Issues with protectedData API

I have the following code and the application works successfully sometimes, but for certain users it is not able to decrypt the password. It happens mostly on the server in a multi-user environment; it works great on the dev machine.

    using System;
    using System.Security.Cryptography;

    public static class PasswordProtector
    {
        // Additional entropy mixed into the DPAPI call. The question does not show how this
        // field is initialized; the value below is an assumed placeholder.
        static readonly byte[] s_aditionalEntropy = { 9, 8, 7, 6, 5 };

        public static byte[] Protect(byte[] data)
        {
            try
            {
                // Encrypt the data using DataProtectionScope.CurrentUser. The result can be decrypted
                // only by the same current user.
                return ProtectedData.Protect(data, s_aditionalEntropy, DataProtectionScope.CurrentUser);
            }
            catch (CryptographicException e)
            {
                Console.WriteLine("Data was not encrypted. An error occurred.");
                Console.WriteLine(e.ToString());
                return null;
            }
        }

        public static byte[] Unprotect(byte[] data)
        {
            try
            {
                // Decrypt the data using DataProtectionScope.CurrentUser.
                return ProtectedData.Unprotect(data, s_aditionalEntropy, DataProtectionScope.CurrentUser);
            }
            catch (CryptographicException e)
            {
                Console.WriteLine("Data was not decrypted. An error occurred.");
                Console.WriteLine(e.ToString());
                return null;
            }
        }
    }

In a server-side context you have some problems utilizing it. See details:

CurrentUser Scope: the protected data is associated with CurrentUser; I mean, only the user that encrypted the data may manage to decrypt it - no one else. You may understand it as a routine to protect PERSONAL DATA.

LocalMachine Scope: as mentioned, it allows DIFFERENT USERS to decrypt data but it MAY RESULT IN A SECURITY ISSUE! Using this scope, even users not in the same group/domain will decrypt the data! The control is NOT over the encryption routine, but in the User Access to that server.

If you have a public (or not under a Domain) server and need SOME GUYS to have access to a certain kind of data, you may abandon the DataProtectionScope and try a customized procedure, where:

1 - You check whether the user is authorized.
2 - You provide the mechanism to encrypt and decrypt the data.
3 - You may assume different keys for different users or groups.

For details, please consider seeing this link: https://msdn.microsoft.com/en-us/library/system.security.cryptography.dataprotectionscope(v=vs.110).aspx
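As an added example (not code from the question or from either answer), the wrapper below records which DataProtectionScope was used in a one-byte header in front of the DPAPI blob, so Unprotect never has to guess the scope, and it reports the identity the code is running as when a CurrentUser decrypt fails, which is the usual cause of the "works on the dev box, fails on the server" symptom. The entropy value, the header format and the class name are assumptions of this example.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Principal;
using System.Text;

public static class ScopedDpapi
{
    // Application-specific entropy; a constant here for illustration only (assumed value).
    private static readonly byte[] s_entropy = Encoding.UTF8.GetBytes("example-app-entropy");

    private const byte HeaderCurrentUser = 0x01;   // assumed header format
    private const byte HeaderLocalMachine = 0x02;

    public static byte[] Protect(byte[] plaintext, DataProtectionScope scope)
    {
        byte[] cipher = ProtectedData.Protect(plaintext, s_entropy, scope);
        byte[] blob = new byte[cipher.Length + 1];
        blob[0] = scope == DataProtectionScope.CurrentUser ? HeaderCurrentUser : HeaderLocalMachine;
        Buffer.BlockCopy(cipher, 0, blob, 1, cipher.Length);
        return blob;
    }

    public static byte[] Unprotect(byte[] blob)
    {
        if (blob == null || blob.Length < 2)
            throw new ArgumentException("blob is too short to carry a scope header", nameof(blob));
        DataProtectionScope scope = blob[0] == HeaderCurrentUser
            ? DataProtectionScope.CurrentUser : DataProtectionScope.LocalMachine;
        byte[] cipher = new byte[blob.Length - 1];
        Buffer.BlockCopy(blob, 1, cipher, 0, cipher.Length);
        try
        {
            return ProtectedData.Unprotect(cipher, s_entropy, scope);
        }
        catch (CryptographicException e)
        {
            // Name the running identity so a mismatch with the encrypting account is visible in the log.
            string who = WindowsIdentity.GetCurrent().Name;
            throw new CryptographicException(
                $"Unprotect failed with scope {scope} while running as '{who}'. " +
                "With CurrentUser scope only the encrypting account can decrypt; a service or " +
                "app pool running under a different identity will always fail here.", e);
        }
    }

    public static void Main()
    {
        byte[] blob = Protect(Encoding.UTF8.GetBytes("secret"), DataProtectionScope.CurrentUser);
        Console.WriteLine(Encoding.UTF8.GetString(Unprotect(blob)));
    }
}
```

On .NET Core and .NET 5+ ProtectedData lives in the System.Security.Cryptography.ProtectedData package and is Windows-only; the header byte is not authenticated, so it only selects the scope and does not replace the DPAPI integrity check.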

DataProtectionScope.LocalMachine: This scope is valid for decryption by any authenticated user in the system.

DataProtectionScope.CurrentUser: This scope is valid only for the user whose identity was used to encrypt; only that identity can decrypt it.

    using System;
    using System.Security.Cryptography;

    public static class PasswordProtector
    {
        // Additional entropy mixed into the DPAPI call (assumed placeholder value; not shown in the answer).
        static readonly byte[] s_aditionalEntropy = { 9, 8, 7, 6, 5 };

        public static byte[] Protect(byte[] data)
        {
            try
            {
                // LocalMachine scope: any authenticated user on this machine can decrypt the result.
                return ProtectedData.Protect(data, s_aditionalEntropy, DataProtectionScope.LocalMachine);
            }
            catch (CryptographicException e)
            {
                Console.WriteLine("Data was not encrypted. An error occurred.");
                Console.WriteLine(e.ToString());
                return null;
            }
        }

        public static byte[] Unprotect(byte[] data)
        {
            try
            {
                return ProtectedData.Unprotect(data, s_aditionalEntropy, DataProtectionScope.LocalMachine);
            }
            catch (CryptographicException e)
            {
                Console.WriteLine("Data was not decrypted. An error occurred.");
                Console.WriteLine(e.ToString());
                return null;
            }
        }
    }
