查看代码的时候,看到有人用了关于密钥生成的策略,IV的前半部分始终相同,后半部分根据机器ID不同(其他人可能很难得到)身份证)。然后用于生成加密密钥,如下例:
public static final String constant = "1234";
String key = constant + (machine ID);
SecretKeySpec sks = new SecretKeySpec(key.getBytes(), "DES");
String result = sks.toString();
它是一种硬编码密码吗?我不确定它是否安全?如果不是,是不是高风险?
非常感谢。
【问题讨论】:
标签: security passwords hardcoded
这是不安全的,因为您使用的是非随机密钥,并且还使用了不安全的加密算法 (DES)。您需要使用像SecureRandom 这样的安全随机生成函数/类,并且需要选择像AES 或TwoFish 这样的安全算法
这是来自JavaDigest 的示例,展示了正确使用class SecureRandom:
package random;
import java.security.SecureRandom;
/**
* A Simple Example to generate secure random numbers using
* java.security.SecureRandom class.
*
*/
public class SecureRandomGenerator {
public static void main(String[] args) {
// Get the instance of SecureRandom class with specified PRNG algorithm
SecureRandom secureRandom = new SecureRandom();
// You can use the getInstance() of the Secure Random class to create an object of SecureRandam
// where you would need to specify the algorithm name.
// SecureRandom secureRandom = SecureRandom.getInstance("SHA1PRNG");
// Display the algorithm name
System.out.println("Used algorithm: " + secureRandom.getAlgorithm());
// You also specify the algorithm provider in the getInstance() method
// SecureRandom secureRandom = SecureRandom.getInstance("SHA1PRNG", "SUN");
// Display the Provider
System.out.println("Provider: " + secureRandom.getProvider());
// A call to the setSeed() method will seed the SecureRandom object.
// If a call is not made to setSeed(),
// The first call to nextBytes method will force the SecureRandom object to seed itself.
// Get 10 random numbers
System.out.println("Random Integers generated using SecureRandom");
for (int i = 0; i < 10; i++) {
System.out.println(secureRandom.nextInt());
}
}
}
【讨论】: