
I was thinking about the security of the Android operating system when I asked myself whether Windows and Linux systems had been hacked in the past and tried to search for this on Google. Unfortunately, even after half a day I was not satisfied with what I found on the internet. I want to know how Android security and the password mechanism work. If anyone can share anything or point me to a useful link :)


1 Answer


Android password handling is detailed in the sources at LockPatternUtils.java, near line 820:

import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import android.util.Log;

// Returns hex(SHA-1(password + salt)) followed by hex(MD5(password + salt)),
// as a byte array; getSalt() supplies the stored per-device salt.
public byte[] passwordToHash(String password) {
    if (password == null) {
        return null;
    }
    String algo = null;
    byte[] hashed = null;
    try {
        // The same salted input is fed to both digests.
        byte[] saltedPassword = (password + getSalt()).getBytes();
        byte[] sha1 = MessageDigest.getInstance(algo = "SHA-1").digest(saltedPassword);
        byte[] md5 = MessageDigest.getInstance(algo = "MD5").digest(saltedPassword);
        // Stored form: 40 hex chars of SHA-1, then 32 hex chars of MD5.
        hashed = (toHex(sha1) + toHex(md5)).getBytes();
    } catch (NoSuchAlgorithmException e) {
        Log.w(TAG, "Failed to encode string because of missing algorithm: " + algo);
    }
    return hashed;
}

It looks like the general idea is to force a bad guy to guess a correct password constrained by both MD5 and SHA-1. That means a bad guy must get the intersection (not union) of the MD5 and SHA-1 hashes.

Unfortunately, the MD5 component allows for password recovery. Perhaps a better strategy would have been folding MD5 into SHA-1 (to remove naked access to MD5).

By the way, there is a bug report for that (TM): Lock Pattern/Password uses MD5 Hash (LockPatternUtils.java).

answered 2013-02-14T01:19:18.540
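The storage format the answer describes, reproduced as an added Python example (this is not the Android source and not the answerer's code). It shows how the stored value splits into two independently checkable halves, which is what "naked access to MD5" means, and contrasts it with two hardened forms: one interpretation of the answer's "fold MD5 into SHA-1" suggestion, and a salted, iterated PBKDF2 hash. The salt value, the upper-case hex rendering of `toHex`, and the exact folding construction are assumptions made for this example.

```python
import hashlib
import hmac
import os

# Constructed salt standing in for LockPatternUtils.getSalt(); the real value
# is a stored per-device secret. Assumption: any ASCII string is representative.
DEMO_SALT = "1234567890abcdef"


def password_to_hash(password, salt=DEMO_SALT):
    """Python rendition of passwordToHash(): hex(SHA-1(pw+salt)) || hex(MD5(pw+salt)).

    Assumption: toHex() emits upper-case hex digits.
    Returns bytes, mirroring the Java method's byte[] return type.
    """
    if password is None:
        return None
    salted = (password + salt).encode()
    sha1_hex = hashlib.sha1(salted).hexdigest().upper()
    md5_hex = hashlib.md5(salted).hexdigest().upper()
    return (sha1_hex + md5_hex).encode()


def split_stored_hash(stored):
    """Split the 72-char stored value into its SHA-1 (40) and MD5 (32) hex halves.

    The halves are independent: each can be recomputed and compared on its own,
    which is the weakness the answer points out.
    """
    text = stored.decode()
    return text[:40], text[40:]


def verify_password(password, stored, salt=DEMO_SALT):
    """Check a candidate against the stored value using a constant-time compare."""
    candidate = password_to_hash(password, salt)
    return hmac.compare_digest(candidate, stored)


def folded_hash(password, salt=DEMO_SALT):
    """One reading of "folding MD5 into SHA-1" (assumption, not the answer's exact design):

    the MD5 digest is mixed into the SHA-1 input instead of being stored beside it,
    so no bare MD5 value is ever written to storage.
    """
    salted = (password + salt).encode()
    inner_md5 = hashlib.md5(salted).digest()
    return hashlib.sha1(inner_md5 + salted).hexdigest().upper()


def verify_folded(password, stored_folded, salt=DEMO_SALT):
    return hmac.compare_digest(folded_hash(password, salt), stored_folded)


def pbkdf2_hash(password, salt=None, iterations=100_000):
    """Modern alternative (not from the page): salted, iterated PBKDF2-HMAC-SHA256.

    Returns (salt, digest); the per-user random salt and iteration count make
    each guess cost the full key derivation rather than two fast digests.
    """
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per stored password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def verify_pbkdf2(password, salt, digest, iterations=100_000):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    stored = password_to_hash("correct horse")
    sha1_part, md5_part = split_stored_hash(stored)
    print("stored   :", stored.decode())
    print("sha1 half:", sha1_part)
    print("md5 half :", md5_part)
    print("verify ok:", verify_password("correct horse", stored))
    print("folded   :", folded_hash("correct horse"))
    salt, digest = pbkdf2_hash("correct horse")
    print("pbkdf2 ok:", verify_pbkdf2("correct horse", salt, digest))
```

`split_stored_hash` is the point of the example: because the MD5 half is stored verbatim, a verifier (or anyone holding the stored value) can check a guess against that half alone, so the SHA-1 half adds no work. The folded and PBKDF2 variants both remove that separately checkable component; PBKDF2 additionally adds a per-password random salt and a tunable work factor.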