Integrity and Authenticity

2019-08-05 06:11发布

问题:

Sorry to keep asking so many questions, but you guys always seem to be so nice and helpful...

I need to do some application that imports data from a file. For instance, user selects one file and the application imports some data to database.

But I've been thinking, and this kind of app leads to a problem of integrity and authenticity of files. If a user changes the file the application is not allowed to use that information. And if one file is not from a source well known, the application can't use that file.

How do I do this kind of thing?

P.S.: I'm using C#.NET

回答1:

Authentication and integrity are provided by digital signatures.

Follow driis' advice if you control the file format.

Alternately, if the file is XML, use an XML Signature.

Using C#/.NET:

  • Sign XML Documents
  • Verify the Digital Signatures of XML Documents


回答2:

If you can control the source file format, you can embed a digital signature. If you base the signature on a hash of the file contents, then you can be sure that the file comes from a trusted source, and that is has not been tampered with.



回答3:

It depends on how strong you want this protection.

For example, you can have an xml file (for human readability) which has a hash node somewhere which contains the hash of the original file (+salt). This can be updated by the program, but the user can have a harder time figuring out what that key means. When the program opens the file, it calculates the hash and checks if it's the same as the one written in the file.

You can even take one step further and use digital signatures, but that's way more complicated.