Talend ETL工具(Talend ETL tool)

 分享password （一个char[] ）和salt （由SecureRandom选择的一个byte[] -8字节，使一个好的盐 - 不需要保密）与收件人的带外。 然后从这个信息中得出一个好的密钥： 
 
/* Derive the key, given password and salt. */
SecretKeyFactory factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
KeySpec spec = new PBEKeySpec(password, salt, 65536, 256);
SecretKey tmp = factory.generateSecret(spec);
SecretKey secret = new SecretKeySpec(tmp.getEncoded(), "AES");
 
 魔术数字（可以定义为常数）65536和256分别是关键派生迭代计数和密钥大小。 
 
 重要的推导函数被迭代以需要大量的计算工作，并且可以防止攻击者快速尝试许多不同的密码。 可以根据可用的计算资源来更改迭代计数。 
 
 密钥大小可以减少到128位，这仍然被认为是“强”加密，但是如果发现AES削弱的攻击，则不会给出很大的安全余地。 
 
 使用适当的块链模式，相同的派生密钥可用于加密许多消息。 在CBC中，对于每个消息生成随机初始化向量（IV），即使纯文本相同，也产生不同的密文。 CBC可能不是您可用的最安全的模式（参见下面的AEAD）; 还有许多具有不同安全属性的其他模式，但它们都使用类似的随机输入。 在任何情况下，每个加密操作的输出是密文和初始化向量： 
 
/* Encrypt the message. */
Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
cipher.init(Cipher.ENCRYPT_MODE, secret);
AlgorithmParameters params = cipher.getParameters();
byte[] iv = params.getParameterSpec(IvParameterSpec.class).getIV();
byte[] ciphertext = cipher.doFinal("Hello, World!".getBytes("UTF-8"));
 
 存储ciphertext和iv 。 在解密时， SecretKey以完全相同的方式重新生成，使用具有相同盐和迭代参数的密码。 使用此密钥初始化密码， 并使用消息存储初始化向量： 
 
/* Decrypt the message, given derived key and initialization vector. */
Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
cipher.init(Cipher.DECRYPT_MODE, secret, new IvParameterSpec(iv));
String plaintext = new String(cipher.doFinal(ciphertext), "UTF-8");
System.out.println(plaintext);
 
 
 Java 7包括对AEAD加密模式的API支持，OpenJDK和Oracle发行版中提供的“SunJCE”提供程序以Java 8开始实现。强烈建议其中一种模式代替CBC; 它将保护数据的完整性及其隐私。 
 
 
 带有消息“非法密钥大小或默认参数”的java.security.InvalidKeyException意味着密码强度有限; 无限制的权限策略文件不在正确的位置。 在JDK中，应该放在${jdk}/jre/lib/security 
 
 根据问题描述，看起来策略文件没有正确安装。 系统可以轻松拥有多个Java运行时; 仔细检查以确保使用正确的位置。 

Share the password (a char[]) and salt (a byte[]—8 bytes selected by a SecureRandom makes a good salt—which doesn't need to be kept secret) with the recipient out-of-band. Then to derive a good key from this information:
 
/* Derive the key, given password and salt. */
SecretKeyFactory factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
KeySpec spec = new PBEKeySpec(password, salt, 65536, 256);
SecretKey tmp = factory.generateSecret(spec);
SecretKey secret = new SecretKeySpec(tmp.getEncoded(), "AES");
 
The magic numbers (which could be defined as constants somewhere) 65536 and 256 are the key derivation iteration count and the key size, respectively.
 
The key derivation function is iterated to require significant computational effort, and that prevents attackers from quickly trying many different passwords. The iteration count can be changed depending on the computing resources available. 
 
The key size can be reduced to 128 bits, which is still considered "strong" encryption, but it doesn't give much of a safety margin if attacks are discovered that weaken AES.
 
Used with a proper block-chaining mode, the same derived key can be used to encrypt many messages. In Cipher Block Chaining (CBC), a random initialization vector (IV) is generated for each message, yielding different cipher text even if the plain text is identical. CBC may not be the most secure mode available to you (see AEAD below); there are many other modes with different security properties, but they all use a similar random input. In any case, the outputs of each encryption operation are the cipher text and the initialization vector:
 
/* Encrypt the message. */
Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
cipher.init(Cipher.ENCRYPT_MODE, secret);
AlgorithmParameters params = cipher.getParameters();
byte[] iv = params.getParameterSpec(IvParameterSpec.class).getIV();
byte[] ciphertext = cipher.doFinal("Hello, World!".getBytes("UTF-8"));
 
Store the ciphertext and the iv. On decryption, the SecretKey is regenerated in exactly the same way, using using the password with the same salt and iteration parameters. Initialize the cipher with this key and the initialization vector stored with the message:
 
/* Decrypt the message, given derived key and initialization vector. */
Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
cipher.init(Cipher.DECRYPT_MODE, secret, new IvParameterSpec(iv));
String plaintext = new String(cipher.doFinal(ciphertext), "UTF-8");
System.out.println(plaintext);
 
 
Java 7 included API support for AEAD cipher modes, and the "SunJCE" provider included with OpenJDK and Oracle distributions implements these beginning with Java 8. One of these modes is strongly recommended in place of CBC; it will protect the integrity of the data as well as their privacy.
 
 
A java.security.InvalidKeyException with the message "Illegal key size or default parameters" means that the cryptography strength is limited; the unlimited strength jurisdiction policy files are not in the correct location. In a JDK, they should be placed under ${jdk}/jre/lib/security 
 
Based on the problem description, it sounds like the policy files are not correctly installed. Systems can easily have multiple Java runtimes; double-check to make sure that the correct location is being used.