java - 在 Android 4.2 及更早版本中使用 PBKDF2WithHmacSHA1 和 DESede/CBC/PKCS5Padding

Question

在我的 Android 应用程序中，我想使用 DESede/CBC/PKCS5Padding 加密密码，我的解决方案适用于 Lollipop(5.x)、Android KitKat(4.4.x) 和 Android Jelly Bean(4.3.x)

private static final String KEY = "a2[..]";
private static final String SALT = "t[..]";
private static final String IV = "u[..]";
private static final String DES_EDE_PKCS5 = "DESede/CBC/PKCS5Padding"

public static String encrypt(String password) {
    byte[] byteSalt = Base64.decode(SALT, Base64.DEFAULT);
    byte[] bytesIv = Base64.decode(IV, Base64.DEFAULT);
    String mdp = "";        
    try {           
        SecretKeyFactory factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1");          
        KeySpec spec = new PBEKeySpec(KEY.toCharArray(), byteSalt, NB_ITER_RFC, SIZE_KEY);          
        SecretKey secretKey = factory.generateSecret(spec);             
        Cipher c = Cipher.getInstance(DES_EDE_PKCS5);           
        IvParameterSpec ivParam = new IvParameterSpec(bytesIv);         
        c.init(Cipher.ENCRYPT_MODE, secretKey, ivParam);                
        byte[] encrypted = c.doFinal(password.getBytes("UTF-8"));
        mdp = Base64.encodeToString(encrypted, Base64.DEFAULT);                 
    }
    catch [..]
    return mdp;
}

但它不适用于以下版本(4.2.x 及以下)，此加密密码似乎会随机更改，例如:

D/andro-Chiffrement-encrypt(10739): password chiffré = P7vWc+7hFuUaWQghVeO+zA==
D/andro-Chiffrement-encrypt(10739): password chiffré = jGr6nlvnYLd/AK/d7nkUrA==
D/andro-Chiffrement-encrypt(10739): password chiffré = I2weyEddIav7EulAiuQDbg==
D/andro-Chiffrement-encrypt(10739): password chiffré = HF7OFpUXYuwOm81WekReDg==

如何解决 Android 4.2.x 上的这个问题？

我在 Bouncy CaSTLe 库中发现了这一点，但我没有找到如何实现“IV”( vector 生成器)。你有什么想法吗？

PKCS5S2ParametersGenerator gen = new PKCS5S2ParametersGenerator();
gen.init(PBEParametersGenerator.PKCS12PasswordToBytes(passCharArray), byteSalt, NB_ITER_RFC);
KeyParameter params = (KeyParameter) gen.generateDerivedParameters(SIZE_KEY);
String password2 = Base64.encodeToString(params.getKey(), Base64.DEFAULT);

Answer 1

从 Android 4.4 开始，SecretKeyFactory API 发生了变化。也许这会有所帮助:

In Android 4.3 and earlier platform versions, the javax.crypto.SecretKeyFactory implementation of the PBKDF2WithHmacSHA1 key-generation algorithm only uses the lower 8 bits of Java characters in passphrases. In Android 4.4, the algorithm is changed to use all available bits in Unicode characters, in compliance with recommendations in PCKS #5.

This change could affect applications that use symmetric encryption and meet all of the following conditions: 1. Use SecretKeyFactory to generate symmetric keys, and 2. Use PBKDF2WithHmacSHA1 as their key-generation algorithm for SecretKeyFactory, and 3. Allow Unicode input for passphrases

原文如下:

https://plus.google.com/+AndroidDevelopers/posts/fTY97ekzn6Z

在这里您可以了解 SecretKeyFactory Api 的更改:

http://android-developers.blogspot.it/2013/12/changes-to-secretkeyfactory-api-in.html