While reviewing some code, I saw someone using a key-generation strategy in which the first part of the IV is always the same and the second half varies with the machine ID (which others may find hard to obtain). This is then used to produce the encryption key, as in the following example:

    import javax.crypto.spec.SecretKeySpec;

    public static final String constant = "1234";
    String key = constant + (machine ID);   // (machine ID) is the machine-specific part, as written in the question
    SecretKeySpec sks = new SecretKeySpec(key.getBytes(), "DES");
    String result = sks.toString();
Is this a hardcoded password? I'm not sure whether it is secure. If it isn't, is the risk high?

Many thanks.
Answer 0: (score: 0)

This is insecure because you are using a non-random key, and you are also using an insecure encryption algorithm (DES). You need to use a secure random generation function/class such as SecureRandom, and you need to pick a secure algorithm such as AES or TwoFish.

The following example from JavaDigest shows correct use of the class SecureRandom:
    package random;

    import java.security.SecureRandom;

    /**
     * A simple example to generate secure random numbers using the
     * java.security.SecureRandom class.
     */
    public class SecureRandomGenerator {

        public static void main(String[] args) {
            // Get an instance of the SecureRandom class with the platform's default PRNG algorithm
            SecureRandom secureRandom = new SecureRandom();

            // You can use getInstance() of the SecureRandom class to create a SecureRandom object
            // where you specify the algorithm name.
            // SecureRandom secureRandom = SecureRandom.getInstance("SHA1PRNG");

            // Display the algorithm name
            System.out.println("Used algorithm: " + secureRandom.getAlgorithm());

            // You can also specify the algorithm provider in the getInstance() method
            // SecureRandom secureRandom = SecureRandom.getInstance("SHA1PRNG", "SUN");

            // Display the provider
            System.out.println("Provider: " + secureRandom.getProvider());

            // A call to the setSeed() method will seed the SecureRandom object.
            // If setSeed() is not called, the first call to the nextBytes() method
            // will force the SecureRandom object to seed itself.

            // Get 10 random numbers
            System.out.println("Random Integers generated using SecureRandom");
            for (int i = 0; i < 10; i++) {
                System.out.println(secureRandom.nextInt());
            }
        }
    }