堆栈内存溢出
  简体   繁体   English

使用.net中的app公钥/私钥加密

[英]Encrypting with app public/private key in .net

 原文  2010-02-03 22:41:28       c#/ .net/ security/ encryption/ backup

问题描述

-new- I found another use. - 我 - 我发现了另一种用途。 Theres some data submitted to me via HTTPS POST data and i'd like to store it in my db (Such as mother maiden name that customer support may need to read later instead of spelling incorrectly checking if the hash matches). 有些数据是通过HTTPS POST数据提交给我的,我想将它存储在我的数据库中(例如客户支持可能需要稍后阅读的母系名称,而不是拼写错误地检查哈希是否匹配)。 I only need that section encrypted and not the entire DB and using a separate DB may not be worth it. 我只需要加密的部分而不是整个数据库,并且使用单独的数据库可能不值得。 Question: How might i use a premade public key to encrypt a symmetrical key + text using .NET? 问题:如何使用预制公钥使用.NET加密对称密钥+文本? (the rest is for context, i just want an answer plz) (其余的是上下文,我只想要一个答案plz)

-edit- I have done symmetrical encryption before. -edit-之前我做过对称加密。 How do i encrypt the symmetrical key with the public key? 如何使用公钥加密对称密钥? a nice bonus is if you can tell me how to generate the public/private key in a separate app so i can create them and store only the public key in my a app. 一个很好的奖励是,如果你可以告诉我如何在一个单独的应用程序中生成公钥/私钥,这样我就可以创建它们并只在我的应用程序中存储公钥。

I am considering having cheaper less stressed site grab backups automatically from a more busy site. 我正在考虑从更繁忙的网站自动减少压力较小的网站抓取备份。 Transferring the data is not a problem since i can use https but i dont completely trust that my cheaper site is as secure or wont have people looking around at my files. 传输数据不是问题,因为我可以使用https但我不完全相信我的便宜的网站是安全的或不会有人环顾我的文件。 I mostly want to protect email address and PM if i have them on the site. 我主要想保护电子邮件地址和PM,如果我在网站上有它们。

So i am wondering how i can have a public or private key in my app which encrypts the data so only i (or whoever i give the key(s) too) can decrypt the backup. 所以我想知道如何在我的应用程序中使用公钥或私钥来加密数据,这样只有我(或者我提供密钥的任何人)才能解密备份。 How do i do this in .NET. 我如何在.NET中执行此操作。 logging in and transferring i can write in a few minutes but how do i encrypt the stream as i write it? 登录和传输我可以在几分钟内写,但我如何加密流我写它?

-edit- it just hit me. - 编辑 - 它只是打我。 The user/pass wouldnt be a secret. 用户/通行证不是秘密。 So i would have to encrypt my backups before the transfer. 所以我必须在传输之前加密我的备份。 How do i encrypt a symmetric key with a public key using .NET. 如何使用.NET使用公钥加密对称密钥。 Then decrypt it on my side. 然后在我身边解密它。 Encryption the file with a symmetric key i know how to do. 使用对称密钥加密文件我知道该怎么做。

3 个解决方案

解决方案1
 14  2010-02-03 22:55:35

First off: defense in depth. 首先:深度防守。 If you have concerns about the security of the backup site secure the backup site . 如果您担心备份站点的安全性,请保护备份站点 Mitigating attacks through encryption is a good idea, but it should not be the only idea. 通过加密缓解攻击是一个好主意,但它不应该是唯一的想法。

Second, why are you thinking about using public/private key crypto? 其次,为什么要考虑使用公钥/私钥加密? Normally you'd only use public/private key crypto when attempting to communicate a message from a sender to a recipient. 通常,在尝试将消息从发件人传递给收件人时,您只使用公钥/私钥加密。 What value does public key crypto add to your scenario? 公钥加密对您的方案有什么价值?

To encrypt the stream in C#, this page might help: 要在C#中加密流,此页面可能会有所帮助:

http://support.microsoft.com/kb/307010 http://support.microsoft.com/kb/307010

UPDATE: 更新:

Absolutely, YES, you have to encrypt the files before they get to the site which you are assuming is compromised . 当然,是的,您必须在文件到达您认为已被盗用的网站之前对其进行加密。

You believe that the site might be insecure. 您认为该网站可能不安全。 The assumption you should be making is that the site is your enemy and is trying to hurt you . 你应该做的假设是该网站是你的敌人,并试图伤害你 Start thinking like your attacker thinks. 像攻击者想的那样开始思考。 What would your enemy do? 你的敌人会做什么? If I were your enemy and you handed me a bunch of files to store on your behalf, I might: 如果我是你的敌人,你递给我一堆文件代表你存储,我可能会:

  • delete your files 删除你的文件
  • corrupt your files 破坏你的文件
  • read your files 读你的文件
  • log every byte that comes in or goes out for analysis later 记录进入或出去进行分析的每个字节
  • replace your files with hostile files -- in particular, all executable code, scripts, and so on, that you store on this site, you should assume are full of viruses targetted specifically at attacking you 用您存储在本网站上的恶意文件(特别是所有可执行代码,脚本等)替换您的文件,您应该假设其中充满了专门针对您攻击的病毒
  • do stuff to get you in trouble -- forge messages that look like they come from you, and so on 做些让你陷入困境的东西 - 伪造看起来像是来自你的消息,等等

Assume that the insecure backup site operators are trying to do all of those things to you. 假设不安全的备份站点操作员正在尝试对您执行所有这些操作。 Crypto is a mitigation for some of those attacks, but not all of them. 加密是对某些攻击的缓解,但不是全部。

No offense, but it is very clear that you do not know enough about crypto to solve this problem with any reasonable chance of getting it secure against real attackers. 没有冒犯,但很明显,你不知道加密来解决这个问题,有任何合理的机会让它对抗真正的攻击者。 That's nothing to be ashamed of; 这没什么好羞耻的; I don't have this knowledge either . 我也没有这方面的知识 Rather, I have sufficient knowledge to know that this problem is beyond me. 相反, 我有足够的知识知道这个问题超出了我的范围。 There's nothing wrong with trying to learn more about crypto; 尝试更多地了解加密是没有错的; I strongly encourage that. 我强烈鼓励。 But if you have a real threat here, and you're trying to mitigate it with professional-strength crypto tools, do not roll your own solution . 但是如果你有一个真正的威胁,并且你正试图用专业级的加密工具来缓解它, 那么就不要推出自己的解决方案了 Go hire an expert consultant in this field who can advise you on what the right thing to do is given the realistic threats that you face. 聘请这个领域的专家顾问,他可以告诉你正确的事情是什么,给你面临的现实威胁。

解决方案2
 1  2010-02-03 22:55:51

You encrypt with a symmetric key, then encrypt the symmetric key with a public key, then drop the symmetric key. 使用对称密钥加密,然后使用公钥加密对称密钥,然后删除对称密钥。 Only the owner of the corresponding private key (you) can later decrypt the symmetric key, and hence the document. 只有相应私钥(您)的所有者才能解密对称密钥,从而解密文档。 There is no secret stored in the app. 应用程序中没有存储任何秘密。 The good news is that ther just about a tonne of out of the box products (pgp) and protocols (s-mime) to solve this. 好消息是,只有大约一吨的开箱即用产品(pgp)和协议(s-mime)才能解决这个问题。

解决方案3
 1  2010-02-11 08:59:56

You can use an symmetric key algorithm (AES, DES, Triple-DES) to perform an encryption on your code, and store it a hex in your database (in a nvarchar field). 您可以使用对称密钥算法(AES,DES,Triple-DES)对代码执行加密,并将其以十六进制形式存储在数据库中(在nvarchar字段中)。 Since, you done need to transfer that in encrypted form to someone else, you wont need to use any assymetric algorithm (like RSA, ElGamal etc.) If you something like RSA, you would also have to consider signing with data using something like PGP. 因为,你需要以加密的形式将其转移给其他人,你不需要使用任何不对称算法(如RSA,ElGamal等)。如果像RSA这样的东西,你还必须考虑使用类似PGP的数据进行数据签名。

But, irrespective of which algorithm you use, you would need to make sure your keys are as secure as possible, ie your symmetric key for AES, and your private key for RSA etc. 但是,无论您使用哪种算法,都需要确保密钥尽可能安全 ,即AES的对称密钥和RSA的私钥等。

This article, provides an tutorial on how to perform Symmetric encryption with/without Salt. 本文提供了有关如何使用/不使用Salt执行对称加密的教程。

http://www.obviex.com/samples/Encryption.aspx http://www.obviex.com/samples/Encryption.aspx

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 Perl和.NET RSA一起工作? 从Perl公钥加密.NET? 从Perl加载私钥? - Perl & .NET RSA working together? Encrypting in .NET from Perl public key? Loading private key from Perl? 在 C# 中使用 RSA 公钥和私钥加密数据 - Encrypting Data using RSA Public and Private Key in C# 使用BouncyCastle加密私钥 - Encrypting a private key with BouncyCastle 使用公钥在php中加密后,如何使用私钥在c#中的块中解密数据? - How can I decrypt data in chunks in c# using a private key after encrypting in php using a public key? 加密X509证书公钥 - Encrypting the X509Certificate public Key 密钥库公钥/私钥 - Keystore public/private key 尝试使用 .net 中的 bouncycastle 使用公钥(非私钥)解密字符串 - Trying to decrypt a string with public key(not private) using bouncycastle in .net 在.NET中将RSA公钥/私钥解密实现为Java / Spring - Implement RSA Public / Private key decryption in .NET to Java / Spring 如何使用(.NET / BouncyCastle)检查私钥/公钥对是否匹配? - How to check if private/public key pair match using (.NET / BouncyCastle)? 使用先前生成的带有.net框架的RSA公钥/私钥 - Using a previously generated RSA public/private key with the .net framework
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM