今天项目对接Spring Cloud配置中心时,pom新增了一些spring cloud的依赖,启动都没问题
但是VUE web端登录一直提示用户不存在,经过排查,发现运行时解密完部分乱码,单独测试类解密正确
头疼了一天,下面分享一下解决方案;运行时解密出来的如下:
�E=)�C?s����HR\u�߫��$�����2����H߈N�Go:�-C��$�E�A�� admin
前面莫名其妙的多出来一堆乱码字符串,刚开始以为是前端加密的问题,以及jar版本冲突问题,去掉springcloud依赖包可以正常解决。
故折腾了多半天的pom版本问题,依然无解,就在我要放弃更换加密方式时,按了一下^ shift s ,sonarlint弹了出来,给出了如下内容
Encryption algorithms should be used with secure mode and padding scheme
Vulnerability
Critical
java:S5542
Encryption operation mode and the padding scheme should be chosen appropriately to guarantee data confidentiality, integrity and authenticity:
· For block cipher encryption algorithms (like AES):
* The GCM (Galois Counter Mode) mode which works internally with zero/no padding scheme, is recommended, as it is designed to provide both data authenticity (integrity) and confidentiality. Other similar modes are CCM, CWC, EAX, IAPM and OCB.
* The CBC (Cipher Block Chaining) mode by itself provides only data confidentiality, it’s recommended to use it along with Message Authentication Code or similar to achieve data authenticity (integrity) too and thus to prevent padding oracle attacks.
* The ECB (Electronic Codebook) mode doesn’t provide serious message confidentiality: under a given key any given plaintext block always gets encrypted to the same ciphertext block.This mode should not be used.
· For RSA encryption algorithm, the recommended padding scheme is OAEP.
Noncompliant Code Example
Cipher c1 = Cipher.getInstance("AES"); // Noncompliant: by default ECB mode is chosen
Cipher c2 = Cipher.getInstance("AES/ECB/NoPadding"); // Noncompliant: ECB doesn't provide serious message confidentiality
Cipher c3 = Cipher.getInstance("RSA/None/NoPadding"); // Noncompliant: RSA without OAEP padding scheme is not recommanded
Compliant Solution
// Recommended for block ciphers
Cipher c1 = Cipher.getInstance("AES/GCM/NoPadding"); // Compliant
// Recommended for RSA
Cipher c3 = Cipher.getInstance("RSA/None/OAEPWITHSHA-256ANDMGF1PADDING"); // Compliant
// or the ECB mode can be used for RSA when "None" is not available with the security provider used - in that case, ECB will be treated as "None" for RSA.
Cipher c3 = Cipher.getInstance("RSA/ECB/OAEPWITHSHA-256ANDMGF1PADDING"); // Compliant
See
OWASP Top 10 2017 Category A6 - Security Misconfiguration
Mobile AppSec Verification Standard - Cryptography Requirements
OWASP Mobile Top 10 2016 Category M5 - Insufficient Cryptography
MITRE, CWE-327 - Use of a Broken or Risky Cryptographic Algorithm
CERT, MSC61-J. - Do not use insecure or weak cryptographic algorithms
SANS Top 25 - Porous Defenses在我试了上述三种解决方案后,很抱歉,全部是无法解析密文,比原来更蛋疼。但我没有放弃,查询了其他解密参数。发现了一组RSA的解密方案
在此之前程序中使用如下代码加密解密:
Cipher cipher = Cipher.getInstance("RSA");这样是不对的,不应该只传RSA,应该完整的把RSA的填充方式也写上:
Cipher cipher = Cipher.getInstance("RSA/ECB/PKCS1Padding");再次运行,得到了我们想要的数据
这次属实是Sonarlint给了我思路,不然就要大改结构了
在这里推荐大家安装Sonarlint和阿里编码规约插件进行代码排错,也是一种很不错的方法,还能改进代码质量;
关于 RSA/ECB/PKCS1Padding 我在网上找了好多资料,关于加密方案的内容少之又少,太水了
如果你有关于此加密更详细的解释,请在评论区告知我,谢谢