sqlcipher - how safe is sqlcipher? has it been hacked?

Problem description

It encrypts the SQLite database at page level, OK, that's fine, nothing wrong with that!

But what about your source code? It's compiled, but even if it's compiled, someone could decompile it, retrieve your password and decrypt the database?

Recommended answer

How safe is SQLCipher?

According to the SQLCipher design documentation, it is based on secure components (AES, OpenSSL, HMAC_SHA1, PBKDF2, ...). If those claims are correct, it sounds good to me.

What is a bit unusual (to me, at least) is that there is a random IV per page. This is somewhat different to the typical file system encryption mode AES-XTS. The design used by SQLCipher has certain advantages over AES-XTS, for example writing the same data again will not result in the same encrypted page. However, possibly there are disadvantages, for example I'm not quite sure if with SQLCipher it is possible to move or copy pages (copy encrypted pages to another page). It might not be possible, however from the design document I don't see how this is prevented. Such is the risk if a non-standard encryption mode is used :-) But even if this is a problem, it wouldn't allow an attacker to read the data; it would only allow certain types of attacks. Even with AES-XTS certain types of attacks are possible, so I wouldn't be worried too much.

What about your source code?

To keep things safe, don't store the password in the code. Instead, let the user enter the password, or store it in a key-chain. This is possible for both Android and iOS as far as I see, but I don't know the details.
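
A simplified model of the two points in the answer above, added here as an example (not code from the original post or from SQLCipher): the key is stretched from a passphrase supplied at runtime with PBKDF2, and each page is encrypted under a fresh random IV. It assumes an HMAC-SHA256 keystream as a standard-library stand-in for AES and assumes the page number is fed into the per-page MAC; the function names, toy sizes and iteration count are invented for the sketch.

```python
import hashlib
import hmac
import os

PAGE_SIZE, IV_LEN, MAC_LEN = 64, 16, 32  # constructed toy sizes, not SQLCipher's

def derive_keys(passphrase, salt):
    # Stretch the passphrase into an encryption key and a separate MAC key.
    material = hashlib.pbkdf2_hmac("sha256", passphrase, salt, 100_000, dklen=64)
    return material[:32], material[32:]

def _keystream(enc_key, iv, length):
    # Stand-in for AES: HMAC-SHA256 run in counter mode over the page IV.
    out, counter = b"", 0
    while len(out) < length:
        block = iv + counter.to_bytes(4, "big")
        out += hmac.new(enc_key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]

def _page_mac(mac_key, pgno, iv, ct):
    # Assumption of this sketch: the page number is part of the MAC input.
    msg = pgno.to_bytes(4, "big") + iv + ct
    return hmac.new(mac_key, msg, hashlib.sha256).digest()

def encrypt_page(enc_key, mac_key, pgno, plaintext):
    iv = os.urandom(IV_LEN)  # fresh random IV on every page write
    ks = _keystream(enc_key, iv, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    return iv + ct + _page_mac(mac_key, pgno, iv, ct)

def decrypt_page(enc_key, mac_key, pgno, blob):
    iv, ct, tag = blob[:IV_LEN], blob[IV_LEN:-MAC_LEN], blob[-MAC_LEN:]
    if not hmac.compare_digest(tag, _page_mac(mac_key, pgno, iv, ct)):
        raise ValueError(f"page {pgno}: MAC check failed")
    ks = _keystream(enc_key, iv, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))

if __name__ == "__main__":
    # Constructed value standing in for a passphrase typed by the user at runtime.
    enc_key, mac_key = derive_keys(b"typed-at-runtime", os.urandom(16))
    page = b"same row data".ljust(PAGE_SIZE, b"\0")
    first = encrypt_page(enc_key, mac_key, 1, page)
    second = encrypt_page(enc_key, mac_key, 1, page)
    print("rewrite gives identical ciphertext:", first == second)
    try:
        decrypt_page(enc_key, mac_key, 2, first)  # page 1's blob read back as page 2
    except ValueError as err:
        print("copied page rejected:", err)
```

Dropping `pgno` from `_page_mac` makes the copied page verify at its new position, which is the relocation case the answer says it cannot rule out from the design document.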