Double encryption


Question

I am using https://github.com/simbiose/Encryption to encrypt data in my Android app.

I thought of double encryption.

import android.util.Log;
import se.simbio.encryption.Encryption;

String key = "key";
String salt = "someSalt";
byte[] iv = new byte[16]; // all-zero IV, as posted

Encryption encryption = Encryption.getDefault(key, salt, iv);

String encrypted = encryption.encryptOrNull("Some String");
Log.d("Encrypto", "Encryption Level 1 : " + encrypted);

// encrypt the ciphertext a second time with the same key/salt/IV
encrypted = encryption.encryptOrNull(encrypted);
Log.d("Encrypto", "Encryption Level 2 : " + encrypted);

// decrypt in reverse order
String decrypted = encryption.decryptOrNull(encrypted);
Log.d("Encrypto", "Decryption Level 2 : " + decrypted);

decrypted = encryption.decryptOrNull(decrypted);
Log.d("Encrypto", "Decryption Level 1 : " + decrypted);

This works fine, but is it recommended?

  1. Yes, it increases the memory used to store the encrypted string, but if it makes it more secure, using more memory is fine.
  2. Will I run into any problems if I do this?

Main question: is this a good encryption library? If not, please recommend me a better one.

Accepted answer

Do you really need to encrypt the data?

https://www.schneier.com/blog/archives/2015/06/why_we_encrypt.html

Why do you want double encryption? There are better ways - for example, a longer key - to add resistance against people performing offline brute force attacks on cipher text.

"Security through obscurity" is a no-no. Go back to the basics of what you need (key length, block size, mode of encryption, when to use a symmetric or asymmetric key) etc.

As you are writing an Android app, I would question..

  • The library is written in Java and makes Java system calls. Reversing/hooking system calls is trivial. Does adding a longer key help your app when the key can be dumped by hooking Android system calls?
  • Your Android Java code can be decompiled to near "source code", or to Smali code - then modified - then recompiled?
  • How do you plan to distribute the key? At runtime, or statically baked into the code? Is it a random key, or the same key for all users of the app?
  • Can you leverage Android hardware to hold and protect your key, rather than just including the key in software? https://source.android.com/security/keystore/

If it was my app && I cared about Confidentiality I would use hardware backed encryption (accepting that some older Android devices might not support it) OR use a Native (C) encryption library. The latter gets you wide device support but introduces other issues (JNI boundary, code lifting).

In summary, introducing encryption sounds simple. But do you really need it when it just highlights that something interesting is being protected?

PS - You may want to re-post this question on: https://security.stackexchange.com/
