1回答

梵蒂冈之花

主要问题是您使用没有完整性的密码和硬编码的加密密钥。如果您使用Find Security Bugs分析源代码，您会收到CIPHER_INTEGRITY和HARD_CODE_KEY警告：The cipher does not provide data integrity [com.lloyds.keystorage.AESCrypt] At AESCrypt.java:[line 25] CIPHER_INTEGRITYThe cipher does not provide data integrity [com.lloyds.keystorage.AESCrypt] At AESCrypt.java:[line 15] CIPHER_INTEGRITYHard coded cryptographic key found [com.lloyds.keystorage.AESCrypt] At AESCrypt.java:[line 35] HARD_CODE_KEY解决方案是使用包含基于哈希的消息身份验证代码 (HMAC) 的密码来对数据进行签名：Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");并将密钥存储在单独的配置文件或密钥库中。下面是完整重构后的整个类：import android.util.Base64import static java.nio.charset.StandardCharsets.UTF_8;import java.security.Key;import javax.crypto.Cipher;import javax.crypto.spec.SecretKeySpec;public class AESCrypt {  private static final String TRANSFORMATION = "AES/GCM/NoPadding";  public static String encrypt(String value) throws Exception {    Key key = generateKey();    Cipher cipher = Cipher.getInstance(TRANSFORMATION);    cipher.init(Cipher.ENCRYPT_MODE, key);    byte[] encryptedByteValue = cipher.doFinal(value.getBytes(UTF_8));    return Base64.encodeToString(encryptedByteValue, Base64.DEFAULT);  }  public static String decrypt(String value) throws Exception {    Key key = generateKey();    Cipher cipher = Cipher.getInstance(TRANSFORMATION);    cipher.init(Cipher.DECRYPT_MODE, key);    byte[] decryptedValue64 = Base64.decode(value, Base64.DEFAULT);    byte[] decryptedByteValue = cipher.doFinal(decryptedValue64);    return new String(decryptedByteValue, UTF_8);  }  private static Key generateKey() {    return new SecretKeySpec(Configuration.getKey().getBytes(UTF_8), TRANSFORMATION);  }}

0 0

0