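This document describes the proper way to use Android's cryptographic facilities and includes some examples of their use. If your app requires greater key security, use the Android Keystore system.
Specify a provider only with the Android Keystore system
If you're using the Android Keystore system, you must specify a provider.
In other situations, however, Android doesn't guarantee a particular provider for a given algorithm. Specifying a provider without using the Android Keystore system could cause compatibility problems in future releases.
Choose a recommended algorithm
When you have the freedom to choose which algorithm to use (such as when you don't require compatibility with a third-party system), we recommend using the following algorithms:
Class | Recommendation |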
---|---|
Cipher | AES in either CBC or GCM mode with 256-bit keys (such as AES/GCM/NoPadding) |
MessageDigest | SHA-2 family (such as SHA-256) |
Mac | SHA-2 family HMAC (such as HMACSHA256) |
Signature | SHA-2 family with ECDSA (such as SHA256withECDSA) |
Perform common cryptographic operations
The following sections include snippets that demonstrate how you can complete common cryptographic operations in your app.
Read a file
Kotlin
```kotlin
// Although you can define your own key generation parameter specification, it's
// recommended that you use the value specified here.
val keyGenParameterSpec = MasterKeys.AES256_GCM_SPEC
val mainKeyAlias = MasterKeys.getOrCreate(keyGenParameterSpec)

val fileToRead = "my_sensitive_data.txt"
val encryptedFile = EncryptedFile.Builder(
    File(DIRECTORY, fileToRead),
    applicationContext,
    mainKeyAlias,
    EncryptedFile.FileEncryptionScheme.AES256_GCM_HKDF_4KB
).build()

val inputStream = encryptedFile.openFileInput()
val byteArrayOutputStream = ByteArrayOutputStream()
var nextByte: Int = inputStream.read()
while (nextByte != -1) {
    byteArrayOutputStream.write(nextByte)
    nextByte = inputStream.read()
}

val plaintext: ByteArray = byteArrayOutputStream.toByteArray()
```
Java
```java
Context context = getApplicationContext();

// Although you can define your own key generation parameter specification, it's
// recommended that you use the value specified here.
KeyGenParameterSpec keyGenParameterSpec = MasterKeys.AES256_GCM_SPEC;
String mainKeyAlias = MasterKeys.getOrCreate(keyGenParameterSpec);

String fileToRead = "my_sensitive_data.txt";
EncryptedFile encryptedFile = new EncryptedFile.Builder(
        new File(DIRECTORY, fileToRead),
        context,
        mainKeyAlias,
        EncryptedFile.FileEncryptionScheme.AES256_GCM_HKDF_4KB
).build();

InputStream inputStream = encryptedFile.openFileInput();
ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
int nextByte = inputStream.read();
while (nextByte != -1) {
    byteArrayOutputStream.write(nextByte);
    nextByte = inputStream.read();
}

byte[] plaintext = byteArrayOutputStream.toByteArray();
```
Write a file
Kotlin
```kotlin
// Although you can define your own key generation parameter specification, it's
// recommended that you use the value specified here.
val keyGenParameterSpec = MasterKeys.AES256_GCM_SPEC
val mainKeyAlias = MasterKeys.getOrCreate(keyGenParameterSpec)

// Create a file with this name, or replace an entire existing file
// that has the same name. Note that you cannot append to an existing file,
// and the file name cannot contain path separators.
val fileToWrite = "my_sensitive_data.txt"
val encryptedFile = EncryptedFile.Builder(
    File(DIRECTORY, fileToWrite),
    applicationContext,
    mainKeyAlias,
    EncryptedFile.FileEncryptionScheme.AES256_GCM_HKDF_4KB
).build()

val fileContent = "MY SUPER-SECRET INFORMATION"
    .toByteArray(StandardCharsets.UTF_8)
encryptedFile.openFileOutput().apply {
    write(fileContent)
    flush()
    close()
}
```
Java
```java
Context context = getApplicationContext();

// Although you can define your own key generation parameter specification, it's
// recommended that you use the value specified here.
KeyGenParameterSpec keyGenParameterSpec = MasterKeys.AES256_GCM_SPEC;
String mainKeyAlias = MasterKeys.getOrCreate(keyGenParameterSpec);

// Create a file with this name, or replace an entire existing file
// that has the same name. Note that you cannot append to an existing file,
// and the file name cannot contain path separators.
String fileToWrite = "my_sensitive_data.txt";
EncryptedFile encryptedFile = new EncryptedFile.Builder(
        new File(DIRECTORY, fileToWrite),
        context,
        mainKeyAlias,
        EncryptedFile.FileEncryptionScheme.AES256_GCM_HKDF_4KB
).build();

byte[] fileContent = "MY SUPER-SECRET INFORMATION"
        .getBytes(StandardCharsets.UTF_8);
OutputStream outputStream = encryptedFile.openFileOutput();
outputStream.write(fileContent);
outputStream.flush();
outputStream.close();
```
Encrypt a message
Kotlin
```kotlin
val plaintext: ByteArray = ...
val keygen = KeyGenerator.getInstance("AES")
keygen.init(256)
val key: SecretKey = keygen.generateKey()
val cipher = Cipher.getInstance("AES/CBC/PKCS5PADDING")
cipher.init(Cipher.ENCRYPT_MODE, key)
val ciphertext: ByteArray = cipher.doFinal(plaintext)
val iv: ByteArray = cipher.iv
```
Java
```java
byte[] plaintext = ...;
KeyGenerator keygen = KeyGenerator.getInstance("AES");
keygen.init(256);
SecretKey key = keygen.generateKey();
Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5PADDING");
cipher.init(Cipher.ENCRYPT_MODE, key);
byte[] ciphertext = cipher.doFinal(plaintext);
byte[] iv = cipher.getIV();
```
Generate a message digest
Kotlin
```kotlin
val message: ByteArray = ...
val md = MessageDigest.getInstance("SHA-256")
val digest: ByteArray = md.digest(message)
```
Java
```java
byte[] message = ...;
MessageDigest md = MessageDigest.getInstance("SHA-256");
byte[] digest = md.digest(message);
```
Generate a digital signature
You need to have a PrivateKey object containing the signing key, which you can generate at runtime, read from a file bundled with your app, or obtain from some other source depending on your needs.
Kotlin
```kotlin
val message: ByteArray = ...
val key: PrivateKey = ...
val s = Signature.getInstance("SHA256withECDSA")
    .apply {
        initSign(key)
        update(message)
    }
val signature: ByteArray = s.sign()
```
Java
```java
byte[] message = ...;
PrivateKey key = ...;
Signature s = Signature.getInstance("SHA256withECDSA");
s.initSign(key);
s.update(message);
byte[] signature = s.sign();
```
Verify a digital signature
You need to have a PublicKey object containing the signer's public key, which you can read from a file bundled with your app, extract from a certificate, or obtain from some other source depending on your needs.
Kotlin
```kotlin
val message: ByteArray = ...
val signature: ByteArray = ...
val key: PublicKey = ...
val s = Signature.getInstance("SHA256withECDSA")
    .apply {
        initVerify(key)
        update(message)
    }
val valid: Boolean = s.verify(signature)
```
Java
```java
byte[] message = ...;
byte[] signature = ...;
PublicKey key = ...;
Signature s = Signature.getInstance("SHA256withECDSA");
s.initVerify(key);
s.update(message);
boolean valid = s.verify(signature);
```
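The signing and verification snippets above leave the keys elided. The following added example (not part of the original page) generates an EC key pair at runtime, one of the key sources the text mentions, and checks three inputs: the original message, an altered message, and a truncated signature. The class name, the secp256r1 curve choice and the sample strings are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.security.SignatureException;
import java.security.spec.ECGenParameterSpec;
import java.util.Arrays;

// Illustrative class, not an Android API.
public final class EcdsaSignVerify {

    static byte[] sign(PrivateKey key, byte[] message) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withECDSA");
        s.initSign(key);
        s.update(message);
        return s.sign();
    }

    /**
     * Returns false both for a signature that does not match and for one that
     * is not well-formed, so callers have a single failure path.
     */
    static boolean verify(PublicKey key, byte[] message, byte[] signature)
            throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withECDSA");
        s.initVerify(key);
        s.update(message);
        try {
            return s.verify(signature);
        } catch (SignatureException e) {
            // Providers may throw instead of returning false when the
            // signature bytes cannot be parsed.
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Key pair generated at runtime; the curve is an assumption of this example.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
        kpg.initialize(new ECGenParameterSpec("secp256r1"));
        KeyPair pair = kpg.generateKeyPair();

        // Constructed sample inputs.
        byte[] message = "constructed sample message".getBytes(StandardCharsets.UTF_8);
        byte[] altered = "constructed sample messagE".getBytes(StandardCharsets.UTF_8);

        byte[] signature = sign(pair.getPrivate(), message);
        byte[] truncated = Arrays.copyOf(signature, signature.length - 4);

        System.out.println("original message:    "
                + verify(pair.getPublic(), message, signature));
        System.out.println("altered message:     "
                + verify(pair.getPublic(), altered, signature));
        System.out.println("truncated signature: "
                + verify(pair.getPublic(), message, truncated));
    }
}
```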
Implementation complexities
There are some details of the Android cryptography implementation that seem unusual but are present due to compatibility concerns. This section discusses the ones that you'll most likely encounter.
OAEP MGF1 message digest
RSA OAEP ciphers are parameterized by two different message digests: the "main" digest and the MGF1 digest. Cipher identifiers that include a digest name, such as Cipher.getInstance("RSA/ECB/OAEPwithSHA-256andMGF1Padding"), specify the main digest and leave the MGF1 digest unspecified. For Android Keystore, SHA-1 is used for the MGF1 digest, whereas for other Android cryptographic providers, the two digests are the same.
To have more control over the digests that your app uses, request a cipher with OAEPPadding, as in Cipher.getInstance("RSA/ECB/OAEPPadding"), and provide an OAEPParameterSpec to init() to explicitly choose both digests.
Kotlin
```kotlin
val key: Key = ...
val cipher = Cipher.getInstance("RSA/ECB/OAEPPadding")
    .apply {
        // To use SHA-256 as the main digest and SHA-1 as the MGF1 digest
        init(Cipher.ENCRYPT_MODE, key, OAEPParameterSpec("SHA-256", "MGF1", MGF1ParameterSpec.SHA1, PSource.PSpecified.DEFAULT))
        // To use SHA-256 for both digests
        init(Cipher.ENCRYPT_MODE, key, OAEPParameterSpec("SHA-256", "MGF1", MGF1ParameterSpec.SHA256, PSource.PSpecified.DEFAULT))
    }
```
Java
```java
Key key = ...;
Cipher cipher = Cipher.getInstance("RSA/ECB/OAEPPadding");
// To use SHA-256 as the main digest and SHA-1 as the MGF1 digest
cipher.init(Cipher.ENCRYPT_MODE, key, new OAEPParameterSpec("SHA-256", "MGF1", MGF1ParameterSpec.SHA1, PSource.PSpecified.DEFAULT));
// To use SHA-256 for both digests
cipher.init(Cipher.ENCRYPT_MODE, key, new OAEPParameterSpec("SHA-256", "MGF1", MGF1ParameterSpec.SHA256, PSource.PSpecified.DEFAULT));
```
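The practical consequence of the two-digest parameterization is that a ciphertext produced with one MGF1 digest cannot be decrypted by a party that assumes the other. The following added example (not part of the original page) encrypts with SHA-256 for both digests and then attempts decryption with each of the two parameter sets shown above. The class name, the 2048-bit key size and the sample plaintext are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.spec.MGF1ParameterSpec;
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.spec.OAEPParameterSpec;
import javax.crypto.spec.PSource;

// Illustrative class, not an Android API.
public final class OaepDigestMismatch {
    // Main digest SHA-256, MGF1 digest SHA-1.
    static final OAEPParameterSpec MGF1_SHA1 = new OAEPParameterSpec(
            "SHA-256", "MGF1", MGF1ParameterSpec.SHA1, PSource.PSpecified.DEFAULT);
    // SHA-256 for both digests.
    static final OAEPParameterSpec MGF1_SHA256 = new OAEPParameterSpec(
            "SHA-256", "MGF1", MGF1ParameterSpec.SHA256, PSource.PSpecified.DEFAULT);

    static byte[] encrypt(PublicKey key, OAEPParameterSpec spec, byte[] plaintext)
            throws GeneralSecurityException {
        Cipher cipher = Cipher.getInstance("RSA/ECB/OAEPPadding");
        cipher.init(Cipher.ENCRYPT_MODE, key, spec);
        return cipher.doFinal(plaintext);
    }

    /** Returns the plaintext, or null when the OAEP parameters do not match the sender's. */
    static byte[] tryDecrypt(PrivateKey key, OAEPParameterSpec spec, byte[] ciphertext)
            throws GeneralSecurityException {
        Cipher cipher = Cipher.getInstance("RSA/ECB/OAEPPadding");
        cipher.init(Cipher.DECRYPT_MODE, key, spec);
        try {
            return cipher.doFinal(ciphertext);
        } catch (BadPaddingException e) {
            // The OAEP decoding check failed: wrong digests (or wrong key).
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);   // key size is an assumption of this example
        KeyPair pair = kpg.generateKeyPair();

        // Constructed sample plaintext.
        byte[] plaintext = "constructed sample secret".getBytes(StandardCharsets.UTF_8);

        // Sender chooses SHA-256 for both digests.
        byte[] ciphertext = encrypt(pair.getPublic(), MGF1_SHA256, plaintext);

        // Receiver that assumes SHA-1 for MGF1.
        byte[] withSha1 = tryDecrypt(pair.getPrivate(), MGF1_SHA1, ciphertext);
        // Receiver that uses the same parameters as the sender.
        byte[] withSha256 = tryDecrypt(pair.getPrivate(), MGF1_SHA256, ciphertext);

        System.out.println("MGF1 SHA-1 receiver decrypted:   " + (withSha1 != null));
        System.out.println("MGF1 SHA-256 receiver decrypted: " + (withSha256 != null));
    }
}
```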
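Deprecated functionality
The following sections describe deprecated functionality that you should no longer use in your app.
Bouncy Castle algorithms
The Bouncy Castle implementations of many algorithms are deprecated. This only affects cases where you explicitly request the Bouncy Castle provider, as shown in the following example:
Kotlin
```kotlin
Cipher.getInstance("AES/CBC/PKCS7PADDING", "BC")
// OR
Cipher.getInstance("AES/CBC/PKCS7PADDING", Security.getProvider("BC"))
```
Java
```java
Cipher.getInstance("AES/CBC/PKCS7PADDING", "BC");
// OR
Cipher.getInstance("AES/CBC/PKCS7PADDING", Security.getProvider("BC"));
```
As noted above, requesting a specific provider is discouraged, so if you follow that guideline, this deprecation shouldn't affect you.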
Password-based encryption ciphers without an IV
Password-based encryption (PBE) ciphers that require an initialization vector (IV) can obtain it from the key, if it's suitably constructed, or from an explicitly passed IV. When given a PBE key that doesn't contain an IV and no explicit IV is passed, the PBE ciphers on Android currently assume an IV of zero.
When using PBE ciphers, always pass an explicit IV, as shown in the following code snippet:
Kotlin
```kotlin
val key: SecretKey = ...
val cipher = Cipher.getInstance("PBEWITHSHA256AND256BITAES-CBC-BC")
val iv = ByteArray(16)
SecureRandom().nextBytes(iv)
cipher.init(Cipher.ENCRYPT_MODE, key, IvParameterSpec(iv))
```
Java
```java
SecretKey key = ...;
Cipher cipher = Cipher.getInstance("PBEWITHSHA256AND256BITAES-CBC-BC");
byte[] iv = new byte[16];
new SecureRandom().nextBytes(iv);
cipher.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(iv));
```
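Crypto provider
As of Android 9 (API level 28), the Crypto Java Cryptography Architecture (JCA) provider has been removed. If your app requests an instance of the Crypto provider, such as by calling the following method, a NoSuchProviderException occurs.
Kotlin
```kotlin
SecureRandom.getInstance("SHA1PRNG", "Crypto")
```
Java
```java
SecureRandom.getInstance("SHA1PRNG", "Crypto");
```
Supported algorithms
The JCA algorithm identifiers supported at each Android API level are listed below.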
AlgorithmParameterGenerator
AlgorithmParameters
CertPathBuilder
CertPathValidator
CertStore
CertificateFactory
Cipher
KeyAgreement
KeyFactory
KeyGenerator
KeyManagerFactory
KeyPairGenerator
KeyStore
Mac
MessageDigest
SSLContext
SSLEngine.Supported
SSLSocket.Supported
SecretKeyFactory
SecureRandom
Signature
TrustManagerFactory
AlgorithmParameterGenerator
Algorithm | Supported API levels |
---|---|
AES | 1-8 |
DES | 1-8 |
DESede | 1-8 |
DH | 1+ |
DSA | 1+ |
AlgorithmParameters
Algorithm | Supported API levels |
---|---|
AES | 1+ |
BLOWFISH | 10+ |
ChaCha20 | 28+ |
DES | 1+ |
DESede | 1+ |
DH | 1+ |
DSA | 1+ |
EC | 26+ |
GCM | 22+ |
IES | 1-8 |
OAEP | 1+ |
PBEwithHmacSHA1AndAES_128 | 26+ |
PBEwithHmacSHA1AndAES_256 | 26+ |
PBEwithHmacSHA224AndAES_128 | 26+ |
PBEwithHmacSHA224AndAES_256 | 26+ |
PBEwithHmacSHA256AndAES_128 | 26+ |
PBEwithHmacSHA256AndAES_256 | 26+ |
PBEwithHmacSHA384AndAES_128 | 26+ |
PBEwithHmacSHA384AndAES_256 | 26+ |
PBEwithHmacSHA512AndAES_128 | 26+ |
PBEwithHmacSHA512AndAES_256 | 26+ |
PKCS12PBE | 1+ |
PSS | 1-8, 24+ |
CertPathBuilder
Algorithm | Supported API levels |
---|---|
PKIX | 1+ |
CertPathValidator
Algorithm | Supported API levels |
---|---|
PKIX | 1+ |
CertStore
Algorithm | Supported API levels |
---|---|
Collection | 1+ |
CertificateFactory
Algorithm | Supported API levels |
---|---|
X.509 | 1+ |
Cipher
Algorithm | Modes | Paddings | Supported API levels | Notes |
---|---|---|---|---|
AES | CBC CFB CTR CTS ECB OFB | ISO10126Padding NoPadding PKCS5Padding | 1+ | |
AES | GCM | NoPadding | 10+ | |
AES_128 | CBC ECB | NoPadding PKCS5Padding | 26+ | |
AES_128 | GCM | NoPadding | 26+ | |
AES_256 | CBC ECB | NoPadding PKCS5Padding | 26+ | |
AES_256 | GCM | NoPadding | 26+ | |
ARC4 | ECB | NoPadding | 10+ | |
ARC4 | NONE | NoPadding | 28+ | |
BLOWFISH | CBC CFB CTR CTS ECB OFB | ISO10126Padding NoPadding PKCS5Padding | 10+ | |
ChaCha20 | NONE Poly1305 | NoPadding | 28+ | ChaCha with 20 rounds, a 96-bit nonce, and a 32-bit counter, as described in RFC 7539. |
DES | CBC CFB CTR CTS ECB OFB | ISO10126Padding NoPadding PKCS5Padding | 1+ | |
DESede | CBC CFB CTR CTS ECB OFB | ISO10126Padding NoPadding PKCS5Padding | 1+ | |
RSA | ECB NONE | NoPadding OAEPPadding PKCS1Padding | 1+ | |
RSA | ECB NONE | OAEPwithSHA-1andMGF1Padding OAEPwithSHA-256andMGF1Padding | 10+ | |
RSA | ECB NONE | OAEPwithSHA-224andMGF1Padding OAEPwithSHA-384andMGF1Padding OAEPwithSHA-512andMGF1Padding | 23+ | |
KeyAgreement
Algorithm | Supported API levels |
---|---|
DH | 1+ |
ECDH | 11+ |
KeyFactory
Algorithm | Supported API levels |
---|---|
DH | 1+ |
DSA | 1+ |
EC | 11+ |
RSA | 1+ |
X.509 | 1-8 |
KeyGenerator
Algorithm | Supported API levels |
---|---|
AES | 1+ |
AESWRAP | 1-8 |
ARC4 | 14+ |
BLOWFISH | 10+ |
ChaCha20 | 28+ |
DES | 1+ |
DESede | 1+ |
DESedeWRAP | 1-8 |
HmacMD5 | 1+ |
HmacSHA1 | 11+ |
HmacSHA224 | 1-8, 22+ |
HmacSHA256 | 1+ |
HmacSHA384 | 1+ |
HmacSHA512 | 1+ |
RC4 | 10-13 |
KeyManagerFactory
Algorithm | Supported API levels |
---|---|
PKIX | 1+ |
KeyPairGenerator
Algorithm | Supported API levels |
---|---|
DH | 1+ |
DSA | 1+ |
EC | 11+ |
RSA | 1+ |
KeyStore
Algorithm | Supported API levels |
---|---|
AndroidCAStore | 14+ |
AndroidKeyStore | 18+ |
BCPKCS12 | 1-8 |
BKS | 1+ |
BouncyCastle | 1+ |
PKCS12 | 1+ |
PKCS12-DEF | 1-8 |
Mac
Algorithm | Supported API levels |
---|---|
DESMAC | 1-8 |
DESMAC/CFB8 | 1-8 |
DESedeMAC | 1-8 |
DESedeMAC/CFB8 | 1-8 |
DESedeMAC64 | 1-8 |
DESwithISO9797 | 1-8 |
HmacMD5 | 1+ |
HmacSHA1 | 1+ |
HmacSHA224 | 1-8, 22+ |
HmacSHA256 | 1+ |
HmacSHA384 | 1+ |
HmacSHA512 | 1+ |
ISO9797ALG3MAC | 1-8 |
PBEwithHmacSHA | 1+ |
PBEwithHmacSHA1 | 1+ |
PBEwithHmacSHA224 | 26+ |
PBEwithHmacSHA256 | 26+ |
PBEwithHmacSHA384 | 26+ |
PBEwithHmacSHA512 | 26+ |
MessageDigest
Algorithm | Supported API levels |
---|---|
MD5 | 1+ |
SHA-1 | 1+ |
SHA-224 | 1-8, 22+ |
SHA-256 | 1+ |
SHA-384 | 1+ |
SHA-512 | 1+ |
SSLContext
Algorithm | Supported API levels |
---|---|
Default | 10+ |
SSL | 10+ |
SSLv3 | 10-25 |
TLS | 1+ |
TLSv1 | 10+ |
TLSv1.1 | 16+ |
TLSv1.2 | 16+ |
SSLEngine
Algorithm | Supported API levels | Enabled by default |
---|---|---|
SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA | 9-22 | 9-19 |
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA | 9-22 | 9-19 |
SSL_DHE_DSS_WITH_DES_CBC_SHA | 9-22 | 9-19 |
SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA | 9-22 | 9-19 |
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA | 9-22 | 9-19 |
SSL_DHE_RSA_WITH_DES_CBC_SHA | 9-22 | 9-19 |
SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA | 9-22 | |
SSL_DH_anon_EXPORT_WITH_RC4_40_MD5 | 9-22 | |
SSL_DH_anon_WITH_3DES_EDE_CBC_SHA | 9-22 | |
SSL_DH_anon_WITH_DES_CBC_SHA | 9-22 | |
SSL_DH_anon_WITH_RC4_128_MD5 | 9-22 | |
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA | 9-22 | 9-19 |
SSL_RSA_EXPORT_WITH_RC4_40_MD5 | 9-22 | 9-19 |
SSL_RSA_WITH_3DES_EDE_CBC_SHA | 9+ | 9-19 |
SSL_RSA_WITH_DES_CBC_SHA | 9-22 | 9-19 |
SSL_RSA_WITH_NULL_MD5 | 9-22 | |
SSL_RSA_WITH_NULL_SHA | 9-22 | |
SSL_RSA_WITH_RC4_128_MD5 | 9-25 | 9-19 |
SSL_RSA_WITH_RC4_128_SHA | 9-25 | 9-23 |
TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA | 1-8 | 1-8 |
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA | 1-8 | 1-8 |
TLS_DHE_DSS_WITH_AES_128_CBC_SHA | 9-22 | 9-22 |
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 | 20-22 | |
TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 | 20-22 | |
TLS_DHE_DSS_WITH_AES_256_CBC_SHA | 9-22 | 20-22 |
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 | 20-22 | |
TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 | 20-22 | |
TLS_DHE_DSS_WITH_DES_CBC_SHA | 1-8 | 1-8 |
TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA | 1-8 | 1-8 |
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA | 1-8 | 1-8 |
TLS_DHE_RSA_WITH_AES_128_CBC_SHA | 9-25 | 9-25 |
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 | 20-25 | |
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 | 20-25 | 20-25 |
TLS_DHE_RSA_WITH_AES_256_CBC_SHA | 9-25 | 20-25 |
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 | 20-25 | |
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 | 20-25 | 20-25 |
TLS_DHE_RSA_WITH_DES_CBC_SHA | 1-8 | 1-8 |
TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA | 1-8 | |
TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA | 1-8 | |
TLS_DH_DSS_WITH_DES_CBC_SHA | 1-8 | |
TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA | 1-8 | |
TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA | 1-8 | |
TLS_DH_RSA_WITH_DES_CBC_SHA | 1-8 | |
TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA | 1-8 | |
TLS_DH_anon_WITH_3DES_EDE_CBC_SHA | 1-8 | |
TLS_DH_anon_WITH_AES_128_CBC_SHA | 9-22 | |
TLS_DH_anon_WITH_AES_128_CBC_SHA256 | 20-22 | |
TLS_DH_anon_WITH_AES_128_GCM_SHA256 | 20-22 | |
TLS_DH_anon_WITH_AES_256_CBC_SHA | 9-22 | |
TLS_DH_anon_WITH_AES_256_CBC_SHA256 | 20-22 | |
TLS_DH_anon_WITH_AES_256_GCM_SHA384 | 20-22 | |
TLS_DH_anon_WITH_DES_CBC_SHA | 1-8 | |
TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA | 20-22 | |
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA | 20+ | 20+ |
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 | 20+ | |
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 | 20+ | 20+ |
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA | 20+ | 20+ |
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 | 20+ | |
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 | 20+ | 20+ |
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 | 24+ | 24+ |
TLS_ECDHE_ECDSA_WITH_NULL_SHA | 20-22 | |
TLS_ECDHE_ECDSA_WITH_RC4_128_SHA | 20-25 | 20-23 |
TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA | 21+ | 21+ |
TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA | 21+ | 21+ |
TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256 | 24+ | 24+ |
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA | 20-22 | |
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA | 20+ | 20+ |
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 | 20+ | |
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 | 20+ | 20+ |
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA | 20+ | 20+ |
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 | 20+ | |
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 | 20+ | 20+ |
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 | 24+ | 24+ |
TLS_ECDHE_RSA_WITH_NULL_SHA | 20-22 | |
TLS_ECDHE_RSA_WITH_RC4_128_SHA | 20-25 | 20-23 |
TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA | 20-22 | |
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA | 20-22 | |
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 | 20-22 | |
TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 | 20-22 | |
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA | 20-22 | |
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 | 20-22 | |
TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 | 20-22 | |
TLS_ECDH_ECDSA_WITH_NULL_SHA | 20-22 | |
TLS_ECDH_ECDSA_WITH_RC4_128_SHA | 20-22 | |
TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA | 20-22 | |
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA | 20-22 | |
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 | 20-22 | |
TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 | 20-22 | |
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA | 20-22 | |
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 | 20-22 | |
TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 | 20-22 | |
TLS_ECDH_RSA_WITH_NULL_SHA | 20-22 | |
TLS_ECDH_RSA_WITH_RC4_128_SHA | 20-22 | |
TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA | 20-22 | |
TLS_ECDH_anon_WITH_AES_128_CBC_SHA | 20-22 | |
TLS_ECDH_anon_WITH_AES_256_CBC_SHA | 20-22 | |
TLS_ECDH_anon_WITH_NULL_SHA | 20-22 | |
TLS_ECDH_anon_WITH_RC4_128_SHA | 20-22 | |
TLS_EMPTY_RENEGOTIATION_INFO_SCSV | 20+ | 20+ |
TLS_FALLBACK_SCSV | 21+ | |
TLS_NULL_WITH_NULL_NULL | 1-8 | |
TLS_PSK_WITH_3DES_EDE_CBC_SHA | 21-22 | |
TLS_PSK_WITH_AES_128_CBC_SHA | 21+ | 21+ |
TLS_PSK_WITH_AES_256_CBC_SHA | 21+ | 21+ |
TLS_PSK_WITH_RC4_128_SHA | 21-25 | |
TLS_RSA_EXPORT_WITH_DES40_CBC_SHA | 1-8 | 1-8 |
TLS_RSA_WITH_3DES_EDE_CBC_SHA | 1-8 | 1-8 |
TLS_RSA_WITH_AES_128_CBC_SHA | 9+ | 9+ |
TLS_RSA_WITH_AES_128_CBC_SHA256 | 20+ | |
TLS_RSA_WITH_AES_128_GCM_SHA256 | 20+ | 20+ |
TLS_RSA_WITH_AES_256_CBC_SHA | 9+ | 20+ |
TLS_RSA_WITH_AES_256_CBC_SHA256 | 20+ | |
TLS_RSA_WITH_AES_256_GCM_SHA384 | 20+ | 20+ |
TLS_RSA_WITH_DES_CBC_SHA | 1-8 | 1-8 |
TLS_RSA_WITH_NULL_MD5 | 1-8 | |
TLS_RSA_WITH_NULL_SHA | 1-8 | |
TLS_RSA_WITH_NULL_SHA256 | 20-22 |
SSLSocket
Algorithm | Supported API levels | Enabled by default |
---|---|---|
SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA | 9-22 | 9-19 |
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA | 9-22 | 9-19 |
SSL_DHE_DSS_WITH_DES_CBC_SHA | 9-22 | 9-19 |
SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA | 9-22 | 9-19 |
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA | 9-22 | 9-19 |
SSL_DHE_RSA_WITH_DES_CBC_SHA | 9-22 | 9-19 |
SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA | 9-22 | |
SSL_DH_anon_EXPORT_WITH_RC4_40_MD5 | 9-22 | |
SSL_DH_anon_WITH_3DES_EDE_CBC_SHA | 9-22 | |
SSL_DH_anon_WITH_DES_CBC_SHA | 9-22 | |
SSL_DH_anon_WITH_RC4_128_MD5 | 9-22 | |
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA | 9-22 | 9-19 |
SSL_RSA_EXPORT_WITH_RC4_40_MD5 | 9-22 | 9-19 |
SSL_RSA_WITH_3DES_EDE_CBC_SHA | 9+ | 9-19 |
SSL_RSA_WITH_DES_CBC_SHA | 9-22 | 9-19 |
SSL_RSA_WITH_NULL_MD5 | 9-22 | |
SSL_RSA_WITH_NULL_SHA | 9-22 | |
SSL_RSA_WITH_RC4_128_MD5 | 9-25 | 9-19 |
SSL_RSA_WITH_RC4_128_SHA | 9-25 | 9-23 |
TLS_DHE_DSS_WITH_AES_128_CBC_SHA | 9-22 | 9-22 |
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 | 20-22 | |
TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 | 20-22 | |
TLS_DHE_DSS_WITH_AES_256_CBC_SHA | 9-22 | 11-22 |
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 | 20-22 | |
TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 | 20-22 | |
TLS_DHE_RSA_WITH_AES_128_CBC_SHA | 9-25 | 9-25 |
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 | 20-25 | |
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 | 20-25 | 20-25 |
TLS_DHE_RSA_WITH_AES_256_CBC_SHA | 9-25 | 11-25 |
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 | 20-25 | |
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 | 20-25 | 20-25 |
TLS_DH_anon_WITH_AES_128_CBC_SHA | 9-22 | |
TLS_DH_anon_WITH_AES_128_CBC_SHA256 | 20-22 | |
TLS_DH_anon_WITH_AES_128_GCM_SHA256 | 20-22 | |
TLS_DH_anon_WITH_AES_256_CBC_SHA | 9-22 | |
TLS_DH_anon_WITH_AES_256_CBC_SHA256 | 20-22 | |
TLS_DH_anon_WITH_AES_256_GCM_SHA384 | 20-22 | |
TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA | 11-22 | 11-19 |
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA | 11+ | 11+ |
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 | 20+ | |
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 | 20+ | 20+ |
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA | 11+ | 11+ |
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 | 20+ | |
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 | 20+ | 20+ |
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 | 24+ | 24+ |
TLS_ECDHE_ECDSA_WITH_NULL_SHA | 11-22 | |
TLS_ECDHE_ECDSA_WITH_RC4_128_SHA | 11-25 | 11-23 |
TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA | 21+ | 21+ |
TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA | 21+ | 21+ |
TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256 | 24+ | 24+ |
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA | 11-22 | 11-19 |
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA | 11+ | 11+ |
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 | 20+ | |
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 | 20+ | 20+ |
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA | 11+ | 11+ |
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 | 20+ | |
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 | 20+ | 20+ |
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 | 24+ | 24+ |
TLS_ECDHE_RSA_WITH_NULL_SHA | 11-22 | |
TLS_ECDHE_RSA_WITH_RC4_128_SHA | 11-25 | 11-23 |
TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA | 11-22 | 11-19 |
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA | 11-22 | 11-19 |
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 | 20-22 | |
TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 | 20-22 | |
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA | 11-22 | 11-19 |
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 | 20-22 | |
TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 | 20-22 | |
TLS_ECDH_ECDSA_WITH_NULL_SHA | 11-22 | |
TLS_ECDH_ECDSA_WITH_RC4_128_SHA | 11-22 | 11-19 |
TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA | 11-22 | 11-19 |
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA | 11-22 | 11-19 |
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 | 20-22 | |
TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 | 20-22 | |
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA | 11-22 | 11-19 |
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 | 20-22 | |
TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 | 20-22 | |
TLS_ECDH_RSA_WITH_NULL_SHA | 11-22 | |
TLS_ECDH_RSA_WITH_RC4_128_SHA | 11-22 | 11-19 |
TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA | 11-22 | |
TLS_ECDH_anon_WITH_AES_128_CBC_SHA | 11-22 | |
TLS_ECDH_anon_WITH_AES_256_CBC_SHA | 11-22 | |
TLS_ECDH_anon_WITH_NULL_SHA | 11-22 | |
TLS_ECDH_anon_WITH_RC4_128_SHA | 11-22 | |
TLS_EMPTY_RENEGOTIATION_INFO_SCSV | 11+ | 11+ |
TLS_FALLBACK_SCSV | 21+ | |
TLS_PSK_WITH_3DES_EDE_CBC_SHA | 21-22 | |
TLS_PSK_WITH_AES_128_CBC_SHA | 21+ | 21+ |
TLS_PSK_WITH_AES_256_CBC_SHA | 21+ | 21+ |
TLS_PSK_WITH_RC4_128_SHA | 21-25 | |
TLS_RSA_WITH_AES_128_CBC_SHA | 9+ | 9+ |
TLS_RSA_WITH_AES_128_CBC_SHA256 | 20+ | |
TLS_RSA_WITH_AES_128_GCM_SHA256 | 20+ | 20+ |
TLS_RSA_WITH_AES_256_CBC_SHA | 9+ | 11+ |
TLS_RSA_WITH_AES_256_CBC_SHA256 | 20+ | |
TLS_RSA_WITH_AES_256_GCM_SHA384 | 20+ | 20+ |
TLS_RSA_WITH_NULL_SHA256 | 20-22 |
SecretKeyFactory
Algorithm | Supported API levels |
---|---|
AES | 23+ |
DES | 1+ |
DESede | 1+ |
HmacSHA1 | 23+ |
HmacSHA224 | 23+ |
HmacSHA256 | 23+ |
HmacSHA384 | 23+ |
HmacSHA512 | 23+ |
PBEwithHmacSHA1 | 1+ |
PBEwithHmacSHA1AndAES_128 | 26+ |
PBEwithHmacSHA1AndAES_256 | 26+ |
PBEwithHmacSHA224AndAES_128 | 26+ |
PBEwithHmacSHA224AndAES_256 | 26+ |
PBEwithHmacSHA256AndAES_128 | 26+ |
PBEwithHmacSHA256AndAES_256 | 26+ |
PBEwithHmacSHA384AndAES_128 | 26+ |
PBEwithHmacSHA384AndAES_256 | 26+ |
PBEwithHmacSHA512AndAES_128 | 26+ |
PBEwithHmacSHA512AndAES_256 | 26+ |
PBEwithMD5AND128BITAES-CBC-OPENSSL | 1+ |
PBEwithMD5AND192BITAES-CBC-OPENSSL | 1+ |
PBEwithMD5AND256BITAES-CBC-OPENSSL | 1+ |
PBEwithMD5ANDDES | 1+ |
PBEwithMD5ANDRC2 | 1+ |
PBEwithSHA1ANDDES | 1+ |
PBEwithSHA1ANDRC2 | 1+ |
PBEwithSHA256AND128BITAES-CBC-BC | 1+ |
PBEwithSHA256AND192BITAES-CBC-BC | 1+ |
PBEwithSHA256AND256BITAES-CBC-BC | 1+ |
PBEwithSHAAND128BITAES-CBC-BC | 1+ |
PBEwithSHAAND128BITRC2-CBC | 10+ |
PBEwithSHAAND128BITRC4 | 10+ |
PBEwithSHAAND192BITAES-CBC-BC | 1+ |
PBEwithSHAAND2-KEYTRIPLEDES-CBC | 1+ |
PBEwithSHAAND256BITAES-CBC-BC | 1+ |
PBEwithSHAAND3-KEYTRIPLEDES-CBC | 1+ |
PBEwithSHAAND40BITRC2-CBC | 1+ |
PBEwithSHAAND40BITRC4 | 10+ |
PBEwithSHAANDTWOFISH-CBC | 10+ |
PBKDF2withHmacSHA1 | 10+ |
PBKDF2withHmacSHA1And8BIT | 19+ |
PBKDF2withHmacSHA224 | 26+ |
PBKDF2withHmacSHA256 | 26+ |
PBKDF2withHmacSHA384 | 26+ |
PBKDF2withHmacSHA512 | 26+ |
SecureRandom
Algorithm | Supported API levels |
---|---|
SHA1PRNG | 1+ |
Signature
Algorithm | Supported API levels |
---|---|
DSA | 1+ |
DSAwithSHA1 | 1+ |
DSS | 1-19 |
ECDSA | 11+ |
ECDSAwithSHA1 | 11+ |
MD2withRSA | 1-3 |
MD4withRSA | 1-8 |
MD5withRSA | 1+ |
MD5withRSA/ISO9796-2 | 1-8 |
NONEwithDSA | 1+ |
NONEwithECDSA | 11+ |
NONEwithRSA | 17+ |
RSASSA-PSS | 1-8 |
SHA1withDSA | 1+ |
SHA1withECDSA | 11+ |
SHA1withRSA | 1+ |
SHA1withRSA/ISO9796-2 | 1-8 |
SHA1withRSA/PSS | 23+ |
SHA224withDSA | 20+ |
SHA224withECDSA | 20+ |
SHA224withRSA | 20+ |
SHA224withRSA/PSS | 23+ |
SHA256withDSA | 1+ |
SHA256withECDSA | 11+ |
SHA256withRSA | 1+ |
SHA256withRSA/PSS | 23+ |
SHA384withECDSA | 11+ |
SHA384withRSA | 1+ |
SHA384withRSA/PSS | 23+ |
SHA512withECDSA | 11+ |
SHA512withRSA | 1+ |
SHA512withRSA/PSS | 23+ |
TrustManagerFactory
Algorithm | Supported API levels |
---|---|
PKIX | 1+ |