是否可以将自定义加密应用于Microsoft Web API?
[英]Is is possible to apply custom encryption to Microsoft Web API?
问题描述
We are using Web API 2.0 to serve clients in a context where SSL can't be used (no public internet access, clients can't be expected to trust a self-signed certificate). 
我们正在使用Web API 2.0在无法使用SSL的情况下为客户端提供服务(没有公共Internet访问,不能期望客户端信任自签名证书)。 To secure content moving between the client and server, we'd like to be able to encrypt it. 为了保护在客户端和服务器之间移动的内容,我们希望能够对其进行加密。 We're OK with un-encrypted HTTP headers (only need to encrypt payload). 可以使用未加密的HTTP标头(只需要加密有效负载)就可以了。 The question is: is there a way to insert a custom handler into both the request and response message pipelines so that we can apply a decryption as a request pre-processing step and an encryption as a response post-processing step? 问题是:是否有一种方法可以在请求和响应消息管道中插入自定义处理程序,以便我们可以将解密作为请求预处理步骤,而将加密用作响应后处理步骤?
We are using the built-in features of Web API to serialize/de-serialize between JSON and model classes, and don't want to have to refactor any of that existing code. 我们正在使用Web API的内置功能在JSON和模型类之间进行序列化/反序列化,并且不需要重构任何现有代码。 So an encryption handler would have to be inserted at the very start/end of the request/response pipeline. 因此,必须在请求/响应管道的最开始/结尾处插入加密处理程序。 Is this possible, and if so, what is the technique to insert custom request/response content pre/post processing? 这可能吗?如果可以,插入自定义请求/响应内容的前/后处理技术是什么?
The network is "public" in that users bring their own devices, but the network is isolated from the public internet. 网络是“公共的”,用户可以携带自己的设备,但是网络与公共互联网是隔离的。 Clients will only use a custom application we are developing to consume our Web API service, so we can address implementation issues of a custom encryption scheme on both client and server side. 客户端将仅使用我们正在开发的自定义应用程序来使用Web API服务,因此我们可以在客户端和服务器端解决自定义加密方案的实现问题。
1 个解决方案
解决方案1
0 2015-01-30 17:02:28
If you control the client application, you can hard-code the SSL certificate that the server is expected to return, which means that it doesn't have to validate through the normal PKI means (sometimes called certificate pinning ). 如果您控制客户端应用程序,则可以对服务器期望返回的SSL证书进行硬编码,这意味着它不必通过常规的PKI方式进行验证(有时称为证书固定 )。 Most other approach will result in you attempting to re-invent SSL, but with some fatal flaw. 大多数其他方法会导致您尝试重新发明SSL,但存在一些致命缺陷。
To be explicit, I think you are seeing a conflict between "a context where SSL can't be used (no public internet access, clients can't be expected to trust a self-signed certificate)" and "Clients will only use a custom application we are developing" where one doesn't necessarily exist. 明确地说,我认为您正在看到“无法使用SSL的上下文(没有公共Internet访问,不能期望客户端信任自签名证书)”与“客户端将仅使用我们正在开发的自定义应用程序”中未必存在。 The user doesn't have to know that the certificate is self-signed, and self-signed does not always imply untrusted. 用户不必知道证书是自签名的,并且自签名并不总是意味着不受信任。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.