下面的代码使用PBE算法,我理解SALT数组用于向提供的密码添加几个字节。但是当我试图从该数组中删除少量元素时,当我运行程序时它给出错误。
我的问题是,下面程序中使用的SALT数组是否可以修改?如果是,为什么我修改它时会出错?
请查看此代码并帮助我理解它。除了这个SALT数组之外,对程序的简要说明非常受欢迎。
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.security.GeneralSecurityException;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.PBEParameterSpec;
import sun.misc.BASE64Decoder;
import sun.misc.BASE64Encoder;
public class ProtectedConfigFile {
private static final char[] PASSWORD = "enfldsgbnlsngdlksdsgm".toCharArray();
private static final byte[] SALT = {
(byte) 0xde, (byte) 0x33, (byte) 0x10, (byte) 0x12,
(byte) 0xde, (byte) 0x33, (byte) 0x10, (byte) 0x12,
};
public static void main(String[] args) throws Exception {
String originalPassword = "secret";
System.out.println("Original password: " + originalPassword);
String encryptedPassword = encrypt(originalPassword);
System.out.println("Encrypted password: " + encryptedPassword);
String decryptedPassword = decrypt(encryptedPassword);
System.out.println("Decrypted password: " + decryptedPassword);
}
private static String encrypt(String property)
throws GeneralSecurityException, UnsupportedEncodingException {
SecretKeyFactory keyFactory = SecretKeyFactory.getInstance("PBEWithMD5AndDES");
SecretKey key = keyFactory.generateSecret(new PBEKeySpec(PASSWORD));
Cipher pbeCipher = Cipher.getInstance("PBEWithMD5AndDES");
pbeCipher.init(Cipher.ENCRYPT_MODE, key, new PBEParameterSpec(SALT, 20));
return base64Encode(pbeCipher.doFinal(property.getBytes("UTF-8")));
}
private static String base64Encode(byte[] bytes) {
// NB: This class is internal, and you probably should use another impl
return new BASE64Encoder().encode(bytes);
}
private static String decrypt(String property)
throws GeneralSecurityException, IOException {
SecretKeyFactory keyFactory = SecretKeyFactory.getInstance("PBEWithMD5AndDES");
SecretKey key = keyFactory.generateSecret(new PBEKeySpec(PASSWORD));
Cipher pbeCipher = Cipher.getInstance("PBEWithMD5AndDES");
pbeCipher.init(Cipher.DECRYPT_MODE, key, new PBEParameterSpec(SALT, 20));
return new String(pbeCipher.doFinal(base64Decode(property)), "UTF-8");
}
private static byte[] base64Decode(String property) throws IOException {
// NB: This class is internal, and you probably should use another impl
return new BASE64Decoder().decodeBuffer(property);
}
}
例外是:
Exception in thread "main" java.lang.Exception: java.security.InvalidAlgorithmParameterException: Salt must be 8 bytes long
at TransactionTokenUtility.encrypt(TransactionTokenUtility.java:80)
at TransactionTokenUtility.generateToken(TransactionTokenUtility.java:144)
at TransactionTokenUtility.main(TransactionTokenUtility.java:51)
Caused by: java.security.InvalidAlgorithmParameterException: Salt must be 8 bytes long
at com.sun.crypto.provider.SunJCE_ab.a(DashoA13*..)
at com.sun.crypto.provider.PBEWithMD5AndDESCipher.engineInit(DashoA13*..)
答案 0 :(得分:2)
答案是根据较旧的v1.5 PKCS#5标准和PBKDF1,盐应该包含正好8个随机八位字节(读取:字节)。 Oracle Java实现(从2002年开始!)遵循此标准。这可以(并且已经)使用Oracle提供的源代码进行验证。
需要8个八位字节的标准:
最少需要8个八位字节的标准(作为建议):
最好的办法是迁移到PBKDF2。您将获得更安全(NIST接受)的算法,并且您在盐长度方面具有更大的灵活性。
请注意,PKCS#5中有关Salt(第4章)的章节将至少8个八位字节作为最低安全要求。然而,这被PBKDF1的定义所推翻,该定义恰好定义了8个八位字节。