Generating 128-bit keys with keytool (Java)
Notice: this content is provided under the CC BY-SA 4.0 license. You are free to use and share it, but you must attribute it to the original authors (not me): Stack Overflow
Original URL: http://stackoverflow.com/questions/881661/

Asked by Chry Cheng
Is there a way to generate a 128-bit key pair suitable for encryption using Sun's keytool program? It seems that the algorithms available in http://java.sun.com/javase/6/docs/technotes/guides/security/StandardNames.html#KeyPairGenerator are either not supported or do not allow keys shorter than 512 bits.
The key pair will be used with the following code snippet:
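    // Imports the snippet needs (IOUtils is assumed to be Apache Commons IO)
    import java.io.FileInputStream;
    import java.io.OutputStream;
    import java.security.KeyStore;
    import java.security.PrivateKey;
    import java.security.Security;
    import java.security.cert.X509Certificate;
    import org.apache.commons.io.IOUtils;
    import org.bouncycastle.cms.CMSEnvelopedDataGenerator;
    import org.bouncycastle.cms.CMSEnvelopedDataStreamGenerator;
    import org.bouncycastle.jce.provider.BouncyCastleProvider;

    Security.addProvider(new BouncyCastleProvider());
    // Load the PKCS#12 keystore that holds the key pair and its certificate
    KeyStore keyStore = KeyStore.getInstance("PKCS12");
    FileInputStream keyStoreSource = new FileInputStream("keystore");
    try {
        keyStore.load(keyStoreSource, "password".toCharArray());
    } finally {
        keyStoreSource.close();
    }
    // Use the first entry in the keystore
    String alias = (String) keyStore.aliases().nextElement();
    PrivateKey privateKey = (PrivateKey) keyStore.getKey(alias, "password".toCharArray());
    X509Certificate certificate = (X509Certificate) keyStore.getCertificate(alias);
    // The certificate's public key protects the content key; the data itself is encrypted with AES-128-CBC
    CMSEnvelopedDataStreamGenerator generator = new CMSEnvelopedDataStreamGenerator();
    generator.addKeyTransRecipient(certificate);
    OutputStream output2 = generator.open(output, CMSEnvelopedDataGenerator.AES128_CBC, BouncyCastleProvider.PROVIDER_NAME);
    try {
        IOUtils.copy(input, output2);
    } finally {
        output2.close();
        output.close();
    }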
where output is some OutputStream where the encrypted data will be saved and input is some InputStream where the plaintext data will be read.

Answered by igorp1024
You just need to specify a different storetype:
    keytool -genseckey -alias check2 -keyalg AES -keysize 128 -storepass changeit -storetype JCEKS -keystore ks.jck

Answered by joeforker
Certificates are used for public key cryptography and do not contain encryption keys for the symmetric block cipher AES-128. Instead, public key cryptography is used only to encrypt or negotiate the 128-bit AES key and the rest of the conversation uses AES.
The 128-bit AES key is not a certificate, it's just 128 bits from a cryptographically strong random number generator or derived from a passphrase using a hashing algorithm such as PBKDF2. How you get these bits will depend on your application. SSL/TLS must negotiate a random key, but a hard disk encryption program would derive the key from a passphrase.

Answered by Sani Singh Huttunen
It would make sense that shorter than 512-bit key pairs cannot be generated. Public Key cryptography needs a longer key than symmetric key cryptography to sustain the same level of security. A 128-bit key pair is not recommended for public key cryptography.
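
The split described in the answers above, as an added example that is not part of the original thread: a 2048-bit RSA key pair protects a 128-bit AES content key, which is what a CMS key-transport recipient does with the certificate's public key. It uses only JDK classes; the class name, passphrase, salt size and PBKDF2 iteration count are assumptions chosen for illustration.

```java
import java.security.*;
import java.util.Arrays;
import javax.crypto.*;
import javax.crypto.spec.*;

// Added example: hybrid encryption key handling with JDK APIs only.
public class HybridKeyDemo {

    // 128 bits taken from the JDK's cryptographically strong RNG.
    static SecretKey randomAesKey() throws GeneralSecurityException {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128, new SecureRandom());
        return kg.generateKey();
    }

    // 128 bits derived from a passphrase with PBKDF2; the salt is stored beside the ciphertext.
    static SecretKey derivedAesKey(char[] passphrase, byte[] salt) throws GeneralSecurityException {
        PBEKeySpec spec = new PBEKeySpec(passphrase, salt, 600_000, 128); // iteration count is an assumption
        byte[] raw = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        return new SecretKeySpec(raw, "AES");
    }

    public static void main(String[] args) throws Exception {
        // The key pair is RSA-2048; only the content key is 128 bits.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair recipient = kpg.generateKeyPair();
        SecretKey contentKey = randomAesKey();

        // Sender: wrap the AES key under the recipient's public key (RSA-OAEP).
        Cipher rsa = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
        rsa.init(Cipher.WRAP_MODE, recipient.getPublic());
        byte[] wrapped = rsa.wrap(contentKey);

        // Recipient: unwrap with the private key to recover the same 128-bit key.
        rsa.init(Cipher.UNWRAP_MODE, recipient.getPrivate());
        Key unwrapped = rsa.unwrap(wrapped, "AES", Cipher.SECRET_KEY);

        // Alternative source of the 128 bits: a passphrase (constructed sample value).
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        SecretKey fromPass = derivedAesKey("constructed sample passphrase".toCharArray(), salt);

        System.out.println("content key bits : " + contentKey.getEncoded().length * 8);
        System.out.println("wrapped key bits : " + wrapped.length * 8);
        System.out.println("round trip ok    : " + Arrays.equals(contentKey.getEncoded(), unwrapped.getEncoded()));
        System.out.println("derived key bits : " + fromPass.getEncoded().length * 8);
    }
}
```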