
While reading some code I came across a key-generation strategy where the first half of the IV is always the same and the second half depends on the machine ID (which other people may find hard to obtain). It is then used to generate the encryption key, as in the following example:

    public static final String constant = "1234";

    // the machine ID is obtained elsewhere (not shown in the question)
    String key = constant + (machine ID);

    SecretKeySpec sks = new SecretKeySpec(key.getBytes(), "DES");

    String result = sks.toString();

Is this a form of hard-coded password? I'm not sure whether it is secure. If it isn't, is it high risk?

Many thanks.


1 Answer


This is insecure, because you are using a non-random key, and you are also using an insecure encryption algorithm (DES). You need to use a secure random-generation function/class, such as SecureRandom, and you need to choose a secure algorithm, such as AES or TwoFish.

Here is an example from JavaDigest showing correct use of the SecureRandom class:

package random;

import java.security.SecureRandom;

/**
 * A Simple Example to generate secure random numbers using
 * java.security.SecureRandom class.
 * 
 */
public class SecureRandomGenerator {
  public static void main(String[] args) {

    // Get the instance of SecureRandom class with the platform's default PRNG algorithm
    SecureRandom secureRandom = new SecureRandom();

    // You can use getInstance() of the SecureRandom class to create a SecureRandom object
    // where you would need to specify the algorithm name.
    // SecureRandom secureRandom = SecureRandom.getInstance("SHA1PRNG");

    // Display the algorithm name
    System.out.println("Used algorithm: " + secureRandom.getAlgorithm());

    // You can also specify the algorithm provider in the getInstance() method
    // SecureRandom secureRandom = SecureRandom.getInstance("SHA1PRNG", "SUN");

    // Display the Provider
    System.out.println("Provider: " + secureRandom.getProvider());

    // A call to the setSeed() method will seed the SecureRandom object.
    // If a call is not made to setSeed(),
    // the first call to nextBytes() will force the SecureRandom object to seed itself.

    // Get 10 random numbers
    System.out.println("Random Integers generated using SecureRandom");
    for (int i = 0; i < 10; i++) {
      System.out.println(secureRandom.nextInt());
    }
  }
}
answered 2013-05-23T03:47:10.363
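As an added example (not code from the question, the answer, or JavaDigest), the following Java program puts the two approaches side by side: the deterministic "constant + machine ID" derivation from the question, which yields the same DES key every time its inputs are the same, and the answer's recommendation of a key produced by SecureRandom-backed generation, used here with AES-GCM and a fresh random nonce per message. The constant "1234" is taken from the question; the machine ID value "MACH" and the plaintext are constructed placeholders.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class KeyHandlingExample {

    // The pattern from the question: a constant plus a machine-specific string.
    // The result is fully determined by its inputs, so anyone who knows (or guesses)
    // both strings obtains the same key; no randomness is involved.
    public static SecretKeySpec predictableDesKey(String constant, String machineId) {
        String key = constant + machineId;
        return new SecretKeySpec(key.getBytes(StandardCharsets.UTF_8), "DES");
    }

    // Recommended: let the JCE generate a fresh 256-bit AES key from SecureRandom.
    public static SecretKey randomAesKey() throws Exception {
        KeyGenerator keyGen = KeyGenerator.getInstance("AES");
        keyGen.init(256, new SecureRandom());
        return keyGen.generateKey();
    }

    // AES-GCM with a random 12-byte nonce per message; the nonce is not secret,
    // so it is prepended to the ciphertext for the receiver. Reusing a nonce with
    // the same key breaks GCM, which is why a fixed IV prefix is a problem.
    public static byte[] encrypt(SecretKey key, byte[] plaintext) throws Exception {
        byte[] nonce = new byte[12];
        new SecureRandom().nextBytes(nonce);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, nonce));
        byte[] ct = cipher.doFinal(plaintext);
        byte[] out = new byte[nonce.length + ct.length];
        System.arraycopy(nonce, 0, out, 0, nonce.length);
        System.arraycopy(ct, 0, out, nonce.length, ct.length);
        return out;
    }

    public static byte[] decrypt(SecretKey key, byte[] blob) throws Exception {
        byte[] nonce = Arrays.copyOfRange(blob, 0, 12);
        byte[] ct = Arrays.copyOfRange(blob, 12, blob.length);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, nonce));
        return cipher.doFinal(ct); // throws AEADBadTagException if the blob was altered
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values: "MACH" stands in for the machine ID in the question.
        SecretKeySpec k1 = predictableDesKey("1234", "MACH");
        SecretKeySpec k2 = predictableDesKey("1234", "MACH");
        System.out.println("Derived DES keys identical:  "
                + Arrays.equals(k1.getEncoded(), k2.getEncoded())); // true

        SecretKey aes1 = randomAesKey();
        SecretKey aes2 = randomAesKey();
        System.out.println("Generated AES keys identical: "
                + Arrays.equals(aes1.getEncoded(), aes2.getEncoded())); // false

        byte[] msg = "sensitive payload".getBytes(StandardCharsets.UTF_8);
        byte[] blob = encrypt(aes1, msg);
        System.out.println("Ciphertext (base64): " + Base64.getEncoder().encodeToString(blob));
        System.out.println("Round trip: " + new String(decrypt(aes1, blob), StandardCharsets.UTF_8));
    }
}
```

The generated AES key still has to be stored somewhere (a KeyStore, an OS key vault, or a secrets manager), but it is no longer recoverable from a constant in the source plus a value that may be readable on the machine.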