什么是隐藏在Android中存储密码的最佳方式? [英] What is the best way to hide the keystore password in Android?
问题描述
我是新的Android开发和实施的SSLSockets。做一些挖掘后,我能建立一个简单的服务器/客户端工作。我觉得实现可以使用如何在密码密钥库加载某些工作,并没有难倒以纯文本有它。下面是一些code是在客户端。正如你可以看到我有密码硬coded进入一个局部变量。有没有更好的方式密钥库密码加载,所以我没有它在code纯文本?
的char [] KSPASS =密码.toCharArray();
的char [] = keypass的密码.toCharArray();
尝试{
最终密钥库的keyStore = KeyStore.getInstance(BKS);
keyStore.load(context.getResources()openRawResource(R.raw.serverkeys),KSPASS); 最终的KeyManagerFactory的KeyManager = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
keyManager.init(密钥库的keypass); 最终的TrustManagerFactory trustFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
trustFactory.init(的keyStore); 的SSLContext = SSLContext.getInstance(TLS);
sslContext.init(keyManager.getKeyManagers(),trustFactory.getTrustManagers(),NULL);
Arrays.fill(KSPASS,'');
Arrays.fill(keypass的,''); KSPASS = NULL;
关键通过= NULL;
更新:
原来的客户端并不需要知道密钥库密码的。我已经修改了code作为密码传递null。到目前为止,初步测试已经与通信服务器的工作。在服务器端,我仍然加载密钥库的密码。
最终密钥库的keyStore = KeyStore.getInstance(BKS);
keyStore.load(context.getResources()openRawResource(R.raw.serverkeys),NULL); 最终的KeyManagerFactory的KeyManager = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
keyManager.init(密钥存储区,NULL); 最终的TrustManagerFactory trustFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
trustFactory.init(的keyStore); 的SSLContext = SSLContext.getInstance(TLS);
sslContext.init(keyManager.getKeyManagers(),trustFactory.getTrustManagers(),NULL);
嗯,这不是一个简单的问题开始。
例如,你可以要求从应用程序启动用户的密码,使密码是不是在你的code.I硬codeD认为这是最安全的方法。
如果这是不可能的,那么你的问题就出现了,如果有人可以访问罐子和看到code和随后的密码。你可以委托给用户保护这些罐子。
如果这是不可能的,那么你可以对密码进行加密并存储在某个地方。然后在你的code你辛苦code中的密钥来解密密码。因此,有人寻找到罐子里看不到你的真实password.Only解密密钥。当然,如果人把真正的努力,他可以拿到钥匙,并试图找到其中的密码所在和解密,并拿到钥匙,但它需要更多的努力去做。
在最后它取决于你有什么安全要求
I'm new to Android development and implementing SSLSockets. After doing some digging I was able to setup a simple server/client that is working. The implementation I feel could use some work and stumped on how to load in the password to the keystore without having it in plain text. Here is some code that is on the client side. As you can see I have the password hard coded into a local var. Is there a better way to load in the keystore password so I do not have it in plain text in the code?
char [] KSPASS = "password".toCharArray();
char [] KEYPASS = "password".toCharArray();
try {
final KeyStore keyStore = KeyStore.getInstance("BKS");
keyStore.load(context.getResources().openRawResource(R.raw.serverkeys), KSPASS);
final KeyManagerFactory keyManager = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
keyManager.init(keyStore, KEYPASS);
final TrustManagerFactory trustFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
trustFactory.init(keyStore);
sslContext = SSLContext.getInstance("TLS");
sslContext.init(keyManager.getKeyManagers(), trustFactory.getTrustManagers(), null);
Arrays.fill(KSPASS, ' ');
Arrays.fill(KEYPASS, ' ');
KSPASS = null;
KEYPASS = null;
Update:
It turns out the client did not need to know the keystore password at all. I've modified the code to pass null in as the password. So far initial tests have worked with communication to the server. On the server side I still load the keystore password.
final KeyStore keyStore = KeyStore.getInstance("BKS");
keyStore.load(context.getResources().openRawResource(R.raw.serverkeys), null);
final KeyManagerFactory keyManager = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
keyManager.init(keyStore, null);
final TrustManagerFactory trustFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
trustFactory.init(keyStore);
sslContext = SSLContext.getInstance("TLS");
sslContext.init(keyManager.getKeyManagers(), trustFactory.getTrustManagers(), null);
Well this is not an easy problem to begin with.
You could for example request the password from the user on application startup so that the password is not hardcoded in your code.I think this is the most secure approach.
If this is not possible, then your problem arises if someone has access to the jars and "sees" the code and subsequently the password. You could delegate to the user protecting these jars.
If this is not possible then you could encrypt the password and store it somewhere. Then in your code you hard code the key to decrypt the password. So someone looking into the jar can not see your real password.Only the decryption key. Of course if one put real effort he could get the key and try to find where the password is located and decrypt it and get the key but it requires more effort to do.
In the end it depends on what security requirements you have
这篇关于什么是隐藏在Android中存储密码的最佳方式?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
