我正在编写一种产生加密日志文件的记录器,但是加密技术不是我的强项。现在我可以写入文件几条消息,然后关闭文件。然后再打开它,附加一些消息,再次关闭,并进行解密后发现文件中间有填充字节。是否有办法在不必每次想附加一些消息时都要解密文件的情况下处理加密文件?
编辑:稍微多提供一些细节。当前实现利用了CipherOutputStream。据我所知,使用它无法寻找。如果我控制输出数据大小可被块大小整除,那么我能否使用'NoPadding'选项呢?
如何向AES加密文件追加内容
16
- Aleksandr Kravets
10
你的问题是解密文件中出现了填充吗?你是否使用FileOutputStream和CipherOutputStream结合使用? - Simon Baslé
@edralzar:是的,我使用FileOutputStream和CipherOutputStream。 - Aleksandr Kravets
@ChristianSchlichtherle:我不太明白你在说什么。我没有编写任何综合框架,这只是为我的项目提供的特定解决方案。我只需要一种类型的加密。我还将编写日志解密分析器,所以对我来说使用特定的加密类型并不成问题。 - Aleksandr Kravets
好的,但你是否考虑过不对日志进行身份验证的后果?没有身份验证,攻击者可以任意修改日志。这可能是个问题,也可能不是,但你应该考虑一下。 - Christian Schlichtherle
@ChristianSchlichtherle:你所说的“认证”是什么意思?就像我所说的,密码学不是我的强项。 - Aleksandr Kravets
显示剩余5条评论
5个回答
17
如果您正在使用CBC模式中的AES,则可以使用倒数第二个块作为IV来解密最后一个块,该块可能仅部分填充,然后再加密最后一个块的明文并跟随新的明文。
这是一个概念证明:
我想指出的是,输出结果与一次性加密没有任何区别。这不是一种自定义的加密形式,而是标准的AES/CBC/PKCS5Padding加密方式。唯一特定于实现的细节是,在空文件的情况下,我在开始数据之前写入了iv。
编辑:使用CipherOutputStream改进(适合我的口味)解决方案:
这是一个概念证明:
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.OutputStream;
import java.io.RandomAccessFile;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.IllegalBlockSizeException;
import javax.crypto.NoSuchPaddingException;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
public class AppendAES {
public static void appendAES(File file, byte[] data, byte[] key) throws IOException, NoSuchAlgorithmException, NoSuchPaddingException, InvalidKeyException, InvalidAlgorithmParameterException, IllegalBlockSizeException, BadPaddingException {
RandomAccessFile rfile = new RandomAccessFile(file,"rw");
byte[] iv = new byte[16];
byte[] lastBlock = null;
if (rfile.length() % 16L != 0L) {
throw new IllegalArgumentException("Invalid file length (not a multiple of block size)");
} else if (rfile.length() == 16) {
throw new IllegalArgumentException("Invalid file length (need 2 blocks for iv and data)");
} else if (rfile.length() == 0L) {
// new file: start by appending an IV
new SecureRandom().nextBytes(iv);
rfile.write(iv);
// we have our iv, and there's no prior data to reencrypt
} else {
// file length is at least 2 blocks
rfile.seek(rfile.length()-32); // second to last block
rfile.read(iv); // get iv
byte[] lastBlockEnc = new byte[16];
// last block
// it's padded, so we'll decrypt it and
// save it for the beginning of our data
rfile.read(lastBlockEnc);
Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
cipher.init(Cipher.DECRYPT_MODE, new SecretKeySpec(key,"AES"), new IvParameterSpec(iv));
lastBlock = cipher.doFinal(lastBlockEnc);
rfile.seek(rfile.length()-16);
// position ourselves to overwrite the last block
}
Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
cipher.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key,"AES"), new IvParameterSpec(iv));
byte[] out;
if (lastBlock != null) { // lastBlock is null if we're starting a new file
out = cipher.update(lastBlock);
if (out != null) rfile.write(out);
}
out = cipher.doFinal(data);
rfile.write(out);
rfile.close();
}
public static void decryptAES(File file, OutputStream out, byte[] key) throws IOException, NoSuchAlgorithmException, NoSuchPaddingException, InvalidKeyException, InvalidAlgorithmParameterException, IllegalBlockSizeException, BadPaddingException {
// nothing special here, decrypt as usual
FileInputStream fin = new FileInputStream(file);
byte[] iv = new byte[16];
if (fin.read(iv) < 16) {
throw new IllegalArgumentException("Invalid file length (needs a full block for iv)");
};
Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
cipher.init(Cipher.DECRYPT_MODE, new SecretKeySpec(key,"AES"), new IvParameterSpec(iv));
byte[] buff = new byte[1<<13]; //8kiB
while (true) {
int count = fin.read(buff);
if (count == buff.length) {
out.write(cipher.update(buff));
} else {
out.write(cipher.doFinal(buff,0,count));
break;
}
}
fin.close();
}
public static void main(String[] args) throws Exception {
byte[] key = new byte[]{0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15};
for (int i = 0; i<1000; i++) {
appendAES(new File("log.aes"),"All work and no play makes Jack a dull boy. ".getBytes("UTF-8"),key);
}
decryptAES(new File("log.aes"), new FileOutputStream("plain.txt"), key);
}
}
我想指出的是,输出结果与一次性加密没有任何区别。这不是一种自定义的加密形式,而是标准的AES/CBC/PKCS5Padding加密方式。唯一特定于实现的细节是,在空文件的情况下,我在开始数据之前写入了iv。
编辑:使用CipherOutputStream改进(适合我的口味)解决方案:
import java.io.BufferedReader;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStreamReader;
import java.io.RandomAccessFile;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.CipherInputStream;
import javax.crypto.CipherOutputStream;
import javax.crypto.IllegalBlockSizeException;
import javax.crypto.NoSuchPaddingException;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
public class AppendAES {
public static CipherOutputStream appendAES(File file, SecretKeySpec key) throws IOException, NoSuchAlgorithmException, NoSuchPaddingException, InvalidKeyException, InvalidAlgorithmParameterException, IllegalBlockSizeException, BadPaddingException {
return appendAES(file, key, null);
}
public static CipherOutputStream appendAES(File file, SecretKeySpec key, SecureRandom sr) throws IOException, NoSuchAlgorithmException, NoSuchPaddingException, InvalidKeyException, InvalidAlgorithmParameterException, IllegalBlockSizeException, BadPaddingException {
RandomAccessFile rfile = new RandomAccessFile(file,"rw");
byte[] iv = new byte[16];
byte[] lastBlock = null;
if (rfile.length() % 16L != 0L) {
throw new IllegalArgumentException("Invalid file length (not a multiple of block size)");
} else if (rfile.length() == 16) {
throw new IllegalArgumentException("Invalid file length (need 2 blocks for iv and data)");
} else if (rfile.length() == 0L) {
// new file: start by appending an IV
if (sr == null) sr = new SecureRandom();
sr.nextBytes(iv);
rfile.write(iv);
} else {
// file length is at least 2 blocks
rfile.seek(rfile.length()-32);
rfile.read(iv);
byte[] lastBlockEnc = new byte[16];
rfile.read(lastBlockEnc);
Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
cipher.init(Cipher.DECRYPT_MODE, key, new IvParameterSpec(iv));
lastBlock = cipher.doFinal(lastBlockEnc);
rfile.seek(rfile.length()-16);
}
Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
cipher.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(iv));
byte[] out;
if (lastBlock != null) {
out = cipher.update(lastBlock);
if (out != null) rfile.write(out);
}
CipherOutputStream cos = new CipherOutputStream(new FileOutputStream(rfile.getFD()),cipher);
return cos;
}
public static CipherInputStream decryptAES(File file, SecretKeySpec key) throws IOException, NoSuchAlgorithmException, NoSuchPaddingException, InvalidKeyException, InvalidAlgorithmParameterException, IllegalBlockSizeException, BadPaddingException {
FileInputStream fin = new FileInputStream(file);
byte[] iv = new byte[16];
if (fin.read(iv) < 16) {
throw new IllegalArgumentException("Invalid file length (needs a full block for iv)");
};
Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
cipher.init(Cipher.DECRYPT_MODE, key, new IvParameterSpec(iv));
CipherInputStream cis = new CipherInputStream(fin,cipher);
return cis;
}
public static void main(String[] args) throws Exception {
byte[] keyBytes = new byte[]{
0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15
};
SecretKeySpec key = new SecretKeySpec(keyBytes,"AES");
for (int i = 0; i<100; i++) {
CipherOutputStream cos = appendAES(new File("log.aes"),key);
cos.write("All work and no play ".getBytes("UTF-8"));
cos.write("makes Jack a dull boy. \n".getBytes("UTF-8"));
cos.close();
}
CipherInputStream cis = decryptAES(new File("log.aes"), key);
BufferedReader bread = new BufferedReader(new InputStreamReader(cis,"UTF-8"));
System.out.println(bread.readLine());
cis.close();
}
}
- maybeWeCouldStealAVan
2
非常感谢 - 我有同样的需求,并确认这段代码有效。但是:每次我添加一条消息并调用flush()时,数据都没有被写出 - 最后一个块上的填充可能只在我调用close()时才被写入。如果要求在flush()后消息完整,并且如果我不想在每个消息上关闭()和重新打开文件,我该怎么做? - Tim Cooper
@TimCooper 这个能不能增强一下,让它可以适用于所有算法而不仅仅是AES/CBC?我正在寻找这种实现方式,无论是AES/DES还是其他算法,代码都应该可以正常工作,而不必担心填充问题。 - Pradeep
7
我喜欢maybeWeCouldStealAVan提供的解决方案。但是它没有正确实现'flush()',我发现每次追加消息时关闭和重新打开文件是必要的,以确保您不会失去任何东西。所以我重新编写了它。我的解决方案将在每次刷新时写出最后一个块,但当添加下一条消息时,会重写此块。使用这种两步向前、一步向后的方法,无法使用OutputStream,而是直接在RandomAccessFile之上实现它。
import javax.crypto.*;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.io.*;
import java.security.*;
public class FlushableCipherOutputStream extends OutputStream
{
private static int HEADER_LENGTH = 16;
private SecretKeySpec key;
private RandomAccessFile seekableFile;
private boolean flushGoesStraightToDisk;
private Cipher cipher;
private boolean needToRestoreCipherState;
/** the buffer holding one byte of incoming data */
private byte[] ibuffer = new byte[1];
/** the buffer holding data ready to be written out */
private byte[] obuffer;
/** Each time you call 'flush()', the data will be written to the operating system level, immediately available
* for other processes to read. However this is not the same as writing to disk, which might save you some
* data if there's a sudden loss of power to the computer. To protect against that, set 'flushGoesStraightToDisk=true'.
* Most people set that to 'false'. */
public FlushableCipherOutputStream(String fnm, SecretKeySpec _key, boolean append, boolean _flushGoesStraightToDisk)
throws IOException
{
this(new File(fnm), _key, append,_flushGoesStraightToDisk);
}
public FlushableCipherOutputStream(File file, SecretKeySpec _key, boolean append, boolean _flushGoesStraightToDisk)
throws IOException
{
super();
if (! append)
file.delete();
seekableFile = new RandomAccessFile(file,"rw");
flushGoesStraightToDisk = _flushGoesStraightToDisk;
key = _key;
try {
cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
byte[] iv = new byte[16];
byte[] headerBytes = new byte[HEADER_LENGTH];
long fileLen = seekableFile.length();
if (fileLen % 16L != 0L) {
throw new IllegalArgumentException("Invalid file length (not a multiple of block size)");
} else if (fileLen == 0L) {
// new file
// You can write a 16 byte file header here, including some file format number to represent the
// encryption format, in case you need to change the key or algorithm. E.g. "100" = v1.0.0
headerBytes[0] = 100;
seekableFile.write(headerBytes);
// Now appending the first IV
SecureRandom sr = new SecureRandom();
sr.nextBytes(iv);
seekableFile.write(iv);
cipher.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(iv));
} else if (fileLen <= 16 + HEADER_LENGTH) {
throw new IllegalArgumentException("Invalid file length (need 2 blocks for iv and data)");
} else {
// file length is at least 2 blocks
needToRestoreCipherState = true;
}
} catch (InvalidKeyException e) {
throw new IOException(e.getMessage());
} catch (NoSuchAlgorithmException e) {
throw new IOException(e.getMessage());
} catch (NoSuchPaddingException e) {
throw new IOException(e.getMessage());
} catch (InvalidAlgorithmParameterException e) {
throw new IOException(e.getMessage());
}
}
/**
* Writes one _byte_ to this output stream.
*/
public void write(int b) throws IOException {
if (needToRestoreCipherState)
restoreStateOfCipher();
ibuffer[0] = (byte) b;
obuffer = cipher.update(ibuffer, 0, 1);
if (obuffer != null) {
seekableFile.write(obuffer);
obuffer = null;
}
}
/** Writes a byte array to this output stream. */
public void write(byte data[]) throws IOException {
write(data, 0, data.length);
}
/**
* Writes <code>len</code> bytes from the specified byte array
* starting at offset <code>off</code> to this output stream.
*
* @param data the data.
* @param off the start offset in the data.
* @param len the number of bytes to write.
*/
public void write(byte data[], int off, int len) throws IOException
{
if (needToRestoreCipherState)
restoreStateOfCipher();
obuffer = cipher.update(data, off, len);
if (obuffer != null) {
seekableFile.write(obuffer);
obuffer = null;
}
}
/** The tricky stuff happens here. We finalise the cipher, write it out, but then rewind the
* stream so that we can add more bytes without padding. */
public void flush() throws IOException
{
try {
if (needToRestoreCipherState)
return; // It must have already been flushed.
byte[] obuffer = cipher.doFinal();
if (obuffer != null) {
seekableFile.write(obuffer);
if (flushGoesStraightToDisk)
seekableFile.getFD().sync();
needToRestoreCipherState = true;
}
} catch (IllegalBlockSizeException e) {
throw new IOException("Illegal block");
} catch (BadPaddingException e) {
throw new IOException("Bad padding");
}
}
private void restoreStateOfCipher() throws IOException
{
try {
// I wish there was a more direct way to snapshot a Cipher object, but it seems there's not.
needToRestoreCipherState = false;
byte[] iv = cipher.getIV(); // To help avoid garbage, re-use the old one if present.
if (iv == null)
iv = new byte[16];
seekableFile.seek(seekableFile.length() - 32);
seekableFile.read(iv);
byte[] lastBlockEnc = new byte[16];
seekableFile.read(lastBlockEnc);
cipher.init(Cipher.DECRYPT_MODE, key, new IvParameterSpec(iv));
byte[] lastBlock = cipher.doFinal(lastBlockEnc);
seekableFile.seek(seekableFile.length() - 16);
cipher.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(iv));
byte[] out = cipher.update(lastBlock);
assert out == null || out.length == 0;
} catch (Exception e) {
throw new IOException("Unable to restore cipher state");
}
}
public void close() throws IOException
{
flush();
seekableFile.close();
}
}
您可以使用以下方法查看如何使用它并进行测试:
import org.junit.Test;
import javax.crypto.Cipher;
import javax.crypto.CipherInputStream;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.io.*;
import java.io.BufferedWriter;
public class TestFlushableCipher {
private static byte[] keyBytes = new byte[]{
// Change these numbers lest other StackOverflow readers can read your log files
-53, 93, 59, 108, -34, 17, -72, -33, 126, 93, -62, -50, 106, -44, 17, 55
};
private static SecretKeySpec key = new SecretKeySpec(keyBytes,"AES");
private static int HEADER_LENGTH = 16;
private static BufferedWriter flushableEncryptedBufferedWriter(File file, boolean append) throws Exception
{
FlushableCipherOutputStream fcos = new FlushableCipherOutputStream(file, key, append, false);
return new BufferedWriter(new OutputStreamWriter(fcos, "UTF-8"));
}
private static InputStream readerEncryptedByteStream(File file) throws Exception
{
FileInputStream fin = new FileInputStream(file);
byte[] iv = new byte[16];
byte[] headerBytes = new byte[HEADER_LENGTH];
if (fin.read(headerBytes) < HEADER_LENGTH)
throw new IllegalArgumentException("Invalid file length (failed to read file header)");
if (headerBytes[0] != 100)
throw new IllegalArgumentException("The file header does not conform to our encrypted format.");
if (fin.read(iv) < 16) {
throw new IllegalArgumentException("Invalid file length (needs a full block for iv)");
}
Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
cipher.init(Cipher.DECRYPT_MODE, key, new IvParameterSpec(iv));
return new CipherInputStream(fin,cipher);
}
private static BufferedReader readerEncrypted(File file) throws Exception
{
InputStream cis = readerEncryptedByteStream(file);
return new BufferedReader(new InputStreamReader(cis));
}
@Test
public void test() throws Exception {
File zfilename = new File("c:\\WebEdvalData\\log.x");
BufferedWriter cos = flushableEncryptedBufferedWriter(zfilename, false);
cos.append("Sunny ");
cos.append("and green. \n");
cos.close();
int spaces=0;
for (int i = 0; i<10; i++) {
cos = flushableEncryptedBufferedWriter(zfilename, true);
for (int j=0; j < 2; j++) {
cos.append("Karelia and Tapiola" + i);
for (int k=0; k < spaces; k++)
cos.append(" ");
spaces++;
cos.append("and other nice things. \n");
cos.flush();
tail(zfilename);
}
cos.close();
}
BufferedReader cis = readerEncrypted(zfilename);
String msg;
while ((msg=cis.readLine()) != null) {
System.out.println(msg);
}
cis.close();
}
private void tail(File filename) throws Exception
{
BufferedReader infile = readerEncrypted(filename);
String last = null, secondLast = null;
do {
String msg = infile.readLine();
if (msg == null)
break;
if (! msg.startsWith("}")) {
secondLast = last;
last = msg;
}
} while (true);
if (secondLast != null)
System.out.println(secondLast);
System.out.println(last);
System.out.println();
}
}
- Tim Cooper
1
嗨,它完美地运行了,谢谢。如何在电脑上查看这些加密文件?有什么方法可以做到吗?谢谢。 - praveenb
3
AES是一种分块密码。这意味着它不会逐个字符加密消息,而是保存数据直到达到特定大小的块,然后进行写入。因此,这本身就会给你带来问题,因为你的日志消息可能无法匹配块大小。这是第一个问题。
第二个问题是,“AES”本身并不能完整描述你正在做的事情。分块密码可以在不同的“模式”下使用(请参见维基百科上的这篇好的描述)。其中许多模式将先前流中的信息与后来的数据混合。这使加密更加安全,但也会导致问题(因为你需要存储将在关闭和打开文件之间混合的信息)。
要解决第一个问题,你需要一个流密码。顾名思义,这可以处理数据流。现在事实证明,上述某些密码模式可以使分块密码像流密码一样工作。
但是,流密码可能无法解决第二个问题-为此,你需要在某处存储需要在使用之间传递的数据,以便正确初始化附加的流。
如果你问了所有这些问题,你有多确定最终结果是安全的?即使有以上指导,你仍可能犯很多错误。我建议要么找到一个现有的库来完成此操作,要么降低你的要求,以便解决一个更简单的问题(在这种情况下,你真的需要追加吗?或者,像上面建议的那样,在文件中添加某种标记,以便找到不同的部分?)
第二个问题是,“AES”本身并不能完整描述你正在做的事情。分块密码可以在不同的“模式”下使用(请参见维基百科上的这篇好的描述)。其中许多模式将先前流中的信息与后来的数据混合。这使加密更加安全,但也会导致问题(因为你需要存储将在关闭和打开文件之间混合的信息)。
要解决第一个问题,你需要一个流密码。顾名思义,这可以处理数据流。现在事实证明,上述某些密码模式可以使分块密码像流密码一样工作。
但是,流密码可能无法解决第二个问题-为此,你需要在某处存储需要在使用之间传递的数据,以便正确初始化附加的流。
如果你问了所有这些问题,你有多确定最终结果是安全的?即使有以上指导,你仍可能犯很多错误。我建议要么找到一个现有的库来完成此操作,要么降低你的要求,以便解决一个更简单的问题(在这种情况下,你真的需要追加吗?或者,像上面建议的那样,在文件中添加某种标记,以便找到不同的部分?)
- andrew cooke
2
无论提供多少数据给AES加密,都会被填充为128位的块大小。这是固定的。 - Cratylus
没错。如果我理解正确,使用“NoPadding”将强制CipherOutputStream忽略最后一个数据块,如果它的大小不等于块大小。 - Aleksandr Kravets
1
无论能否向密码文本追加数据取决于两个因素:
- 您需要对AES使用Counter(CTR)模式,因为它是唯一允许您在加密数据中随机查找的模式。 在这种情况下,您想要查找到加密数据的末尾。 请注意,在CTR模式下,不需要将密码文本填充到密码块大小。
- 您不能在没有重新输入整个消息(无论是密码文本还是纯文本)的情况下使用任何消息认证码(MAC)。 这是设计如此-如果可以这样做,那么MAC将被攻破。
- Christian Schlichtherle
4
但是文件的追加操作与加密数据有什么关系呢?当您使用追加进行文件写入时,数据可能是二进制等格式。在这种情况下,它是加密的。加密如何在这里起作用? - Cratylus
@user384706 追加数据会改变MAC地址,而MAC地址是文件整体的指纹。 - andrew cooke
@andrewcooke:OP没有提到MAC。他只想加密。 - Cratylus
以下是关于编程的内容,由答案进行讨论。 - andrew cooke
0
有没有任何方法可以在不必每次解密文件的情况下与加密文件一起工作并附加一些消息?
如果对已加密的文件进行再加密,则可能无法解密。
您可以实现自定义加密,其中可能有某种指示器表示下一部分是附加的消息。这样,它可以使用相同的方法解密每个消息。
您也可以尝试这个https://dev59.com/YXRB5IYBdhLWcg3wa2q2#629762
如果对已加密的文件进行再加密,则可能无法解密。
您可以实现自定义加密,其中可能有某种指示器表示下一部分是附加的消息。这样,它可以使用相同的方法解密每个消息。
您也可以尝试这个https://dev59.com/YXRB5IYBdhLWcg3wa2q2#629762
- Sully
网页内容由stack overflow 提供, 点击上面的可以查看英文原文,
原文链接
原文链接