加密 – AES PKCS7填充

我刚开始学习Bouncy Castle的AES加密/解密.我正在使用带有256位密钥的AES / CBC / PKCS7PADDING.

BC可以成功加密和解密文本,但是在解密之后我注意到总是有一些空填充(0x00),因此我的哈希比较失败了.例如,假设原始输入字符串为“1234567890”,则解密的字节数组始终为:

{0x49,0x50,0x51,0x52,0x53,0x54,0x55,0x56,0x57,0x48,0x00,0x00,0x00,0x00,0x00,0x00}

为什么填充不是0x06,0x06,0x06,0x06,0x06,0x06?有没有办法在加密后确定性地告诉填充长度(可能是0),这样我可以在加密之前得到完全相同的字符串?

最佳答案 当您指定PKCS7时,BC将在加密前将填充添加到数据中,并在解密时再次将其删除.使用AES的PKCS7将始终添加至少1个字节的填充,并将添加足够的数据以使输入成为AES块大小的倍数.当验证填充的解密是正确的时,并且在PKCS7的情况下,还用作最后解密数据块的填充量以及实际数据量的指示符.

如果您尝试在解密步骤中解密加密和填充数据而未指定PKCS7,则填充仍将在解密数据中.

编辑:

为了说明我的观点..这里有一些Java代码用AES / CBC / PKCS7加密“1234567890”,然后在有和没有PKCS7填充的情况下再次解密它:

public class BCTest {
    public static void doTest() throws Exception {
        Security.addProvider(new BouncyCastleProvider());

        byte[] clearData = "1234567890".getBytes();
        SecretKey secretKey = new SecretKeySpec("0123456789ABCDEF".getBytes(), "AES");
        AlgorithmParameterSpec IVspec = new IvParameterSpec("0123456789ABCDEF".getBytes());

        // encrypt with PKCS7 padding
        Cipher encrypterWithPad = Cipher.getInstance("AES/CBC/PKCS7PADDING", "BC");
        encrypterWithPad.init(Cipher.ENCRYPT_MODE, secretKey, IVspec);
        byte[] encryptedData = encrypterWithPad.doFinal(clearData);
        System.out.println("Encryped data (" + encryptedData.length + " bytes): \t" + toHexString(encryptedData));

        // decrypt with PKCS7 pad
        Cipher decrypterWithPad = Cipher.getInstance("AES/CBC/PKCS7PADDING", "BC");
        decrypterWithPad.init(Cipher.DECRYPT_MODE, secretKey, IVspec);
        byte[] buffer1 = new byte[encryptedData.length]; 
        int decryptLen1 = decrypterWithPad.doFinal(encryptedData, 0, encryptedData.length, buffer1); 
        System.out.println("Decrypted with Pad (" + decryptLen1 + " bytes):  \t" + toHexString(buffer1));

        // decrypt without PKCS7 pad
        Cipher decrypterWithoutPad = Cipher.getInstance("AES/CBC/NOPADDING", "BC");
        decrypterWithoutPad.init(Cipher.DECRYPT_MODE, secretKey, IVspec);
        byte[] buffer2 = new byte[encryptedData.length]; 
        int decryptLen2 = decrypterWithoutPad.doFinal(encryptedData, 0, encryptedData.length, buffer2); 
        System.out.println("Decrypted without Pad (" + decryptLen2 + " bytes):\t" + toHexString(buffer2));
    }

    private static String toHexString(byte[] bytes) {
        return javax.xml.bind.DatatypeConverter.printHexBinary(bytes);
    }

    public static void main(String[] args) throws Exception {
        BCTest.doTest(); 
    }
}

输出:

Encryped data (16 bytes):           602CAE14358D0AC5C96E2D46D17E58E3
Decrypted with Pad (10 bytes):      31323334353637383930000000000000
Decrypted without Pad (16 bytes):   31323334353637383930060606060606

当使用padding选项解密时,输出已经填充了条带 – 并且密码指示10个字节的解密数据 – 缓冲区的其余部分填充为0.在没有填充选项的情况下解密,导致填充现在成为解密数据的一部分.

EDIT2:

现在看到原始代码,确认我的预感.方法GetOutputSize不返回解密字符串的输出大小,而只返回输出缓冲区中所需的最大空间.该方法在BC代码中有以下文档:

/**
* return the size of the output buffer required for an update plus a
* doFinal with an input of len bytes.
*
* @param len the length of the input.
* @return the space required to accommodate a call to update and doFinal
* with len bytes of input.
*/

DoFinal返回放入缓冲区的解密数据的实际长度.

所以

byte[] plainTextBuffer = new byte[cipher.GetOutputSize(data.Length - IV_LENGTH)];
int length = cipher.DoFinal(data, iv.Length, data.Length - iv.Length, plainTextBuffer, 0);

plainTextBuffer会比实际的解密数据略大 – 实际的数据长度是长度.

点赞