Java的:从applet的修补客户端安全策略AES256 [英] Java: Patching client side security policy from applet for AES256
问题描述
我需要在商业Web应用程序AES256加密/解密。
目前一切都很好用的128密钥大小这不是加密满意,所以我的问题是如何最好地克服这个问题,而不需要用户手动安装任何东西。
I require AES256 encryption/decryption in a commercial web application. Currently everything is good with a key size of 128. This is not satisfactory cryptographically so my problem is how best to get round this issue without requiring the user to install anything manually.
我有Oracle的无限管辖权的jar文件,但我不知道,如果用户的JRE / lib / security目录替换这些都将是与旧版本兼容。很显然,我不想破坏用户的JRE。我也有写权限到我的JRE安全目录,但我认为有些用户不具备这些权限。
I have the unlimited jurisdiction jar files from Oracle but I have no idea if replacing these in the user's JRE/lib/security directory will be compatible with older versions. Obviously I don't want to corrupt the user's JRE. Also I have write permission to my JRE security directory but I assume some user's will not have these privileges.
有没有解决这个问题,一个简单的办法,还是我坚持要么弱加密或者用户潜在的问题环节?
Is there a simple way around this issue, or am I stuck with either weak encryption or a potentially problematic step for users?
更新unrestricting javax.crypto.JceSecurity
Update for "unrestricting" javax.crypto.JceSecurity
@ntoskml你是正确的。 getMaxAllowedKeyLength 仍返回有限密钥大小,但加密与密钥大小== 256 :)成功。我会更新我的测试方法,并设置密钥长度,如果强加密可用。谢谢
@ntoskml You are correct. getMaxAllowedKeyLength still returns the limited key size but the encryption succeeds with key size == 256 :). I will update my test method and set the key size if strong encryption is available. Thanks
>>> from javax.crypto import Cipher
>>> Cipher.getMaxAllowedKeyLength("AES")
128
>>> from java.lang import Class
>>> c = Class.forName("javax.crypto.JceSecurity")
>>> isRestricted = c.getDeclaredField("isRestricted")
>>> isRestricted.setAccessible(True)
>>> isRestricted.set(None, False)
>>> isRestricted.get(None)
False
>>> Cipher.getMaxAllowedKeyLength("AES")
128
>>> from javax.crypto import KeyGenerator
>>> kge = KeyGenerator.getInstance("AES")
>>> kge.init(256)
>>> aesKey = kgen.generateKey()
>>> c2 = Cipher.getInstance("AES")
>>> c2.init(Cipher.ENCRYPT_MODE, aesKey)
>>> c2.doFinal("test")
array('b', [-81, 99, -61, -51, 93, -42, -68, -28, 107, 59, -109, -98, -25, 127, 37, 23])
和重启后的测试案例的Jython控制台
And the test case after restarting Jython console
>>> # Reflection as above
>>> isRestricted.get(None)
True
>>> kge.init(256)
>>> aesKey = kge.generateKey()
>>> c2.init(Cipher.ENCRYPT_MODE, aesKey)
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
at javax.crypto.Cipher.checkCryptoPerm(Cipher.java:1011)
at javax.crypto.Cipher.implInit(Cipher.java:786)
at javax.crypto.Cipher.chooseProvider(Cipher.java:849)
at javax.crypto.Cipher.init(Cipher.java:1213)
at javax.crypto.Cipher.init(Cipher.java:1153)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
java.security.InvalidKeyException: java.security.InvalidKeyException: Illegal key size or default parameters
宾果:)感谢分享@ntoskml
Bingo :) Thanks for sharing @ntoskml
推荐答案
编辑:下面是一个更新的回答这个问题:<一href=\"http://stackoverflow.com/questions/1179672/unlimited-strength-jce-policy-files/22492582#22492582\">"Unlimited实力&QUOT; JCE策略文件
Here's an updated answer to this question: "Unlimited Strength" JCE Policy Files
这是可能简单地通过使用反射几行禁用键的大小限制。我们用我们的节目这个方法,需要访问256位加密技术的互操作性。
It is possible to disable the key size restrictions simply by using a few lines of reflection. We use this method in our program which needs access to 256-bit cryptography for interoperability purposes.
private static void removeCryptographyRestrictions() {
if (!isRestrictedCryptography()) {
return;
}
try {
java.lang.reflect.Field isRestricted;
try {
final Class<?> c = Class.forName("javax.crypto.JceSecurity");
isRestricted = c.getDeclaredField("isRestricted");
} catch (final ClassNotFoundException e) {
try {
// Java 6 has obfuscated JCE classes
final Class<?> c = Class.forName("javax.crypto.SunJCE_b");
isRestricted = c.getDeclaredField("g");
} catch (final ClassNotFoundException e2) {
throw e;
}
}
isRestricted.setAccessible(true);
isRestricted.set(null, false);
} catch (final Throwable e) {
logger.log(Level.WARNING,
"Failed to remove cryptography restrictions", e);
}
}
private static boolean isRestrictedCryptography() {
return "Java(TM) SE Runtime Environment"
.equals(System.getProperty("java.runtime.name"));
}
然而,我们的程序是不是一个小程序,我不知道小程序是否有权访问该反射API。
However, our program is not an applet, and I am not sure whether applets have access to the reflection API.
有关合法性问题也依然存在。有该限制的原因。如果您担心咨询律师。
The question about legality also remains. There is a reason for that limit. Consult a lawyer if you are concerned.
如果可能,尽量保持它的128位密钥。即使考虑当考虑摩尔定律,打破了128位AES将需要数十亿美元在数十亿年。更长的密钥提供了在现实世界中没有的好处 - 尤其是当密钥是从密码,不具有熵任何接近256位反正衍生
If possible, try to keep it to 128-bit keys. Even when taking Moore's law into consideration, breaking 128-bit AES would take billions upon billions of years. Longer keys offer no benefit in the real world – particularly when the keys are derived from passwords, which don't have anywhere near 256 bits of entropy anyway.
这篇关于Java的:从applet的修补客户端安全策略AES256的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!