
User Authentication in Java using 128-bit AES encryption in CBC mode with PKCS #5 padding

I am using 128-bit AES encryption in CBC mode with PKCS #5 padding to save passwords to my database. However, when I try to log in, the system tells me the password is invalid even though I use the correct password.

On my UserSetup class, this is my code for encrypting the passwords and saving them to my database:

try {
    String input = simple_text.getText();

    Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");

    // fresh random IV for every call
    byte[] iv = new byte[cipher.getBlockSize()];
    new SecureRandom().nextBytes(iv);
    IvParameterSpec ivSpec = new IvParameterSpec(iv);

    // derive a 128-bit AES key from keyString (a field defined elsewhere in the class)
    MessageDigest digest = MessageDigest.getInstance("SHA-256");
    digest.update(keyString.getBytes());
    byte[] key = new byte[16];
    System.arraycopy(digest.digest(), 0, key, 0, key.length);
    SecretKeySpec keySpec = new SecretKeySpec(key, "AES");

    // encrypt
    cipher.init(Cipher.ENCRYPT_MODE, keySpec, ivSpec);
    byte[] encrypted = cipher.doFinal(input.getBytes("UTF-8"));
    System.out.println("encrypted: " + new String(encrypted));
    encrypt_text.setText(new String(encrypted));
} catch (Exception e2) {
    JOptionPane.showMessageDialog(null, e2);
}

try {
    String sql = "INSERT INTO user(username,password) VALUES(?,?) ON DUPLICATE KEY UPDATE username=VALUES(username),password=VALUES(password)";

    pst=conn.prepareStatement(sql);

    pst.setString(1, fLoginName.getText());
    pst.setString(2, encrypt_text.getText());

    pst.execute();

    JOptionPane.showMessageDialog(null, "saved");
} catch (Exception e2) {
    JOptionPane.showMessageDialog(null, e2);
}

On my Login class, I have the following code:

String sql = "select * from user where username=? and password=?";
if (loginNameField.getText().equals("me") && passwordField.getText().equals("me")) {
    frmLoginWindow.dispose();
    new GridMain().setVisible(true);
} else {
    try {
        pst = conn.prepareStatement(sql);
        pst.setString(1, loginNameField.getText());
        pst.setString(2, passwordField.getText());

        rs = pst.executeQuery();

        if (rs.next()) {
            //JOptionPane.showMessageDialog(null, "Username and Password is correct ");
            rs.close();
            pst.close();
            //  close();
            frmLoginWindow.dispose();
            new GridMain().setVisible(true);
        } else {
            JOptionPane.showMessageDialog(null, "Username and Password is not correct");
        }
    } catch (Exception e) {
        JOptionPane.showMessageDialog(null, e);
    } finally {
        try {
            rs.close();
            pst.close();
        } catch (Exception e) {}
    }
}

My encrypted passwords are saving successfully, but I need a way to match my login password with the encrypted password, since AES encryption does not give the same encrypted value even if you encrypt the same password.

AES is an encryption algorithm. You try to use it as a password hash algorithm. The problem is that encrypting the same thing several times will not yield the same result every time. The initialization vector (IV) introduces randomness into the process so that you will not get the same result twice.

You would need to decrypt the password to check it or switch to a password hashing algorithm such as PBKDF2. Keep in mind that AES produces binary data (byte[]) which you cannot simply convert to String. You need to encode it with something like Base64. This may also be necessary for the output of hashing functions.
