Webservice security
Problem description
I am new to webservice security and am trying hard on it.
There is a webservice which is supposed to bring encrypted data, and the client needs to decrypt it. Following is the class the webservice uses to encrypt the data.
The data on the webservice side is basically a dataset, which is converted to XML and passed as a string to the class to get the encrypted string, which is then passed to the client.
Imports Microsoft.VisualBasic
Imports System
Imports System.Text
Imports System.IO
Imports System.Security.Cryptography

Public Class EnCryptHelper
    Private m_oProvider As TripleDESCryptoServiceProvider = Nothing

    Public Sub New()
        m_oProvider = New TripleDESCryptoServiceProvider
        ' Hard-coded 16-byte (two-key) 3DES key and 8-byte IV; the client uses the same values
        m_oProvider.Key = New Byte() {111, 222, 86, 85, 171, 41, 165, 135, 218, 183, 42, 192, 113, 111, 138, 14}
        m_oProvider.IV = New Byte() {162, 213, 14, 41, 232, 181, 71, 212}
    End Sub

    ''' <summary>
    ''' Encrypts a string with 3DES-CBC and returns the ciphertext as Base64.
    ''' </summary>
    ''' <param name="sStringToEncrypt">Plaintext (the dataset XML)</param>
    ''' <returns>Base64 ciphertext, or an empty string on empty input or any error</returns>
    Public Function EncryptString(ByVal sStringToEncrypt As String) As String
        Dim oWriter As StreamWriter = Nothing
        Dim oEncryptedStream As CryptoStream = Nothing
        Dim oDataStream As MemoryStream = Nothing
        Dim oEncryptedData() As Byte = Nothing
        Dim oEncryptor As ICryptoTransform = Nothing
        Dim sString As String = String.Empty
        Try
            If sStringToEncrypt = String.Empty Then
                Exit Function
            Else
                oEncryptor = m_oProvider.CreateEncryptor()
                Try
                    oDataStream = New MemoryStream
                    Try
                        'Create the encrypted stream
                        oEncryptedStream = New CryptoStream(oDataStream, oEncryptor, CryptoStreamMode.Write)
                        Try
                            'Write the string (UTF-8) to memory via the encryption algorithm
                            oWriter = New StreamWriter(oEncryptedStream)
                            oWriter.Write(sStringToEncrypt)
                            'End the writing
                            oWriter.Flush()
                            oEncryptedStream.FlushFinalBlock()
                            'Position back at start
                            oDataStream.Position = 0
                            'Create area for data (VB array bounds are inclusive, hence Length - 1)
                            ReDim oEncryptedData(CInt(oDataStream.Length) - 1)
                            'Read data from memory
                            oDataStream.Read(oEncryptedData, 0, CInt(oDataStream.Length))
                            'Convert to String
                            sString = Convert.ToBase64String(oEncryptedData, 0, oEncryptedData.Length)
                        Finally
                            oWriter.Close()
                        End Try
                    Finally
                        oEncryptedStream.Close()
                    End Try
                Finally
                    oDataStream.Close()
                End Try
            End If
        Catch ex As Exception
            'Any failure is swallowed and an empty string is returned
        Finally
            EncryptString = sString
        End Try
    End Function
End Class

The web application client gets the encrypted data and decrypts it using the following class.
The client receives the encrypted string, which is decrypted to get the XML string, and then the dataset is retrieved from it.

Imports Microsoft.VisualBasic
Imports System
Imports System.Text
Imports System.IO
Imports System.Security.Cryptography

Public Class DeCryptHelper
    Private m_oProvider As TripleDESCryptoServiceProvider = Nothing

    Public Sub New()
        m_oProvider = New TripleDESCryptoServiceProvider
        ' Same hard-coded key and IV as EnCryptHelper on the webservice side
        m_oProvider.Key = New Byte() {111, 222, 86, 85, 171, 41, 165, 135, 218, 183, 42, 192, 113, 111, 138, 14}
        m_oProvider.IV = New Byte() {162, 213, 14, 41, 232, 181, 71, 212}
    End Sub

    ''' <summary>
    ''' Decrypts a Base64 3DES-CBC ciphertext produced by EnCryptHelper.EncryptString.
    ''' </summary>
    ''' <param name="sStringToDecrypt">Base64 ciphertext received from the webservice</param>
    ''' <returns>The decrypted XML string, or an empty string on empty input or any error</returns>
    Public Function DecryptString(ByVal sStringToDecrypt As String) As String
        Dim retStr As String = String.Empty
        Dim oEncryptedData() As Byte = Nothing
        Dim oDataStream As MemoryStream = Nothing
        Dim oEncryptedStream As CryptoStream = Nothing
        Dim strLen As Integer = -1
        Try
            If sStringToDecrypt = String.Empty Then
                Exit Function
            Else
                'Get the byte data
                oEncryptedData = Convert.FromBase64String(sStringToDecrypt)
                Try
                    oDataStream = New MemoryStream
                    Try
                        'Create decryptor and stream
                        Dim decryptor As ICryptoTransform
                        decryptor = m_oProvider.CreateDecryptor()
                        oEncryptedStream = New CryptoStream(oDataStream, decryptor, CryptoStreamMode.Write)
                        'Write the whole ciphertext through the decryptor into the memory stream
                        oEncryptedStream.Write(oEncryptedData, 0, oEncryptedData.Length)
                        oEncryptedStream.FlushFinalBlock()
                        'Position back at start
                        oDataStream.Position = 0
                        'Determine length of decrypted data
                        strLen = CInt(oDataStream.Length)
                        'Create area for data
                        ReDim oEncryptedData(strLen - 1)
                        'Read decrypted data to byte()
                        oDataStream.Read(oEncryptedData, 0, strLen)
                        'Construct string from byte(); the StreamWriter on the other side wrote UTF-8
                        retStr = Encoding.UTF8.GetString(oEncryptedData, 0, strLen)
                        'Return result
                        Return retStr
                    Finally
                        oEncryptedStream.Close()
                    End Try
                Finally
                    oDataStream.Close()
                End Try
            End If
        Catch ex As Exception
            'Any failure (bad Base64, bad padding, altered ciphertext) is swallowed and an empty string is returned
        Finally
            DecryptString = retStr
        End Try
    End Function
End Class
I have two questions here:
1. Are these two classes sufficient for encryption and decryption? Or does anyone have a better suggestion for this purpose?
2. As you can see, the classes on the webservice side and the client side both use the same key (byte string), which is hard-coded in each class. But say I sell my webservice application to 2 companies. Both companies will be using the same key. Is there a better way to share a key between the webservice and its client? Is it possible to keep it in web.config to make it dynamic?
Any tips will really help.
Thanks
Vijay

Solution

0) You could just put the web service on a secure server.
1) You could write a class that randomizes the key. That way, each side would only need the class so that they can a) create a key, or b) decode the key. Then, package the data into an object that contains the data necessary to decode the key along with the encrypted data. I've actually written code to do this, and while not difficult, it can be a bit tedious.
Maybe I should write an article about it.
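On question 1 of the post, an added example (editor's code, not from the thread) in C#, which targets the same .NET crypto classes as the VB.NET above. It reproduces the posted parameters (3DES, CBC, PKCS7, the page's hard-coded key and IV) and shows why the pair of classes is not sufficient on its own: CBC without an integrity check is malleable, so anyone who can alter the Base64 string between the webservice and the client can flip a chosen byte of the decrypted XML, and the decryptor raises no error. The sample XML row is constructed for the demonstration; the Encrypt/Decrypt helpers are simplified equivalents of EncryptString/DecryptString, not the page's code. Requires .NET Core 3.0 or later.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example, not code from the thread. Reproduces the posted classes'
// parameters (3DES, CBC, PKCS7, fixed key and IV) and shows that an edit to
// the ciphertext decrypts without error while changing a chosen plaintext byte.
static class CbcMalleabilityDemo
{
    // Key and IV hard-coded in EnCryptHelper / DeCryptHelper on this page.
    static readonly byte[] Key = { 111, 222, 86, 85, 171, 41, 165, 135, 218, 183, 42, 192, 113, 111, 138, 14 };
    static readonly byte[] Iv = { 162, 213, 14, 41, 232, 181, 71, 212 };

    static TripleDES NewCipher()
    {
        TripleDES tdes = TripleDES.Create();
        tdes.Key = Key;                      // 16-byte two-key 3DES key, as on the page
        tdes.IV = Iv;
        tdes.Mode = CipherMode.CBC;          // the .NET defaults, made explicit
        tdes.Padding = PaddingMode.PKCS7;
        return tdes;
    }

    // Equivalent of EncryptString: UTF-8 plaintext -> Base64 ciphertext.
    public static string Encrypt(string plaintext)
    {
        using TripleDES tdes = NewCipher();
        using ICryptoTransform enc = tdes.CreateEncryptor();
        byte[] pt = Encoding.UTF8.GetBytes(plaintext);
        return Convert.ToBase64String(enc.TransformFinalBlock(pt, 0, pt.Length));
    }

    // Equivalent of DecryptString, except that errors propagate instead of
    // being swallowed into an empty string.
    public static string Decrypt(string base64)
    {
        using TripleDES tdes = NewCipher();
        using ICryptoTransform dec = tdes.CreateDecryptor();
        byte[] ct = Convert.FromBase64String(base64);
        return Encoding.UTF8.GetString(dec.TransformFinalBlock(ct, 0, ct.Length));
    }

    // CBC decryption computes P[i] = D(C[i]) XOR C[i-1]. XOR-ing one byte of
    // ciphertext block i-1 flips the same byte of plaintext block i and turns
    // plaintext block i-1 into garbage; nothing in the decryptor notices.
    public static string TamperByte(string base64, int byteIndex, byte mask)
    {
        byte[] ct = Convert.FromBase64String(base64);
        ct[byteIndex] ^= mask;
        return Convert.ToBase64String(ct);
    }

    static void Main()
    {
        // Constructed sample row: 25 bytes, 4 CBC blocks after padding.
        // Byte 21 is the '0' of a="0" (block 2, offset 5); bytes 8-15 are
        // digits inside the n attribute value (block 1) and will be scrambled.
        const string xml = "<u n=\"0123456789\" a=\"0\"/>";
        string ct = Encrypt(xml);
        Console.WriteLine(Decrypt(ct));            // <u n="0123456789" a="0"/>

        // Flip bit 0 of byte 5 in ciphertext block 1 -> plaintext byte 21 becomes '1'.
        string forged = TamperByte(ct, 8 + 5, 0x01);
        string result = Decrypt(forged);           // no exception: the final block's padding is intact
        Console.WriteLine(result);                 // <u n="01" + 8 garbage bytes + "\" a=\"1\"/>"
        Console.WriteLine(result.EndsWith("a=\"1\"/>")
            ? "attribute changed in transit; the client cannot tell"
            : "unexpected");
    }
}
```

The scrambled block lands in the preceding 8 bytes, so against a real dataset XML an attacker has to aim at a byte whose preceding block is somewhere corruption is tolerated (inside a long text value, for instance). The page's DecryptString makes this worse rather than better: a padding failure is caught and turned into an empty string, so the client sees neither an exception nor any distinction between "tampered" and "empty". The fix is an authenticated mode or a MAC over the ciphertext, not a different key-sharing scheme.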
If you can give me a code example to randomize the key, that would be great.
I am not sure how to do that as the key is required in byte[] format.
Also, if we package the object with the data necessary to decode the key along with the encrypted data, what if a hacker gets access to this object? He can use the data to decode the key and then decrypt the encrypted data. How do we make this object itself secure?
Thanks
Vijay
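One way to build the "random key packaged with the data" object that the answer describes, and at the same time to stop shipping one hard-coded key to every customer (question 2 of the post). This is an added example in C#, editor's code rather than the thread's or the linked article's; using AES-GCM for the data and RSA-OAEP to wrap the per-message key is my choice, not something the answer specifies. Each client generates its own RSA key pair and only the public key is configured on the webservice (the web.config value the asker mentions). The package an attacker intercepts does contain the wrapped key, but unwrapping it needs the client's private key, which is never in the package or on the service, and any modification of the package is rejected instead of being decrypted. The package layout and the dataset XML are assumptions for the example; requires .NET Core 3.0 or later.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example, not code from the thread or the linked article.
// Per message: fresh random AES-256 key, AES-GCM over the XML (confidentiality
// plus integrity), and that data key wrapped with the client's RSA public key.
// Package = base64(wrappedKey) "." base64(nonce) "." base64(ciphertext || tag).
static class HybridPackageDemo
{
    const int TagBytes = 16;    // AesGcm.TagByteSizes.MaxSize
    const int NonceBytes = 12;  // AesGcm.NonceByteSizes.MaxSize

    // Webservice side: seal the dataset XML for one specific client.
    public static string Seal(string xml, RSA clientPublicKey)
    {
        byte[] dataKey = new byte[32];
        byte[] nonce = new byte[NonceBytes];
        RandomNumberGenerator.Fill(dataKey);   // new key for every message ...
        RandomNumberGenerator.Fill(nonce);     // ... so a nonce is never reused under one key
        byte[] plaintext = Encoding.UTF8.GetBytes(xml);
        byte[] ciphertext = new byte[plaintext.Length];
        byte[] tag = new byte[TagBytes];
        using (var aes = new AesGcm(dataKey))
            aes.Encrypt(nonce, plaintext, ciphertext, tag);
        // Only the holder of the matching private key can recover dataKey.
        byte[] wrappedKey = clientPublicKey.Encrypt(dataKey, RSAEncryptionPadding.OaepSHA256);
        CryptographicOperations.ZeroMemory(dataKey);
        byte[] body = new byte[ciphertext.Length + TagBytes];
        Buffer.BlockCopy(ciphertext, 0, body, 0, ciphertext.Length);
        Buffer.BlockCopy(tag, 0, body, ciphertext.Length, TagBytes);
        return Convert.ToBase64String(wrappedKey) + "." + Convert.ToBase64String(nonce) + "." + Convert.ToBase64String(body);
    }

    // Client side. Throws CryptographicException if any part of the package was
    // altered or if it was sealed for a different client key.
    public static string Open(string package, RSA clientPrivateKey)
    {
        string[] parts = package.Split('.');
        if (parts.Length != 3) throw new FormatException("malformed package");
        byte[] wrappedKey = Convert.FromBase64String(parts[0]);
        byte[] nonce = Convert.FromBase64String(parts[1]);
        byte[] body = Convert.FromBase64String(parts[2]);
        if (nonce.Length != NonceBytes || body.Length < TagBytes) throw new FormatException("malformed package");
        byte[] ciphertext = new byte[body.Length - TagBytes];
        byte[] tag = new byte[TagBytes];
        Buffer.BlockCopy(body, 0, ciphertext, 0, ciphertext.Length);
        Buffer.BlockCopy(body, ciphertext.Length, tag, 0, TagBytes);
        byte[] dataKey = clientPrivateKey.Decrypt(wrappedKey, RSAEncryptionPadding.OaepSHA256);
        byte[] plaintext = new byte[ciphertext.Length];
        try
        {
            using var aes = new AesGcm(dataKey);
            aes.Decrypt(nonce, ciphertext, tag, plaintext);   // tag is verified before plaintext is released
        }
        finally
        {
            CryptographicOperations.ZeroMemory(dataKey);
        }
        return Encoding.UTF8.GetString(plaintext);
    }

    static void Main()
    {
        // Client, once: generate a key pair and hand only the public part to the
        // webservice (for example as a Base64 appSettings value in web.config).
        using RSA clientKey = RSA.Create(2048);
        string publicKeyForConfig = Convert.ToBase64String(clientKey.ExportSubjectPublicKeyInfo());

        // Webservice: load that customer's public key and seal the dataset XML.
        using RSA customerKey = RSA.Create();
        customerKey.ImportSubjectPublicKeyInfo(Convert.FromBase64String(publicKeyForConfig), out _);
        const string xml = "<NewDataSet><row><id>1</id><amount>100</amount></row></NewDataSet>"; // constructed sample
        string package = Seal(xml, customerKey);

        // Client: open with the private key, which never appears in the package.
        Console.WriteLine(Open(package, clientKey) == xml ? "round trip ok" : "mismatch");

        // Intercepting the package yields a wrapped key the attacker cannot unwrap,
        // and any change (here: one bit of the ciphertext) is rejected, not decrypted.
        string[] parts = package.Split('.');
        byte[] body = Convert.FromBase64String(parts[2]);
        body[0] ^= 0x01;
        parts[2] = Convert.ToBase64String(body);
        try { Open(string.Join(".", parts), clientKey); Console.WriteLine("unexpected"); }
        catch (CryptographicException) { Console.WriteLine("tampering detected"); }
    }
}
```

With this layout the key-management question becomes: keep each client's private key on that client only (a certificate store or a DPAPI-protected file), and store each customer's public key in the webservice's web.config in place of a shared secret. Selling the service to two companies then means two public keys in config, and a package sealed for one cannot be opened by the other. This does not replace the "secure server" point in answer 0: the transport should still be TLS, which also protects the request side and the metadata that the package does not cover.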
I wrote this article that shows one method for creating a random key. The article is here:
Create and Share (with a client app) a Random Encryption Key
It's up to you to fill in whatever blanks might exist in your own implementation.