aes-rsa-java
aes-rsa-java copied to clipboard
wustrive2008
AES+RSA结合应用java示例
Hi, I am an Android developer. I had a few questions for you. How can I contact you at WeChat? My username in WeChat: @rchookan_developer
Hi there, we found that the following places using insecure hash functions: ``` /home/xwt/IdeaProjects/aes-rsa-java/src/main/java/com/wustrive/aesrsa/util/Digest.java:19: error: [algorithm.not.allowed] Algorithm: MD5 is not allowed by the current rules MessageDigest md = MessageDigest.getInstance("MD5"); ^...
几个问题
看了下这个方案的 Java 代码,有几个问题: 1. https://github.com/wustrive2008/aes-rsa-java/blob/master/src/main/java/com/wustrive/aesrsa/util/RandomUtil.java 这个竟然用的是java.util.Random。 java.util.Random 不是密码学安全的! 2. "AES/ECB/PKCS5Padding"; AES绝对不要使用 ECB 模式! https://zh.wikipedia.org/wiki/%E5%9D%97%E5%AF%86%E7%A0%81%E7%9A%84%E5%B7%A5%E4%BD%9C%E6%A8%A1%E5%BC%8F 3. HMAC 用 javax.crypto.Mac 就行了 http://stackoverflow.com/questions/3208160/how-to-generate-an-hmac-in-java-equivalent-to-a-python-example 不需要自己实现。 楼主的实现冗余代码太多。 建议废掉 HMAC-MD5 和 HMAC-SHA1,这俩已经不安全了。 1. https://github.com/wustrive2008/aes-rsa-java/blob/master/src/main/java/com/wustrive/aesrsa/util/EncryptionUtil.java 这个提取一个 byte...
This PR was automatically created by Snyk using the credentials of a real user.Snyk has created this PR to upgrade commons-lang:commons-lang from 2.5 to 2.6. :information_source: Keep your dependencies up-to-date....
This PR was automatically created by Snyk using the credentials of a real user.Snyk has created this PR to upgrade log4j:log4j from 1.2.16 to 1.2.17. :information_source: Keep your dependencies up-to-date....
This PR was automatically created by Snyk using the credentials of a real user.Snyk has created this PR to upgrade com.alibaba:fastjson from 1.2.7 to 1.2.83_noneautotype. :information_source: Keep your dependencies up-to-date....