一种简单的方法是在Java中使用基于密码的加密。这使你可以使用密码来加密和解密文本。
这基本上意味着初始化一个
javax.crypto.Cipherwith算法
"AES/CBC/PKCS5Padding"并从
javax.crypto.SecretKeyFactory该
"PBKDF2WithHmacSHA512"算法获取密钥。
这是一个代码示例(已更新以替换不太安全的基于MD5的变体):
import java.io.IOException;import java.io.UnsupportedEncodingException;import java.security.AlgorithmParameters;import java.security.GeneralSecurityException;import java.security.NoSuchAlgorithmException;import java.security.spec.InvalidKeySpecException;import java.util.base64;import javax.crypto.Cipher;import javax.crypto.SecretKey;import javax.crypto.SecretKeyFactory;import javax.crypto.spec.IvParameterSpec;import javax.crypto.spec.PBEKeySpec;import javax.crypto.spec.SecretKeySpec;public class ProtectedConfigFile { public static void main(String[] args) throws Exception { String password = System.getProperty("password"); if (password == null) { throw new IllegalArgumentException("Run with -Dpassword=<password>"); } // The salt (probably) can be stored along with the encrypted data byte[] salt = new String("12345678").getBytes(); // Decreasing this speeds down startup time and can be useful during testing, but it also makes it easier for brute force attackers int iterationCount = 40000; // Other values give me java.security.InvalidKeyException: Illegal key size or default parameters int keyLength = 128; SecretKeySpec key = createSecretKey(password.toCharArray(), salt, iterationCount, keyLength); String originalPassword = "secret"; System.out.println("Original password: " + originalPassword); String encryptedPassword = encrypt(originalPassword, key); System.out.println("Encrypted password: " + encryptedPassword); String decryptedPassword = decrypt(encryptedPassword, key); System.out.println("Decrypted password: " + decryptedPassword); } private static SecretKeySpec createSecretKey(char[] password, byte[] salt, int iterationCount, int keyLength) throws NoSuchAlgorithmException, InvalidKeySpecException { SecretKeyFactory keyFactory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA512"); PBEKeySpec keySpec = new PBEKeySpec(password, salt, iterationCount, keyLength); SecretKey keyTmp = keyFactory.generateSecret(keySpec); return new SecretKeySpec(keyTmp.getEnpred(), "AES"); } private static String encrypt(String property, SecretKeySpec key) throws GeneralSecurityException, UnsupportedEncodingException { Cipher pbeCipher = Cipher.getInstance("AES/CBC/PKCS5Padding"); pbeCipher.init(Cipher.ENCRYPT_MODE, key); AlgorithmParameters parameters = pbeCipher.getParameters(); IvParameterSpec ivParameterSpec = parameters.getParameterSpec(IvParameterSpec.class); byte[] cryptoText = pbeCipher.doFinal(property.getBytes("UTF-8")); byte[] iv = ivParameterSpec.getIV(); return base64Enpre(iv) + ":" + base64Enpre(cryptoText); } private static String base64Enpre(byte[] bytes) { return base64.getEnprer().enpreToString(bytes); } private static String decrypt(String string, SecretKeySpec key) throws GeneralSecurityException, IOException { String iv = string.split(":")[0]; String property = string.split(":")[1]; Cipher pbeCipher = Cipher.getInstance("AES/CBC/PKCS5Padding"); pbeCipher.init(Cipher.DECRYPT_MODE, key, new IvParameterSpec(base64Depre(iv))); return new String(pbeCipher.doFinal(base64Depre(property)), "UTF-8"); } private static byte[] base64Depre(String property) throws IOException { return base64.getDeprer().depre(property); }}仍然存在一个问题:你应该在哪里存储用于加密密码的密码?你可以将其存储在源文件中并对其进行模糊处理,但是再次找到它并不难。另外,你可以在启动Java进程(
-DpropertyProtectionPassword=...)时将其作为系统属性提供。
如果你使用同样受密码保护的KeyStore,则仍然存在相同的问题。基本上,你将需要在某个地方拥有一个主密码,而且很难保护。
