本文档介绍了使用 Android 加密工具的正确方法,并提供了一些使用示例。如果您的应用需要更高的密钥安全性,请使用 Android 密钥库系统。
注意:除非另有说明,否则本文中的建议适用于所有 Android 版本。
仅使用 Android 密钥库系统指定提供程序
如果您使用的是 Android 密钥库系统,您必须指定一个提供程序。
但在其他情况下,Android 并不保证为指定算法提供特定的提供程序。如果指定提供程序时未使用 Android 密钥库系统,则可能会导致未来版本出现兼容性问题。
选择建议的算法
如果您可以自由选择使用哪种算法(例如在不需要与第三方系统兼容时),我们建议您使用以下算法:
类
建议
Cipher
采用 CBC 或 GCM 模式且具有 256 位密钥的 AES(例如 AES/GCM/NoPadding)
MessageDigest
SHA-2 系列(例如,SHA-256)
Mac
SHA-2 系列 HMAC(例如,HMACSHA256)
Signature
使用 ECDSA 的 SHA-2 系列(例如,SHA256withECDSA)
注意:在读取和写入本地文件时,您的应用可以使用 Security 库以更安全的方式执行这些操作。该库会指定一个建议的加密算法供您使用。
执行常见的加密操作
下面几部分提供的代码段演示了如何在应用中完成常见的加密操作。
读取文件
Kotlin
// Although you can define your own key generation parameter specification, it's
// recommended that you use the value specified here.
val mainKey = MasterKey.Builder(applicationContext)
.setKeyScheme(MasterKey.KeyScheme.AES256_GCM)
.build()
val fileToRead = "my_sensitive_data.txt"
val encryptedFile = EncryptedFile.Builder(
applicationContext,
File(DIRECTORY, fileToRead),
mainKey,
EncryptedFile.FileEncryptionScheme.AES256_GCM_HKDF_4KB
).build()
val inputStream = encryptedFile.openFileInput()
val byteArrayOutputStream = ByteArrayOutputStream()
var nextByte: Int = inputStream.read()
while (nextByte != -1) {
byteArrayOutputStream.write(nextByte)
nextByte = inputStream.read()
}
val plaintext: ByteArray = byteArrayOutputStream.toByteArray()Java
// Although you can define your own key generation parameter specification, it's
// recommended that you use the value specified here.
Context context = getApplicationContext();
MasterKey mainKey = new MasterKey.Builder(context)
.setKeyScheme(MasterKey.KeyScheme.AES256_GCM)
.build();
String fileToRead = "my_sensitive_data.txt";
EncryptedFile encryptedFile = new EncryptedFile.Builder(context,
new File(DIRECTORY, fileToRead),
mainKey,
EncryptedFile.FileEncryptionScheme.AES256_GCM_HKDF_4KB
).build();
InputStream inputStream = encryptedFile.openFileInput();
ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
int nextByte = inputStream.read();
while (nextByte != -1) {
byteArrayOutputStream.write(nextByte);
nextByte = inputStream.read();
}
byte[] plaintext = byteArrayOutputStream.toByteArray();
写入文件
Kotlin
// Although you can define your own key generation parameter specification, it's
// recommended that you use the value specified here.
val mainKey = MasterKey.Builder(applicationContext)
.setKeyScheme(MasterKey.KeyScheme.AES256_GCM)
.build()
// Creates a file with this name, or replaces an existing file
// that has the same name. Note that the file name cannot contain
// path separators.
val fileToWrite = "my_sensitive_data.txt"
val encryptedFile = EncryptedFile.Builder(
applicationContext,
File(DIRECTORY, fileToWrite),
mainKey,
EncryptedFile.FileEncryptionScheme.AES256_GCM_HKDF_4KB
).build()
val fileContent = "MY SUPER-SECRET INFORMATION"
.toByteArray(StandardCharsets.UTF_8)
encryptedFile.openFileOutput().apply {
write(fileContent)
flush()
close()
}Java
// Although you can define your own key generation parameter specification, it's
// recommended that you use the value specified here.
Context context = getApplicationContext();
MasterKey mainKey = new MasterKey.Builder(context)
.setKeyScheme(MasterKey.KeyScheme.AES256_GCM)
.build();
// Creates a file with this name, or replaces an existing file
// that has the same name. Note that the file name cannot contain
// path separators.
String fileToWrite = "my_sensitive_data.txt";
EncryptedFile encryptedFile = new EncryptedFile.Builder(context,
new File(DIRECTORY, fileToWrite),
mainKey,
EncryptedFile.FileEncryptionScheme.AES256_GCM_HKDF_4KB
).build();
byte[] fileContent = "MY SUPER-SECRET INFORMATION"
.getBytes(StandardCharsets.UTF_8);
OutputStream outputStream = encryptedFile.openFileOutput();
outputStream.write(fileContent);
outputStream.flush();
outputStream.close();
加密消息
Kotlin
val plaintext: ByteArray = ...
val keygen = KeyGenerator.getInstance("AES")
keygen.init(256)
val key: SecretKey = keygen.generateKey()
val cipher = Cipher.getInstance("AES/CBC/PKCS5PADDING")
cipher.init(Cipher.ENCRYPT_MODE, key)
val ciphertext: ByteArray = cipher.doFinal(plaintext)
val iv: ByteArray = cipher.ivJava
byte[] plaintext = ...;
KeyGenerator keygen = KeyGenerator.getInstance("AES");
keygen.init(256);
SecretKey key = keygen.generateKey();
Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5PADDING");
cipher.init(Cipher.ENCRYPT_MODE, key);
byte[] ciphertext = cipher.doFinal(plaintext);
byte[] iv = cipher.getIV();
生成消息摘要
Kotlin
val message: ByteArray = ...
val md = MessageDigest.getInstance("SHA-256")
val digest: ByteArray = md.digest(message)Java
byte[] message = ...;
MessageDigest md = MessageDigest.getInstance("SHA-256");
byte[] digest = md.digest(message);
生成数字签名
您需要拥有一个包含签名密钥的 PrivateKey 对象;签名密钥可以在运行时生成、从与您的应用捆绑在一起的文件中读取,或者根据您的需要从其他一些来源获取。
Kotlin
val message: ByteArray = ...
val key: PrivateKey = ...
val s = Signature.getInstance("SHA256withECDSA")
.apply {
initSign(key)
update(message)
}
val signature: ByteArray = s.sign()Java
byte[] message = ...;
PrivateKey key = ...;
Signature s = Signature.getInstance("SHA256withECDSA");
s.initSign(key);
s.update(message);
byte[] signature = s.sign();
验证数字签名
您需要拥有一个包含签名者公钥的 PublicKey 对象;该公钥可以从与您的应用捆绑在一起的文件中读取、从证书中提取,或者根据您的需要从其他一些来源获取。
Kotlin
val message: ByteArray = ...
val signature: ByteArray = ...
val key: PublicKey = ...
val s = Signature.getInstance("SHA256withECDSA")
.apply {
initVerify(key)
update(message)
}
val valid: Boolean = s.verify(signature)Java
byte[] message = ...;
byte[] signature = ...;
PublicKey key = ...;
Signature s = Signature.getInstance("SHA256withECDSA");
s.initVerify(key);
s.update(message);
boolean valid = s.verify(signature);
实现方面的复杂问题
Android 加密实现的一些细节看似不寻常,但因兼容性方面的考虑而存在。本部分探讨了您最有可能遇到的一些细节。
OAEP MGF1 消息摘要
RSA OAEP 加密算法由两个不同的消息摘要进行参数化,它们分别为:“主”摘要和 MGF1 摘要。Cipher.getInstance("RSA/ECB/OAEPwithSHA-256andMGF1Padding") 等包含摘要名称的加密算法标识符可指定主摘要,并使 MGF1 摘要处于未指定状态。在 Android 密钥库中,SHA-1 用于 MGF1 摘要;而在其他 Android 加密提供程序中,这两个摘要相同。
为了更好地控制您的应用使用的摘要,您应该请求带有 OAEPPadding 的加密算法(像 Cipher.getInstance("RSA/ECB/OAEPPadding") 一样),并向 init() 提供 OAEPParameterSpec 以明确选择这两个摘要。
Kotlin
val key: Key = ...
val cipher = Cipher.getInstance("RSA/ECB/OAEPPadding")
.apply {
// To use SHA-256 the main digest and SHA-1 as the MGF1 digest
init(Cipher.ENCRYPT_MODE, key, OAEPParameterSpec("SHA-256", "MGF1", MGF1ParameterSpec.SHA1, PSource.PSpecified.DEFAULT))
// To use SHA-256 for both digests
init(Cipher.ENCRYPT_MODE, key, OAEPParameterSpec("SHA-256", "MGF1", MGF1ParameterSpec.SHA256, PSource.PSpecified.DEFAULT))
}Java
Key key = ...;
Cipher cipher = Cipher.getInstance("RSA/ECB/OAEPPadding");
// To use SHA-256 the main digest and SHA-1 as the MGF1 digest
cipher.init(Cipher.ENCRYPT_MODE, key, new OAEPParameterSpec("SHA-256", "MGF1", MGF1ParameterSpec.SHA1, PSource.PSpecified.DEFAULT));
// To use SHA-256 for both digests
cipher.init(Cipher.ENCRYPT_MODE, key, new OAEPParameterSpec("SHA-256", "MGF1", MGF1ParameterSpec.SHA256, PSource.PSpecified.DEFAULT));
已弃用的功能
下面几部分介绍了您不应再在应用中使用的已弃用功能。
Bouncy Castle 算法
许多算法的 Bouncy Castle 实现都已弃用。这只会影响您明确请求了 Bouncy Castle 提供程序的情况,如以下示例所示:
Kotlin
Cipher.getInstance("AES/CBC/PKCS7PADDING", "BC")
// OR
Cipher.getInstance("AES/CBC/PKCS7PADDING", Security.getProvider("BC"))Java
Cipher.getInstance("AES/CBC/PKCS7PADDING", "BC");
// OR
Cipher.getInstance("AES/CBC/PKCS7PADDING", Security.getProvider("BC"));
如上所述,我们不建议请求特定的提供程序,因此,如果您遵循该准则,则此弃用应该不会对您产生影响。
无需使用 IV 的基于密码的加密算法
需要初始化矢量 (IV) 的基于密码的加密 (PBE) 算法可以通过密钥(经过适当的构造)获得,或者通过明确传递的 IV 获得。目前,在传递不包含 IV 且未明确 IV 的 PBE 密钥时,Android 上的 PBE 加密算法会假定 IV 为零。
使用 PBE 加密算法时,请务必传递明确的 IV,如以下代码段所示:
Kotlin
val key: SecretKey = ...
val cipher = Cipher.getInstance("PBEWITHSHA256AND256BITAES-CBC-BC")
val iv = ByteArray(16)
SecureRandom().nextBytes(iv)
cipher.init(Cipher.ENCRYPT_MODE, key, IvParameterSpec(iv))Java
SecretKey key = ...;
Cipher cipher = Cipher.getInstance("PBEWITHSHA256AND256BITAES-CBC-BC");
byte[] iv = new byte[16];
new SecureRandom().nextBytes(iv);
cipher.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(iv));
Crypto 提供程序
自 Android 9(API 级别 28)起,Crypto Java 加密架构 (JCA) 提供程序已被移除。如果您的应用请求 Crypto 提供程序实例(例如通过调用以下方法来请求),则会出现 NoSuchProviderException。
Kotlin
SecureRandom.getInstance("SHA1PRNG", "Crypto")Java
SecureRandom.getInstance("SHA1PRNG", "Crypto");
支持的算法
下面列出了 Android 的各个 API 级别都支持的 JCA 算法标识符。
AlgorithmParameterGenerator
算法
支持的 API 级别
AES
1-8
DES
1-8
DESede
1-8
DH
1+
DSA
1+
AlgorithmParameters
算法
支持的 API 级别
AES
1+
BLOWFISH
10+
ChaCha20
28+
DES
1+
DESede
1+
DH
1+
DSA
1+
EC
26+
GCM
22+
IES
1-8
OAEP
1+
PBEwithHmacSHA1AndAES_128
26+
PBEwithHmacSHA1AndAES_256
26+
PBEwithHmacSHA224AndAES_128
26+
PBEwithHmacSHA224AndAES_256
26+
PBEwithHmacSHA256AndAES_128
26+
PBEwithHmacSHA256AndAES_256
26+
PBEwithHmacSHA384AndAES_128
26+
PBEwithHmacSHA384AndAES_256
26+
PBEwithHmacSHA512AndAES_128
26+
PBEwithHmacSHA512AndAES_256
26+
PKCS12PBE
1+
PSS
1-8、24+
CertPathBuilder
算法
支持的 API 级别
PKIX
1+
CertPathValidator
算法
支持的 API 级别
PKIX
1+
CertStore
算法
支持的 API 级别
Collection
1+
CertificateFactory
算法
支持的 API 级别
X.509
1+
Cipher
算法
模式
填充
支持的 API 级别
备注
AES
CBC
CFB
CTR
CTS
ECB
OFB
ISO10126Padding
NoPadding
PKCS5Padding
1+
GCM
NoPadding
10+
AES_128
CBC
ECB
NoPadding
PKCS5Padding
26+
GCM
NoPadding
26+
AES_256
CBC
ECB
NoPadding
PKCS5Padding
26+
GCM
NoPadding
26+
ARC4
ECB
NoPadding
10+
NONE
NoPadding
28+
BLOWFISH
CBC
CFB
CTR
CTS
ECB
OFB
ISO10126Padding
NoPadding
PKCS5Padding
10+
ChaCha20
NONE
Poly1305
NoPadding
28+
具有 20 轮、96 位随机数以及 32 位计数器的 ChaCha(如 RFC 7539 中所述)。
DES
CBC
CFB
CTR
CTS
ECB
OFB
ISO10126Padding
NoPadding
PKCS5Padding
1+
DESede
CBC
CFB
CTR
CTS
ECB
OFB
ISO10126Padding
NoPadding
PKCS5Padding
1+
RSA
ECB
NONE
NoPadding
OAEPPadding
PKCS1Padding
1+
OAEPwithSHA-1andMGF1Padding
OAEPwithSHA-256andMGF1Padding
10+
OAEPwithSHA-224andMGF1Padding
OAEPwithSHA-384andMGF1Padding
OAEPwithSHA-512andMGF1Padding
23+
KeyAgreement
算法
支持的 API 级别
DH
1+
ECDH
11+
KeyFactory
算法
支持的 API 级别
DH
1+
DSA
1+
EC
11+
RSA
1+
X.509
1-8
KeyGenerator
算法
支持的 API 级别
AES
1+
AESWRAP
1-8
ARC4
14+
BLOWFISH
10+
ChaCha20
28+
DES
1+
DESede
1+
DESedeWRAP
1-8
HmacMD5
1+
HmacSHA1
11+
HmacSHA224
1-8、22+
HmacSHA256
1+
HmacSHA384
1+
HmacSHA512
1+
RC4
10-13
KeyManagerFactory
算法
支持的 API 级别
PKIX
1+
KeyPairGenerator
算法
支持的 API 级别
DH
1+
DSA
1+
EC
11+
RSA
1+
KeyStore
算法
支持的 API 级别
AndroidCAStore
14+
AndroidKeyStore
18+
BCPKCS12
1-8
BKS
1+
BouncyCastle
1+
PKCS12
1+
PKCS12-DEF
1-8
Mac
算法
支持的 API 级别
DESMAC
1-8
DESMAC/CFB8
1-8
DESedeMAC
1-8
DESedeMAC/CFB8
1-8
DESedeMAC64
1-8
DESwithISO9797
1-8
HmacMD5
1+
HmacSHA1
1+
HmacSHA224
1-8、22+
HmacSHA256
1+
HmacSHA384
1+
HmacSHA512
1+
ISO9797ALG3MAC
1-8
PBEwithHmacSHA
1+
PBEwithHmacSHA1
1+
PBEwithHmacSHA224
26+
PBEwithHmacSHA256
26+
PBEwithHmacSHA384
26+
PBEwithHmacSHA512
26+
MessageDigest
算法
支持的 API 级别
MD5
1+
SHA-1
1+
SHA-224
1-8、22+
SHA-256
1+
SHA-384
1+
SHA-512
1+
SSLContext
算法
支持的 API 级别
默认
10+
SSL
10+
SSLv3
10-25
TLS
1+
TLSv1
10+
TLSv1.1
16+
TLSv1.2
16+
SSLEngine
算法
支持的 API 级别
默认处于启用状态
SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
9-22
9-19
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
9-22
9-19
SSL_DHE_DSS_WITH_DES_CBC_SHA
9-22
9-19
SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
9-22
9-19
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
9-22
9-19
SSL_DHE_RSA_WITH_DES_CBC_SHA
9-22
9-19
SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA
9-22
SSL_DH_anon_EXPORT_WITH_RC4_40_MD5
9-22
SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
9-22
SSL_DH_anon_WITH_DES_CBC_SHA
9-22
SSL_DH_anon_WITH_RC4_128_MD5
9-22
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
9-22
9-19
SSL_RSA_EXPORT_WITH_RC4_40_MD5
9-22
9-19
SSL_RSA_WITH_3DES_EDE_CBC_SHA
9+
9-19
SSL_RSA_WITH_DES_CBC_SHA
9-22
9-19
SSL_RSA_WITH_NULL_MD5
9-22
SSL_RSA_WITH_NULL_SHA
9-22
SSL_RSA_WITH_RC4_128_MD5
9-25
9-19
SSL_RSA_WITH_RC4_128_SHA
9-25
9-23
TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
1-8
1-8
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
1-8
1-8
TLS_DHE_DSS_WITH_AES_128_CBC_SHA
9-22
9-22
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
20-22
TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
20-22
TLS_DHE_DSS_WITH_AES_256_CBC_SHA
9-22
20-22
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
20-22
TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
20-22
TLS_DHE_DSS_WITH_DES_CBC_SHA
1-8
1-8
TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
1-8
1-8
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
1-8
1-8
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
9-25
9-25
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
20-25
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
20-25
20-25
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
9-25
20-25
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
20-25
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
20-25
20-25
TLS_DHE_RSA_WITH_DES_CBC_SHA
1-8
1-8
TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA
1-8
TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA
1-8
TLS_DH_DSS_WITH_DES_CBC_SHA
1-8
TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA
1-8
TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA
1-8
TLS_DH_RSA_WITH_DES_CBC_SHA
1-8
TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA
1-8
TLS_DH_anon_WITH_3DES_EDE_CBC_SHA
1-8
TLS_DH_anon_WITH_AES_128_CBC_SHA
9-22
TLS_DH_anon_WITH_AES_128_CBC_SHA256
20-22
TLS_DH_anon_WITH_AES_128_GCM_SHA256
20-22
TLS_DH_anon_WITH_AES_256_CBC_SHA
9-22
TLS_DH_anon_WITH_AES_256_CBC_SHA256
20-22
TLS_DH_anon_WITH_AES_256_GCM_SHA384
20-22
TLS_DH_anon_WITH_DES_CBC_SHA
1-8
TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
20-22
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
20+
20+
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
20+
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
20+
20+
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
20+
20+
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
20+
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
20+
20+
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
24+
24+
TLS_ECDHE_ECDSA_WITH_NULL_SHA
20-22
TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
20-25
20-23
TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA
21+
21+
TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA
21+
21+
TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256
24+
24+
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
20-22
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
20+
20+
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
20+
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
20+
20+
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
20+
20+
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
20+
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
20+
20+
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
24+
24+
TLS_ECDHE_RSA_WITH_NULL_SHA
20-22
TLS_ECDHE_RSA_WITH_RC4_128_SHA
20-25
20-23
TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
20-22
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
20-22
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
20-22
TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
20-22
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
20-22
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
20-22
TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
20-22
TLS_ECDH_ECDSA_WITH_NULL_SHA
20-22
TLS_ECDH_ECDSA_WITH_RC4_128_SHA
20-22
TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
20-22
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
20-22
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
20-22
TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
20-22
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
20-22
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
20-22
TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
20-22
TLS_ECDH_RSA_WITH_NULL_SHA
20-22
TLS_ECDH_RSA_WITH_RC4_128_SHA
20-22
TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA
20-22
TLS_ECDH_anon_WITH_AES_128_CBC_SHA
20-22
TLS_ECDH_anon_WITH_AES_256_CBC_SHA
20-22
TLS_ECDH_anon_WITH_NULL_SHA
20-22
TLS_ECDH_anon_WITH_RC4_128_SHA
20-22
TLS_EMPTY_RENEGOTIATION_INFO_SCSV
20+
20+
TLS_FALLBACK_SCSV
21+
TLS_NULL_WITH_NULL_NULL
1-8
TLS_PSK_WITH_3DES_EDE_CBC_SHA
21-22
TLS_PSK_WITH_AES_128_CBC_SHA
21+
21+
TLS_PSK_WITH_AES_256_CBC_SHA
21+
21+
TLS_PSK_WITH_RC4_128_SHA
21-25
TLS_RSA_EXPORT_WITH_DES40_CBC_SHA
1-8
1-8
TLS_RSA_WITH_3DES_EDE_CBC_SHA
1-8
1-8
TLS_RSA_WITH_AES_128_CBC_SHA
9+
9+
TLS_RSA_WITH_AES_128_CBC_SHA256
20+
TLS_RSA_WITH_AES_128_GCM_SHA256
20+
20+
TLS_RSA_WITH_AES_256_CBC_SHA
9+
20+
TLS_RSA_WITH_AES_256_CBC_SHA256
20+
TLS_RSA_WITH_AES_256_GCM_SHA384
20+
20+
TLS_RSA_WITH_DES_CBC_SHA
1-8
1-8
TLS_RSA_WITH_NULL_MD5
1-8
TLS_RSA_WITH_NULL_SHA
1-8
TLS_RSA_WITH_NULL_SHA256
20-22
SSLSocket
算法
支持的 API 级别
默认处于启用状态
SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
9-22
9-19
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
9-22
9-19
SSL_DHE_DSS_WITH_DES_CBC_SHA
9-22
9-19
SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
9-22
9-19
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
9-22
9-19
SSL_DHE_RSA_WITH_DES_CBC_SHA
9-22
9-19
SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA
9-22
SSL_DH_anon_EXPORT_WITH_RC4_40_MD5
9-22
SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
9-22
SSL_DH_anon_WITH_DES_CBC_SHA
9-22
SSL_DH_anon_WITH_RC4_128_MD5
9-22
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
9-22
9-19
SSL_RSA_EXPORT_WITH_RC4_40_MD5
9-22
9-19
SSL_RSA_WITH_3DES_EDE_CBC_SHA
9+
9-19
SSL_RSA_WITH_DES_CBC_SHA
9-22
9-19
SSL_RSA_WITH_NULL_MD5
9-22
SSL_RSA_WITH_NULL_SHA
9-22
SSL_RSA_WITH_RC4_128_MD5
9-25
9-19
SSL_RSA_WITH_RC4_128_SHA
9-25
9-23
TLS_DHE_DSS_WITH_AES_128_CBC_SHA
9-22
9-22
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
20-22
TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
20-22
TLS_DHE_DSS_WITH_AES_256_CBC_SHA
9-22
11-22
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
20-22
TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
20-22
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
9-25
9-25
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
20-25
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
20-25
20-25
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
9-25
11-25
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
20-25
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
20-25
20-25
TLS_DH_anon_WITH_AES_128_CBC_SHA
9-22
TLS_DH_anon_WITH_AES_128_CBC_SHA256
20-22
TLS_DH_anon_WITH_AES_128_GCM_SHA256
20-22
TLS_DH_anon_WITH_AES_256_CBC_SHA
9-22
TLS_DH_anon_WITH_AES_256_CBC_SHA256
20-22
TLS_DH_anon_WITH_AES_256_GCM_SHA384
20-22
TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
11-22
11-19
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
11+
11+
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
20+
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
20+
20+
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
11+
11+
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
20+
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
20+
20+
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
24+
24+
TLS_ECDHE_ECDSA_WITH_NULL_SHA
11-22
TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
11-25
11-23
TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA
21+
21+
TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA
21+
21+
TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256
24+
24+
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
11-22
11-19
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
11+
11+
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
20+
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
20+
20+
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
11+
11+
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
20+
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
20+
20+
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
24+
24+
TLS_ECDHE_RSA_WITH_NULL_SHA
11-22
TLS_ECDHE_RSA_WITH_RC4_128_SHA
11-25
11-23
TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
11-22
11-19
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
11-22
11-19
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
20-22
TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
20-22
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
11-22
11-19
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
20-22
TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
20-22
TLS_ECDH_ECDSA_WITH_NULL_SHA
11-22
TLS_ECDH_ECDSA_WITH_RC4_128_SHA
11-22
11-19
TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
11-22
11-19
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
11-22
11-19
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
20-22
TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
20-22
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
11-22
11-19
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
20-22
TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
20-22
TLS_ECDH_RSA_WITH_NULL_SHA
11-22
TLS_ECDH_RSA_WITH_RC4_128_SHA
11-22
11-19
TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA
11-22
TLS_ECDH_anon_WITH_AES_128_CBC_SHA
11-22
TLS_ECDH_anon_WITH_AES_256_CBC_SHA
11-22
TLS_ECDH_anon_WITH_NULL_SHA
11-22
TLS_ECDH_anon_WITH_RC4_128_SHA
11-22
TLS_EMPTY_RENEGOTIATION_INFO_SCSV
11+
11+
TLS_FALLBACK_SCSV
21+
TLS_PSK_WITH_3DES_EDE_CBC_SHA
21-22
TLS_PSK_WITH_AES_128_CBC_SHA
21+
21+
TLS_PSK_WITH_AES_256_CBC_SHA
21+
21+
TLS_PSK_WITH_RC4_128_SHA
21-25
TLS_RSA_WITH_AES_128_CBC_SHA
9+
9+
TLS_RSA_WITH_AES_128_CBC_SHA256
20+
TLS_RSA_WITH_AES_128_GCM_SHA256
20+
20+
TLS_RSA_WITH_AES_256_CBC_SHA
9+
11+
TLS_RSA_WITH_AES_256_CBC_SHA256
20+
TLS_RSA_WITH_AES_256_GCM_SHA384
20+
20+
TLS_RSA_WITH_NULL_SHA256
20-22
SecretKeyFactory
算法
支持的 API 级别
AES
23+
DES
1+
DESede
1+
HmacSHA1
23+
HmacSHA224
23+
HmacSHA256
23+
HmacSHA384
23+
HmacSHA512
23+
PBEwithHmacSHA1
1+
PBEwithHmacSHA1AndAES_128
26+
PBEwithHmacSHA1AndAES_256
26+
PBEwithHmacSHA224AndAES_128
26+
PBEwithHmacSHA224AndAES_256
26+
PBEwithHmacSHA256AndAES_128
26+
PBEwithHmacSHA256AndAES_256
26+
PBEwithHmacSHA384AndAES_128
26+
PBEwithHmacSHA384AndAES_256
26+
PBEwithHmacSHA512AndAES_128
26+
PBEwithHmacSHA512AndAES_256
26+
PBEwithMD5AND128BITAES-CBC-OPENSSL
1+
PBEwithMD5AND192BITAES-CBC-OPENSSL
1+
PBEwithMD5AND256BITAES-CBC-OPENSSL
1+
PBEwithMD5ANDDES
1+
PBEwithMD5ANDRC2
1+
PBEwithSHA1ANDDES
1+
PBEwithSHA1ANDRC2
1+
PBEwithSHA256AND128BITAES-CBC-BC
1+
PBEwithSHA256AND192BITAES-CBC-BC
1+
PBEwithSHA256AND256BITAES-CBC-BC
1+
PBEwithSHAAND128BITAES-CBC-BC
1+
PBEwithSHAAND128BITRC2-CBC
10+
PBEwithSHAAND128BITRC4
10+
PBEwithSHAAND192BITAES-CBC-BC
1+
PBEwithSHAAND2-KEYTRIPLEDES-CBC
1+
PBEwithSHAAND256BITAES-CBC-BC
1+
PBEwithSHAAND3-KEYTRIPLEDES-CBC
1+
PBEwithSHAAND40BITRC2-CBC
1+
PBEwithSHAAND40BITRC4
10+
PBEwithSHAANDTWOFISH-CBC
10+
PBKDF2withHmacSHA1
10+
PBKDF2withHmacSHA1And8BIT
19+
PBKDF2withHmacSHA224
26+
PBKDF2withHmacSHA256
26+
PBKDF2withHmacSHA384
26+
PBKDF2withHmacSHA512
26+
SecureRandom
算法
支持的 API 级别
SHA1PRNG
1+
Signature
算法
支持的 API 级别
DSA
1+
DSAwithSHA1
1+
DSS
1-19
ECDSA
11+
ECDSAwithSHA1
11+
MD2withRSA
1-3
MD4withRSA
1-8
MD5withRSA
1+
MD5withRSA/ISO9796-2
1-8
NONEwithDSA
1+
NONEwithECDSA
11+
NONEwithRSA
17+
RSASSA-PSS
1-8
SHA1withDSA
1+
SHA1withECDSA
11+
SHA1withRSA
1+
SHA1withRSA/ISO9796-2
1-8
SHA1withRSA/PSS
23+
SHA224withDSA
20+
SHA224withECDSA
20+
SHA224withRSA
20+
SHA224withRSA/PSS
23+
SHA256withDSA
1+
SHA256withECDSA
11+
SHA256withRSA
1+
SHA256withRSA/PSS
23+
SHA384withECDSA
11+
SHA384withRSA
1+
SHA384withRSA/PSS
23+
SHA512withECDSA
11+
SHA512withRSA
1+
SHA512withRSA/PSS
23+
TrustManagerFactory
算法
支持的 API 级别
PKIX
1+