在 Android 中隐藏密钥库密码的最佳方法是什么?
我是 Android 开发和实现 SSLSockets 的新手。经过一番挖掘后,我能够设置一个可以工作的简单服务器/客户端。我觉得这个实现可能需要一些工作,并且很难理解如何将密码加载到密钥库中而不需要纯文本形式。这是客户端的一些代码。正如你所看到的,我将密码硬编码到本地变量中。有没有更好的方法来加载密钥库密码,这样我就不会在代码中以纯文本形式保存它?
char [] KSPASS = "password".toCharArray();
char [] KEYPASS = "password".toCharArray();
try {
final KeyStore keyStore = KeyStore.getInstance("BKS");
keyStore.load(context.getResources().openRawResource(R.raw.serverkeys), KSPASS);
final KeyManagerFactory keyManager = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
keyManager.init(keyStore, KEYPASS);
final TrustManagerFactory trustFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
trustFactory.init(keyStore);
sslContext = SSLContext.getInstance("TLS");
sslContext.init(keyManager.getKeyManagers(), trustFactory.getTrustManagers(), null);
Arrays.fill(KSPASS, ' ');
Arrays.fill(KEYPASS, ' ');
KSPASS = null;
KEYPASS = null;
更新:
事实证明客户端根本不需要知道密钥库密码。我修改了代码以将 null 作为密码传递。到目前为止,初步测试已经可以与服务器进行通信。在服务器端,我仍然加载密钥库密码。
final KeyStore keyStore = KeyStore.getInstance("BKS");
keyStore.load(context.getResources().openRawResource(R.raw.serverkeys), null);
final KeyManagerFactory keyManager = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
keyManager.init(keyStore, null);
final TrustManagerFactory trustFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
trustFactory.init(keyStore);
sslContext = SSLContext.getInstance("TLS");
sslContext.init(keyManager.getKeyManagers(), trustFactory.getTrustManagers(), null);
I'm new to Android development and implementing SSLSockets. After doing some digging I was able to setup a simple server/client that is working. The implementation I feel could use some work and stumped on how to load in the password to the keystore without having it in plain text. Here is some code that is on the client side. As you can see I have the password hard coded into a local var. Is there a better way to load in the keystore password so I do not have it in plain text in the code?
char [] KSPASS = "password".toCharArray();
char [] KEYPASS = "password".toCharArray();
try {
final KeyStore keyStore = KeyStore.getInstance("BKS");
keyStore.load(context.getResources().openRawResource(R.raw.serverkeys), KSPASS);
final KeyManagerFactory keyManager = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
keyManager.init(keyStore, KEYPASS);
final TrustManagerFactory trustFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
trustFactory.init(keyStore);
sslContext = SSLContext.getInstance("TLS");
sslContext.init(keyManager.getKeyManagers(), trustFactory.getTrustManagers(), null);
Arrays.fill(KSPASS, ' ');
Arrays.fill(KEYPASS, ' ');
KSPASS = null;
KEYPASS = null;
Update:
It turns out the client did not need to know the keystore password at all. I've modified the code to pass null in as the password. So far initial tests have worked with communication to the server. On the server side I still load the keystore password.
final KeyStore keyStore = KeyStore.getInstance("BKS");
keyStore.load(context.getResources().openRawResource(R.raw.serverkeys), null);
final KeyManagerFactory keyManager = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
keyManager.init(keyStore, null);
final TrustManagerFactory trustFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
trustFactory.init(keyStore);
sslContext = SSLContext.getInstance("TLS");
sslContext.init(keyManager.getKeyManagers(), trustFactory.getTrustManagers(), null);
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
好吧,这不是一个容易的问题。
例如,您可以在应用程序启动时向用户请求密码,以使密码在代码中没有进行硬编码。我认为这是最安全的方法。
如果这是不可能的,那么如果有人可以访问罐子并“查看”代码并随后使用密码,就会出现您的问题。您可以将保护这些罐子的用户委派给用户。
如果不可能,则可以对密码进行加密并将其存储在某个地方。然后,在您的代码中,您硬代码键以解密密码。因此,看着罐子的人看不到您的真实密码。只是解密密钥。当然,如果一个真正的努力,他可以得到钥匙,并尝试找到密码的位置并解密密码并获取钥匙,但需要更多的努力才能做到。
最后,这取决于您拥有哪些安全要求
Well this is not an easy problem to begin with.
You could for example request the password from the user on application startup so that the password is not hardcoded in your code.I think this is the most secure approach.
If this is not possible, then your problem arises if someone has access to the jars and "sees" the code and subsequently the password. You could delegate to the user protecting these jars.
If this is not possible then you could encrypt the password and store it somewhere. Then in your code you hard code the key to decrypt the password. So someone looking into the jar can not see your real password.Only the decryption key. Of course if one put real effort he could get the key and try to find where the password is located and decrypt it and get the key but it requires more effort to do.
In the end it depends on what security requirements you have
如果您确实想保护用户凭据,那么每当您想要访问凭据时,您必须要求他们验证其身份。然而,如果您每次登录时都要求他们提供密码,大多数用户会感到恼火,因此作为开发人员,您必须决定您对安全性的关心程度,还是为用户提供简单易用的界面。
您可以考虑的一种选择是存储密码,但使用用户提供的 PIN 来加密密码。然后,每当用户想要访问其密码时,他们只需提供 PIN,您可以使用该 PIN 来解密密码。
If you truly want to protect the users credentials then you must ask them to verify their identity whenever you want access to the credentials. However most users will get annoyed if you ask them for their password every time they login, so you as the developer must decide how much you care about security vs providing a simple easy interface for your users.
One option you could consider is to store the passwords but to encrypt the password using a PIN provided by the user. Then whenever the user wants to access their password they simply provide the PIN, which you use to decrypt the password.