問題描述

我在 Java 8 中使用 AES/GCM/NoPadding 加密，我想知道我的代碼是否存在安全漏洞.我的代碼似乎工作，因?yàn)樗梢约用芎徒饷芪谋?，但有一些?xì)節(jié)不清楚.

I'm using AES/GCM/NoPadding encryption in Java 8 and I'm wondering whether my code has a security flaw. My code seems to work, in that it encrypts and decrypts text, but a few details are unclear.

我的主要問題是:

Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
cipher.init(Cipher.ENCRYPT_MODE, key);
byte[] iv = cipher.getIV(); // ?????

該 IV 是否滿足對于給定密鑰，IV 不得重復(fù)"的要求.來自 RFC 4106?

我也很感謝我的相關(guān)問題的任何答案/見解(見下文)，但第一個(gè)問題最困擾我.我不知道在哪里可以找到回答這個(gè)問題的源代碼或文檔.

I'd also appreciate any answers / insight for my related questions (see below), but that first question is bugging me the most. I don't know where to find source code or documentation that answers this.

這里是完整的代碼，大致.如果我在寫這篇文章時(shí)引入了錯(cuò)誤，我深表歉意:

Here is the full code, roughly. I apologize in case I introduced errors while writing this post:

class Encryptor {
  Key key;

  Encryptor(byte[] key) {
    if (key.length != 32) throw new IllegalArgumentException();
    this.key = new SecretKeySpec(key, "AES");
  }

  // the output is sent to users
  byte[] encrypt(byte[] src) throws Exception {
    Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
    cipher.init(Cipher.ENCRYPT_MODE, key);
    byte[] iv = cipher.getIV(); // See question #1
    assert iv.length == 12; // See question #2
    byte[] cipherText = cipher.doFinal(src);
    assert cipherText.length == src.length + 16; // See question #3
    byte[] message = new byte[12 + src.length + 16]; // See question #4
    System.arraycopy(iv, 0, message, 0, 12);
    System.arraycopy(cipherText, 0, message, 12, cipherText.length);
    return message;
  }

  // the input comes from users
  byte[] decrypt(byte[] message) throws Exception {
    if (message.length < 12 + 16) throw new IllegalArgumentException();
    Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
    GCMParameterSpec params = new GCMParameterSpec(128, message, 0, 12);
    cipher.init(Cipher.DECRYPT_MODE, key, params);
    return cipher.doFinal(message, 12, message.length - 12);
  }
}

假設(shè)用戶破解我的密鑰 = 游戲結(jié)束.

Suppose that users cracking my secret key = game over.

更詳細(xì)的問題/相關(guān)問題:

More detailed questions / related questions:

1. cipher.getIV() 返回的 IV 以這種方式使用對我來說安全嗎?

• 它是否避免了在 Galois/Counter 模式中重復(fù)使用 IV、組合鍵的災(zāi)難?
• 當(dāng)我有多個(gè)應(yīng)用程序同時(shí)運(yùn)行此代碼時(shí)仍然安全嗎?所有應(yīng)用程序都從同一 src 數(shù)據(jù)(可能在同一毫秒內(nèi))向用戶顯示加密消息?
• 返回的 IV 是由什么制成的?它是一個(gè)原子計(jì)數(shù)器加上一些隨機(jī)噪聲嗎?
• 我是否需要避免 cipher.getIV() 并使用自己的計(jì)數(shù)器自己構(gòu)造一個(gè) IV?
• 假設(shè)我使用的是 Oracle JDK 8 + JCE Unlimited Strength 擴(kuò)展，實(shí)現(xiàn) cipher.getIV() 的源代碼是否可以在線獲得?
• Does it avoid the catastrophe of reusing the IV,key combination in Galois/Counter Mode?
• Is it still safe when I have multiple applications running this code at once, all displaying encrypted messages to users from the same src data (possibly in the same millisecond)?
• What's the returned IV made of? Is it an atomic counter plus some random noise?
• Do I need to avoid cipher.getIV() and construct an IV myself, with my own counter?
• Is the source code implementing cipher.getIV() available online somewhere, assuming I'm using Oracle JDK 8 + JCE Unlimited Strength extension?

1. 那個(gè) IV 總是 12 字節(jié)長嗎?

1. Is that IV always 12 bytes long?

身份驗(yàn)證標(biāo)簽是否總是 16 字節(jié)(128 位)長?

Is the authentication tag always 16 bytes (128 bits) long?

使用 #2 和 #3，并且沒有填充，這是否意味著我的加密消息總是 12 + src.length + 16 字節(jié)長?(所以我可以安全地將它們壓縮成一個(gè)字節(jié)數(shù)組，我知道正確的長度?)

With #2 and #3, and the lack of padding, does that mean my encrypted messages are always 12 + src.length + 16 bytes long? (And so I can safely squish them into one byte array, for which I know the correct length?)

在給定用戶知道的恒定 src 數(shù)據(jù)的情況下，向用戶顯示無限數(shù)量的 src 數(shù)據(jù)加密是否安全?

Is it safe for me to display an unbounded number of src data encryptions to users, given constant src data that the users know?

如果 src 數(shù)據(jù)每次都不同(例如，包括 System.currentTimeMillis() 或隨機(jī)數(shù))，我向用戶顯示無限數(shù)量的 src 數(shù)據(jù)加密是否安全?

Is it safe for me to display an unbounded number of src data encryptions to users, if the src data is different every time (e.g. including System.currentTimeMillis() or random numbers)?

如果我在加密之前用隨機(jī)數(shù)填充 src 數(shù)據(jù)會有幫助嗎?在前面和后面說 8 個(gè)隨機(jī)字節(jié)，還是只在一端?或者這根本沒有幫助/讓我的加密變得更糟?

Would it help if I padded the src data with random numbers before encryption? Say 8 random bytes in front and back, or only on one end? Or would that not help at all / make my encryption worse?

(因?yàn)檫@些問題都是關(guān)于我自己的代碼的同一塊，并且它們彼此密切相關(guān)，并且其他人在實(shí)現(xiàn)相同的功能時(shí)可能/應(yīng)該有相同的問題集，因此拆分感覺是錯(cuò)誤的問題分成多個(gè)帖子.如果這更適合 StackOverflow 的格式，我可以單獨(dú)重新發(fā)布它們.讓我知道！)

(Because these questions are all about the same block of my own code, and they are strongly related to each other, and others might/should have the same set of questions when implementing the same functionality, it felt wrong to split the questions into multiple posts. I can re-post them separately if that is more appropriate for StackOverflow's format. Let me know!)

推薦答案

Q1:cipher.getIV() 返回的IV，我這樣使用安全嗎?

是的，至少對于 Oracle 提供的實(shí)現(xiàn)來說是這樣.它是使用默認(rèn)的 SecureRandom 實(shí)現(xiàn)單獨(dú)生成的.因?yàn)樗拇笮∈?12 字節(jié)(GCM 的默認(rèn)值)，所以你有 96 位的隨機(jī)性.計(jì)數(shù)器重復(fù)的機(jī)會非常小.您可以在 Oracle JDK 所基于的 OpenJDK (GPL'ed) 中查找源代碼.

Yes, it is at least for the Oracle provided implementation. It is generated separately using the default SecureRandom implementation. As it is 12 bytes in size (the default for GCM) then you have 96 bits of randomness. The chance that the counter repeats is abysmally small. You can look up the source in the OpenJDK (GPL'ed) which the Oracle JDK is based on.

不過，我仍然建議您生成自己的 12 個(gè)隨機(jī)字節(jié)，因?yàn)槠渌峁┱叩男袨榭赡軙兴煌?

I would however still recommend you to generate your own 12 random bytes as other providers may behave differently.

Q2:IV 總是 12 字節(jié)長嗎?

這是極有可能的，因?yàn)樗?GCM 默認(rèn)值，但其他長度 對 GCM 有效.然而，該算法必須對 12 字節(jié)以外的任何其他大小進(jìn)行額外的計(jì)算.由于弱點(diǎn)，強(qiáng)烈建議將其保持在 12 字節(jié)/96 位，API 可能會限制您選擇 IV 大小.

It's extremely likely as it is the GCM default, but other lengths are valid for GCM. The algorithm will however have to do additional calculations for any other size than 12 bytes. Due to weaknesses it is strongly recommended to keep it at 12 bytes / 96 bits and API's may restrict you to that choice of IV size.

Q3:認(rèn)證標(biāo)簽總是16字節(jié)(128位)長嗎?

不，它可以具有從 64 位到 128 位的任何字節(jié)大小，以 8 位為增量.如果它更小，它只是由身份驗(yàn)證標(biāo)簽的最左邊字節(jié)組成.您可以使用 GCMParameterSpec 作為 init 調(diào)用的第三個(gè)參數(shù).

No, it can have any size in bytes ranging from 64 bits to 128 bits with 8 bit increments. If it is smaller it simply consists of the leftmost bytes of the authentication tag though. You can specify another size of tag using GCMParameterSpec as third parameter for your init call.

請注意，GCM 的強(qiáng)度很大程度上取決于標(biāo)簽的大小.我建議將其保持為 128 位.如果您想生成大量密文，96 位應(yīng)該是最小值尤其是.

Note that the strength of GCM is strongly dependent on the size of the tag. I would recommend keeping it to 128 bits. 96 bits should be the minimum especially if you want to generate a lot of ciphertext.

Q4:使用#2 和#3，并且沒有填充，這是否意味著我的加密消息總是 12 + src.length + 16 字節(jié)長?(所以我可以安全地將它們壓縮成一個(gè)字節(jié)數(shù)組，我知道正確的長度?)

見上文.對于 Oracle 提供程序，情況就是如此.使用 GCMParameterSpec 確定.

See above. For the Oracle provider this is the case. Use GCMParameterSpec to be sure of it.

Q5:在給定用戶知道的恒定 src 數(shù)據(jù)的情況下，向用戶顯示無限數(shù)量的 src 數(shù)據(jù)加密是否安全?

幾乎未綁定，是的.大約 2^48 次加密后，我會開始擔(dān)心.但是，通常您應(yīng)該設(shè)計(jì)鍵更改.

Virtually unbound, yes. I would start worrying after about 2^48 encryptions. In general you should however design for key change.

Q6:如果 src 數(shù)據(jù)每次都不同(例如包括 System.currentTimeMillis() 或隨機(jī)數(shù))，我向用戶顯示無限數(shù)量的 src 數(shù)據(jù)加密是否安全?

查看問題 5 的答案 &Q7

See answer to Q5 & Q7

Q7:如果我在加密之前用隨機(jī)數(shù)填充src數(shù)據(jù)會有幫助嗎?在前面和后面說 8 個(gè)隨機(jī)字節(jié)，還是只在一端?或者這根本沒有幫助/讓我的加密變得更糟?

不，這根本沒有幫助.GCM 在下面使用 CTR 模式，所以它只會用密鑰流加密.它不會充當(dāng) IV.現(xiàn)在，如果您有不斷變化的消息要加密，您可以查看 AES-GCM-SIV，但請注意，該算法未在任何 JCA 提供程序中實(shí)現(xiàn).

No, it would not help at all. GCM uses CTR mode underneath, so it would just be encrypted with the key stream. It would not act as an IV. Nowadays you could look at AES-GCM-SIV if you have an ever changing message to encrypt, but note that that algorithm is not implemented in any of the JCA providers.

如果您需要大量密文(高于 2^48！，或 2^32 - ~40 億 - 謹(jǐn)慎起見)，那么我建議您使用該隨機(jī)數(shù)和您的密鑰作為密鑰派生函數(shù)或 KDF.HKDF 目前是同類中最好的，但您可能需要使用 Bouncy Castle 或自己實(shí)施.

If you need a lot of ciphertexts (higher than 2^48!, or 2^32 - ~4 billion - for the cautious) then I would suggest you use that random number and your key for a key derivation function or KDF. HKDF is currently best of breed, but you may need to use Bouncy Castle or implement it yourself.

這篇關(guān)于如何處理“AES/GCM/NoPadding"的 IV 和身份驗(yàn)證標(biāo)簽?的文章就介紹到這了，希望我們推薦的答案對大家有所幫助，也希望大家多多支持html5模板網(wǎng)！

【網(wǎng)站聲明】本站部分內(nèi)容來源于互聯(lián)網(wǎng),旨在幫助大家更快的解決問題，如果有圖片或者內(nèi)容侵犯了您的權(quán)益，請聯(lián)系我們刪除處理，感謝您的支持！