为了账号安全,请及时绑定邮箱和手机立即绑定

密码加密模式不安全,如何解决?

首页 猿问 密码加密模式不安全,如何解决?

密码加密模式不安全,如何解决?

Java
拉莫斯之舞 2023-08-09 17:29:01
我正在加密登录密码firebase,它运行良好,但我在 google play 控制台中收到一条警告,your app contains unsafe cryptographic encryption patterns我该如何摆脱它?我正在 android studio 上尝试。public static class AESCrypt{    private static final String ALGORITHM = "AES";    private static final String KEY = "1Hbfh667adfDEJ78";    public static String encrypt(String value) throws Exception    {        Key key = generateKey();        Cipher cipher = Cipher.getInstance(AESCrypt.ALGORITHM);        cipher.init(Cipher.ENCRYPT_MODE, key);        byte [] encryptedByteValue = cipher.doFinal(value.getBytes("utf-8"));        String encryptedValue64 = Base64.encodeToString(encryptedByteValue, Base64.DEFAULT);        return encryptedValue64;    }    public static String decrypt(String value) throws Exception    {        Key key = generateKey();        Cipher cipher = Cipher.getInstance(AESCrypt.ALGORITHM);        cipher.init(Cipher.DECRYPT_MODE, key);        byte[] decryptedValue64 = Base64.decode(value, Base64.DEFAULT);        byte [] decryptedByteValue = cipher.doFinal(decryptedValue64);        String decryptedValue = new String(decryptedByteValue,"utf-8");        return decryptedValue;    }    private static Key generateKey() throws Exception    {        Key key = new SecretKeySpec(AESCrypt.KEY.getBytes(),AESCrypt.ALGORITHM);        return key;    }
查看完整描述

1 回答

?
梵蒂冈之花

TA贡献1900条经验 获得超5个赞

主要问题是您使用没有完整性的密码和硬编码的加密密钥。如果您使用Find Security Bugs分析源代码,您会收到CIPHER_INTEGRITY和HARD_CODE_KEY警告:

The cipher does not provide data integrity [com.lloyds.keystorage.AESCrypt] At AESCrypt.java:[line 25] CIPHER_INTEGRITY

The cipher does not provide data integrity [com.lloyds.keystorage.AESCrypt] At AESCrypt.java:[line 15] CIPHER_INTEGRITY

Hard coded cryptographic key found [com.lloyds.keystorage.AESCrypt] At AESCrypt.java:[line 35] HARD_CODE_KEY

解决方案是使用包含基于哈希的消息身份验证代码 (HMAC) 的密码来对数据进行签名:


Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");

并将密钥存储在单独的配置文件或密钥库中。


下面是完整重构后的整个类:


import android.util.Base64

import static java.nio.charset.StandardCharsets.UTF_8;

import java.security.Key;

import javax.crypto.Cipher;

import javax.crypto.spec.SecretKeySpec;


public class AESCrypt {

  private static final String TRANSFORMATION = "AES/GCM/NoPadding";


  public static String encrypt(String value) throws Exception {

    Key key = generateKey();

    Cipher cipher = Cipher.getInstance(TRANSFORMATION);

    cipher.init(Cipher.ENCRYPT_MODE, key);

    byte[] encryptedByteValue = cipher.doFinal(value.getBytes(UTF_8));

    return Base64.encodeToString(encryptedByteValue, Base64.DEFAULT);

  }


  public static String decrypt(String value) throws Exception {

    Key key = generateKey();

    Cipher cipher = Cipher.getInstance(TRANSFORMATION);

    cipher.init(Cipher.DECRYPT_MODE, key);

    byte[] decryptedValue64 = Base64.decode(value, Base64.DEFAULT);

    byte[] decryptedByteValue = cipher.doFinal(decryptedValue64);

    return new String(decryptedByteValue, UTF_8);

  }


  private static Key generateKey() {

    return new SecretKeySpec(Configuration.getKey().getBytes(UTF_8), TRANSFORMATION);

  }

}


查看完整回答
反对 回复 2023-08-09
  • 1 回答
  • 0 关注
  • 186 浏览
慕课专栏
更多

添加回答

了解更多

举报

0/150
提交
取消
意见反馈 帮助中心 APP下载
官方微信