【问题标题】:winzipaes is slow to decrypt a 10 MB file on Androidwinzipaes 在 Android 上解密 10 MB 文件的速度很慢
【发布时间】:2014-12-30 10:27:12
【问题描述】:

我尝试在三星 S5 上从一个使用 AES 加密的 zip 文件中解密一个 10 MB 的文件,但速度太慢了,这让我很吃惊。我对AES很熟悉,所以不知道是不是很费时间。以下是我的测试结果。谁能告诉我这些结果是否合理?

有没有办法加速AES解密?

PS。我使用 SpongyCastle 来避免类加载器冲突,我还修改了 winzipaes 以使用 SpongyCastle。

测试 1
设备:三星 S5
压缩包:7za a -tzip -mx=0 -p1234 -mem=AES256 test.zip 1MB_file 10MB_file
1MB_file: 1 MB
10MB_file:10 MB
test.zip:12.5 MB
压缩率:1.00
解密解压:
--> 1MB_file: 3167 毫秒
--> 10MB_file: 34137 毫秒

测试 2
设备:三星 S5
压缩包:7za a -tzip -mx=1 -p1234 -mem=AES256 test.zip 1MB_file 10MB_file
1MB_file: 1 MB
10MB_file:10 MB
test.zip:5.4 MB
压缩率:2.31
解密解压:
--> 1MB_file: 1290 毫秒
--> 10MB_file: 15369 毫秒

测试 3
设备:三星 S5
压缩包:7za a -tzip -mx=9 -p1234 -mem=AES256 test.zip 1MB_file 10MB_file
1MB_file: 1 MB
10MB_file:10 MB
test.zip:5.1 MB
压缩率:2.46
解密解压:
--> 1MB_file: 1202 毫秒
--> 10MB_file: 14460 毫秒

winzipaes:https://code.google.com/p/winzipaes/
海绵城堡:http://rtyley.github.io/spongycastle/

================================================ ====================================

使用@Maarten Bodewes - owlstead 解决方案

测试 2
设备:三星 S5
压缩包:7za a -tzip -mx=1 -p1234 -mem=AES256 test.zip 1MB_file 10MB_file
1MB_file: 1 MB
10MB_file:10 MB
test.zip:5.4 MB
压缩率:2.31
解密解压:
--> 1MB_file:206 毫秒(原为 1290 毫秒)
--> 10MB_file:1782 毫秒(原为 15369 毫秒)

【问题讨论】:

  • 您能显示生成的文件大小吗?这是估计 MB/s 所必需的。
  • "7za a -tzip -mx=1 -p1234 -mem=AES256 test.zip 1MB_file 10MB_file" test.zip 输入输出分别为 1MB_file 和 10MB_file,其中 1MB_file 大小为 1mb, 10MB_file 的大小为 10 mbs,test.zip 约为 5 mbs。压缩率约为2.5。这是你要问的吗?
  • 请注意,zip AES 代码并不是最智能的代码:它需要 每个文件 的密钥派生,即使密码相同(如上)。这尤其愚蠢,因为攻击者只需要找到成功解密一个文件的密码即可解密其余文件。
  • 非常感谢!速度快了 10 倍!嗯,实际上 zip 文件是一个包含 XML 数字签名的 W3C 包。使用 AES 加密进行压缩只会使解密文件变得更加困难。您的代码非常有用。我刚刚进行了测试。我没读过。现在,我将理解您的代码。谢谢~~~

标签: java android encryption aes bouncycastle


【解决方案1】:

是的,有一些方法可以加快速度,因为 winzipaes 的源代码使用了一种相当低效的解密方式:它通过计算 IV 和初始化密码来解密每个块(用于 CTR 模式解密)。这可能意味着密钥被重新初始化太频繁了。此外,处理 16 字节块中的数据也不是很有效。这主要是因为 WinZip 执行的 AES-CTR 使用小端计数器而不是大端计数器(按照标准)。

解密似乎还包括在密文上计算 HMAC-SHA1,这也会增加大量开销。如果您只需要存储文本的机密性,那么您可以跳过该步骤,尽管 MAC 确实具有显着的安全优势,提供加密安全的完整性和真实性。

为了说明我的意思,我创建了一个小示例代码,它至少在我的 Java SE 机器上运行得更快。根据 Wayne(原海报)的说法,这将 Android 代码的速度提高了 10 倍左右,在我的 Java SE 测试中,我“只”看到了大约 3 倍的加速。

变化:

  • 创建了用于 ZIP 的特殊 little endian 计数器模式
  • 由于上述原因而简化/优化了解密器代码
  • 删除了每个文件的双密钥派生(D'oh!)
  • 不验证 MAC 的选项(回报相对较小,SHA1 相当快)
  • 使用AESFastEngine,没关系,但是嘿...

很可能可以为加密器创建相同类型的优化。

注意事项:

  • .zip 加密是每个存储的文件,因此效率很低,因为每个存储的文件也需要进行一次密钥派生。 .zip 文件本身的加密效率会更高。
  • 使用 JCA 版本的解密器可能会提供加速,并且 Android 可能能够在更高版本中使用 OpenSSL 代码(但它必须逐块执行加密)。

-

/**
 * Adapter for bouncy castle crypto implementation (decryption).
 *
 * @author olaf@merkert.de
 * @author owlstead
 */
public class AESDecrypterOwlstead extends AESCryptoBase implements AESDecrypter {


    private final boolean verify;

    public AESDecrypterOwlstead(boolean verify) {
        this.verify = verify;
    }

    // TODO consider keySize (but: we probably need to adapt the key size for the zip file as well)
    public void init( String pwStr, int keySize, byte[] salt, byte[] pwVerification ) throws ZipException {
        byte[] pwBytes = pwStr.getBytes();

        super.saltBytes = salt;

        PBEParametersGenerator generator = new PKCS5S2ParametersGenerator();
        generator.init( pwBytes, salt, ITERATION_COUNT );

        cipherParameters = generator.generateDerivedParameters(KEY_SIZE_BIT*2 + 16);
        byte[] keyBytes = ((KeyParameter)cipherParameters).getKey();

        this.cryptoKeyBytes = new byte[ KEY_SIZE_BYTE ];
        System.arraycopy( keyBytes, 0, cryptoKeyBytes, 0, KEY_SIZE_BYTE );

        this.authenticationCodeBytes = new byte[ KEY_SIZE_BYTE ];
        System.arraycopy( keyBytes, KEY_SIZE_BYTE, authenticationCodeBytes, 0, KEY_SIZE_BYTE );

        // based on SALT + PASSWORD (password is probably correct)
        this.pwVerificationBytes = new byte[ 2 ];
        System.arraycopy( keyBytes, KEY_SIZE_BYTE*2, this.pwVerificationBytes, 0, 2 );

        if( !ByteArrayHelper.isEqual( this.pwVerificationBytes, pwVerification ) ) {
            throw new ZipException("wrong password - " + ByteArrayHelper.toString(this.pwVerificationBytes) + "/ " + ByteArrayHelper.toString(pwVerification));
        }

        cipherParameters = new KeyParameter(cryptoKeyBytes);

        // checksum added to the end of the encrypted data, update on each encryption call

        if (this.verify) {
            this.mac = new HMac( new SHA1Digest() );
            this.mac.init( new KeyParameter(authenticationCodeBytes) );
        }

        this.aesCipher = new SICZIPBlockCipher(new AESFastEngine());
        this.blockSize = aesCipher.getBlockSize();

        // incremented on each 16 byte block and used as encryption NONCE (ivBytes)

        // warning: non-CTR; little endian IV and starting with 1 instead of 0

        nonce = 1;

        byte[] ivBytes = ByteArrayHelper.toByteArray( nonce, 16 );

        ParametersWithIV ivParams = new ParametersWithIV(cipherParameters, ivBytes);
        aesCipher.init( false, ivParams );
    }

    // --------------------------------------------------------------------------

    protected CipherParameters cipherParameters;

    protected SICZIPBlockCipher aesCipher;

    protected HMac mac;


    @Override
    public void decrypt(byte[] in, int length) {
        if (verify) {
            mac.update(in, 0, length);
        }
        aesCipher.processBytes(in, 0, length, in, 0);
    }

    public byte[] getFinalAuthentication() {
        if (!verify) {
            return null;
        }
        byte[] macBytes = new byte[ mac.getMacSize() ];
        mac.doFinal( macBytes, 0 );
        byte[] macBytes10 = new byte[10];
        System.arraycopy( macBytes, 0, macBytes10, 0, 10 );
        return macBytes10;
    }
}

当然你还需要引用的SICZIPCipher:

/**
 * Implements the Segmented Integer Counter (SIC) mode on top of a simple
 * block cipher. This mode is also known as CTR mode. This CTR mode
 * was altered to comply with the ZIP little endian counter and
 * different starting point.
 */
public class SICZIPBlockCipher
    extends StreamBlockCipher
    implements SkippingStreamCipher
{
    private final BlockCipher     cipher;
    private final int             blockSize;

    private byte[]          IV;
    private byte[]          counter;
    private byte[]          counterOut;
    private int             byteCount;

    /**
     * Basic constructor.
     *
     * @param c the block cipher to be used.
     */
    public SICZIPBlockCipher(BlockCipher c)
    {
        super(c);

        this.cipher = c;
        this.blockSize = cipher.getBlockSize();
        this.IV = new byte[blockSize];
        this.counter = new byte[blockSize];
        this.counterOut = new byte[blockSize];
        this.byteCount = 0;
    }

    public void init(
        boolean             forEncryption, //ignored by this CTR mode
        CipherParameters    params)
        throws IllegalArgumentException
    {
        if (params instanceof ParametersWithIV)
        {
            ParametersWithIV ivParam = (ParametersWithIV)params;
            byte[] iv = ivParam.getIV();
            System.arraycopy(iv, 0, IV, 0, IV.length);

            // if null it's an IV changed only.
            if (ivParam.getParameters() != null)
            {
                cipher.init(true, ivParam.getParameters());
            }

            reset();
        }
        else
        {
            throw new IllegalArgumentException("SICZIP mode requires ParametersWithIV");
        }
    }

    public String getAlgorithmName()
    {
        return cipher.getAlgorithmName() + "/SICZIP";
    }

    public int getBlockSize()
    {
        return cipher.getBlockSize();
    }

    public int processBlock(byte[] in, int inOff, byte[] out, int outOff)
          throws DataLengthException, IllegalStateException
    {
        processBytes(in, inOff, blockSize, out, outOff);

        return blockSize;
    }

    protected byte calculateByte(byte in)
          throws DataLengthException, IllegalStateException
    {
        if (byteCount == 0)
        {
            cipher.processBlock(counter, 0, counterOut, 0);

            return (byte)(counterOut[byteCount++] ^ in);
        }

        byte rv = (byte)(counterOut[byteCount++] ^ in);

        if (byteCount == counter.length)
        {
            byteCount = 0;

            incrementCounter();
        }

        return rv;
    }

    private void incrementCounter()
    {
        // increment counter by 1.
        for (int i = 0; i < counter.length && ++counter[i] == 0; i++)
        {
            ; // do nothing - pre-increment and test for 0 in counter does the job.
        }
    }

    private void decrementCounter()
    {
        // TODO test - owlstead too lazy to test

        if (counter[counter.length - 1] == 0)
        {
            boolean nonZero = false;

            for (int i = 0; i < counter.length; i++)
            {
                if (counter[i] != 0)
                {
                    nonZero = true;
                }
            }

            if (!nonZero)
            {
                throw new IllegalStateException("attempt to reduce counter past zero.");
            }
        }

        // decrement counter by 1.
        for (int i = 0; i < counter.length && --counter[i] == -1; i++)
        {
            ;
        }
    }

    private void adjustCounter(long n)
    {
        if (n >= 0)
        {
            long numBlocks = (n + byteCount) / blockSize;

            for (long i = 0; i != numBlocks; i++)
            {
                incrementCounter();
            }

            byteCount = (int)((n + byteCount) - (blockSize * numBlocks));
        }
        else
        {
            long numBlocks = (-n - byteCount) / blockSize;

            for (long i = 0; i != numBlocks; i++)
            {
                decrementCounter();
            }

            int gap = (int)(byteCount + n + (blockSize * numBlocks));

            if (gap >= 0)
            {
                byteCount = 0;
            }
            else
            {
                decrementCounter();
                byteCount =  blockSize + gap;
            }
        }
    }

    public void reset()
    {
        System.arraycopy(IV, 0, counter, 0, counter.length);
        cipher.reset();
        this.byteCount = 0;
    }

    public long skip(long numberOfBytes)
    {
        adjustCounter(numberOfBytes);

        cipher.processBlock(counter, 0, counterOut, 0);

        return numberOfBytes;
    }

    public long seekTo(long position)
    {
        reset();

        return skip(position);
    }

    public long getPosition()
    {
        byte[] res = new byte[IV.length];

        System.arraycopy(counter, 0, res, 0, res.length);

        for (int i = 0; i < res.length; i++)
        {
            int v = (res[i] - IV[i]);

            if (v < 0)
            {
               res[i + 1]--;
               v += 256;
            }

            res[i] = (byte)v;
        }

        // TODO still broken - owlstead too lazy to fix for zip
        return Pack.bigEndianToLong(res, res.length - 8) * blockSize + byteCount;
    }
}

【讨论】:

  • 已下载源代码。问题很好解决,但似乎根本不是优化的解决方案。
  • 这听起来像是一个写得很糟糕的库。我猜想快速优化是在 ECB 模式下使用密码(仅初始化一次)并手动执行非标准 CTR。
  • @ntoskrnl(抱歉,最后一句话):我选择重写SICBlockCipher,它只是循环计数器更新的另一种方式。
猜你喜欢
  • 1970-01-01
  • 2021-03-04
  • 1970-01-01
  • 1970-01-01
  • 2023-03-07
  • 2010-11-19
  • 2012-03-14
  • 1970-01-01
  • 2022-11-10
相关资源
最近更新 更多