基于Java 256位AES密码的加密

390

我需要实现256位AES加密，但是我在网上找到的所有示例都使用“ KeyGenerator”来生成256位密钥，但是我想使用自己的密码。如何创建自己的密钥？我尝试将其填充到256位，但是随后出现错误消息，提示密钥太长。我确实安装了无限管辖权补丁，所以那不是问题:)

就是 KeyGenerator看起来像这样...

// Get the KeyGenerator
KeyGenerator kgen = KeyGenerator.getInstance("AES");
kgen.init(128); // 192 and 256 bits may not be available

// Generate the secret key specs.
SecretKey skey = kgen.generateKey();
byte[] raw = skey.getEncoded();

从这里获取的代码

编辑

我实际上是将密码填充到256个字节而不是位，这太长了。以下是我现在正在使用的一些代码，因为我对此有更多的经验。

byte[] key = null; // TODO
byte[] input = null; // TODO
byte[] output = null;
SecretKeySpec keySpec = null;
keySpec = new SecretKeySpec(key, "AES");
Cipher cipher = Cipher.getInstance("AES/CBC/PKCS7Padding");
cipher.init(Cipher.ENCRYPT_MODE, keySpec);
output = cipher.doFinal(input)

您需要自己做的“ TODO”位:-)

— 乳头龙
source

您能否澄清一下：调用kgen.init（256）是否有效？

— 米奇·麦特

2

是的，但这会自动生成一个密钥……但是由于我想在两个地方之间加密数据，因此我需要事先知道密钥，因此我需要指定一个密钥而不是“生成”一个。我可以指定一个适用于128位加密的16位密码。我已经尝试了32位用于256位加密，但是没有按预期工作。

— Nippysaurus，2009年

4

如果我理解正确，则您正在尝试使用预先指定的256位密钥，例如，指定为字节数组。如果是这样，DarkSquid的使用SecretKeySpec的方法应该可以工作。也可以从密码派生AES密钥。如果您要这样做，请告诉我，我会告诉您正确的做法。仅仅对密码进行散列并不是最佳实践。

— erickson

注意填充数字，可能会使AES的安全性降低。

— 约书亚

1

@erickson：这正是我需要做的（从密码中得出AES密钥）。

— Nippysaurus

475

与带外接收者共享password（a char[]）和salt（a所byte[]选择的a SecureRandom- 8个字节，这是个好习惯，不需要保密）。然后从此信息中得出一个好的密钥：

/* Derive the key, given password and salt. */
SecretKeyFactory factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
KeySpec spec = new PBEKeySpec(password, salt, 65536, 256);
SecretKey tmp = factory.generateSecret(spec);
SecretKey secret = new SecretKeySpec(tmp.getEncoded(), "AES");

幻数（可以在某处定义为常数）65536和256分别是密钥派生迭代计数和密钥大小。

迭代密钥派生功能需要大量的计算工作，并且可以防止攻击者快速尝试许多不同的密码。可以根据可用的计算资源来更改迭代次数。

密钥大小可以减小到128位，这仍然被认为是“强”加密，但是如果发现削弱AES的攻击，它的安全边际不会太大。

与适当的块链接模式一起使用时，相同的派生密钥可用于加密许多消息。在密码块链接（CBC）中，将为每个消息生成随机初始化向量（IV），即使明文相同，也会产生不同的密文。CBC可能不是您可以使用的最安全的模式（请参阅下面的AEAD）；还有许多其他模式具有不同的安全性属性，但是它们都使用类似的随机输入。无论如何，每个加密操作的输出都是密文和初始化向量：

/* Encrypt the message. */
Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
cipher.init(Cipher.ENCRYPT_MODE, secret);
AlgorithmParameters params = cipher.getParameters();
byte[] iv = params.getParameterSpec(IvParameterSpec.class).getIV();
byte[] ciphertext = cipher.doFinal("Hello, World!".getBytes("UTF-8"));

存储ciphertext和iv。解密时，SecretKey使用具有相同盐和迭代参数的密码以完全相同的方式重新生成。使用此密钥初始化密码，并使用消息存储初始化向量：

/* Decrypt the message, given derived key and initialization vector. */
Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
cipher.init(Cipher.DECRYPT_MODE, secret, new IvParameterSpec(iv));
String plaintext = new String(cipher.doFinal(ciphertext), "UTF-8");
System.out.println(plaintext);

Java 7包括对AEAD密码模式的 API 支持，OpenJDK和Oracle发行版中包括的“ SunJCE”提供程序从Java 8开始实现这些。它将保护数据的完整性及其隐私。

java.security.InvalidKeyException带有“非法密钥大小或默认参数”消息的A 表示加密强度受到限制；无限强度管辖权策略文件不在正确的位置。在JDK中，应将它们放置在${jdk}/jre/lib/security

根据问题描述，听起来策略文件未正确安装。系统可以轻松拥有多个Java运行时。仔细检查以确保使用了正确的位置。

— 埃里克森
source

29

@尼克：读PKCS＃5。盐对于PBKDF2是必需的，这就是为什么基于密码的加密API要求盐作为密钥派生的输入。如果不添加盐，则可以使用字典攻击，从而预先计算出最可能的对称加密密钥列表。密码IV和密钥派生盐有不同的用途。IV允许一个密钥重复使用多个消息。盐防止字典对密钥的攻击。

— erickson

2

首先，这将是DES加密，而不是AES。大多数提供商对PBEwith<prf>and<encryption>算法没有很好的支持。例如，SunJCE不提供AES的PBE。其次，启用jasypt是非目标。旨在提供安全性而无需了解基本原理的软件包似乎很危险。

— erickson

6

我已经将@erickson的答案作为一个类实现：github.com/mrclay/jSecureEdit/tree/master/src/org/mrclay/crypto（PBE可以完成工作，PBEStorage是用于将IV /密文存储在一起的值对象。）

— 史蒂夫·克莱

3

@AndyNuss此示例用于可逆加密，通常不应将其用于密码。您可以使用PBKDF2密钥派生来安全地“哈希”密码。这意味着在上面的示例中，您将结果存储tmp.getEncoded()为哈希。您还应该存储salt和迭代（在此示例中为65536），以便在有人尝试进行身份验证时可以重新计算哈希。在这种情况下，每次更改密码时，使用密码随机数生成器生成盐。

— erickson 2012年

6

要运行此代码，请确保ngs.ac.uk/tools/jcepolicyfiles

— Amir Moghimi

75

考虑使用Spring Security加密模块

Spring Security Crypto模块提供对对称加密，密钥生成和密码编码的支持。该代码作为核心模块的一部分分发，但与任何其他Spring Security（或Spring）代码无关。

它提供了一个简单的加密抽象，似乎与这里的要求相符，

“标准”加密方法是使用PKCS＃5的PBKDF2（基于密码的密钥派生功能＃2）的256位AES。此方法需要Java6。用于生成SecretKey的密码应保存在安全的地方，并且不能共享。如果您的加密数据遭到破坏，该盐可用于防止针对密钥的字典攻击。还应用了16字节的随机初始化向量，因此每个加密的消息都是唯一的。

仔细观察内部结构，发现结构类似于埃里克森的答案。

如问题中所述，这还需要Java密码学扩展（JCE）无限强度管辖权策略（否则，您将遇到InvalidKeyException: Illegal Key Size）。可从Java 6，Java 7和Java 8下载。

用法示例

import org.springframework.security.crypto.encrypt.Encryptors;
import org.springframework.security.crypto.encrypt.TextEncryptor;
import org.springframework.security.crypto.keygen.KeyGenerators;

public class CryptoExample {
    public static void main(String[] args) {
        final String password = "I AM SHERLOCKED";  
        final String salt = KeyGenerators.string().generateKey();

        TextEncryptor encryptor = Encryptors.text(password, salt);      
        System.out.println("Salt: \"" + salt + "\"");

        String textToEncrypt = "*royal secrets*";
        System.out.println("Original text: \"" + textToEncrypt + "\"");

        String encryptedText = encryptor.encrypt(textToEncrypt);
        System.out.println("Encrypted text: \"" + encryptedText + "\"");

        // Could reuse encryptor but wanted to show reconstructing TextEncryptor
        TextEncryptor decryptor = Encryptors.text(password, salt);
        String decryptedText = decryptor.decrypt(encryptedText);
        System.out.println("Decrypted text: \"" + decryptedText + "\"");

        if(textToEncrypt.equals(decryptedText)) {
            System.out.println("Success: decrypted text matches");
        } else {
            System.out.println("Failed: decrypted text does not match");
        }       
    }
}

并输出样本

盐：“ feacbc02a3a697b0”
原文：“ *皇家机密*”
加密的文本：“ 7c73c5a83fa580b5d6f8208768adc931ef3123291ac8bc335a1277a39d256d9a” 
解密文本：“ *王室秘密*”
成功：解密的文字匹配

— 约翰·麦卡锡
source

您可以在不加载整个Spring的情况下使用该模块吗？他们似乎没有使jar文件可供下载。

— theglauber 2014年

5

@theglauber是的，您可以在没有Spring Security或Spring框架的情况下使用该模块。从pom看，唯一的运行时依赖项是apache commons-logging 1.1.1。您可以使用maven插入jar或直接从官方二进制存储库中下载它（有关Spring二进制文件的更多信息，请参见Spring 4二进制文件下载）。

— 约翰·麦卡锡2014年

1

是否可以将密钥长度设置为128位？对我而言，在每台PC上修改安全文件夹都不是一个选择。

— IvanRF

1

@IvanRF对不起，看起来不像。256在源

— John McCarthy

2

在NULL_IV_GENERATOR由Spring工具使用是不安全的。如果应用程序不提供IV，则让提供者选择它，并在初始化后查询它。

— 埃里克森

32

在阅读了埃里克森的建议，并从其他几个帖子和此处的示例中搜集到的信息之后，我尝试使用建议的更改来更新道格的代码。随时进行编辑以使其更好。

初始化向量不再固定
加密密钥是使用erickson的代码派生的
使用SecureRandom（）在setupEncrypt（）中生成8字节盐
解密密钥由加密盐和密码生成
根据解密密钥和初始化向量生成解密密码
删除了十六进制旋转来代替org.apache.commons 编解码器十六进制例程

一些注意事项：它使用128位加密密钥-Java显然不会立即进行256位加密。实现256需要在Java安装目录中安装一些额外的文件。

另外，我也不是加密货币人。谨慎。

import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.security.AlgorithmParameters;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.InvalidParameterSpecException;
import java.security.spec.KeySpec;

import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.CipherInputStream;
import javax.crypto.CipherOutputStream;
import javax.crypto.IllegalBlockSizeException;
import javax.crypto.NoSuchPaddingException;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

import org.apache.commons.codec.DecoderException;
import org.apache.commons.codec.binary.Hex;

public class Crypto
{
    String mPassword = null;
    public final static int SALT_LEN = 8;
    byte [] mInitVec = null;
    byte [] mSalt = null;
    Cipher mEcipher = null;
    Cipher mDecipher = null;
    private final int KEYLEN_BITS = 128; // see notes below where this is used.
    private final int ITERATIONS = 65536;
    private final int MAX_FILE_BUF = 1024;

    /**
     * create an object with just the passphrase from the user. Don't do anything else yet 
     * @param password
     */
    public Crypto (String password)
    {
        mPassword = password;
    }

    /**
     * return the generated salt for this object
     * @return
     */
    public byte [] getSalt ()
    {
        return (mSalt);
    }

    /**
     * return the initialization vector created from setupEncryption
     * @return
     */
    public byte [] getInitVec ()
    {
        return (mInitVec);
    }

    /**
     * debug/print messages
     * @param msg
     */
    private void Db (String msg)
    {
        System.out.println ("** Crypt ** " + msg);
    }

    /**
     * this must be called after creating the initial Crypto object. It creates a salt of SALT_LEN bytes
     * and generates the salt bytes using secureRandom().  The encryption secret key is created 
     * along with the initialization vectory. The member variable mEcipher is created to be used
     * by the class later on when either creating a CipherOutputStream, or encrypting a buffer
     * to be written to disk.
     *  
     * @throws NoSuchAlgorithmException
     * @throws InvalidKeySpecException
     * @throws NoSuchPaddingException
     * @throws InvalidParameterSpecException
     * @throws IllegalBlockSizeException
     * @throws BadPaddingException
     * @throws UnsupportedEncodingException
     * @throws InvalidKeyException
     */
    public void setupEncrypt () throws NoSuchAlgorithmException, 
                                                           InvalidKeySpecException, 
                                                           NoSuchPaddingException, 
                                                           InvalidParameterSpecException, 
                                                           IllegalBlockSizeException, 
                                                           BadPaddingException, 
                                                           UnsupportedEncodingException, 
                                                           InvalidKeyException
    {
        SecretKeyFactory factory = null;
        SecretKey tmp = null;

        // crate secureRandom salt and store  as member var for later use
         mSalt = new byte [SALT_LEN];
        SecureRandom rnd = new SecureRandom ();
        rnd.nextBytes (mSalt);
        Db ("generated salt :" + Hex.encodeHexString (mSalt));

        factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1");

        /* Derive the key, given password and salt. 
         * 
         * in order to do 256 bit crypto, you have to muck with the files for Java's "unlimted security"
         * The end user must also install them (not compiled in) so beware. 
         * see here:  http://www.javamex.com/tutorials/cryptography/unrestricted_policy_files.shtml
         */
        KeySpec spec = new PBEKeySpec (mPassword.toCharArray (), mSalt, ITERATIONS, KEYLEN_BITS);
        tmp = factory.generateSecret (spec);
        SecretKey secret = new SecretKeySpec (tmp.getEncoded(), "AES");

        /* Create the Encryption cipher object and store as a member variable
         */
        mEcipher = Cipher.getInstance ("AES/CBC/PKCS5Padding");
        mEcipher.init (Cipher.ENCRYPT_MODE, secret);
        AlgorithmParameters params = mEcipher.getParameters ();

        // get the initialization vectory and store as member var 
        mInitVec = params.getParameterSpec (IvParameterSpec.class).getIV();

        Db ("mInitVec is :" + Hex.encodeHexString (mInitVec));
    }



    /**
     * If a file is being decrypted, we need to know the pasword, the salt and the initialization vector (iv). 
     * We have the password from initializing the class. pass the iv and salt here which is
     * obtained when encrypting the file initially.
     *   
     * @param initvec
     * @param salt
     * @throws NoSuchAlgorithmException
     * @throws InvalidKeySpecException
     * @throws NoSuchPaddingException
     * @throws InvalidKeyException
     * @throws InvalidAlgorithmParameterException
     * @throws DecoderException
     */
    public void setupDecrypt (String initvec, String salt) throws NoSuchAlgorithmException, 
                                                                                       InvalidKeySpecException, 
                                                                                       NoSuchPaddingException, 
                                                                                       InvalidKeyException, 
                                                                                       InvalidAlgorithmParameterException, 
                                                                                       DecoderException
    {
        SecretKeyFactory factory = null;
        SecretKey tmp = null;
        SecretKey secret = null;

        // since we pass it as a string of input, convert to a actual byte buffer here
        mSalt = Hex.decodeHex (salt.toCharArray ());
       Db ("got salt " + Hex.encodeHexString (mSalt));

        // get initialization vector from passed string
        mInitVec = Hex.decodeHex (initvec.toCharArray ());
        Db ("got initvector :" + Hex.encodeHexString (mInitVec));


        /* Derive the key, given password and salt. */
        // in order to do 256 bit crypto, you have to muck with the files for Java's "unlimted security"
        // The end user must also install them (not compiled in) so beware. 
        // see here: 
      // http://www.javamex.com/tutorials/cryptography/unrestricted_policy_files.shtml
        factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1");
        KeySpec spec = new PBEKeySpec(mPassword.toCharArray (), mSalt, ITERATIONS, KEYLEN_BITS);

        tmp = factory.generateSecret(spec);
        secret = new SecretKeySpec(tmp.getEncoded(), "AES");

        /* Decrypt the message, given derived key and initialization vector. */
        mDecipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
        mDecipher.init(Cipher.DECRYPT_MODE, secret, new IvParameterSpec(mInitVec));
    }


    /**
     * This is where we write out the actual encrypted data to disk using the Cipher created in setupEncrypt().
     * Pass two file objects representing the actual input (cleartext) and output file to be encrypted.
     * 
     * there may be a way to write a cleartext header to the encrypted file containing the salt, but I ran
     * into uncertain problems with that. 
     *  
     * @param input - the cleartext file to be encrypted
     * @param output - the encrypted data file
     * @throws IOException
     * @throws IllegalBlockSizeException
     * @throws BadPaddingException
     */
    public void WriteEncryptedFile (File input, File output) throws 
                                                                                          IOException, 
                                                                                          IllegalBlockSizeException, 
                                                                                          BadPaddingException
    {
        FileInputStream fin;
        FileOutputStream fout;
        long totalread = 0;
        int nread = 0;
        byte [] inbuf = new byte [MAX_FILE_BUF];

        fout = new FileOutputStream (output);
        fin = new FileInputStream (input);

        while ((nread = fin.read (inbuf)) > 0 )
        {
            Db ("read " + nread + " bytes");
            totalread += nread;

            // create a buffer to write with the exact number of bytes read. Otherwise a short read fills inbuf with 0x0
            // and results in full blocks of MAX_FILE_BUF being written. 
            byte [] trimbuf = new byte [nread];
            for (int i = 0; i < nread; i++)
                trimbuf[i] = inbuf[i];

            // encrypt the buffer using the cipher obtained previosly
            byte [] tmp = mEcipher.update (trimbuf);

            // I don't think this should happen, but just in case..
            if (tmp != null)
                fout.write (tmp);
        }

        // finalize the encryption since we've done it in blocks of MAX_FILE_BUF
        byte [] finalbuf = mEcipher.doFinal ();
        if (finalbuf != null)
            fout.write (finalbuf);

        fout.flush();
        fin.close();
        fout.close();

        Db ("wrote " + totalread + " encrypted bytes");
    }


    /**
     * Read from the encrypted file (input) and turn the cipher back into cleartext. Write the cleartext buffer back out
     * to disk as (output) File.
     * 
     * I left CipherInputStream in here as a test to see if I could mix it with the update() and final() methods of encrypting
     *  and still have a correctly decrypted file in the end. Seems to work so left it in.
     *  
     * @param input - File object representing encrypted data on disk 
     * @param output - File object of cleartext data to write out after decrypting
     * @throws IllegalBlockSizeException
     * @throws BadPaddingException
     * @throws IOException
     */
    public void ReadEncryptedFile (File input, File output) throws 
                                                                                                                                            IllegalBlockSizeException, 
                                                                                                                                            BadPaddingException, 
                                                                                                                                            IOException
    {
        FileInputStream fin; 
        FileOutputStream fout;
        CipherInputStream cin;
        long totalread = 0;
        int nread = 0;
        byte [] inbuf = new byte [MAX_FILE_BUF];

        fout = new FileOutputStream (output);
        fin = new FileInputStream (input);

        // creating a decoding stream from the FileInputStream above using the cipher created from setupDecrypt()
        cin = new CipherInputStream (fin, mDecipher);

        while ((nread = cin.read (inbuf)) > 0 )
        {
            Db ("read " + nread + " bytes");
            totalread += nread;

            // create a buffer to write with the exact number of bytes read. Otherwise a short read fills inbuf with 0x0
            byte [] trimbuf = new byte [nread];
            for (int i = 0; i < nread; i++)
                trimbuf[i] = inbuf[i];

            // write out the size-adjusted buffer
            fout.write (trimbuf);
        }

        fout.flush();
        cin.close();
        fin.close ();       
        fout.close();   

        Db ("wrote " + totalread + " encrypted bytes");
    }


    /**
     * adding main() for usage demonstration. With member vars, some of the locals would not be needed
     */
    public static void main(String [] args)
    {

        // create the input.txt file in the current directory before continuing
        File input = new File ("input.txt");
        File eoutput = new File ("encrypted.aes");
        File doutput = new File ("decrypted.txt");
        String iv = null;
        String salt = null;
        Crypto en = new Crypto ("mypassword");

        /*
         * setup encryption cipher using password. print out iv and salt
         */
        try
      {
          en.setupEncrypt ();
          iv = Hex.encodeHexString (en.getInitVec ()).toUpperCase ();
          salt = Hex.encodeHexString (en.getSalt ()).toUpperCase ();
      }
      catch (InvalidKeyException e)
      {
          e.printStackTrace();
      }
      catch (NoSuchAlgorithmException e)
      {
          e.printStackTrace();
      }
      catch (InvalidKeySpecException e)
      {
          e.printStackTrace();
      }
      catch (NoSuchPaddingException e)
      {
          e.printStackTrace();
      }
      catch (InvalidParameterSpecException e)
      {
          e.printStackTrace();
      }
      catch (IllegalBlockSizeException e)
      {
          e.printStackTrace();
      }
      catch (BadPaddingException e)
      {
          e.printStackTrace();
      }
      catch (UnsupportedEncodingException e)
      {
          e.printStackTrace();
      }

        /*
         * write out encrypted file
         */
        try
      {
          en.WriteEncryptedFile (input, eoutput);
          System.out.printf ("File encrypted to " + eoutput.getName () + "\niv:" + iv + "\nsalt:" + salt + "\n\n");
      }
      catch (IllegalBlockSizeException e)
      {
          e.printStackTrace();
      }
      catch (BadPaddingException e)
      {
          e.printStackTrace();
      }
      catch (IOException e)
      {
          e.printStackTrace();
      }


        /*
         * decrypt file
         */
        Crypto dc = new Crypto ("mypassword");
        try
      {
          dc.setupDecrypt (iv, salt);
      }
      catch (InvalidKeyException e)
      {
          e.printStackTrace();
      }
      catch (NoSuchAlgorithmException e)
      {
          e.printStackTrace();
      }
      catch (InvalidKeySpecException e)
      {
          e.printStackTrace();
      }
      catch (NoSuchPaddingException e)
      {
          e.printStackTrace();
      }
      catch (InvalidAlgorithmParameterException e)
      {
          e.printStackTrace();
      }
      catch (DecoderException e)
      {
          e.printStackTrace();
      }

        /*
         * write out decrypted file
         */
        try
      {
          dc.ReadEncryptedFile (eoutput, doutput);
          System.out.println ("decryption finished to " + doutput.getName ());
      }
      catch (IllegalBlockSizeException e)
      {
          e.printStackTrace();
      }
      catch (BadPaddingException e)
      {
          e.printStackTrace();
      }
      catch (IOException e)
      {
          e.printStackTrace();
      }
   }


}

— 乌富
source

13

这基本上是与Erickson相同的答案，并由一个-编程不完善的包装器包围。printStackTrace()

— Maarten Bodewes，2014年

2

@owlstead-这是一个很好的答案。它显示了如何通过加密字节缓冲区而不是将所有内容存储在内存中来加密流。埃里克森（Erickson）的答案不适用于大文件，该文件不适合存储在内存中。因此对wufoo +1。:)

— dynamokaj 2014年

2

@dynamokaj使用的CipherInputStream和CipherOutputStream是不是太大的问题。将表下的所有异常混排是一个问题。问题是盐突然变成了田野，需要静脉注射。它不遵循Java编码约定的事实是一个问题。而且，这仅在不要求的情况下适用于文件的事实是一个问题。而且其余的代码基本上是一个副本，也没有帮助。但也许我会按照建议进行调整，使其变得更好...

— Maarten Bodewes 2014年

@owlstead我同意我可以将编码缩减为1/4之类的东西看起来更好，但是我喜欢他向我介绍了CipherInputStream和CipherOutputStream，因为那正是我昨天需要的！;）

— dynamokaj 2014年

为什么两次？fout.close（）; fout.close（）;

— 玛丽安（MarianPaździoch）

7

从字节数组生成自己的密钥很容易：

byte[] raw = ...; // 32 bytes in size for a 256 bit key
Key skey = new javax.crypto.spec.SecretKeySpec(raw, "AES");

但是，创建256位密钥是不够的。如果密钥生成器无法为您生成256位密钥，则Cipher该类可能也不支持AES 256位。您说您已安装了无限管辖权补丁，因此应支持AES-256密码（但随后也应支持256位密钥，因此这可能是配置问题）。

Cipher cipher = Cipher.getInstance("AES");
cipher.init(Cipher.ENCRYPT_MODE, skey);
byte[] encrypted = cipher.doFinal(plainText.getBytes());

缺少AES-256支持的一种解决方法是采用一些可免费获得的AES-256实现，并将其用作自定义提供程序。这涉及创建自己的Provider子类并将其与结合使用Cipher.getInstance(String, Provider)。但这可能是一个涉及的过程。

— 瓦卡斯
source

5

您应该始终指示模式和填充算法。Java默认使用不安全的ECB模式。

— Maarten Bodewes 2012年

您无法创建自己的提供程序，必须对提供程序进行签名（不能相信我最初会读过此错误）。即使可以，密钥大小的限制也位于的实现中Cipher，而不是在提供程序本身中。您可以在Java 8及更低版本中使用AES-256，但需要使用专有的API。或者，运行时对密钥大小没有限制。

— Maarten Bodewes，2014年

OpenJDK（和Android）的最新版本对添加您自己的安全性/加密提供程序没有限制。但是，这样做的后果自负。如果您忘记使库保持最新状态，则可能会使自己面临安全风险。

— Maarten Bodewes，

1

@ MaartenBodewes + OpenJDK最初从未遇到过“有限加密策略”问题，Oracle JDK在一年前就以8u161和9 up的价格删除了它（也许还有一些较低的现付版本，但我没有检查过）

— dave_thompson_085 '19

6

我过去所做的就是通过类似SHA256的方式对密钥进行哈希处理，然后将哈希值中的字节提取到密钥byte []中。

获得byte []之后，您可以简单地执行以下操作：

SecretKeySpec key = new SecretKeySpec(keyBytes, "AES");
Cipher cipher = Cipher.getInstance("AES");
cipher.init(Cipher.ENCRYPT_MODE, key);
byte[] encryptedBytes = cipher.doFinal(clearText.getBytes());

— 黑暗乌贼
source

12

对于其他人：这不是一个非常安全的方法。您应该使用PKCS＃5中指定的PBKDF 2。埃里克森在上面说了如何做。DarkSquid的方法容易受到密码攻击，除非您的纯文本大小是AES块大小（128位）的倍数，否则他将无法工作，因为他没有填充。而且它没有指定模式。阅读Wikipedia的“分组密码操作模式”以获取关注。

— 2011年

1

@DarkSquid

Cipher aes256 = Cipher.getInstance("AES/OFB/NoPadding"); 				MessageDigest keyDigest = MessageDigest.getInstance("SHA-256"); 				byte[] keyHash = keyDigest.digest(secret.getBytes("UTF-8")); 				SecretKeySpec key = new SecretKeySpec(keyHash, "AES"); 				aes256.init(Cipher.DECRYPT_MODE, key, new IvParameterSpec(initializationVector));

我也按照您的答案中的建议进行操作，但是我仍然遇到此java.security.InvalidKeyException：密钥大小非法是否必须下载JCE策略文件？

— Niranjan Subramanian 2014年

2

不要在任何类型的生产环境中使用此方法。当开始使用基于密码的加密时，许多用户不知所措，并且不了解字典攻击和其他简单的技巧是如何工作的。虽然学习可能会令人沮丧，但研究此内容是值得的投资。这是一篇不错的初学者文章：adambard.com/blog/3-wrong-ways-to-store-a-password

— IcedDante 2014年

1

以下版本添加到@Wufoo的编辑中，使用InputStreams而不是文件，从而使处理各种文件更加容易。它还将IV和Salt存储在文件的开头，因此仅需要跟踪密码。由于IV和Salt不需要保密，因此使生活更加轻松。

import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;

import java.security.AlgorithmParameters;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.InvalidParameterSpecException;
import java.security.spec.KeySpec;

import java.util.logging.Level;
import java.util.logging.Logger;

import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.CipherInputStream;
import javax.crypto.IllegalBlockSizeException;
import javax.crypto.NoSuchPaddingException;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

public class AES {
    public final static int SALT_LEN     = 8;
    static final String     HEXES        = "0123456789ABCDEF";
    String                  mPassword    = null;
    byte[]                  mInitVec     = null;
    byte[]                  mSalt        = new byte[SALT_LEN];
    Cipher                  mEcipher     = null;
    Cipher                  mDecipher    = null;
    private final int       KEYLEN_BITS  = 128;    // see notes below where this is used.
    private final int       ITERATIONS   = 65536;
    private final int       MAX_FILE_BUF = 1024;

    /**
     * create an object with just the passphrase from the user. Don't do anything else yet
     * @param password
     */
    public AES(String password) {
        mPassword = password;
    }

    public static String byteToHex(byte[] raw) {
        if (raw == null) {
            return null;
        }

        final StringBuilder hex = new StringBuilder(2 * raw.length);

        for (final byte b : raw) {
            hex.append(HEXES.charAt((b & 0xF0) >> 4)).append(HEXES.charAt((b & 0x0F)));
        }

        return hex.toString();
    }

    public static byte[] hexToByte(String hexString) {
        int    len = hexString.length();
        byte[] ba  = new byte[len / 2];

        for (int i = 0; i < len; i += 2) {
            ba[i / 2] = (byte) ((Character.digit(hexString.charAt(i), 16) << 4)
                                + Character.digit(hexString.charAt(i + 1), 16));
        }

        return ba;
    }

    /**
     * debug/print messages
     * @param msg
     */
    private void Db(String msg) {
        System.out.println("** Crypt ** " + msg);
    }

    /**
     * This is where we write out the actual encrypted data to disk using the Cipher created in setupEncrypt().
     * Pass two file objects representing the actual input (cleartext) and output file to be encrypted.
     *
     * there may be a way to write a cleartext header to the encrypted file containing the salt, but I ran
     * into uncertain problems with that.
     *
     * @param input - the cleartext file to be encrypted
     * @param output - the encrypted data file
     * @throws IOException
     * @throws IllegalBlockSizeException
     * @throws BadPaddingException
     */
    public void WriteEncryptedFile(InputStream inputStream, OutputStream outputStream)
            throws IOException, IllegalBlockSizeException, BadPaddingException {
        try {
            long             totalread = 0;
            int              nread     = 0;
            byte[]           inbuf     = new byte[MAX_FILE_BUF];
            SecretKeyFactory factory   = null;
            SecretKey        tmp       = null;

            // crate secureRandom salt and store  as member var for later use
            mSalt = new byte[SALT_LEN];

            SecureRandom rnd = new SecureRandom();

            rnd.nextBytes(mSalt);
            Db("generated salt :" + byteToHex(mSalt));
            factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1");

            /*
             *  Derive the key, given password and salt.
             *
             * in order to do 256 bit crypto, you have to muck with the files for Java's "unlimted security"
             * The end user must also install them (not compiled in) so beware.
             * see here:  http://www.javamex.com/tutorials/cryptography/unrestricted_policy_files.shtml
             */
            KeySpec spec = new PBEKeySpec(mPassword.toCharArray(), mSalt, ITERATIONS, KEYLEN_BITS);

            tmp = factory.generateSecret(spec);

            SecretKey secret = new SecretKeySpec(tmp.getEncoded(), "AES");

            /*
             *  Create the Encryption cipher object and store as a member variable
             */
            mEcipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
            mEcipher.init(Cipher.ENCRYPT_MODE, secret);

            AlgorithmParameters params = mEcipher.getParameters();

            // get the initialization vectory and store as member var
            mInitVec = params.getParameterSpec(IvParameterSpec.class).getIV();
            Db("mInitVec is :" + byteToHex(mInitVec));
            outputStream.write(mSalt);
            outputStream.write(mInitVec);

            while ((nread = inputStream.read(inbuf)) > 0) {
                Db("read " + nread + " bytes");
                totalread += nread;

                // create a buffer to write with the exact number of bytes read. Otherwise a short read fills inbuf with 0x0
                // and results in full blocks of MAX_FILE_BUF being written.
                byte[] trimbuf = new byte[nread];

                for (int i = 0; i < nread; i++) {
                    trimbuf[i] = inbuf[i];
                }

                // encrypt the buffer using the cipher obtained previosly
                byte[] tmpBuf = mEcipher.update(trimbuf);

                // I don't think this should happen, but just in case..
                if (tmpBuf != null) {
                    outputStream.write(tmpBuf);
                }
            }

            // finalize the encryption since we've done it in blocks of MAX_FILE_BUF
            byte[] finalbuf = mEcipher.doFinal();

            if (finalbuf != null) {
                outputStream.write(finalbuf);
            }

            outputStream.flush();
            inputStream.close();
            outputStream.close();
            outputStream.close();
            Db("wrote " + totalread + " encrypted bytes");
        } catch (InvalidKeyException ex) {
            Logger.getLogger(AES.class.getName()).log(Level.SEVERE, null, ex);
        } catch (InvalidParameterSpecException ex) {
            Logger.getLogger(AES.class.getName()).log(Level.SEVERE, null, ex);
        } catch (NoSuchAlgorithmException ex) {
            Logger.getLogger(AES.class.getName()).log(Level.SEVERE, null, ex);
        } catch (NoSuchPaddingException ex) {
            Logger.getLogger(AES.class.getName()).log(Level.SEVERE, null, ex);
        } catch (InvalidKeySpecException ex) {
            Logger.getLogger(AES.class.getName()).log(Level.SEVERE, null, ex);
        }
    }

    /**
     * Read from the encrypted file (input) and turn the cipher back into cleartext. Write the cleartext buffer back out
     * to disk as (output) File.
     *
     * I left CipherInputStream in here as a test to see if I could mix it with the update() and final() methods of encrypting
     *  and still have a correctly decrypted file in the end. Seems to work so left it in.
     *
     * @param input - File object representing encrypted data on disk
     * @param output - File object of cleartext data to write out after decrypting
     * @throws IllegalBlockSizeException
     * @throws BadPaddingException
     * @throws IOException
     */
    public void ReadEncryptedFile(InputStream inputStream, OutputStream outputStream)
            throws IllegalBlockSizeException, BadPaddingException, IOException {
        try {
            CipherInputStream cin;
            long              totalread = 0;
            int               nread     = 0;
            byte[]            inbuf     = new byte[MAX_FILE_BUF];

            // Read the Salt
            inputStream.read(this.mSalt);
            Db("generated salt :" + byteToHex(mSalt));

            SecretKeyFactory factory = null;
            SecretKey        tmp     = null;
            SecretKey        secret  = null;

            factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1");

            KeySpec spec = new PBEKeySpec(mPassword.toCharArray(), mSalt, ITERATIONS, KEYLEN_BITS);

            tmp    = factory.generateSecret(spec);
            secret = new SecretKeySpec(tmp.getEncoded(), "AES");

            /* Decrypt the message, given derived key and initialization vector. */
            mDecipher = Cipher.getInstance("AES/CBC/PKCS5Padding");

            // Set the appropriate size for mInitVec by Generating a New One
            AlgorithmParameters params = mDecipher.getParameters();

            mInitVec = params.getParameterSpec(IvParameterSpec.class).getIV();

            // Read the old IV from the file to mInitVec now that size is set.
            inputStream.read(this.mInitVec);
            Db("mInitVec is :" + byteToHex(mInitVec));
            mDecipher.init(Cipher.DECRYPT_MODE, secret, new IvParameterSpec(mInitVec));

            // creating a decoding stream from the FileInputStream above using the cipher created from setupDecrypt()
            cin = new CipherInputStream(inputStream, mDecipher);

            while ((nread = cin.read(inbuf)) > 0) {
                Db("read " + nread + " bytes");
                totalread += nread;

                // create a buffer to write with the exact number of bytes read. Otherwise a short read fills inbuf with 0x0
                byte[] trimbuf = new byte[nread];

                for (int i = 0; i < nread; i++) {
                    trimbuf[i] = inbuf[i];
                }

                // write out the size-adjusted buffer
                outputStream.write(trimbuf);
            }

            outputStream.flush();
            cin.close();
            inputStream.close();
            outputStream.close();
            Db("wrote " + totalread + " encrypted bytes");
        } catch (Exception ex) {
            Logger.getLogger(AES.class.getName()).log(Level.SEVERE, null, ex);
        }
    }

    /**
     * adding main() for usage demonstration. With member vars, some of the locals would not be needed
     */
    public static void main(String[] args) {

        // create the input.txt file in the current directory before continuing
        File   input   = new File("input.txt");
        File   eoutput = new File("encrypted.aes");
        File   doutput = new File("decrypted.txt");
        String iv      = null;
        String salt    = null;
        AES    en      = new AES("mypassword");

        /*
         * write out encrypted file
         */
        try {
            en.WriteEncryptedFile(new FileInputStream(input), new FileOutputStream(eoutput));
            System.out.printf("File encrypted to " + eoutput.getName() + "\niv:" + iv + "\nsalt:" + salt + "\n\n");
        } catch (IllegalBlockSizeException | BadPaddingException | IOException e) {
            e.printStackTrace();
        }

        /*
         * decrypt file
         */
        AES dc = new AES("mypassword");

        /*
         * write out decrypted file
         */
        try {
            dc.ReadEncryptedFile(new FileInputStream(eoutput), new FileOutputStream(doutput));
            System.out.println("decryption finished to " + doutput.getName());
        } catch (IllegalBlockSizeException | BadPaddingException | IOException e) {
            e.printStackTrace();
        }
    }
}

— 道格
source

1

该解决方案似乎使用了一些尴尬的缓冲区处理和绝对低于标准的异常处理，基本上将它们记录下来，然后将其遗忘了。请注意，使用CBC可以存储文件，但不能传输安全。当然可以捍卫PBKDF2和AES的使用，从这个意义上讲，它可能是解决方案的良好基础。

— Maarten Bodewes '16

1

（可能对有类似要求的其他人有所帮助）

我AES-256-CBC在Java中使用加密和解密也有类似的要求。

为了实现（或指定）256字节的加密/解密，Java Cryptography Extension (JCE)策略应设置为"Unlimited"

可以java.security在$JAVA_HOME/jre/lib/security（对于JDK）或$JAVA_HOME/lib/security（对于JRE）下的文件中进行设置

crypto.policy=unlimited

或在代码中

Security.setProperty("crypto.policy", "unlimited");

Java 9和更高版本默认情况下启用了此功能。

— 普拉文
source

0

考虑使用Encryptor4j我是作者的。

首先，请确保您具有无限力量管辖权政策安装文件，然后才能使用256位AES密钥。

然后执行以下操作：

String password = "mysupersecretpassword"; 
Key key = KeyFactory.AES.keyFromPassword(password.toCharArray());
Encryptor encryptor = new Encryptor(key, "AES/CBC/PKCS7Padding", 16);

现在，您可以使用加密器来加密您的消息。您也可以根据需要执行流加密。为了您的方便，它会自动生成并添加一个安全的IV。

如果您希望压缩文件，请查看此答案，使用JAVA使用AES加密大文件，可得到更简单的方法。

— 白眉
source

2

马丁，您好，如果要指出它，您应该始终表明您是图书馆的作家。有很多加密包装程序试图使事情变得容易。这是一份安全文件还是收到过任何评论，值得我们花时间？

— Maarten Bodewes，

-1

使用此类进行加密。有用。

public class ObjectCrypter {


    public static byte[] encrypt(byte[] ivBytes, byte[] keyBytes, byte[] mes) 
            throws NoSuchAlgorithmException,
            NoSuchPaddingException,
            InvalidKeyException,
            InvalidAlgorithmParameterException,
            IllegalBlockSizeException,
            BadPaddingException, IOException {

        AlgorithmParameterSpec ivSpec = new IvParameterSpec(ivBytes);
        SecretKeySpec newKey = new SecretKeySpec(keyBytes, "AES");
        Cipher cipher = null;
        cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
        cipher.init(Cipher.ENCRYPT_MODE, newKey, ivSpec);
        return  cipher.doFinal(mes);

    }

    public static byte[] decrypt(byte[] ivBytes, byte[] keyBytes, byte[] bytes) 
            throws NoSuchAlgorithmException,
            NoSuchPaddingException,
            InvalidKeyException,
            InvalidAlgorithmParameterException,
            IllegalBlockSizeException,
            BadPaddingException, IOException, ClassNotFoundException {

        AlgorithmParameterSpec ivSpec = new IvParameterSpec(ivBytes);
        SecretKeySpec newKey = new SecretKeySpec(keyBytes, "AES");
        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
        cipher.init(Cipher.DECRYPT_MODE, newKey, ivSpec);
        return  cipher.doFinal(bytes);

    }
}

这些是ivBytes和一个随机密钥；

String key = "e8ffc7e56311679f12b6fc91aa77a5eb";

byte[] ivBytes = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
keyBytes = key.getBytes("UTF-8");

— 工程师
source

10

“有效”。是，但是它不满足创建加密安全解决方案的要求（在我看来，它也不符合有关异常处理的Java编码标准）。

— Maarten Bodewes，2014年

2

IV初始化为零。搜索BEAST和ACPA攻击。

— 米歇尔·朱塞佩·法达

wazoo，生成“随机”密钥的方法以及IV均为零的情况是该实现方式的问题，但这些问题很难解决。+1。

— 菲尔（Phil）