为Crypto-js提供价值 [英] providing values to Crypto-js
问题描述
我已经使用CyryptoJs(即服务),但是我认为我并没有遵循最佳实践。
I've got CyryptoJs working (as a service), but I don't think I'm observing best practices with it.
import { Injectable } from '@angular/core';
import * as CryptoJS from "crypto-js";
@Injectable()
export class EncryptionService {
constructor() {
}
secretKey: string = "fnord";
encrypt(jsonObj) {
return CryptoJS.AES.encrypt(JSON.stringify(jsonObj), this.secretKey);
}
decrypt(data) {
if (data !==null && data.length > 0) {
var bytes = CryptoJS.AES.decrypt(data.toString(), this.secretKey);
return bytes.toString(CryptoJS.enc.Utf8);
} else {
return "";
}
}
}
secretKey 可能不应该那样暴露。
secretKey should probably not be exposed like that. What would be a smart way to deliver that value?
推荐答案
存在一些安全问题。
-
每个用户的加密密钥都必须是唯一的。
The encryption key needs to be unique for each user.
使用完整的密钥长度密钥:AES的128、192或256位。
Use a full length key: 128, 192 or 256 bits for AES.
最好使用从CSPRNG(密码安全)获得的随机字节的全长加密密钥。随机数生成器。)
It is best to use a full length encryption key of random bytes obtained from a CSPRNG (Cryptographically Secure Random Number Generator).
使用字符串作为密钥,尤其是短字符串并不安全。如果需要用户输入密码,请使用诸如PBKDF2(基于密码的密钥派生功能2)之类的密钥派生功能来派生安全的加密密钥。
Using a string for the key, especially a short one is not secure. If you need the user to enter a password use a key derivation function such as PBKDF2 (Password Based Key Derivation Function 2) function to derive a secure encryption key.
需要提供一个IV(初始化向量),并且每个CSPRNG都必须是一个随机字节数组,每个加密都是唯一的。只需在加密数据前加上IV前缀即可使用,而不必在秘密过程中使用。
There needs to an IV (Initialization Vector) supplied and it needs to be a random byte array from a CSPRNG unique for each encryption. Just prefix the encrypted data with the IV for use during decryption, it does not need to be secret.
最好完全指定所有加密参数,例如
It is best to fully specify all encryptions parameters such as mode and padding for interoperability.
如果存在输入错误密钥或攻击者替换文件的可能性,则添加加密身份验证。
If there is the possibility of entering an incorrect key or an attacker replacing a file add encryption authentication.
向加密数据添加版本指示符,以便将来如有必要可以进行更改。
Add a version indicator to the encrypted data so changes can be made in the future if necessary.
最后,您将如何存储加密密钥,对此没有简单的答案。
Finally, how are you going to store the encryption key, there is no easy answer to that.
这篇关于为Crypto-js提供价值的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
