Is it safe to use following library of AES Encryption in PHP/Java?


Problem description

When I was searching for an AES encryption/decryption implementation, I found some links to questions on SO, like these:


  1. AES Encryption Java -> PHP -> Java
  2. AES encryption in java
  3. AES encryption & security flaw
  4. Is it safe to use PBKDF2 with SHA256 to generate 128-bit AES keys?

I also found the following webpage, which offers an easy-to-use implementation of the AES encryption/decryption algorithm in both PHP and Java as a library.

Question: Is it safe to use that library's AES implementation directly in our real-time development projects?

This may require you to go through the source code of the implementation. Since the PHP implementation may seem lengthier, I have put the essential part of the library's Java source code below.

import java.io.UnsupportedEncodingException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;
import org.apache.commons.codec.binary.Base64;
/**
Aes encryption
*/
public class AES
{

    private static SecretKeySpec secretKey ;
    private static byte[] key ;

    private static String decryptedString;
    private static String encryptedString;

    public static void setKey(String myKey){


        MessageDigest sha = null;
        try {
            key = myKey.getBytes("UTF-8");
            System.out.println(key.length);
            sha = MessageDigest.getInstance("SHA-1");
            key = sha.digest(key);
            key = Arrays.copyOf(key, 16); // use only first 128 bit
            System.out.println(key.length);
            System.out.println(new String(key,"UTF-8"));
            secretKey = new SecretKeySpec(key, "AES");


        } catch (NoSuchAlgorithmException e) {
            // TODO Auto-generated catch block
            e.printStackTrace();
        } catch (UnsupportedEncodingException e) {
            // TODO Auto-generated catch block
            e.printStackTrace();
        }



    }

    public static String getDecryptedString() {
        return decryptedString;
    }
    public static void setDecryptedString(String decryptedString) {
        AES.decryptedString = decryptedString;
    }
    public static String getEncryptedString() {
        return encryptedString;
    }
    public static void setEncryptedString(String encryptedString) {
        AES.encryptedString = encryptedString;
    }
    public static String encrypt(String strToEncrypt)
    {
        try
        {
            Cipher cipher = Cipher.getInstance("AES/ECB/PKCS5Padding");

            cipher.init(Cipher.ENCRYPT_MODE, secretKey);


            setEncryptedString(Base64.encodeBase64String(cipher.doFinal(strToEncrypt.getBytes("UTF-8"))));

        }
        catch (Exception e)
        {

            System.out.println("Error while encrypting: "+e.toString());
        }
        return null;
    }
    public static String decrypt(String strToDecrypt)
    {
        try
        {
            Cipher cipher = Cipher.getInstance("AES/ECB/PKCS5PADDING");

            cipher.init(Cipher.DECRYPT_MODE, secretKey);
            setDecryptedString(new String(cipher.doFinal(Base64.decodeBase64(strToDecrypt))));

        }
        catch (Exception e)
        {

            System.out.println("Error while decrypting: "+e.toString());
        }
        return null;
    }
}

Note: Please don't mark this as a too broad question and neglect it. I'm asking because I need to be sure before I use it for my next project.

Thanks in advance for your valuable time!

Recommended answer

No, you should absolutely not use that code.

AES class should not contain a digest, that's not part of AES. ECB is insecure; even CBC is likely insecure without integrity/authentication. Exceptions are shuffled under the table and will result in null being returned. There is no difference made between runtime exceptions and exceptions that are generated by invalid input and output. The fields are not correct. Default encoding is being used. Actually, if I had a score sheet then it would fail on about half the points at minimum.

To be able to use cryptography you need at least a minimum understanding of the subject. Otherwise you need to leave it to professionals or you need to use pre-made solutions by known experts. Just grabbing code from the internet will only provide you with a false sense of security and a source of impossible to fix bugs.
