密/散列每个名称,然后在手机上解密,然后在通过PHP将数据发送回数据库时也这样做。

这是加密整个会话的充分替代方案吗?称之为“懒惰SSL”,好像有人要获得密钥,他们就能够解密数据,但同样,我们只传输名称,没有其他用户信息。

这是我正在使用的未加密代码(我遗漏了不必要的东西,使这个块更小):

public JSONObject makeHttpRequest(String url, String method, List<NameValuePair> params) {

        if (method == "POST") {
            // request method is POST
            // defaultHttpClient
            DefaultHttpClient httpClient = new DefaultHttpClient();
            HttpPost httpPost = new HttpPost(url);
            httpPost.setEntity(new UrlEncodedFormEntity(params));

            HttpResponse httpResponse = httpClient.execute(httpPost);
            HttpEntity httpEntity = httpResponse.getEntity();
            is = httpEntity.getContent();

        } 

这是一个用于解析Json的更大的类: My entire JSONParser class

我在需要拉取数据或将数据发送到服务器的地方调用此类,如下所示:

final JSONParser jsonParser = new JSONParser();

    final List<NameValuePair> params = new ArrayList<NameValuePair>();
    params.add(new BasicNameValuePair("tag", Globals.TAG_GETMEMBERS));
    params.add(new BasicNameValuePair("LastRow", lastRow));
    // getting JSON string from URL
    final JSONObject json = jsonParser.makeHttpRequest(
            Globals.WEBSERVICE_URL, "POST", params);

使用各种资源:

How to enable a self-signed certificate for SSL sockets on Android?

http://randomizedsort.blogspot.com/2010/09/step-to-step-guide-to-programming.html

我能够获得有用的东西,我最初尝试使用“信任所有证书”方法,但由于这是MITM倾向,我宁愿不使用它(加上它不起作用。使用第二个链接我'到目前为止重新生成证书,我已经下载了充气城堡罐(

我还使用以下命令生成密钥库,并将其导入到我的项目中:

keytool -genkey -dname "cn = smashwebserver, ou=Development Team, o=Smash Gyms, L=Sunnyvale, s=California, c=US" -alias ssltest -keypass ssltest -keystore c:\dell\ssltest.keystore -storepass ssltest -validity 180

keytool -export -alias ssltest -keystore c:\dell\ssltest.keystore -file c:\dell\ssltest.cer -storepass ssltest -keypass ssltest

keytool -import -alias ssltestcert -file C:\dell\ssltest.cer -keypass ssltestcert -keystore "C:\Users\Evan Richardson\workspace\SmashGyms\res\raw\ssltestcert" -storetype BKS -storepass ssltestcert -providerClass org.bouncycastle.jce.provider.BouncyCastleProvider -providerpath "C:\Users\Evan Richardson\workspace\SmashGyms\libs\bcprov-jdk15on-147.jar"

生成的JSONParser类块如下所示:

if (method == "POST") {

            // Load the self-signed server certificate
            char[] passphrase = "ssltest".toCharArray();
            KeyStore ksTrust = KeyStore.getInstance("BKS");
            ksTrust.load(context.getResources().openRawResource(
                    R.raw.ssltestcert), passphrase);
            TrustManagerFactory tmf = TrustManagerFactory
                    .getInstance(KeyManagerFactory.getDefaultAlgorithm());
            tmf.init(ksTrust);

            // Create a SSLContext with the certificate
            SSLContext sslContext = SSLContext.getInstance("TLS");
            sslContext.init(null, tmf.getTrustManagers(),
                    new SecureRandom());

            // request method is POST
            // defaultHttpClient
            DefaultHttpClient httpClient = new DefaultHttpClient();
            HttpPost httpPost = new HttpPost(url);
            httpPost.setEntity(new UrlEncodedFormEntity(params));

            HttpResponse httpResponse = httpClient.execute(httpPost);
            HttpEntity httpEntity = httpResponse.getEntity();
            is = httpEntity.getContent();

        }

然而现在我收到以下错误:

10-29 11:55:28.470: W/System.err(9561): java.io.IOException: Wrong version of key store.

我看了那个错误,在这里找到了一个可能的解决方案:Android bouncy castle: IOException

我已经下载了145版本的bouncycastles Jar,并使用了它。这修复了ioexception错误,但现在我得到以下内容:

10-29 12:21:57.536: W/System.err(12506): Catch exception while startHandshake: javax.net.ssl.SSLHandshakeException: javax.net.ssl.SSLProtocolException: SSL handshake aborted: ssl=0x10b9a10: Failure in SSL library, usually a protocol error
10-29 12:21:57.536: W/System.err(12506): error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol (external/openssl/ssl/s23_clnt.c:683 0x4026dced:0x00000000)
10-29 12:21:57.536: W/System.err(12506): return an invalid session with invalid cipher suite of SSL_NULL_WITH_NULL_NULL
10-29 12:21:57.586: W/System.err(12506): javax.net.ssl.SSLPeerUnverifiedException: No peer certificate

奇怪的是,如果我将我的网址更改为“https://google.com”,我不会收到任何错误,只有以下内容:

10-29 14:03:50.198: V/httpresponsetag:(17810): <!DOCTYPE html>
10-29 14:03:50.198: V/httpresponsetag:(17810): <html lang=en>
10-29 14:03:50.198: V/httpresponsetag:(17810):   <meta charset=utf-8>
10-29 14:03:50.198: V/httpresponsetag:(17810):   <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width">
10-29 14:03:50.198: V/httpresponsetag:(17810):   <title>Error 405 (Method Not Allowed)!!1</title>
10-29 14:03:50.198: V/httpresponsetag:(17810):   <style>
10-29 14:03:50.198: V/httpresponsetag:(17810):     *{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px}* > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}
10-29 14:03:50.198: V/httpresponsetag:(17810):   </style>
10-29 14:03:50.198: V/httpresponsetag:(17810):   <a href=//www.google.com/><img src=//www.google.com/images/errors/logo_sm.gif alt=Google></a>
10-29 14:03:50.198: V/httpresponsetag:(17810):   <p><b>405.</b> <ins>That’s an error.</ins>
10-29 14:03:50.198: V/httpresponsetag:(17810):   <p>The request method <code>POST</code> is inappropriate for the URL <code>/</code>.  <ins>That’s all we know.</ins>

这可能表明它实际上是我的自签名证书,但是如果我打开https:servername,它可以工作(当然是默认警告)

修改

即使接受了所有证书,我也得到了相同的错误,所以我去了我的浏览器,看了我正在使用的主机名,同样的错误。然后我查看了我的路由器上的NAT设置...我转发到端口80,而不是443.失败。更改为443,现在看起来它正在工作,至少接受所有证书和以下代码:

public JSONObject makeHttpRequest(String url, String method,
        List<NameValuePair> params) throws NoSuchAlgorithmException,
        CertificateException, NotFoundException, KeyStoreException,
        KeyManagementException {

    // Making HTTP request
    try {

        // check for request method
        if (method == "POST") {

            // request method is POST
            // defaultHttpClient

            // Create a trust manager that does not validate certificate chains
            TrustManager[] trustAllCerts = new TrustManager[] { new X509TrustManager() {
                public java.security.cert.X509Certificate[] getAcceptedIssuers() {
                    return null;
                }

                public void checkClientTrusted(
                        java.security.cert.X509Certificate[] certs,
                        String authType) {
                }

                public void checkServerTrusted(
                        java.security.cert.X509Certificate[] certs,
                        String authType) {
                }
            } };

            // Install the all-trusting trust manager
            try {
                SSLContext sc = SSLContext.getInstance("SSL");
                sc.init(null, trustAllCerts,
                        new java.security.SecureRandom());
                HttpsURLConnection.setDefaultSSLSocketFactory(sc
                        .getSocketFactory());
            } catch (Exception e) {
            }

            // Now you can access an https URL without having the certificate in the truststore

            HttpClient client = new DefaultHttpClient();
            client = this.sslClient(client);
            HttpPost httpPost = new HttpPost(url);
            httpPost.setEntity(new UrlEncodedFormEntity(params));

            // Log.v(TAG, EntityUtils.toString(result.getEntity()));

            HttpResponse httpResponse = client.execute(httpPost);
            // Log.v("httpresponsetag:", EntityUtils.toString(httpResponse
            // .getEntity()));
            HttpEntity httpEntity = httpResponse.getEntity();
            is = httpEntity.getContent();

        }

3 个答案:

答案 0 :(得分:4)

忘记重新发明懒惰的SSL或其他什么。只需使用SSL并修复您的代码。并且关闭证书验证并信任所有证书。使用自签名证书并不是特别困难,发布您尝试过的内容,人们会指出您正确的方向。通常你需要:

  1. 获取证书
  2. 将其放入您应用中的原始资源
  3. 阅读并初步使用KeyStore
  4. 将此传递给您的SSL套接字工厂
  5. 使用套接字工厂从4开始初始化您的HTTP客户端。
  6. 如果您使用的是HttpClient,请注意以下操作:注意SSLSocketFactory

    KeyStore ts = KeyStore.getInstance("BKS");
    InputStream in = getResources().openRawResource(R.raw.mytruststore);
    ts.load(in, TRUSTSTORE_PASSWORD.toCharArray());
    
    SchemeRegistry schemeRegistry = new SchemeRegistry();
    schemeRegistry.register(new Scheme("http", PlainSocketFactory
                    .getSocketFactory(), 80));
    SSLSocketFactory sslSocketFactory = new SSLSocketFactory(ts);
    schemeRegistry.register(new Scheme("https", sslSocketFactory, 443));
    HttpParams params = new BasicHttpParams();
    ClientConnectionManager cm = 
        new ThreadSafeClientConnManager(params, schemeRegistry);
    
    HttpClient client = new DefaultHttpClient(cm, params);
    

    有关更多示例,示例项目和一些背景信息,请参阅此处:http://nelenkov.blogspot.com/2011/12/using-custom-certificate-trust-store-on.html

答案 1 :(得分:1)

我不明白为什么你想要解决SSL并发明自己的加密方案。我有一种感觉,你的自签名证书会导致你的问题,也许你需要关闭在eclipse中验证自签名证书?

答案 2 :(得分:-2)

我知道你正在使用ssl,但如果你愿意,还有一种选择。它使用编码和解码。

function encodeString($ss,$ntime){

    for($i=0;$i<$ntime;$i++){

        $ss=base64_encode($ss);

    }

    return $ss;

}



function decodeString($ss,$ntime){

    for($i=0;$i<$ntime;$i++){

        $ss=base64_decode($ss);

    }

    return $ss;

}

您可以像使用

一样使用它
 encodeString("$membername", 3); //3 will make the encryption more strong. Higher the value higher the encryption.

 decodeString("$membername", 3); //decodes the member name.