0

下面的代码使用 PBE 算法,我理解SALT数组用于向提供的密码添加几个字节。但是当我试图从该数组中删除几个元素并且当我运行程序时它给出错误。

我的问题是,SALT下面程序中使用的数组可以修改吗?如果是,为什么我在修改它时会出错?

请查看此代码并帮助我理解它。SALT非常感谢除此数组之外的有关该程序的简要说明。

import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.security.GeneralSecurityException;

import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.PBEParameterSpec;

import sun.misc.BASE64Decoder;
import sun.misc.BASE64Encoder;

public class ProtectedConfigFile {

private static final char[] PASSWORD = "enfldsgbnlsngdlksdsgm".toCharArray();
private static final byte[] SALT = {
    (byte) 0xde, (byte) 0x33, (byte) 0x10, (byte) 0x12,
    (byte) 0xde, (byte) 0x33, (byte) 0x10, (byte) 0x12,
};

public static void main(String[] args) throws Exception {
    String originalPassword = "secret";
    System.out.println("Original password: " + originalPassword);
    String encryptedPassword = encrypt(originalPassword);
    System.out.println("Encrypted password: " + encryptedPassword);
    String decryptedPassword = decrypt(encryptedPassword);
    System.out.println("Decrypted password: " + decryptedPassword);
}

private static String encrypt(String property) 
throws GeneralSecurityException, UnsupportedEncodingException {
    SecretKeyFactory keyFactory = SecretKeyFactory.getInstance("PBEWithMD5AndDES");
    SecretKey key = keyFactory.generateSecret(new PBEKeySpec(PASSWORD));
    Cipher pbeCipher = Cipher.getInstance("PBEWithMD5AndDES");
    pbeCipher.init(Cipher.ENCRYPT_MODE, key, new PBEParameterSpec(SALT, 20));
    return base64Encode(pbeCipher.doFinal(property.getBytes("UTF-8")));
}

private static String base64Encode(byte[] bytes) {
    // NB: This class is internal, and you probably should use another impl
    return new BASE64Encoder().encode(bytes);
}

private static String decrypt(String property) 
throws GeneralSecurityException,       IOException {
    SecretKeyFactory keyFactory = SecretKeyFactory.getInstance("PBEWithMD5AndDES");
    SecretKey key = keyFactory.generateSecret(new PBEKeySpec(PASSWORD));
    Cipher pbeCipher = Cipher.getInstance("PBEWithMD5AndDES");
    pbeCipher.init(Cipher.DECRYPT_MODE, key, new PBEParameterSpec(SALT, 20));
    return new String(pbeCipher.doFinal(base64Decode(property)), "UTF-8");
}

private static byte[] base64Decode(String property) throws IOException {
    // NB: This class is internal, and you probably should use another impl
    return new BASE64Decoder().decodeBuffer(property);
}

}

例外是:

Exception in thread "main" java.lang.Exception: java.security.InvalidAlgorithmParameterException: Salt must be 8 bytes long 
  at TransactionTokenUtility.encrypt(TransactionTokenUtility.java:80) 
  at TransactionTokenUtility.generateToken(TransactionTokenUtility.java:144) 
  at TransactionTokenUtility.main(TransactionTokenUtility.java:51) 
Caused by: java.security.InvalidAlgorithmParameterException: Salt must be 8 bytes long 
  at com.sun.crypto.provider.SunJCE_ab.a(DashoA13*..) 
  at com.sun.crypto.provider.PBEWithMD5AndDESCipher.engineInit(DashoA13*..)
4

1 回答 1

2

答案是根据旧的 v1.5 PKCS#5 标准和 PBKDF1,盐应该包含 8 个随机八位字节(读取:字节)。Oracle Java 实现(从 2002 年开始!)遵循此标准。这可以(并且已经)使用 Oracle 提供的源代码进行验证。

需要 8 个八位字节的标准:

  • PKCS#5 v1.5
  • 从 PKCS#5 v2.0 开始的 PBKDF 版本 1(为与 PKCS#5 兼容而定义)

至少需要 8 个八位字节的标准(作为推荐):

  • PKCS#5 标准 v2.0 及更高版本中的 PBKDF2

最好的办法是迁移到 PBKDF2。您将拥有更安全(NIST 接受)的算法,并且您在盐长度方面具有更大的灵活性。

请注意,PKCS#5 中关于 Salt 的章节(第 4 章)谈到了至少 8 个八位字节作为最低安全要求。然而,这被 PBKDF1 的定义所推翻,该定义精确地定义了 8 个八位字节。

于 2013-06-07T11:06:48.423 回答