什麼算法創建加密Log4j追加

Question

當我創建了加密輸出到一個log4j的日誌文件RollingFileAppender進行使用。 目前它使用AES/ECB/NoPadding，它工作正常。

下面是我們如何創建密碼

public static Cipher getCipher(boolean encrypt) throws Exception { 
    //https://en.wikipedia.org/wiki/Stream_cipher  
    byte[] key = ("sometestkey").getBytes("UTF-8"); 
    MessageDigest sha = MessageDigest.getInstance("SHA-1"); 
    key = sha.digest(key); 
    key = Arrays.copyOf(key, 16); // use only first 128 bit 

    Key k = new SecretKeySpec(key,"AES"); 
    Cipher cipher = Cipher.getInstance("AES/ECB/NoPadding"); 
    if (encrypt) { 
     cipher.init(Cipher.ENCRYPT_MODE, k); 
    } else { 
     cipher.init(Cipher.DECRYPT_MODE, k); 
    } 
    return cipher; 
} 

下面是我們如何創建附加器：

public class EncryptingRollingFileAppender extends RollingFileAppender { 
    private CipherOutputStream s; 
    private Cipher cipher; 
    public EncryptingRollingFileAppender() {super();} 
    public EncryptingRollingFileAppender(Layout layout, String filename, boolean append) throws IOException {super(layout, filename, append);} 
    public EncryptingRollingFileAppender(Layout layout, String filename) throws IOException {super(layout, filename);} 

    @Override 
    protected OutputStreamWriter createWriter(OutputStream outputStream) { 
     if (cipher==null) { 
      try { 
       cipher = DecryptionTools.getCipher(true); 
       s = new CipherOutputStream(outputStream, cipher); 
      } catch (Throwable t) { 
       throw new RuntimeException("failed to initialise encrypting file appender",t); 
      } 
     } 
     OutputStreamWriter out = super.createWriter(s); 
     return out; 
    } 
} 

我們可以通過使用

getCipher（假）解密文件

創建一個適當的解密流。

的問題是，我們的安全團隊正在討價還價約密鑰管理。 他們不喜歡使用對稱密鑰加密，並希望我們使用密鑰對而不是我們必須以某種方式管理的簡單密碼。

有誰知道非填充ECB加密技術會使用密鑰對，並且適合這種流加密和解密？

Answer 1

使用混合加密和PGP暗示的意見是正確的。
PGP是文件混合加密的實際標準，它是ECB模式AES更強大的解決方案。

由於PGP的性質，它將會略有不同工作，以現有的解決方案。

PGP消息有一個頭和頁腳，所以你會希望每個文件進行單獨加密（你不會只能夠解密各個塊像您可以用普通ECB模式加密）。

看起來你正在使用log4j的1.2，I have created a working implementation of a PGP encrypting RollingFileAppender.

要使用示例，生成裝甲編碼的PGP公鑰，運行主類，然後解密任何PGP工具的文件（我用的GnuPG用於創建密鑰和解密）。

的例子建對log4j:log4j:1.2.17和org.bouncycastle:bcpg-jdk15on:1.56

Answer 2

您是非常接近你想要達到的目標。使用Log4j 1.2（因爲您無法直接在Log4j 2中繼承RollingFileAppender），您可以爲每個日誌文件實時生成密碼，使用RSA加密密碼並將其存儲在其旁邊。然後使用密碼爲日誌appender生成AES CipherOutputStream。

public class EncryptingRollingFileAppender extends RollingFileAppender { 

    private CipherOutputStream s; 

    private Cipher cipher; 

    private byte[] secretKey; 

    public EncryptingRollingFileAppender(Layout layout, String filename, boolean append) throws IOException { 
     super(layout, filename, append); 
     writeKeyFile(filename); 
    } 

    public EncryptingRollingFileAppender(Layout layout, String filename) throws IOException { 
     super(layout, filename); 
     writeKeyFile(filename); 
    } 

    private void writeKeyFile(final String logfilename) throws IOException { 
     final int dot = logfilename.lastIndexOf('.'); 
     final String keyfilename = (dot == -1 ? logfilename : logfilename.substring(0, dot)) + ".key"; 
     try (FileOutputStream out = new FileOutputStream(keyfilename)) { 
      out.write(DecryptionTools.encryptPasswordBase64(secretKey).getBytes(ISO_8859_1)); 
     } catch (InvalidKeyException | NoSuchAlgorithmException | NoSuchPaddingException | KeyStoreException 
       | CertificateException e) { 
     } 
    } 

    @Override 
    protected OutputStreamWriter createWriter(OutputStream outputStream) { 
     System.out.println("createWriter()"); 
     if (cipher == null) { 
      secretKey = DecryptionTools.generateRandomKey(16).getBytes(ISO_8859_1); 
      try { 
       cipher = DecryptionTools.getCipher(true, secretKey); 
      } catch (InvalidKeyException e) { 
       System.out.println("InvalidKeyException"); 
      } 
      s = new CipherOutputStream(outputStream, cipher); 
     } 

     OutputStreamWriter out = super.createWriter(s); 
     return out; 
    } 
} 

You'll需要幾個輔助函數用於讀取文件或從中可以發現here一個Java密鑰存儲私鑰。

測試文件TestEncryptingRollingFileAppender展示瞭如何編寫一個加密的日誌和讀回。

import static com.acme.DecryptionTools.getCipher; 
import static com.acme.DecryptionTools.decryptPasswordBase64; 

public class TestEncryptingRollingFileAppender { 

    @SuppressWarnings("deprecation") 
    @Test 
    public void testAppender() throws IOException, InvalidKeyException, NoSuchAlgorithmException, NoSuchPaddingException, KeyStoreException, CertificateException, InvalidKeySpecException, IllegalBlockSizeException, BadPaddingException { 

     final File logfile = File.createTempFile("testlog_", ".log"); 
     final String logfilename = logfile.getAbsolutePath(); 

     final Logger lggr = LogManager.getLogger(TestEncryptingRollingFileAppender.class); 
     final EncryptingRollingFileAppender appender = new EncryptingRollingFileAppender(new SimpleLayout(), logfilename, true); 

     appender.append(new LoggingEvent(lggr.getClass().getName(), lggr, Priority.INFO, "Test Log Line #1", null)); 
     appender.append(new LoggingEvent(lggr.getClass().getName(), lggr, Priority.INFO, "Test Log Line #1", null)); 

     final int dot = logfilename.lastIndexOf('.'); 
     byte[] key = decryptPasswordBase64(new String(Files.readAllBytes(Paths.get(logfilename.substring(0, dot)+".key")))); 

     StringBuilder logContent = new StringBuilder(); 
     try (FileInputStream instrm = new FileInputStream(logfilename); 
      CipherInputStream cistrm = new CipherInputStream(instrm, getCipher(false, key))) { 
      int c; 
      while ((c=cistrm.read())!=-1) 
       logContent.append((char) c); 
     } 

     assertEquals("INFO - Test Log Line #1\r\nINFO - Test Log Line #1", logContent.toString()); 

    } 
}