logo标签列表

如何处理C#中AES256加密和Java中解密过程中的BadPaddingException异常

javac#securityencryptionaes
3

我不知道为什么会出现错误。

主线程中的异常:"main"javax.crypto.BadPaddingException:给定的最终块未正确填充。如果在解密期间使用了错误的密钥,则可能出现此类问题。

我知道在解密过程中使用不正确的密钥会导致此错误。但是,如果您查看下面的测试结果,您会发现C#和Java都是相同的(键、IV、Salt以Base64编码)。

  1. C#测试结果

C#测试结果

  1. Java测试结果

Java测试结果

一样啊!(键、IV、Salt)

但是当前会生成BadpaddingException错误。可能的问题是什么? 我附上了我的源文件。

  1. C#(加密)

    class AES {
            private readonly static string keyStr = "This is Key";
            private readonly static string vector = "This is Vector";

            public static Rfc2898DeriveBytes MakeKey(string password){

                byte[] keyBytes = System.Text.Encoding.UTF8.GetBytes(password);
                byte[] saltBytes = SHA512.Create().ComputeHash(keyBytes);
                Rfc2898DeriveBytes result = new Rfc2898DeriveBytes(keyBytes, saltBytes, 65536);

                return result;
            }

            public static Rfc2898DeriveBytes MakeVector(string vector){

                byte[] vectorBytes = System.Text.Encoding.UTF8.GetBytes(vector);
                byte[] saltBytes = SHA512.Create().ComputeHash(vectorBytes);
                Rfc2898DeriveBytes result = new Rfc2898DeriveBytes(vectorBytes, saltBytes, 65536);

                return result;
            }

            public static void Encrypt(String inputFile, String outputFile) {
                using (RijndaelManaged aes = new RijndaelManaged()){
                    //Create Key and Vector
                    Rfc2898DeriveBytes key = AES.MakeKey(AES.keyStr);
                    Rfc2898DeriveBytes vector = AES.MakeVector(AES.vector);

                    //AES256
                    aes.BlockSize = 128;
                    aes.KeySize = 256;

                    // It is equal in java 
                    // Cipher _Cipher = Cipher.getInstance("AES/CBC/PKCS5PADDING");    
                    aes.Mode = CipherMode.CBC; 
                    aes.Padding = PaddingMode.PKCS7; 
                    aes.Key = key.GetBytes(32); //256bit key
                    aes.IV  = vector.GetBytes(16); //128bit block size


                    //processing Encrypt
                    ICryptoTransform encryptor = aes.CreateEncryptor(aes.Key, aes.IV);
                    byte[] encrypted;

                    using (MemoryStream msEncrypt = new MemoryStream()) { 
                            using (CryptoStream csEncrypt = new CryptoStream(msEncrypt, encryptor, CryptoStreamMode.Write)) {
                                byte[] inputBytes = File.ReadAllBytes(inputFile);
                                csEncrypt.Write(inputBytes, 0, inputBytes.Length);
                            }
                            encrypted = msEncrypt.ToArray();     
                        }
                        string encodedString = Convert.ToBase64String(encrypted);
                        File.WriteAllText(outputFile, encodedString);
                    }
                }
            }
  1. Java(解密)

    public class AES256File {
        private static final String algorithm = "AES";
        private static final String blockNPadding = algorithm+"/CBC/PKCS5Padding";
        private static final String password = "This is Key";
        private static final String IV = "This is Vector";

        private static IvParameterSpec ivSpec;
        private static Key keySpec;

        public static void MakeKey(String password) throws NoSuchAlgorithmException, UnsupportedEncodingException, InvalidKeySpecException{
            SecretKeyFactory factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1");
            MessageDigest digest = MessageDigest.getInstance("SHA-512");
            byte[] keyBytes = password.getBytes("UTF-8");

            // C# : byte[] saltBytes = SHA512.Create().ComputeHash(keyBytes);
            byte[] saltBytes = digest.digest(keyBytes);

            //256bit
            PBEKeySpec pbeKeySpec = new PBEKeySpec(password.toCharArray(), saltBytes, 65536, 256);
            Key secretKey = factory.generateSecret(pbeKeySpec);

            byte[] key = new byte[32];
            System.arraycopy(secretKey.getEncoded(), 0, key, 0, 32);

            SecretKeySpec secret = new SecretKeySpec(key, "AES");
            setKeySpec(secret);
        }

        public static void MakeVector(String IV) throws NoSuchAlgorithmException, UnsupportedEncodingException, InvalidKeySpecException{
            SecretKeyFactory factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1");
            MessageDigest digest = MessageDigest.getInstance("SHA-512");
            byte[] vectorBytes = IV.getBytes("UTF-8");
            byte[] saltBytes = digest.digest(vectorBytes);

            // 128bit
            PBEKeySpec pbeKeySpec = new PBEKeySpec(IV.toCharArray(), saltBytes, 65536, 128);
            Key secretIV = factory.generateSecret(pbeKeySpec);

            byte[] iv = new byte[16];
            System.arraycopy(secretIV.getEncoded(), 0, iv, 0, 16);

            IvParameterSpec ivSpec = new IvParameterSpec(iv);
            setIvSpec(ivSpec);
        }

        public void decrypt(File source, File dest) throws Exception {
            Cipher c = Cipher.getInstance(blockNPadding);
            c.init(Cipher.DECRYPT_MODE, keySpec, ivSpec);
            fileProcessing(source, dest, c);
        }

        public  void fileProcessing(File source, File dest, Cipher c) throws Exception{
            InputStream input = null;
            OutputStream output = null;

            try{
                input = new BufferedInputStream(new FileInputStream(source));
                output = new BufferedOutputStream(new FileOutputStream(dest));
                byte[] buffer = new byte[input.available()];
                int read = -1;
                while((read = input.read(buffer)) != -1){
                    output.write(c.update(buffer, 0, read));
                }
                byte[] deryptedBytes = c.doFinal(buffer); // -----------------------> Error!! Showing! 
                byte[] decodedBytes = Base64.getDecoder().decode(deryptedBytes);
                String decodeString = new String(decodedBytes, "UTF-8");
                decodedBytes = decodeString.getBytes(StandardCharsets.UTF_8);
                output.write(decodedBytes);

            }finally{
                if(output != null){
                    try{output.close();}catch(IOException e){}
                }
                if(input != null){
                    try{input.close();}catch(IOException e){}
                }
            }
        }

我已经进行了如下验证。

  1. C#中的验证密钥和IV

    //Key Verification
        var salt = Convert.ToBase64String(saltBytes);
                Console.Write("Salt Result : ");
                Console.WriteLine(salt);

        var result_test = Convert.ToBase64String(result.GetBytes(32));
                Console.Write("Key Test Result: ");
                Console.WriteLine(result_test);
    //IV Verification (Salt is Using same code)
        var result_test = Convert.ToBase64String(result.GetBytes(16));
                Console.Write("IV Test Result: ");
                Console.WriteLine(result_test);
  1. Java中的验证密钥和初始向量

    //Key Verification
        /* print Salt */
        String base64 = Base64.getEncoder().encodeToString(saltBytes);
        System.out.println("Salt Result : " + base64);

        /* print Key */
        String result_test = Base64.getEncoder().encodeToString(key);
        System.out.println("Key Test Result : " + result_test);

        /* print generated Key */
        System.out.println("Secret Key Result : " + Base64.getEncoder().encodeToString(secret.getEncoded()));

    //IV Verification (Salt is Using same code)
        /* print IV */
        String result_test = Base64.getEncoder().encodeToString(iv);
        System.out.println("IV Test Result : " + result_test);

        /* print generated IV */
        System.out.println("IV Result : " + Base64.getEncoder().encodeToString(ivSpec.getIV()));

更新

C# .NET Framework 4.5/Java8 修改了@Topaco所说的内容,并确认其效果良好。

非常感谢@Topaco和@Gusto2,我将按照@Gusto2的建议对已修改的安全部分进行更改!

2个回答
1
while((read = input.read(buffer)) != -1){
       output.write(c.update(buffer, 0, read));
}
byte[] deryptedBytes = c.doFinal(buffer)

你正在将输入解密到文件中,然后再次使用相同的密码实例将最后读取的块解密到一个单独的数组而不是文件中。
快速修复:
while((read = input.read(buffer)) != -1){
       output.write(c.update(buffer, 0, read));
}
output.write(c.doFinal()); // write the padded block

如果您想创建并打印一个解密的字符串,您需要创建一个新的Cipher实例(或者重新初始化实例可能已经足够,我不确定),假设缓冲区包含了整个输入。
c.init(Cipher.DECRYPT_MODE, keySpec, ivSpec);
// assuming the buffer contains the whole input again
byte[] deryptedBytes = c.doFinal(buffer); // decrypting the whole file again

正确的方法:

  • IV 用于安全地重复使用相同的加密密钥。因此,如果您的密钥不是随机的,则应为每个加密生成新的随机 IV(并将 IV 与密文一起传递,通常是前置的)。否则,加密不是语义上安全的,您可能会为两个填充攻击打开漏洞。因此,从密钥推导 IV 可能不是非常安全的。

  • 我建议使用任何 MAC(认证代码)传递密文以确保完整性(例如 HMAC)

  • 您仍然将所有文件输入完全读入内存,这对于非常大的文件不起作用。您可以将缓冲区初始化为任意长度(几 MB?),并将输入文件分块处理

1

1) 在C#的Encrypt方法中,明文首先被加密,然后进行Base64编码。因此,在解密过程中,数据必须先进行Base64解码,然后再解密。目前这个过程处理的顺序是错误的,即先解密数据,然后再进行解码。因此,在Java的fileProcessing方法中需要进行替换。

while((read = input.read(buffer)) != -1){
    output.write(c.update(buffer, 0, read));
}

带有。
while((read = input.read(buffer)) != -1) {
    byte[] bufferEncoded = buffer;
    if (read != buffer.length) { 
        bufferEncoded = Arrays.copyOf(buffer, read);
    }
    byte[] bufferDecoded = Base64.getDecoder().decode(bufferEncoded);
    output.write(c.update(bufferDecoded));
}

2) 在doFinal方法中不需要传递buffer(或bufferDecoded),因为这已经在update方法中完成了。因此,

byte[] deryptedBytes = c.doFinal(buffer);

必须被替换为

output.write(c.doFinal());

3)由于Base64解码已经在1)的try块中完成,因此所有跟随doFinal语句的行都必须被删除。总体而言,这将导致

try {
    input = new BufferedInputStream(new FileInputStream(source));
    output = new BufferedOutputStream(new FileOutputStream(dest));
    byte[] buffer = new byte[input.available()];
    int read = -1;
    while((read = input.read(buffer)) != -1) {
        byte[] bufferEncoded = buffer;
        if (read != buffer.length) { 
            bufferEncoded = Arrays.copyOf(buffer, read);
        }
        byte[] bufferDecoded = Base64.getDecoder().decode(bufferEncoded);
        output.write(c.update(bufferDecoded));
    }
    output.write(c.doFinal()); 
}

4) 为了确保正确的Base64解码,缓冲区的大小必须是4的倍数。因此,更可靠的方法是替换

byte[] buffer = new byte[input.available()];

使用

byte[] buffer = new byte[4 * (input.available() / 4)];

只要数据被一次性读入(这不是保证的,例如请参阅https://docs.oracle.com/en/java/javase/11/docs/api/java.base/java/io/InputStream.html#available()),就没有问题。但是,如果数据被分成几个块进行读取,则重要的是读取4字节的倍数,否则Base64解码将失败。这可以通过使用缓冲区大小来轻松证明,该大小不是4的倍数。如果缓冲区大小是针对较大文件“显式”定义的,则还必须考虑此点。
通过您的答案,我得到了很多帮助,发现我的解码顺序是错误的,但是为什么错误仍然会作为结果输出呢? - Liquid.Bear
我没有改变C#代码,而是参考了你的测试源代码进行更改,但仍然出现了BadPaddingException异常。我可以有机会检查一下你的测试源代码吗? - Liquid.Bear
好的,它在另一台计算机上运行良好(Java 10),但奇怪的是,在我的计算机上(Java 8)它不起作用。非常感谢!我将继续查找原因(BadPaddingException)。 - Liquid.Bear
网页内容由stack overflow 提供, 点击上面的
可以查看英文原文,
原文链接