简体繁体 English

要加密的请求中的C＃Web服务密码

[英]C# web service password in the request to be encrypted

原文 2012-03-05 14:36:29 3 3 c#/ web-services/ security

I am working on the web service. 我正在开发Web服务。 A user is going to be able to create a user account using a form on different asp.net project. 用户将能够使用不同asp.net项目上的表单创建用户帐户。 So when the user enters the password information I need to store that encrpted in a database. 因此，当用户输入密码信息时，我需要存储加密到数据库中的信息。 But now when the user sends the user credentials through for a web services then I need to the user to send that password encrpted for security purposes. 但是现在当用户通过Web服务发送用户凭据时，我需要用户发送该密码以用于安全目的。

Now how can we both have the same ecrption procedure so that I will be able to validate the request. 现在我们如何才能拥有相同的ecrption程序，以便我能够验证请求。

3 个解决方案

What you want is to use HTTPS connection to transfer the password from the user to the server safely. 您想要的是使用HTTPS连接将密码从用户安全地传输到服务器。 Here is the explanation on how to set up the development environment with IIS for HTTPS - scottgu link . 以下是有关如何使用IIS为HTTPS设置开发环境的说明 - scottgu链接。

HTTPS protocol will handle the encryption and decryption and you just deal with the plain-text password on the server-side. HTTPS协议将处理加密和解密，您只需处理服务器端的纯文本密码。

After that, on the server side, you compute the hash of the password and compare it to the hash stored in the database. 之后，在服务器端，您计算密码的哈希值并将其与存储在数据库中的哈希值进行比较。 Standard ASP.NET SQL membership provider can be used for this. 可以使用标准的ASP.NET SQL成员资格提供程序。

There is a good explanation from Jeff Atwood on the problems behind storing and hashing passwords - coding horror link . Jeff Atwood对存储和散列密码背后的问题有一个很好的解释 - 编码恐怖链接。

You can encrypt the info you need using System.Security.Cryptography; 您可以使用System.Security.Cryptography;加密所需的信息System.Security.Cryptography;

have a look at the below: 看看下面的内容：

http://jakkaj.wordpress.com/2007/10/27/encrypting-and-securing-web-service-traffic-without-ssl/ http://jakkaj.wordpress.com/2007/10/27/encrypting-and-securing-web-service-traffic-without-ssl/

Bear in mind that anything you do to provide "encryption" that isn't using SSL/TLS is likely to be vulnerable 请记住，您提供的任何不使用SSL / TLS的“加密”都可能容易受到攻击

If the user's browser in any way knows how to encrypt your password then you kind of lose the point and a smart hacker could extract that encryption. 如果用户的浏览器以任何方式知道如何加密您的密码，那么您就会失去意义，聪明的黑客可以提取该加密。

Using SSL to pass information directly to your application is essentially doing what you're asking and is the accepted secure way to receive the password. 使用SSL将信息直接传递到您的应用程序基本上是在做您所要求的，并且是接受密码的可接受的安全方式。 You will just have to check against your encrypted version in the database. 您只需要检查数据库中的加密版本。

Your app receives the password raw (browser and server have taken care of encrypt/decrypt), then your app encrypts it and looks in the database for a match. 您的应用程序接收到原始密码（浏览器和服务器已负责加密/解密），然后您的应用程序对其进行加密并在数据库中查找匹配项。

The other way this is done with web services is using a single login step that returns an expiring token which is used for further communication. 使用Web服务完成此操作的另一种方法是使用单个登录步骤，该步骤返回用于进一步通信的过期令牌。 OAuth is the most popular so do some googling on that. OAuth是最受欢迎的，所以做一些谷歌搜索。