将对象序列化为byte [],然后加密byte []
[英]Serialize an Object to a byte[], then encrypting the byte[]
问题描述
I came across a case where I need to encrypt an object in order to send it for delivery over a .NET Remoting connection. 
我遇到一种情况,我需要加密一个对象才能通过.NET Remoting连接发送该对象以进行传递。 I have already implemented string encryption in our code, so I used a similar design for encrypting the object: 我已经在代码中实现了字符串加密,因此我使用了类似的设计来加密对象:
public static byte[] Encrypt(object obj)
{
byte[] bytes = ToByteArray(toEncrypt); // code below
using (SymmetricAlgorithm algo = SymmetricAlgorithm.Create())
{
using (System.IO.MemoryStream ms = new System.IO.MemoryStream())
{
byte[] key = Encoding.ASCII.GetBytes(KEY);
byte[] iv = Encoding.ASCII.GetBytes(IV);
using (CryptoStream cs = new CryptoStream(ms, algo.CreateEncryptor(key, iv), CryptoStreamMode.Write))
{
cs.Write(bytes, 0, bytes.Length);
cs.Close();
return ms.ToArray();
}
}
}
}
private static byte[] ToByteArray(object obj)
{
byte[] bytes = null;
if (obj != null)
{
using (System.IO.MemoryStream ms = new System.IO.MemoryStream())
{
BinaryFormatter bf = new BinaryFormatter();
bf.Serialize(ms, obj);
bytes = ms.ToArray();
}
}
return bytes;
}
Is there anything I need to watch out for by serializing and encrypting the object in this way? 通过这种方式对对象进行序列化和加密,我需要注意什么吗?
2 个解决方案
解决方案1
3 2013-04-19 20:08:14
What exactly is the aim here? 目的到底是什么? If you are only interested in the security of the data over-the-wire, then since you are using .NET remoting which supports transparent encryption, why not use that, rather than go to the trouble of implementing it yourself? 如果您仅对在线数据的安全性感兴趣,那么既然您使用的是支持透明加密的.NET远程处理,为什么不使用它,而不是麻烦自己实现呢?
If you do insist on performing your own encryption, then it's worth noting that you appear to be using a constant IV, which is incorrect. 如果您确实坚持执行自己的加密,那么值得注意的是您似乎在使用常数IV,这是不正确的。 The IV should be a random byte array, and different for each encrypted message. IV应该是一个随机字节数组,并且每个加密的消息都应不同。 This is generally prepended to the encrypted message before transmission for use in the decryption process. 通常在传输之前将其添加到加密消息中以供解密过程使用。
As a further note, since your key and IV are both converted from strings using Encoding.ASCII.GetBytes, which is intend for 7 bit ASCII input, you are reducing the effective key space significantly. 进一步说明,由于密钥和IV都是使用Encoding.ASCII.GetBytes从字符串转换而来的,而Encoding.ASCII.GetBytes用于7位ASCII输入,因此您将大大减少有效密钥空间。
解决方案2
1 已采纳 2013-04-19 18:52:46
The only thing I can think of, is that generally after encrypting the data you should write over the plain-text array with NULLs. 我唯一能想到的是,通常在加密数据之后,您应该使用NULL在纯文本数组上写入。 This is so that the plain-text isn't recoverable in memory, and if it is written out to disk in a page file or swap, it won't be recoverable by a malicious program/user. 这样一来,纯文本就无法在内存中恢复,并且如果将其以页面文件或交换方式写出到磁盘中,则恶意程序/用户将无法恢复该纯文本。 If the sensitivity of the data is not a concern though, this may not be necessary, but it is a good habit to get into. 如果不考虑数据的敏感性,则可能没有必要,但这是一个很好的习惯。
EDIT: 编辑:
That being said however, never roll your own if you don't have to (which you rarely ever do). 话虽这么说,但如果没有必要, 切勿自己动手(您很少这样做)。 Chances are very good you'll screw it up and make it vulnerable to attack unless you really know what you're doing. 除非您真的知道自己在做什么,否则很有可能将其弄糟并使其容易受到攻击。 If you don't understand or don't like the built-in APIs, the gents over at Bouncy Castle have done outstanding work at creating libraries for you to use, and in many different languages. 如果您不理解或不喜欢内置的API, Bouncy Castle的工作人员在创建供您使用的库以及多种语言方面都做得非常出色。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.