Generating random IV for AES in Java


Problem description


I'm implementing an AES encryption engine for PBE in Android, and I've found two ways to implement the creation of the IV and I would like to know which one is better and more secure for getting IvParameterSpec:

Method #1:

SecureRandom randomSecureRandom = SecureRandom.getInstance("SHA1PRNG");
byte[] iv = new byte[cipher.getBlockSize()];
randomSecureRandom.nextBytes(iv);

IvParameterSpec ivParams = new IvParameterSpec(iv);

Method #2:

AlgorithmParameters params = cipher.getParameters();
byte[] iv2 = params.getParameterSpec(IvParameterSpec.class).getIV();

ivParams = new IvParameterSpec(iv2);

Solution

I'd use method #1, because the Java API specifies the following for the Cipher.init() API that just takes the encryption/decryption mode and key:

If this cipher instance needs any algorithm parameters or random values that the specified key can not provide, the underlying implementation of this cipher is supposed to generate the required parameters (using its provider or random values).

(emphasis mine).

So it is not clear what different providers will do when method 2 is chosen. Looking at the Android source code, it seems that at least some versions (including version 21?) will not create a random IV - the random IV creation seems commented out.

Method 1 is also more transparent and it is - in my opinion - easier on the eyes.


Note that it is generally better to use new SecureRandom() and let the system figure out which RNG is best. "SHA1PRNG" is not well defined, may differ across implementations and is known to have had implementation weaknesses, especially on Android.


So the end result should be something like:

SecureRandom randomSecureRandom = new SecureRandom();
byte[] iv = new byte[cipher.getBlockSize()];
randomSecureRandom.nextBytes(iv);
IvParameterSpec ivParams = new IvParameterSpec(iv);


Beware that GCM mode works best with a 12 byte IV instead of the 16 byte IV - the block size of AES.
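
As an added example (not part of the original answer): method #1 applied to AES-GCM with the 12-byte IV mentioned above, generated with new SecureRandom() and stored in front of the ciphertext so that decryption can read it back. The class name, the IV-prefix message layout and the KeyGenerator key (a stand-in for the PBE-derived key) are assumptions.

```java
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;

public class ExplicitIvExample {
    private static final int GCM_IV_BYTES = 12;   // IV size GCM works best with
    private static final int GCM_TAG_BITS = 128;
    private static final SecureRandom RNG = new SecureRandom(); // platform default RNG

    // Returns IV || ciphertext+tag so the receiver can recover the IV.
    static byte[] encrypt(SecretKey key, byte[] plaintext) throws Exception {
        byte[] iv = new byte[GCM_IV_BYTES];
        RNG.nextBytes(iv);                         // fresh IV for every message
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(GCM_TAG_BITS, iv));
        if (!Arrays.equals(iv, cipher.getIV())) {  // do not trust provider defaults
            throw new IllegalStateException("provider did not use the supplied IV");
        }
        byte[] ct = cipher.doFinal(plaintext);
        byte[] out = Arrays.copyOf(iv, iv.length + ct.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return out;
    }

    static byte[] decrypt(SecretKey key, byte[] message) throws Exception {
        if (message.length < GCM_IV_BYTES + GCM_TAG_BITS / 8) {
            throw new IllegalArgumentException("message too short");
        }
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        // The IV is the first 12 bytes of the message; the rest is ciphertext+tag.
        cipher.init(Cipher.DECRYPT_MODE, key,
                new GCMParameterSpec(GCM_TAG_BITS, message, 0, GCM_IV_BYTES));
        return cipher.doFinal(message, GCM_IV_BYTES, message.length - GCM_IV_BYTES);
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES"); // stand-in for the PBE-derived key
        kg.init(128);
        SecretKey key = kg.generateKey();
        byte[] msg = "constructed sample plaintext".getBytes(StandardCharsets.UTF_8);
        byte[] a = encrypt(key, msg), b = encrypt(key, msg);
        System.out.println("IVs differ: " + !Arrays.equals(Arrays.copyOf(a, 12), Arrays.copyOf(b, 12)));
        System.out.println("round trip: " + new String(decrypt(key, a), StandardCharsets.UTF_8));
    }
}
```

For CBC the same pattern applies with a cipher.getBlockSize()-byte IV wrapped in IvParameterSpec, as in the answer's final snippet.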
