我们的系统一般都有用户、密码,用户登录向后端传送密码,明文传输过程中很容易被抓包盗取。我们可以有一下几种解决办法。
https诞生了,它不仅可以将你要传输的密码加密传输,甚至你的所有请求数据在网络传输中都是加密的,别人拿到数据包也没用。
https真的安全吗?
https是加密传输, 所以抓到包也没有用, 是密文的。 真是的这样吗? 以百度为例,如下图,可以看到传的用户名,密码(经过了加密)还是可以正常看到明文的。
为什么用https抓包, 还是能看到明文内容呢? 这里我们要理解https的栈流程, 梳理一下就知道, 加密层位于http层和tcp层之间, 所以抓到的http层的数据并没有加密。 同理, 在后台接收端, 经历解密后, 到达http层的数据也是明文。 要注意, https不是对http报文进行加密, 而是对传输数据进行加密, 最终还原http原始报文。
这里不得不再次强调,https保证的是传输过程中第三方抓包看到的是密文。客户端和服务端,无论如何都可以拿到明文。其实大多数人认为https加密传输安全是因为没有真正理解https的真实原理。为了更安全就需要自定义加密了。
上边说道,https能避免传输的过程中,如果有人截获到数据包只能看到加密后的信息,但是防不了在服务端和客户端截取数据的人。服务器端自不必说,如果黑客都能取到服务器的数据了那你加不加密估计也没什么意义了,但客户端就不一样了,许多密码泄露都是在客户端泄露的。所以客户端密码保护很重要!显然https这点就做不到了。那么,就只有写程序的人自己定义加密方式了。
还是以百度为例,在登录之前,百度前端获取了一次公钥,用公钥加密后传输加密后的密文密码,后端可以进行解密,这样做到了全流程加密传输。
我们以非对称加密RSA为例。
引入redis,是因为分布式系统,公钥、私钥需要保存在一个公共缓存中。
<dependencies>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<!-- https://mvnrepository.com/artifact/org.springframework.boot/spring-boot-starter-thymeleaf -->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-thymeleaf</artifactId>
</dependency>
<dependency>
<groupId>org.projectlombok</groupId>
<artifactId>lombok</artifactId>
<optional>true</optional>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-test</artifactId>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.apache.commons</groupId>
<artifactId>commons-collections4</artifactId>
<version>4.4</version>
</dependency>
<!-- https://mvnrepository.com/artifact/org.apache.commons/commons-lang3 -->
<dependency>
<groupId>org.apache.commons</groupId>
<artifactId>commons-lang3</artifactId>
<version>3.12.0</version>
</dependency>
<!-- https://mvnrepository.com/artifact/commons-codec/commons-codec -->
<dependency>
<groupId>commons-codec</groupId>
<artifactId>commons-codec</artifactId>
<version>1.15</version>
</dependency>
<!-- https://mvnrepository.com/artifact/org.bouncycastle/bcprov-ext-jdk15on -->
<dependency>
<groupId>org.bouncycastle</groupId>
<artifactId>bcprov-ext-jdk15on</artifactId>
<version>1.70</version>
</dependency>
<!-- https://mvnrepository.com/artifact/com.alibaba.fastjson2/fastjson2 -->
<dependency>
<groupId>com.alibaba.fastjson2</groupId>
<artifactId>fastjson2</artifactId>
<version>2.0.11</version>
</dependency>
<!--redis start-->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-data-redis</artifactId>
</dependency>
<!--spring2.0集成redis所需common-pool2 -->
<dependency>
<groupId>org.apache.commons</groupId>
<artifactId>commons-pool2</artifactId>
</dependency>
<!--redis end-->
</dependencies>package com.ybw.rsa.demo.service;
/**
* RSA接口
*
* @author ybwei
* @version V1.0
* @className RsaService
* @date 2022/8/13
**/
public interface RsaService {
/**
* 私钥解密
*
* @param encryptText
* @methodName: decryptWithPrivate
* @return: java.lang.String
* @author: ybwei
* @date: 2022/8/12
**/
String decryptWithPrivate(String encryptText) throws Exception;
/**
* 公钥加密-测试
*
* @param plaintext 明文内容
* @methodName: encrypt
* @return: byte[]
* @author: ybwei
* @date: 2022/8/12
**/
byte[] encrypt(String plaintext) throws Exception;
/**
* 私钥解密-测试
*
* @param cipherText 加密后的字节数组
* @methodName: decrypt
* @return: java.lang.String
* @author: ybwei
* @date: 2022/8/12
**/
String decrypt(byte[] cipherText) throws Exception;
/**
* 获取公钥
*
* @methodName: getPublicKey
* @return: java.lang.String
* @author: ybwei
* @date: 2022/8/12
**/
String getPublicKey() throws Exception;
}
package com.ybw.rsa.demo.service.impl;
import com.ybw.rsa.demo.constant.RedisPreConstant;
import com.ybw.rsa.demo.constant.RsaConstant;
import com.ybw.rsa.demo.service.RsaService;
import lombok.extern.slf4j.Slf4j;
import org.apache.commons.codec.binary.Base64;
import org.apache.commons.lang3.StringUtils;
import org.springframework.data.redis.core.RedisTemplate;
import org.springframework.stereotype.Service;
import javax.annotation.PostConstruct;
import javax.annotation.Resource;
import javax.crypto.Cipher;
import java.io.UnsupportedEncodingException;
import java.math.BigInteger;
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.security.*;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.PKCS8EncodedKeySpec;
import java.security.spec.X509EncodedKeySpec;
import java.util.concurrent.TimeUnit;
/**
* rsa加密
*
* @author ybw
* @version V1.0
* @className RsaServiceImpl
* @date 2022/8/12
**/
@Service
@Slf4j
public class RsaServiceImpl implements RsaService {
@Resource
private RedisTemplate redisTemplate;
/**
* 初始化
*
* @methodName: init
* @return: void
* @author: ybw
* @date: 2022/8/12
**/
@PostConstruct
public void init() throws Exception {
log.info("RsaServiceImpl init start");
Provider provider = new org.bouncycastle.jce.provider.BouncyCastleProvider();
Security.addProvider(provider);
SecureRandom random = new SecureRandom();
KeyPairGenerator generator = KeyPairGenerator.getInstance("RSA", provider);
generator.initialize(RsaConstant.KEY_SIZE, random);
KeyPair keyPair = generator.generateKeyPair();
//将公钥和私钥存放,登录时会不断请求获取公钥,我们可以将其放到缓存中,而不放入数据库了
//我在想,这个是不是有必要存放到Redis,在分布式场景中?
//貌似有些必要,万一获取到的pubkey是server1中的,拿着server1的pubkey去server2去解密?
storeRsa(keyPair);
log.info("RsaServiceImpl init end");
}
/**
* 将RSA存入缓存
*
* @param keyPair
* @methodName: storeRsa
* @return: void
* @author: ybwei
* @date: 2022/8/13
**/
private void storeRsa(KeyPair keyPair) {
//1、存储公钥key
String publicRedisKey = getRedisKey(RsaConstant.PUBLIC_KEY);
PublicKey publicKey = keyPair.getPublic();
//公钥字符串
String publicKeyStr = new String(Base64.encodeBase64(publicKey.getEncoded()));
redisTemplate.opsForValue().set(publicRedisKey, publicKeyStr, 1, TimeUnit.DAYS);
//2、存储私钥key
String privateRedisKey = getRedisKey(RsaConstant.PRIVATE_KEY);
PrivateKey privateKey = keyPair.getPrivate();
//私钥字符串
String privateKeyStr = new String(Base64.encodeBase64(privateKey.getEncoded()));
redisTemplate.opsForValue().set(privateRedisKey, privateKeyStr, 1, TimeUnit.DAYS);
}
/**
* @className RsaServiceImpl
* @author ybw
* @date 2022/8/12
* @version V1.0
**/
private String getRedisKey(String publicKey) {
return new StringBuilder()
.append(RedisPreConstant.RSA)
.append(publicKey)
.toString();
}
/**
* 从字符串中加载公钥
*
* @methodName: loadPublicKeyByStr
* @return: java.security.interfaces.RSAPublicKey
* @author: ybwei
* @date: 2022/8/13
**/
public RSAPublicKey loadPublicKeyByStr() throws Exception {
try {
//公钥数据字符串
String publicKeyStr = getPublicKey();
byte[] buffer = Base64.decodeBase64(publicKeyStr);
KeyFactory keyFactory = KeyFactory.getInstance("RSA");
X509EncodedKeySpec keySpec = new X509EncodedKeySpec(buffer);
return (RSAPublicKey) keyFactory.generatePublic(keySpec);
} catch (NoSuchAlgorithmException e) {
throw new Exception("无此算法");
} catch (InvalidKeySpecException e) {
throw new Exception("公钥非法");
} catch (NullPointerException e) {
throw new Exception("公钥数据为空");
}
}
/**
* 从字符串中加载私钥
*
* @methodName: loadPrivateKeyByStr
* @return: java.security.interfaces.RSAPrivateKey
* @author: ybwei
* @date: 2022/8/13
**/
public RSAPrivateKey loadPrivateKeyByStr() throws Exception {
try {
//私钥数据字符串
String privateKeyStr = getPrivateKey();
byte[] buffer = Base64.decodeBase64(privateKeyStr);
PKCS8EncodedKeySpec keySpec = new PKCS8EncodedKeySpec(buffer);
KeyFactory keyFactory = KeyFactory.getInstance("RSA");
return (RSAPrivateKey) keyFactory.generatePrivate(keySpec);
} catch (NoSuchAlgorithmException e) {
throw new Exception("无此算法");
} catch (InvalidKeySpecException e) {
throw new Exception("私钥非法");
} catch (NullPointerException e) {
throw new Exception("私钥数据为空");
}
}
/**
* 私钥解密(解密前台公钥加密的密文)
*
* @param encryptText 公钥加密的数据
* @return 私钥解密出来的数据
* @throws Exception e
*/
@Override
public String decryptWithPrivate(String encryptText) throws Exception {
if (StringUtils.isBlank(encryptText)) {
return null;
}
byte[] en_byte = Base64.decodeBase64(encryptText.getBytes());
Provider provider = new org.bouncycastle.jce.provider.BouncyCastleProvider();
Security.addProvider(provider);
Cipher ci = Cipher.getInstance("RSA/ECB/PKCS1Padding", provider);
PrivateKey privateKey = loadPrivateKeyByStr();
ci.init(Cipher.DECRYPT_MODE, privateKey);
byte[] res = ci.doFinal(en_byte);
return new String(res);
}
/**
* 公钥加密
*
* @param plaintext 明文内容
* @return byte[]
* @throws UnsupportedEncodingException e
*/
@Override
public byte[] encrypt(String plaintext) throws Exception {
String encode = URLEncoder.encode(plaintext, "utf-8");
RSAPublicKey rsaPublicKey = loadPublicKeyByStr();
//获取公钥指数
BigInteger e = rsaPublicKey.getPublicExponent();
//获取公钥系数
BigInteger n = rsaPublicKey.getModulus();
//获取明文字节数组
BigInteger m = new BigInteger(encode.getBytes());
//进行明文加密
BigInteger res = m.modPow(e, n);
return res.toByteArray();
}
/**
* 私钥解密
*
* @param cipherText 加密后的字节数组
* @return 解密后的数据
* @throws UnsupportedEncodingException e
*/
@Override
public String decrypt(byte[] cipherText) throws Exception {
RSAPrivateKey prk = loadPrivateKeyByStr();
// 获取私钥参数-指数/系数
BigInteger d = prk.getPrivateExponent();
BigInteger n = prk.getModulus();
// 读取密文
BigInteger c = new BigInteger(cipherText);
// 进行解密
BigInteger m = c.modPow(d, n);
// 解密结果-字节数组
byte[] mt = m.toByteArray();
//转成String,此时是乱码
String en = new String(mt);
//再进行编码,最后返回解密后得到的明文
return URLDecoder.decode(en, "UTF-8");
}
/**
* 获取公钥
*
* @methodName: getPublicKey
* @return: java.lang.String
* @author: ybw
* @date: 2022/8/12
**/
@Override
public String getPublicKey() throws Exception {
//1、获取redis key
String publicRedisKey = getRedisKey(RsaConstant.PUBLIC_KEY);
//2、获取公钥字符串
String publicKeyStr = (String) redisTemplate.opsForValue().get(publicRedisKey);
if (StringUtils.isNotBlank(publicKeyStr)) {
log.info("RsaServiceImpl getPublicKey publicKeyStr:{}", publicKeyStr);
return publicKeyStr;
}
//3、初始化
init();
//4、重新获取公钥字符串
return getPublicKey();
}
/**
* 获取私钥
*
* @methodName: getPrivateKey
* @return: java.lang.String
* @author: ybw
* @date: 2022/8/12
**/
public String getPrivateKey() throws Exception {
//1、获取redis key
String privateRedisKey = getRedisKey(RsaConstant.PRIVATE_KEY);
//2、获取私钥数据字符串
String privateKeyStr = (String) redisTemplate.opsForValue().get(privateRedisKey);
if (StringUtils.isNotBlank(privateKeyStr)) {
log.info("RsaServiceImpl getPrivateKey privateKeyStr:{}", privateKeyStr);
return privateKeyStr;
}
//3、初始化
init();
//4、重新获取公钥字符串
return getPrivateKey();
}
}
获取公钥
package com.ybw.rsa.demo.controller;
import com.ybw.rsa.demo.service.RsaService;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;
import javax.annotation.Resource;
/**
* @author ybwei
* @version V1.0
* @className RSAController
* @date 2022/8/12
**/
@RestController
public class RSAController {
@Resource
private RsaService rsaService;
/**
* 获取公钥
*
* @methodName: getPublicKey
* @return: java.lang.String
* @author: ybw
* @date: 2022/8/12
**/
@GetMapping("/getPublicKey")
public String getPublicKey() throws Exception {
return rsaService.getPublicKey();
}
}
登录接口(解密逻辑)
package com.ybw.rsa.demo.controller;
import com.alibaba.fastjson2.JSON;
import com.ybw.rsa.demo.service.RsaService;
import com.ybw.rsa.demo.vo.req.LoginReqVO;
import lombok.extern.slf4j.Slf4j;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.*;
import javax.annotation.Resource;
@Controller
@Slf4j
public class LoginController {
@Resource
private RsaService rsaService;
/**
* @param loginReqVO
* @methodName: login
* @return: java.lang.String
* @author: ybw
* @date: 2022/8/12
**/
@PostMapping(value = "/login")
@ResponseBody
public String login(@RequestBody LoginReqVO loginReqVO) throws Exception {
log.info("loginReqVO:{}", JSON.toJSONString(loginReqVO));
//解密后的密码
String password = rsaService.decryptWithPrivate(loginReqVO.getPassword());
log.info("解密后密码,password:{}", password);
return "OK";
}
}
密码解密成功
[INFO ] 2022-08-13 23:46:02.239 [http-nio-8081-exec-8] c.y.r.d.service.impl.RsaServiceImpl - RsaServiceImpl getPublicKey publicKeyStr:MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDJuAH3mGIYUm2CRWifRbRWFef9dKaK3M9WtI0o7ikjQI5NQocEimaqHhoIxYOjb3Z5XIT1ZkI0Roa7L+J8psfVcXeKr3UxT3OnQCdJphC8bRfv9Hzu0sayqtLj7T9t7nptyAfDcME7cRaGiNJoXrMYl8hkFXzDDRbO2tFwymwGkwIDAQAB
[INFO ] 2022-08-13 23:46:02.254 [http-nio-8081-exec-9] c.y.r.d.controller.LoginController - loginReqVO:{"password":"JYZckB2tGtpuJQfqYRLYVGd/jHHPtPtWmEOf+BAtLTydyhvoQoNbejVE5ufoeV1FrQzOgTfx0aUCH3sBrm/xcKP2QWHxzp68tqD9n4ZpWkSP+D8tJmTQgIPHkCOtYekpqVa3/QKKI0c8fU7ADu4FrMRbQLadmIYdi1wsrfIqvK8=","username":"admin"}
[INFO ] 2022-08-13 23:46:02.726 [http-nio-8081-exec-9] c.y.r.d.service.impl.RsaServiceImpl - RsaServiceImpl getPrivateKey privateKeyStr:MIICdwIBADANBgkqhkiG9w0BAQEFAASCAmEwggJdAgEAAoGBAMm4AfeYYhhSbYJFaJ9FtFYV5/10porcz1a0jSjuKSNAjk1ChwSKZqoeGgjFg6NvdnlchPVmQjRGhrsv4nymx9Vxd4qvdTFPc6dAJ0mmELxtF+/0fO7SxrKq0uPtP23uem3IB8NwwTtxFoaI0mhesxiXyGQVfMMNFs7a0XDKbAaTAgMBAAECgYATN3Jd3Kh2Wgk7VdK9CZjqcop353r405xKTZz8/ziatnWtVTR48ZkM2nKZz1HWagdGpye2G8McKR6AtUka8uXVJj+8z3eeGaS+TMlzPbdOK+COp9OZex5HZHTsBqsCGUZ+BJjWMgc8+2Y60e8F53jaCAyVvd8TGNZmjBO7wKccQQJBAPFodMkO7wlDeJJdQvSqXsBvs0TQn2AdTzqj5VUNTy1LVf7b+YOR2aSYjonp1RGi4P2LDONL1gJWoWXmHK0YrnECQQDV6WaSwvjvY8Rxmx3hbxA1/WTFqv/RCOf8n0UxQuZ1YoNjv1enlX6cqMuDfmHiiC/pWf9D7Qnph+sX1Eqc+c9DAkEApSL+WJc1nxGfhgf0CGgO/vaqHBXWICqMiyGYfFDpa6OQRRH3IjCAQF73ipIBZdoUrHwVKdszn0/hglIiJaqvkQJAVfJ9gCJOmwDfATZt/xH81XSGdNWMC5UkgOANkQlsR2XZnM5YjcEHKjK38pFpCvflKEE8yzIGdYpi7yQhBolouQJBAIQaLXw68AYtohzJvxFtjyer+sgzN2JYYHKaGQtT0WGxTnuMrJuQteFxlFGvLOJl+EcfPetdzu5uF7MnZfz+MhU=
[INFO ] 2022-08-13 23:46:02.730 [http-nio-8081-exec-9] c.y.r.d.controller.LoginController - 解密后密码,password:123456