不安全的密码加密模式，如何解决？

公冶经纶

2023-03-14

问题内容：

我正在加密用于firebase登录的密码，它可以正常工作，但是我在Google Play控制台中收到一条警告，该your app contains unsafe cryptographic encryption patterns如何删除它？

我正在android studio上尝试。

public static class AESCrypt
{
    private static final String ALGORITHM = "AES";
    private static final String KEY = "1Hbfh667adfDEJ78";

    public static String encrypt(String value) throws Exception
    {
        Key key = generateKey();
        Cipher cipher = Cipher.getInstance(AESCrypt.ALGORITHM);
        cipher.init(Cipher.ENCRYPT_MODE, key);
        byte [] encryptedByteValue = cipher.doFinal(value.getBytes("utf-8"));
        String encryptedValue64 = Base64.encodeToString(encryptedByteValue, Base64.DEFAULT);
        return encryptedValue64;

    }

    public static String decrypt(String value) throws Exception
    {
        Key key = generateKey();
        Cipher cipher = Cipher.getInstance(AESCrypt.ALGORITHM);
        cipher.init(Cipher.DECRYPT_MODE, key);
        byte[] decryptedValue64 = Base64.decode(value, Base64.DEFAULT);
        byte [] decryptedByteValue = cipher.doFinal(decryptedValue64);
        String decryptedValue = new String(decryptedByteValue,"utf-8");
        return decryptedValue;

    }

    private static Key generateKey() throws Exception
    {
        Key key = new SecretKeySpec(AESCrypt.KEY.getBytes(),AESCrypt.ALGORITHM);
        return key;
    }

问题答案：

主要问题是您使用的密码没有完整性，并且使用了硬编码的加密密钥。如果使用“ 查找安全性错误”来分析源，则会收到CIPHER_INTEGRITY和HARD_CODE_KEY警告：

The cipher does not provide data integrity [com.lloyds.keystorage.AESCrypt] At AESCrypt.java:[line 25] CIPHER_INTEGRITY
The cipher does not provide data integrity [com.lloyds.keystorage.AESCrypt] At AESCrypt.java:[line 15] CIPHER_INTEGRITY
Hard coded cryptographic key found [com.lloyds.keystorage.AESCrypt] At AESCrypt.java:[line 35] HARD_CODE_KEY

解决方案是使用包含基于哈希的消息认证码（HMAC）的密码来对数据进行签名：

Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");

并将密钥存储在单独的配置文件或密钥库中。

下面是经过完全重构的整个类：

import android.util.Base64
import static java.nio.charset.StandardCharsets.UTF_8;
import java.security.Key;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;

public class AESCrypt {
  private static final String TRANSFORMATION = "AES/GCM/NoPadding";

  public static String encrypt(String value) throws Exception {
    Key key = generateKey();
    Cipher cipher = Cipher.getInstance(TRANSFORMATION);
    cipher.init(Cipher.ENCRYPT_MODE, key);
    byte[] encryptedByteValue = cipher.doFinal(value.getBytes(UTF_8));
    return Base64.encodeToString(encryptedByteValue, Base64.DEFAULT);
  }

  public static String decrypt(String value) throws Exception {
    Key key = generateKey();
    Cipher cipher = Cipher.getInstance(TRANSFORMATION);
    cipher.init(Cipher.DECRYPT_MODE, key);
    byte[] decryptedValue64 = Base64.decode(value, Base64.DEFAULT);
    byte[] decryptedByteValue = cipher.doFinal(decryptedValue64);
    return new String(decryptedByteValue, UTF_8);
  }

  private static Key generateKey() {
    return new SecretKeySpec(Configuration.getKey().getBytes(UTF_8), TRANSFORMATION);
  }
}

不安全的密码加密模式，如何解决？

相关阅读

相关文章

相关问答

相关工具

相关文档