AES加密-在Android上存储密码
[英]AES encryption - storing passwords on Android
问题描述
I'm new to encryption and android and so asking this question. 
我是加密和android的新手,所以问了这个问题。
How does the applications like password manager, password safe, etc. handle the AES encryption, they all claim their app is safe and secure. 密码管理器,密码安全性等应用程序如何处理AES加密,它们都声称自己的应用程序是安全的。 But my question is, if the passwords are stored on the device database, and the key used is in the code, there's simply no way to completely make it secure. 但是我的问题是,如果密码存储在设备数据库中,并且所使用的密钥在代码中,则根本没有办法完全确保其安全性。 Because in case the device was hacked, the app can be reverse engineered and the key/code could be easily obtained. 因为万一设备被黑客入侵,该应用程序可以进行反向工程并且可以轻松获得密钥/代码。 Even if the code is obfuscated, the key could still be obtained from the obfuscated code, right? 即使混淆了代码,仍然可以从混淆后的代码中获取密钥,对吗? It may just be harder with obfuscation but not impossible. 混淆可能会更困难,但并非没有可能。
Or is there a different way these applications handle the encryption? 还是这些应用程序处理加密的方式不同?
I'm making a similar application and so I really wanted to know what a good encryption key would be and the best place/way to store it. 我正在制作类似的应用程序,因此我真的很想知道什么是好的加密密钥以及最佳的存储方式。 I' don't want to access the key remotely from the app. 我不想从应用程序远程访问密钥。
Thanks in advance. 提前致谢。
1 个解决方案
解决方案1
0 已采纳 2011-11-02 23:15:48
A password manager should use a kind of "master password" to secure its key. 密码管理器应使用一种“主密码”来保护其密钥。 Normally this is done by generating an encryption key off a password with PBKDF2 (Password-Based Key Derivation Function). 通常,这是通过使用PBKDF2 (基于密码的密钥派生功能)从密码生成加密密钥来完成的。 Thus the user has to enter the password before the application is able to decrypt the data. 因此,用户必须在应用程序能够解密数据之前输入密码。
If your application includes the key in any form it is insecure by design. 如果您的应用程序以任何形式包含密钥,则它在设计上是不安全的。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.