【问题标题】:Public Key Cryptography on AndroidAndroid 上的公钥加密
【发布时间】:2011-11-27 13:41:44
【问题描述】:

我知道有这样的代码: http://www.java2s.com/Code/Android/Security/RSAencryptdecryptfunctionRSAECBPKCS1Padding.htm

/*
 Copyright (c) 2010, Sungjin Han <meinside@gmail.com>
 All rights reserved.

 Redistribution and use in source and binary forms, with or without
 modification, are permitted provided that the following conditions are met:

  * Redistributions of source code must retain the above copyright notice,
    this list of conditions and the following disclaimer.
  * Redistributions in binary form must reproduce the above copyright
    notice, this list of conditions and the following disclaimer in the
    documentation and/or other materials provided with the distribution.
  * Neither the name of meinside nor the names of its contributors may be
    used to endorse or promote products derived from this software without
    specific prior written permission.

 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
 AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
 LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
 CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
 SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
 INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
 CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 POSSIBILITY OF SUCH DAMAGE.
 */

//package org.andlib.helpers;
public static KeyPair generateRsaKeyPair(int keySize, BigInteger publicExponent)
{
KeyPair keys = null;
try
{
  KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA");
  RSAKeyGenParameterSpec spec = new RSAKeyGenParameterSpec(keySize, publicExponent);
  keyGen.initialize(spec);
  keys = keyGen.generateKeyPair();
}
catch(Exception e)
{
//  Logger.e(e.toString());
}
return keys;


}



/**
   * generates a RSA public key with given modulus and public exponent
   * 
   * @param modulus (must be positive? don't know exactly)
   * @param publicExponent
   * @return
   */
  public static PublicKey generateRsaPublicKey(BigInteger modulus, BigInteger publicExponent)
  {
    try
    {
      return KeyFactory.getInstance("RSA").generatePublic(new RSAPublicKeySpec(modulus,     publicExponent));
    }
    catch(Exception e)
    {
    //  Logger.e(e.toString());
    }
    return null;
  }

  /**
   * generates a RSA private key with given modulus and private exponent
   * 
   * @param modulus (must be positive? don't know exactly)
   * @param privateExponent
   * @return
   */
  public static PrivateKey generateRsaPrivateKey(BigInteger modulus, BigInteger privateExponent)
  {
    try
    {
      return KeyFactory.getInstance("RSA").generatePrivate(new RSAPrivateKeySpec(modulus, privateExponent));
    }
    catch(Exception e)
    {
    //  Logger.e(e.toString());
    }
    return null;
  }

  /**
   * RSA encrypt function (RSA / ECB / PKCS1-Padding)
   * 
   * @param original
   * @param key
   * @return
   */
  public static byte[] rsaEncrypt(byte[] original, PublicKey key)
  {
    try
    {
      Cipher cipher = Cipher.getInstance("RSA/ECB/PKCS1Padding");
      cipher.init(Cipher.ENCRYPT_MODE, key);
      return cipher.doFinal(original);
    }
    catch(Exception e)
    {
    //  Logger.e(e.toString());
    }
    return null;
  }

  /**
   * RSA decrypt function (RSA / ECB / PKCS1-Padding)
   * 
   * @param encrypted
   * @param key
   * @return
   */
  public static byte[] rsaDecrypt(byte[] encrypted, PrivateKey key)
  {
    try
    {
      Cipher cipher = Cipher.getInstance("RSA/ECB/PKCS1Padding");
      cipher.init(Cipher.DECRYPT_MODE, key);
      return cipher.doFinal(encrypted);
    }
    catch(Exception e)
    {
    //  Logger.e(e.toString());
    }
    return null;
  }

一些问题:

上面链接的代码是否存在侧面攻击,或者它是否安全?

如果第一个问题的答案是否定的,那么是否有一个模块可以处理侧向攻击?

我正在使用 Froyo 并且已经尝试了一段时间的谷歌搜索。感谢所有帮助,谢谢。

【问题讨论】:

    标签: android cryptography


    【解决方案1】:

    “侧面攻击”是什么意思?它是否安全取决于很多事情,主要取决于你如何使用它,以及你在加密/解密什么。有趣的是,许可证比代码长,而代码基本上没有什么特别之处:只是吞下异常......

    这与Android无关,顺便说一句。

    【讨论】:

    • 是的,我想我的意思是,Android 中的 API 可以防止侧面攻击。现在定义侧攻击:侧攻击是由于系统的实现而可能发生的攻击。因此,理论上健全的系统可能会因为实施不佳或不完整而变得不安全。
    • 首先,API不能说安全与否,只是实现。其次,您的问题很笼统:Android 有多个版本和构建,可在多个设备上运行。如果你想审计一些东西,你应该审计整个系统:设备+内核+Android框架。对于您的情况,即使 RSA 实现本身是正确的,如果随机生成器出现故障(这可能在内核中实现),您最终可能会得到不安全的密钥。即使实际的加密实现是正确的,使用这些也会危及整个系统。
    猜你喜欢
    • 1970-01-01
    • 1970-01-01
    • 2013-04-05
    • 2013-04-06
    • 1970-01-01
    • 2018-02-27
    • 2011-11-07
    • 1970-01-01
    • 1970-01-01
    相关资源
    最近更新 更多