Store IV and Key for Rijndael

Posted 2019-09-01 11:06

I need to store username and password in an app.config. I want to encrypt these values using Rijndael algorithm. Where do I store the key and IV for decrypting the un and pw? I need to deploy the application to different servers with different users.

4 answers
Root(大扎)
#2 · 2019-09-01 11:43

How about using machine key encryption to do it? There is (as far as I know) no easy way of doing this, but you can hack your way into the framework using reflection. The machine key is either not or only partially stored on a machine. If you configure ASP.NET to 'Generate a unique key for each application', the application's path is used to derive the key.

The code would be something like this:

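using System;
using System.Reflection;
using System.Text;
using System.Web.Security;

// Members of a class in a project that references System.Web.
// CookieProtectionHelper is an internal type, so its signature is not guaranteed
// across .NET Framework versions.
private static MethodInfo _cookieEncryptMethod;
private static MethodInfo _cookieDecryptMethod;

public static string MachineKeyEncrypt(string data)
{
    if (_cookieEncryptMethod == null)
    {
        // Look the type up through the System.Web assembly: Type.GetType with a bare
        // type name only searches the calling assembly and mscorlib and returns null here.
        _cookieEncryptMethod = typeof(CookieProtection).Assembly.GetType("System.Web.Security.CookieProtectionHelper").GetMethod("Encode", BindingFlags.Static | BindingFlags.NonPublic | BindingFlags.InvokeMethod);
    }

    var dataBytes = Encoding.UTF8.GetBytes(data);

    // CookieProtection.All = encrypt and validate (MAC) with the machine key
    return (string) _cookieEncryptMethod.Invoke(null, new object[] { CookieProtection.All, dataBytes, dataBytes.Length });
}

public static string MachineKeyDecrypt(string source)
{
    if (_cookieDecryptMethod == null)
    {
        _cookieDecryptMethod = typeof(CookieProtection).Assembly.GetType("System.Web.Security.CookieProtectionHelper").GetMethod("Decode", BindingFlags.Static | BindingFlags.NonPublic | BindingFlags.InvokeMethod);
    }

    var data = (byte[]) _cookieDecryptMethod.Invoke(null, new object[] { CookieProtection.All, source });

    return Encoding.UTF8.GetString(data);
}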
#3 · 2019-09-01 11:50

Encrypting the web.config or app.config file is usually done with RSA or DPAPI encryption.

I'm not sure if it would suit you in your case; it's only effective if the users of the applications are restricted and not administrators.

http://msdn.microsoft.com/en-us/library/ff647398.aspx

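Added example (not part of the original answer): one way to apply the DPAPI option mentioned above to an app.config through the framework's built-in protected-configuration providers. It assumes the username and password live in `appSettings`, that the process may write its own config file, and that `ServiceUser` is a hypothetical key name.

```csharp
using System;
using System.Configuration;   // add a reference to System.Configuration.dll

static class ConfigProtector
{
    // Built-in provider names: "DataProtectionConfigurationProvider" (DPAPI)
    // or "RsaProtectedConfigurationProvider" (RSA key container).
    const string Provider = "DataProtectionConfigurationProvider";

    // Encrypts the named section of this executable's config file in place.
    // Returns true if this call encrypted it, false if it was already protected.
    public static bool ProtectSection(string sectionName)
    {
        Configuration config =
            ConfigurationManager.OpenExeConfiguration(ConfigurationUserLevel.None);
        ConfigurationSection section = config.GetSection(sectionName);
        if (section == null)
            throw new ConfigurationErrorsException("Section not found: " + sectionName);
        if (section.SectionInformation.IsProtected)
            return false;

        section.SectionInformation.ProtectSection(Provider);
        section.SectionInformation.ForceSave = true;
        config.Save(ConfigurationSaveMode.Modified);
        ConfigurationManager.RefreshSection(sectionName);
        return true;
    }

    static void Main()
    {
        // Run once on each server after deployment, under an account that is
        // allowed to write the .exe.config file.
        bool changed = ProtectSection("appSettings");
        Console.WriteLine(changed ? "appSettings encrypted" : "appSettings already protected");

        // Reads stay unchanged: the framework decrypts the section on access.
        // "ServiceUser" is a hypothetical key name used for illustration.
        string user = ConfigurationManager.AppSettings["ServiceUser"];
        Console.WriteLine(user != null ? "credentials readable" : "key missing");
    }
}
```

With the DPAPI provider the ciphertext is bound to the machine that produced it, so the section has to be encrypted on each server rather than shipped already encrypted.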
走好不送
#4 · 2019-09-01 11:52

Ideally in a text file in a location not accessible via web, only via the local filesystem with tight permissions.

If you need to distribute the app, you could use the following structure:

  • C:\MyApp for the key and other private information
  • C:\MyApp\www for the virtual directory

This will prevent prying eyes (or webserver bugs) from accessing the data. Only physical access to the machine will potentially reveal it, and that usually can be better controlled.

劫难
#5 · 2019-09-01 11:55

Definitely don't store in the assembly - a relatively simple look at the IL would probably give up the secret. Even obfuscating it would provide little extra security.

Easiest would be to use the OS \ file-system security locally on the different servers to control read access to the key file.
