I'm creating an app to store encrypted data.
In this question, the OP is advised to store user's credential in clear.
But what if I'd like to store an encrypted password created with SecretKeySpec (the one used to encrypt data)? From my understanding the secret key is itself encrypted.
So I can I store and retrieve it.
Note: I'm not asking how to store preferences, just if my understanding of how SecretKeySpec works and how to, sort of, serialize and retrieve the encrypted password.
EDIT: Sorry, I forgot to specify it needs to be compatible with API level 4.
Straight from the developer site:
Be smart about security!
It's important to understand that AccountManager is not an encryption service or a keychain. It stores account credentials just as you pass them, in plain text. On most devices, this isn't a particular concern, because it stores them in a database that is only accessible to root. But on a rooted device, the credentials would be readable by anyone with adb access to the device.
With this in mind, you shouldn't pass the user's actual password to AccountManager.addAccountExplicitly(). Instead, you should store a cryptographically secure token that would be of limited use to an attacker. If your user credentials are protecting something valuable, you should carefully consider doing something similar.
Remember: When it comes to security code, follow the "Mythbusters" rule: don't try this at home! Consult a security professional before implementing any custom account code.
Now that the security disclaimers are out of the way, it's time to get back to work. You've already implemented the meat of your custom account code; what's left is plumbing.
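The token-instead-of-password advice quoted above, sketched as an added example (not code from the question, the answer, or the Android documentation). The account type, token type and class name are assumptions, the token is assumed to have been issued by your server after login, and AccountManager requires API level 5 or later:

```java
import android.accounts.Account;
import android.accounts.AccountManager;
import android.content.Context;

public final class TokenAccountStore {
    // Assumed values for this example; use the types your authenticator declares.
    private static final String ACCOUNT_TYPE = "com.example.account";
    private static final String TOKEN_TYPE = "session";

    private TokenAccountStore() {}

    /** Registers the account with no password and caches the server-issued token. */
    public static void saveToken(Context context, String username, String serverToken) {
        AccountManager am = AccountManager.get(context);
        Account account = new Account(username, ACCOUNT_TYPE);
        // Password argument is null: the real password never reaches the
        // plain-text accounts database. Returns false if the account already exists.
        am.addAccountExplicitly(account, null, null);
        // The token is also stored in plain text, but it can be scoped,
        // expired and revoked server-side, unlike the user's password.
        am.setAuthToken(account, TOKEN_TYPE, serverToken);
    }

    /** Returns the cached token, or null if none is stored. */
    public static String readToken(Context context, String username) {
        AccountManager am = AccountManager.get(context);
        return am.peekAuthToken(new Account(username, ACCOUNT_TYPE), TOKEN_TYPE);
    }

    /** Drops a token the server has rejected so the next login fetches a fresh one. */
    public static void dropToken(Context context, String staleToken) {
        AccountManager.get(context).invalidateAuthToken(ACCOUNT_TYPE, staleToken);
    }
}
```

These calls only succeed from an app that shares the signature of the authenticator registered for the account type.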