将硬编码的文件解密为byte [] [英] Decrypting a hardcoded file as byte[]
问题描述
这实际上是一个两面的...
首先我需要
- 读取文件的内容
- 将它们隐藏到
字节[] - 在文件中写入
byte []或者... ...
然后#2或#3的结果将进入另一个项目。我试图保护我们的PEM / DER密钥。
对于解密,我需要
- 将
byte [] - 将加密文件的内容解密为
byte [] - 将解密的数据写入文件或使用它而不是文件
现在,我有一些基本的秘密代码
KeyGenerator keyGenerator = KeyGenerator.getInstance(AES );
keyGenerator.init(128); // 192和256位可能不可用
SecretKey secretKey = keyGenerator.generateKey();
密码密码= Cipher.getInstance(AES / CBC / PKCS5Padding);
//通过在CBC模式下初始化密码,初始化向量已经被随机生成
//。这个初始化向量将是解密加密数据所必需的。
//将初始化向量存储为纯文本以供以后使用是安全的。您可以通过调用iv.getIV()获取
//它的字节。
cipher.init(Cipher.ENCRYPT_MODE,secretKey);
IvParameterSpec iv = cipher.getParameters()。getParameterSpec(IvParameterSpec.class);
// IvParameterSpec iv = new IvParameterSpec(IV); //用于硬编码的一个
byte [] encryptedData = cipher.doFinal(data);
并解密一个
cipher.init(Cipher.DECRYPT_MODE,secretKey,iv);
byte [] decryptptedData = cipher.doFinal(encryptedData);
System.out.println(decryptpted:+ new String(decryptptedData));
,问题是:
一个用例很少加密的东西,并且将在运行时分发被解密的密钥,我需要从cyphertext中保存什么?
我知道我需要保存IV,但是当我解密不太好的时候,这让我相信我需要保存密钥。
任何人都可以给我任何提示,指针或一般的安全提示,以获得更好的解决方案?如果我需要保存密钥,IV和加密数据,我应该在哪里存放?可能硬编码,并将IV存储在加密数据上?也许硬编码四和密钥,只是将加密数据存储在文件中?
这不是理论上的安全,认为这是最大的麻烦和不便可能会导致某人试图窃取你的钥匙。我们都知道没有办法我可以完全隐藏他们。
我非常需要这个人开始的解密加密文件并在Java中执行
但是如果有将安全数据提供给PemKeyReader的一种更好的方式,我都是耳朵。
共享密钥和加密东西是两个完全不同的事情如何共享密钥 <说到这一点,128位的 AES 比 3DES 所以你可以做的是保持 PKI 基础架构来交换 AES密钥,然后加密和解密使用它们。
为什么不 RSA ? RSA 需要最小512位,以将其视为最强,并且如果增加更多位,则会增加加密和解密所需的时间。
SO AES是快速和安全的。
使用 SecretKeySpec 从字节[]创建密钥
public static void main(String [] args)throws Exception
{
//初始化密钥,具有预定义的字节数组[],如下所示。 I
//使用简单的字符串数组方法生成16字节数组。
// AES密钥必须至少为16个字节。
//现在你可以把这个字节数组放在哪里是.SO文件。
//使用此字节生成新密钥[]
//然后,您可以使用设备特定信息在
//首次启动时生成密钥。
//使用第二个键加密数据,第一个键加密第二个
// key
//我希望它清除所有的疑惑
SecretKey key = new SecretKeySpec( ABCDEFGHIJKLMNOP.getBytes(),AES);
System.out.println(Arrays.toString(key.getEncoded()));
//使用AES算法初始化密码
加密密码= Cipher.getInstance(AES / CBC / PKCS5Padding);
//设置加密模式
cipher.init(Cipher.ENCRYPT_MODE,key);
//加密一些字节
byte [] encrypted = cipher.doFinal(ABCDEFGH.getBytes());
//打印到vefiry
System.out.println(Arrays.toString(encrypted));
//获取IV
byte [] iv = cipher.getIV();
System.out.println(iv.length);
//现在为什么存储你可以创建结构像[16 IV] [加密数据]
//同时解密你可以先读取[16]字节IV然后
//解密剩余字节
// byte [] iv =新字节[16];
// System.arraycopy(encrypted,0,iv,0,16)
//将剩余字节复制到解密
//将密码设置为解密模式
cipher.init(Cipher.DECRYPT_MODE,key,new IvParameterSpec(iv));
//解密
byte [] decryptpted = cipher.doFinal(encrypted);
System.out.println(new String(decryptpted));
}
现在编写一个将从某些字符串生成byte []的算法随机数据,如设备名称,用户名,随机种子等。
您可以通过在 C中写入该算法为算法源代码添加更多保护/ code>并创建 .SO 文件,并使用本机获取。 byte [] 呼叫
这样做有什么好处?
- 事件如果你这样做被黑客入侵,需要实时的环境才能运行创建密钥。
- 即使有人破解,损坏将受到限制,例如1个设备
Well this is actually a two-parter...
First I need to
- read the contents of the file
- crypt them into a
byte[] - write the
byte[]in a file or whatever...
Then the result from #2 or #3 will go into another project. I'm trying to protect our PEM/DER keys.
For decryption, I need to
- read the contents of the crypted file as a
byte[] - decrypt them into a
byte[] - write the decrypted data to a file OR use it instead of a file
Now, I have some basic crypting code
KeyGenerator keyGenerator = KeyGenerator.getInstance("AES");
keyGenerator.init(128); // 192 and 256 bits may not be available
SecretKey secretKey = keyGenerator.generateKey();
Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
// By initializing the cipher in CBC mode, an "initialization vector" has been randomly
// generated. This initialization vector will be necessary to decrypt the encrypted data.
// It is safe to store the initialization vector in plain text for later use. You can obtain
// it's bytes by calling iv.getIV().
cipher.init(Cipher.ENCRYPT_MODE, secretKey);
IvParameterSpec iv = cipher.getParameters().getParameterSpec(IvParameterSpec.class);
// IvParameterSpec iv = new IvParameterSpec(IV); //used for the hardcoded one
byte[] encryptedData = cipher.doFinal(data);
and decrypting one as well
cipher.init(Cipher.DECRYPT_MODE, secretKey, iv);
byte[] decryptedData = cipher.doFinal(encryptedData);
System.out.println("decrypted: " + new String(decryptedData));
and the question is:
Given a use-case scenario where one would rarely encrypt something and would distribute crypted keys that are to be decrypted at runtime, what do I need to save apart from the cyphertext?
I know I need to save the IV, but when I did decryption wasn't quite good - which leads me to believe that I need to save the secretKey as well.
Could anyone give me any tips, pointers or general security hints to a better solution? If I need to save the key, the IV and the encrypted data, where should I store them? Maybe hardcode the key and store the IV along the encrypted data? Maybe hardcode both the IV and the key and just store encrypted data in the files?
This isn't about theoretical safety, think of this as the biggest nuissance and inconvenience you can cause to someone that is trying to steal your keys. We all know there's no way I can perfectly hide them.
I pretty much need what this guy started with Decrypting an encrypted file and executing in Java
However if there's a better way of feeding secure data into a PemKeyReader, i'm all ears.
Sharing the key and encrypting something are two completely different things. How to share keys
Having said this, AES with 128bit is fairly strong encryption algorithm than 3DES So what you can do is keep PKI infrastructure in place to exchange AES keys and then Encrypt and Decrypt using them.
Why not RSA? RSA needs to be minimum 512 bit to consider it as strongest and if you increase more bits then it increases time required for encryption and decryption.
SO AES is fast and safe.
Use SecretKeySpec to create key from byte[]
public static void main(String[] args) throws Exception
{
// Initialise secret key with predefined byte array [] like below. I
// have used simple string to array method to generate 16 byte array.
// AES Key must be minimum 16 bytes.
// Now you can put this byte array some where is .SO file.
// Generate new Key using this byte []
// Then you can generate a key using device specific information at
// first boot up.
// Use second key to encrypt data and first key to encrypt the second
// key
// I Hope it clears all the doubts
SecretKey key = new SecretKeySpec("ABCDEFGHIJKLMNOP".getBytes(), "AES");
System.out.println(Arrays.toString(key.getEncoded()));
// Initialise Cipher with AES Algorithm
Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
// Set The Encrypt Mode
cipher.init(Cipher.ENCRYPT_MODE, key);
// Encrypt some bytes
byte[] encrypted = cipher.doFinal("ABCDEFGH".getBytes());
// Print it to vefiry
System.out.println(Arrays.toString(encrypted));
// Get The IV
byte[] iv = cipher.getIV();
System.out.println(iv.length);
// Now why storing you can create structure like [16 IV][Encrypted Data]
// And while decrypting you can read first [16] bytes IV and then
// decrypt remaining bytes
//byte[] iv = new byte[16];
// System.arraycopy(encrypted, 0, iv, 0, 16)
//Copy remaining bytes to decrypt
// set cipher to decrypt mode
cipher.init(Cipher.DECRYPT_MODE, key,new IvParameterSpec(iv));
// decrypt it
byte[] decrypted = cipher.doFinal(encrypted);
System.out.println(new String(decrypted));
}
Now write an algorithm which will generate byte[] from some random data like device name, user name, random seed etc.
You can add more protection to algorithm source code by writing that algorithm in C and create.SO file and get byte [] using Native calls.
What are the advantages of doing all this?
- Event if your so is hacked it will need real time environment to run create key out of it.
- Even if some one does crack it the damage will be limited i.e. 1 device
- Hacker will have to repeat same with each device which is highly impossible to do.
这篇关于将硬编码的文件解密为byte []的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
