在JAVA中使用AES / GCM检测不正确的密钥 [英] Detecting incorrect key using AES/GCM in JAVA

问题描述

我使用BouncyCastle使用 AES 加密/解密 GCM 模式中的一些文件。

当我证明解密的密钥错误时，也不例外。

我应该如何检查密钥是否不正确？

我的代码是：

I'm using AES to encrypt/decrypt some files in GCM mode using BouncyCastle.
While I'm proving wrong key for decryption there is no exception.
How should I check that the key is incorrect?
my code is this:

    SecretKeySpec   incorrectKey = new SecretKeySpec(keyBytes, "AES");
    IvParameterSpec ivSpec = new IvParameterSpec(ivBytes);
    Cipher          cipher = Cipher.getInstance("AES/GCM/NoPadding", "BC");
    byte[] block = new byte[1048576];
    int i;

    cipher.init(Cipher.DECRYPT_MODE, incorrectKey, ivSpec);

    BufferedInputStream fis=new BufferedInputStream(new ProgressMonitorInputStream(null,"Decrypting ...",new FileInputStream("file.enc")));
    BufferedOutputStream ro=new BufferedOutputStream(new FileOutputStream("file_org"));        
    CipherOutputStream dcOut = new CipherOutputStream(ro, cipher);

    while ((i = fis.read(block)) != -1) {
        dcOut.write(block, 0, i);
    }

    dcOut.close();
    fis.close();

感谢

推荐答案

没有方法可以在GCM模式下检测不正确的键。你可以检查是否验证标签验证，这意味着你使用正确的密钥。问题是如果认证标签不正确，那么这可以指示以下各项（或全部的组合，直到并且包括完全替换密文和认证标签）：

There is no method that you can detect incorrect key in GCM mode. What you can check is if the authentication tag validates, which means you were using the right key. The problem is that if the authentication tag is incorrect then this could indicate each of the following (or a combination of all, up to and including the full replacement of the ciphertext and authentication tag):

1. 正在使用不正确的密钥;


2. 在传输期间更改了计数器模式加密数据;


3. 更改了其他已验证的数据;

>你可以做的是发送额外的数据来识别使用的密钥。这可以是可读的标识符（encryption-key-1），但它也可以是KCV，一个关键的校验值。 KCV通常包括用密钥加密的零块或者对密钥（也称为指纹）的加密安全散列。因为在零块上的加密泄漏信息，你不应该使用它来识别加密密钥。

What you could do is send additional data to identify the secret key used. This could be a readable identifier ("encryption-key-1") but it could also be a KCV, a key check value. A KCV normally consists of a zero-block encrypted with the key, or a cryptographically secure hash over the key (also called a fingerprint). Because the encryption over a zero block leaks information you should not use that to identify the encryption key.

你实际上可以使用GCM模式的AAD特性来计算认证标签覆盖密钥识别数据。请注意，您不能区分指纹的妥协和使用不正确的密钥。然而，指纹不可能比IV，AAD，密文和认证标签的整个结构意外损坏。

You could actually use the AAD feature of GCM mode to calculate the authentication tag over the key identification data. Note that you cannot distinguish between compromise of the fingerprint and using an incorrect key. It's however less likely that the fingerprint is accidentally damaged than the entire structure of IV, AAD, ciphertext and authentication tag.

这篇关于在JAVA中使用AES / GCM检测不正确的密钥的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！