貌似是上个周五(2016.12.23)支付宝新推出的AR红包,LBS加图像识别的另一个创新,这个新玩法还是挺新颖的,算是支付宝社交的一个高招。公司的小伙伴玩得不亦乐乎,我也玩了一把。这些不是重点,这两天看博客发现有很多人开始放大招去破解了。送点福利:http://thunf.me/aliAR/ 破解思路大同小异,大都是对图片进行简单的处理,尽可能还原出与原图相似度较高的图片。
话归正传,这段时间项目上马热修复,经过一段时间的调研选型,技术方案尘埃落定,最终用了阿里开源的AndFix。因为是金融产品,对安全性有一定要求,公司的安全部门也会严格监管,所以最后确定了一套安全方案。具体执行落到了我的头上。具体的热修复集成和原理不在此文赘述。github或者网上大牛的博客已经非常详细。安全方案中用到了几个常见的加密算法,非对称加密RSA,对称加密AES,还有MD5校验以及文件加壳,除了AES实现过程中略显蛋疼,其他问题都不大。
按理说,后端应提供上传页面供我们上传补丁包,加密过程也该由他们去实现,但为了省去后端的工作量,我们选择了将自行实现加密过程,然后将经过加密处理的补丁包还有一个必要的信息文件一起部署到服务器。为了实现自动化,决定将加密过程用java代码实现打成jar包,然后用脚本去执行等到加密后的补丁包。这样加密过程在java平台实现,而解密过程是在Android平台实现。后来发现在java平台经AES加密后的文件在Android平台用同一套代码解不开。原因是有某些api存在不兼容的情况。几经挣扎,最后还是解决了,下面贴出这段代码,就是一个简单的工具类。
package hotfix;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.FileOutputStream;
import java.io.IOException;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.SecureRandom;
import javax.crypto.Cipher;
import javax.crypto.CipherInputStream;
import javax.crypto.CipherOutputStream;
import javax.crypto.KeyGenerator;
import javax.crypto.NoSuchPaddingException;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
/**
* Created by pengdongyuan491 on 16/11/15.
*/
public class AESHelper {
public static final String VIPARA = "0102030405060708";
private static final String TAG = AESHelper.class.getSimpleName();
/**
* 初始化 AES Cipher
*
* @param sKey
* @param cipherMode
* @return
*/
private static Cipher initAESCipher(String sKey, int cipherMode) {
//创建Key gen
KeyGenerator keyGenerator = null;
Cipher cipher = null;
try {
IvParameterSpec zeroIv = new IvParameterSpec(VIPARA.getBytes());
SecretKeySpec key = new SecretKeySpec(sKey.getBytes(), "AES");
cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
cipher.init(cipherMode, key, zeroIv);
} catch (NoSuchAlgorithmException e) {
e.printStackTrace(); //To change body of catch statement use File | Settings | File Templates.
} catch (NoSuchPaddingException e) {
e.printStackTrace(); //To change body of catch statement use File | Settings | File Templates.
} catch (InvalidKeyException e) {
e.printStackTrace(); //To change body of catch statement use File | Settings | File Templates.
} catch (InvalidAlgorithmParameterException e) {
// TODO Auto-generated catch block
e.printStackTrace();
}
return cipher;
}
/**
* 对文件进行AES加密
*
* @param key
* @param sourceFilePath
* @param destFilePath
* @return
*/
public static File encryptFile(String key, String sourceFilePath, String destFilePath) {
System.out.printf(sourceFilePath);
FileInputStream in = null;
FileOutputStream out = null;
File destFile = null;
File sourceFile = null;
try {
sourceFile = new File(sourceFilePath);
System.out.printf( sourceFilePath + "---" + sourceFile.getAbsolutePath());
destFile = new File(destFilePath);
if (sourceFile.exists() && sourceFile.isFile()) {
if (!destFile.getParentFile().exists()) {
destFile.getParentFile().mkdirs();
}
destFile.createNewFile();
in = new FileInputStream(sourceFile);
out = new FileOutputStream(destFile);
Cipher cipher = initAESCipher(key, Cipher.ENCRYPT_MODE);
//以加密流写入文件
CipherInputStream cipherInputStream = new CipherInputStream(in, cipher);
byte[] cache = new byte[1024];
int nRead = 0;
while ((nRead = cipherInputStream.read(cache)) != -1) {
out.write(cache, 0, nRead);
out.flush();
}
cipherInputStream.close();
}
} catch (FileNotFoundException e) {
e.printStackTrace(); //To change body of catch statement use File | Settings | File Templates.
} catch (IOException e) {
e.printStackTrace(); //To change body of catch statement use File | Settings | File Templates.
} finally {
try {
out.close();
} catch (IOException e) {
e.printStackTrace(); //To change body of catch statement use File | Settings | File Templates.
}
try {
in.close();
} catch (IOException e) {
e.printStackTrace(); //To change body of catch statement use File | Settings | File Templates.
}
}
return destFile;
}
/**
* AES方式解密文件
*
* @param key
* @param sourceFilePath
* @param destFilePath
* @return
*/
public static File decryptFile(String key, String sourceFilePath, String destFilePath) {
FileInputStream in = null;
FileOutputStream out = null;
File destFile = null;
File sourceFile = null;
try {
sourceFile = new File(sourceFilePath);
destFile = new File(destFilePath);
if (sourceFile.exists() && sourceFile.isFile()) {
if (!destFile.getParentFile().exists()) {
destFile.getParentFile().mkdirs();
}
destFile.createNewFile();
in = new FileInputStream(sourceFile);
out = new FileOutputStream(destFile);
Cipher cipher = initAESCipher(key, Cipher.DECRYPT_MODE);
CipherOutputStream cipherOutputStream = new CipherOutputStream(out, cipher);
byte[] buffer = new byte[1024];
int r;
while ((r = in.read(buffer)) >= 0) {
cipherOutputStream.write(buffer, 0, r);
}
cipherOutputStream.close();
}
} catch (IOException e) {
e.printStackTrace(); //To change body of catch statement use File | Settings | File Templates.
} finally {
try {
in.close();
} catch (IOException e) {
e.printStackTrace(); //To change body of catch statement use File | Settings | File Templates.
}
try {
out.close();
} catch (IOException e) {
e.printStackTrace(); //To change body of catch statement use File | Settings | File Templates.
}
}
return destFile;
}
}
算法中用到了一个填充向量,即VIPARA,这个向量的取值是不固定的,但是加密秘钥必须为16个字节,譬如“abcdefghabcdefgh”,经测试在java和android凭条是通用的,希望对大家日常开发的需求有所帮助。