【flex加密】应用程序加密1-模拟flash.data.EncryptedLocalStore

应用程序加密1-模拟线上加密商店

Andrew Westberg

在RIA的世界里，flex和air确实已经起飞了，随着财富500强企业逐渐采用flex技术实现ria已经各种企业层次的应用开始出现，应用程序和数据安全问题应该逐渐引起flex/air程序员的注意，保密的级别应该和项目的需求紧密相关。例如如果你想开发的是开源的支持广告的面向大众的应用程序，为了尽可能多的获取用户加密的级别就应该相应的低，同时系统花费在认证用户上的时间要尽可能的小。另一方面如果你是为企业政府开发内部应用的面板程序，那么你可能要采用尽量高的加密级别。

在这一系列的三篇关于如何加密Flex应用程序的文章中，我们首先会讲述如何在Flex应用程序中采用加密存储技术加密一个Flex应用程序。在第二篇文章中我们会尝试使用接口和最小化的加密来对SWC文件进行保护，这个SWC文件正是我们要出售的商业库。在最后的文章中我们会去了解一下NitroLM.com，这是一个商业的API专门从事用户注册认证管理，以及企业级的加密技术

---

在Adobe最新发布的AIR1.0版本中，他们提供了向磁盘存储加密数据的API， flash.data.EncryptedLocalStore类，该类调用WINDOWS DPAI或者是MAC的KEYCHAIN来通过ByteArray数组来存储数据，很不幸的是，在Flex里面我们享受不到这项便利，在这一片教程里面我们会尝试着模拟这样的一个类来存储加密数据

我们要做的第一件事情就是到网络上去下载一个flex的加密库方便使用，这里使用的是Henri创建的AS3Crypto (http://crypto.hurlant.com)，我推荐下载源代码版本，这样你就可以方便的调试并且能够了解整个加密进程是如何进行的。

在这个例子中（可以查看源代码)用户可以在应用程序向WEB SERVICE提请验证过程中，保存自己的用户名和密码，当然这两个数据的保护不是天衣无缝的，因为数据和随机生成的KEY是保存在一起的，至于如何将KEY模糊的放在服务器或者用户端，还是两者协商使得KEY的保护更加安全，在此就留作练习了。

FlexEncryptionExample1 example

下面我大概的讲述一下代码：我们有两个主要的方法，encryptedLoad() 和encryptedSave(). encryptedSave().产生随机的16位KEY然后使用AES-128算法对我们的用户名和密码进行破解，然后将数据保存到BYTE ARRAY

 

private function encryptedSave():void
{
//创建和获得共享对象
var so:SharedObject = SharedObject.getLocal("encryptedStore");

//产生随机的KEY
var key:ByteArray = new ByteArray();
var random:Random = new Random();
random.nextBytes(key, 16);

//将我们的数据加密后保存到ByteArray
var cleartextBytes:ByteArray = new ByteArray();
 	cleartextBytes.writeUTF(username.text);
 	cleartextBytes.writeUTF(password.text);

//使用128位AES算法加密
var aes:ICipher = Crypto.getCipher("aes-ecb", key, Crypto.getPad("pkcs5"));
 	aes.encrypt(cleartextBytes);

//将数据和KEY一起保存
//Note: 注意通常你出于安全考虑你不会这样做
//      当然前面提到了，这项工作就留作练习了
//      security and/or obvuscation.
var dataToStore:ByteArray = new ByteArray();
 	dataToStore.writeBytes(key);
 	dataToStore.writeBytes(cleartextBytes);

//将数据保存进共享对象
 	so.data.ws_creds = dataToStore;
 	so.flush();

//清空域
 	username.text="";
password.text="";
}

encryptedLoad()读取我们保存的KEY然后将其加入ByteArray，username和password解密后会被分别解析到各自的域中

 

private function encryptedLoad():void
{
//从共享对象获取保存的数据
var so:SharedObject = SharedObject.getLocal("encryptedStore");

var dataToLoad:ByteArray = so.data.ws_creds;

//读取键值
var key:ByteArray = new ByteArray();
 	dataToLoad.readBytes(key, 0, 16);

//读取密文
var encryptedBytes:ByteArray = new ByteArray();
 	dataToLoad.readBytes(encryptedBytes);

//解密
var aes:ICipher = Crypto.getCipher("aes-ecb", key, Crypto.getPad("pkcs5"));
 	aes.decrypt(encryptedBytes);

 	encryptedBytes.position = 0;

 	username.text = encryptedBytes.readUTF();
password.text = encryptedBytes.readUTF();
}

真心的希望这篇文章对你有用

• comments: 2
<!-- <h4 class="entry-tags-header"></h4> -->
tags:

Encryption in Flex Applications 1 - Simulate EncryptedLocalStore

Andrew Westberg
March 31, 2008 | Permalink | Comments (2)

<!-- AddThis Bookmark Button BEGIN --> <!-- AddThis Bookmark Button END -->

In the RIA world, Flex and AIR applications have really taken off. With that has come increased adoption by Fortune 500 companies and new enterprise-level apps taking advantage of the Adobe Flash platform. Application and data security should always be a concern of the Flex/AIR developer. The level of paranoia the developer should implement must be weighed against the goals of the project. For example, if you’re developing an open source or advertising-supported application intended for a wide public audience, you probably want to implement fairly minimal security measures in order to reach the widest audience and limit the amount of time you spend managing users in the system. On the other hand, if you’re being contracted to write a dashboard application for a large company or government for internal use, you’d probably want to implement security measures at the high-end of the spectrum.

In this series of three articles on the topic of Encryption in Flex Applications, we’ll first cover a basic data encryption and storage example in a Flex application. In article two, we’ll look at using an interface and doing some minimal encryption on a SWC file to protect an example commercial library we want to sell. In the final installment, we’ll take a look at using some of the features of NitroLM.com which is a commercial API for user registration, management, and entire application encryption.

---

In Adobe’s newly-released version of AIR 1.0, they provide an API for storing encrypted data to the hard drive. The flash.data.EncryptedLocalStore class uses the Windows DPAPI or KeyChain on MacOS to store and retrieve encrypted data as a ByteArray. Unfortunately, this capability isn’t available to us in a Flex application. In this example, I’ll demonstrate creating similar functionality by encrypting data stored in a local SharedObject.

The first thing we need is to download an encryption library to use in our Flex application. I’m using AS3Crypto (http://crypto.hurlant.com) created by Henri Torgemane. I recommend downloading the source code so you can debug easier and see how the encryption is working.

In this example (view-source enabled), the user can save a username and password between runs of the application to be used by a web service. It’s not totally secure since the randomly generated key is stored along with the encrypted data. I’ll leave it as an exercise for the reader to come up with clever ways to obfuscate the key or use alternative server-side repositories that are more secure.

FlexEncryptionExample1 example

Let’s walk through the code. We have two main methods, encryptedLoad() and encryptedSave(). encryptedSave() generates a random 16 byte key, and runs the AES-128 encryption algorithm on our username and password that we’ve packaged into a ByteArray.

 

private function encryptedSave():void
{
//create or retrieve the current shared object
var so:SharedObject = SharedObject.getLocal("encryptedStore");

//generate a random key
var key:ByteArray = new ByteArray();
var random:Random = new Random();
random.nextBytes(key, 16);

//store our data to encrypt into a ByteArray
var cleartextBytes:ByteArray = new ByteArray();
 	cleartextBytes.writeUTF(username.text);
 	cleartextBytes.writeUTF(password.text);

//encrypt using 128b AES encryption using a random key
var aes:ICipher = Crypto.getCipher("aes-ecb", key, Crypto.getPad("pkcs5"));
 	aes.encrypt(cleartextBytes);

//store key along with the data to decrypt
//Note: normally you'd never do this for security reasons,
//      but I'll leave it to the reader to handle additional
//      security and/or obvuscation.
var dataToStore:ByteArray = new ByteArray();
 	dataToStore.writeBytes(key);
 	dataToStore.writeBytes(cleartextBytes);

//save the blob of encrypted stuff in the SharedObject
 	so.data.ws_creds = dataToStore;
 	so.flush();

//clear out the fields
 	username.text="";
password.text="";
}

encryptedLoad() reads in our key and uses it to decrypt the rest of the ByteArray. The values are then loaded into their respective form fields from the decrypted ByteArray.

 

private function encryptedLoad():void
{
//create or retrieve the current shared object
var so:SharedObject = SharedObject.getLocal("encryptedStore");

var dataToLoad:ByteArray = so.data.ws_creds;

//read in our key
var key:ByteArray = new ByteArray();
 	dataToLoad.readBytes(key, 0, 16);

//read in our encryptedText
var encryptedBytes:ByteArray = new ByteArray();
 	dataToLoad.readBytes(encryptedBytes);

//decrypt using 128b AES encryption
var aes:ICipher = Crypto.getCipher("aes-ecb", key, Crypto.getPad("pkcs5"));
 	aes.decrypt(encryptedBytes);

 	encryptedBytes.position = 0;

 	username.text = encryptedBytes.readUTF();
password.text = encryptedBytes.readUTF();
}

Hopefully with this example, you can start to see some of the possibilities for encrypting your data using Adobe Flex/AIR.

• comments: 2
<!-- <h4 class="entry-tags-header"></h4> -->
tags:
• encryption
• flex
• licensing
• security