前端js传输明文漏洞

我这是用的是用到的是Google的aes加密算法,下载地址https://github.com/brix/crypto-js/tree/master,中间还是踩了一些坑,aes加密算法有多种模式,具体可看https://www.cnblogs.com/shawWey/p/8425663.html
我这是用到的是CBC模式,废话不多说,直接上代码:

js代码

//aes加密
function encrypt(word) {
     var key = CryptoJS.enc.Utf8.parse("1234560405060708"); //16位
     var iv = CryptoJS.enc.Utf8.parse("1234560405060708");
     var encrypted = '';
     if (typeof(word) == 'string') {
         var srcs = CryptoJS.enc.Utf8.parse(word);
         encrypted = CryptoJS.AES.encrypt(srcs, key, {
             iv: iv,
             mode: CryptoJS.mode.CBC,
             padding: CryptoJS.pad.Pkcs7
         });
     } else if (typeof(word) == 'object') {//对象格式的转成json字符串
         data = JSON.stringify(word);
         var srcs = CryptoJS.enc.Utf8.parse(data);
         encrypted = CryptoJS.AES.encrypt(srcs, key, {
             iv: iv,
             mode: CryptoJS.mode.CBC,
             padding: CryptoJS.pad.Pkcs7
         })
     }
     return encrypted.ciphertext.toString();
 }
 // aes解密
 function decrypt(word) {
     var key = CryptoJS.enc.Utf8.parse("1234567890000000");
     var iv = CryptoJS.enc.Utf8.parse("1234567890000000");
     var encryptedHexStr = CryptoJS.enc.Hex.parse(word);
     var srcs = CryptoJS.enc.Base64.stringify(encryptedHexStr);
     var decrypt = CryptoJS.AES.decrypt(srcs, key, {
         iv: iv,
         mode: CryptoJS.mode.CBC,
         padding: CryptoJS.pad.Pkcs7
     });
     var decryptedStr = decrypt.toString(CryptoJS.enc.Utf8);
     return decryptedStr.toString();
 }

java代码


package cn.stylefeng.guns.core.util;

import lombok.extern.slf4j.Slf4j;
import org.apache.commons.lang3.RandomUtils;
import org.apache.commons.lang3.StringUtils;

import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.util.Random;

/**
 * @ClassName:AESUtil
 * @Author:txzhang
 * @Date:2020/1/16—11:39
 * @Description: Google aes CBC模式 加解密
 **/
@Slf4j
public class AESCBCUtil {

    private static final String ENCODING = "GBK";

    private static final String KEY_ALGORITHM = "AES";
    /**
     * 加解密算法/工作模式/填充方式
     */
    private static final String DEFAULT_CIPHER_ALGORITHM = "AES/CBC/PKCS5Padding";
    /**
     * 填充向量
     */
    public static final String FILL_VECTOR = "1234560405060708";

    private static final String ALL_CHAR = "0123456789abcdefghijklmnopqrstuvwxyz";
    private static final int charLength = 36;

    /**
     * 加密字符串
     *
     * @param content  字符串
     * @param password 密钥KEY
     * @return
     * @throws Exception
     */
    public static String encrypt(String content, String password) {
        if (StringUtils.isAnyEmpty(content, password)) {
            log.error("AES encryption params is null");
            return null;
        }

        byte[] raw = hex2byte(password);
        SecretKeySpec skeySpec = new SecretKeySpec(raw, KEY_ALGORITHM);
        Cipher cipher = null;
        try {
            cipher = Cipher.getInstance(DEFAULT_CIPHER_ALGORITHM);
            IvParameterSpec iv = new IvParameterSpec(FILL_VECTOR.getBytes());
            cipher.init(Cipher.ENCRYPT_MODE, skeySpec, iv);
            byte[] anslBytes = content.getBytes(ENCODING);
            byte[] encrypted = cipher.doFinal(anslBytes);
            return byte2hex(encrypted).toUpperCase();
        } catch (Exception e) {
            log.error("AES encryption operation has exception,content:{},password:{}", content, password, e);
        }
        return null;
    }

    /**
     * 解密
     *
     * @param content  解密前的字符串
     * @param key 解密KEY
     * @return
     * @throws Exception
     * @author cdduqiang
     * @date 2014年4月3日
     */
    public static String decrypt(String content, String key) {
        if (StringUtils.isAnyEmpty(content, key)) {
            log.error("AES decryption params is null");
            return null;
        }
        try {
            byte[] raw = hex2byte(key);
            SecretKeySpec skeySpec = new SecretKeySpec(raw, KEY_ALGORITHM);
            Cipher cipher = Cipher.getInstance(DEFAULT_CIPHER_ALGORITHM);
            IvParameterSpec iv = new IvParameterSpec(FILL_VECTOR.getBytes());
            cipher.init(Cipher.DECRYPT_MODE, skeySpec, iv);
            byte[] encrypted1 = hex2byte(content);
            byte[] original = cipher.doFinal(encrypted1);
            return new String(original, ENCODING);
        } catch (Exception e) {
            log.error("AES decryption operation has exception,content:{},password:{}", content, key, e);
        }
        return null;
    }

    private static byte[] hex2byte(String strhex) {
        if (strhex == null) {
            return null;
        }
        int l = strhex.length();
        if (l % 2 == 1) {
            return null;
        }
        byte[] b = new byte[l / 2];
        for (int i = 0; i != l / 2; i++) {
            b[i] = (byte) Integer.parseInt(strhex.substring(i * 2, i * 2 + 2), 16);
        }
        return b;
    }

    public static String byte2hex(byte[] b) {
        String hs = "";
        String stmp = "";
        for (int n = 0; n < b.length; n++) {
            stmp = (java.lang.Integer.toHexString(b[n] & 0XFF));
            if (stmp.length() == 1) {
                hs = hs + "0" + stmp;
            } else {
                hs = hs + stmp;
            }
        }
        return hs.toUpperCase();
    }

    /**
     * key生成器
     * @return
     */
    public static String generatorKey(int length) {
        StringBuffer result = new StringBuffer();
        Random random = new Random();
        for (int i = 0; i < length; i++) {
            int index = random.nextInt(charLength);
            result.append(ALL_CHAR.charAt(index));
        }
        return result.toString();
    }

    public static void main(String[] args) {
        String pwd = "123456";
        String key = "1234567890000000";
        String key2 = byte2hex(key.getBytes());
        String encrypt = encrypt(pwd, key2);
        System.out.println(encrypt);

        System.out.println(decrypt(encrypt, key2));
    }
}

简单贴一下controller代码

@RequestMapping(value = "/login", method = RequestMethod.POST)
public String loginVali(HttpSession session) {
      String username = super.getPara("username").trim();
      String password = super.getPara("password").trim();
      String remember = super.getPara("remember");
      String key = AESCBCUtil.byte2hex(AESCBCUtil.FILL_VECTOR.getBytes());
      String newPwd = AESCBCUtil.decrypt(password, key);
      Subject currentUser = ShiroKit.getSubject();
      UsernamePasswordToken token = new UsernamePasswordToken(username, newPwd.toCharArray());

      //如果开启了记住我功能
      if ("on".equals(remember)) {
          token.setRememberMe(true);
      } else {
          token.setRememberMe(false);
      }
      //
	...
}

参考:
https://blog.csdn.net/xzx4959/article/details/81951037
https://www.cnblogs.com/shawWey/p/8425663.html
https://www.cnblogs.com/liyingying/p/6259756.html
https://www.jianshu.com/p/6eef6cf17c25

发布了45 篇原创文章 · 获赞 12 · 访问量 17万+
展开阅读全文

没有更多推荐了,返回首页

©️2019 CSDN 皮肤主题: 游动-白 设计师: 上身试试

分享到微信朋友圈

×

扫一扫,手机浏览