WCF Encryption solution for App.config viewable to a client?


Question

I have a desktop application which contains an App.config (program.exe.config at release) with clearly visible elements which define my WCF endpoints and WCF implementation.

I would ideally like to hide this from the user's eyes, from simple hacking, viewing and changing.

Should I:

  1. Programmatically create and store the WCF endpoint and binding configuration in code; or

  2. Implement some protection scheme on the App.config (if so, what, and how) that effectively obfuscates/encrypts these elements from public view but leaves them readable from my code?

I already utilise .NET Reactor to obfuscate and protect my program from reflection techniques.

Update 13/05/09 3:32 GMT+10
Ok, I managed to encrypt system.serviceModel, but it proved unusable because an exception was thrown when the application started (System.TypeInitializationException:

  <system.serviceModel>
    <!-- [bindings] -->
    <bindings configProtectionProvider="DPAPIProtection">
      <EncryptedData>
        <CipherData>
          <CipherValue>AQAAANCMnd8BFdERjHoAwE/Cl+...

idea. I will either abandon this idea, or set my endpoints in code after encryption.

Is anyone else concerned that their endpoint addresses are clearly visible in the config?

Answer

Protecting it from change is easier than protecting it from view.

If it is simply change/hacking you are worried about, you can just compute a digital signature on the XML elements that comprise your unchangeable WCF settings, using your public key. If the customer changes anything, the sig won't match.

I don't know a good way to protect it from view, really, because a determined person is going to be able to find out what you are doing in WCF (as the previous poster pointed out). You could make it more difficult, but that wouldn't prevent someone from viewing or learning the information.

Update

You need to use your own RSA private key for signing. Maybe you have an RSA keypair already. If not, you might generate a keypair, once, to do the signing. Like this.

        // requires: using System.Security.Cryptography;
        int keySize = 1024; // you choose (2048 or larger is the current recommendation)

        // Let the CSP generate the key pair directly; a helper such as
        // Keys.GenerateKeyPair() is not part of the framework.
        RSACryptoServiceProvider rsaKey = new RSACryptoServiceProvider(keySize);

Once you have that, you can export and save it. For your own use, signing, you want the private key. For verification, apps will use the public key. This is how you get them.

        string PublicKeyXml = rsaKey.ToXmlString(false);
        string PrivateKeyXml = rsaKey.ToXmlString(true);

Store these. If you ever want to sign something again using the same private key, get the RSA CSP with the FromXmlString() method, passing the PrivateKeyXml. If you want to verify, use FromXmlString() passing the PublicKeyXml.

Once you have the key and the XML to be signed, you can do the signing. This happens just during packaging and deployment, when you create and finalize the configuration.

    // Sign an XML document with an enveloped XML-DSig signature.
    // The document can only be verified by code that holds the public
    // half of the key with which it was signed.
    // requires: using System.Security.Cryptography;
    //           using System.Security.Cryptography.Xml;
    //           using System.Xml;
    public static void SignXml(System.Xml.XmlDocument Doc, RSA Key)
    {
        // Check arguments.
        if (Doc == null)
            throw new ArgumentNullException("Doc");
        if (Key == null)
            throw new ArgumentNullException("Key");

        // Create a SignedXml object.
        System.Security.Cryptography.Xml.SignedXml signedXml = new SignedXml(Doc);

        // Add the key to the SignedXml document.
        signedXml.SigningKey = Key;

        // Create a reference to be signed.
        Reference reference = new Reference();
        reference.Uri = "";

        // Add an enveloped transformation to the reference.
        var env = new XmlDsigEnvelopedSignatureTransform();
        reference.AddTransform(env);

        // Add the reference to the SignedXml object.
        signedXml.AddReference(reference);

        // Compute the signature.
        signedXml.ComputeSignature();

        // Get the XML representation of the signature and save
        // it to an XmlElement object.
        XmlElement xmlDigitalSignature = signedXml.GetXml();

        // Append the element to the XML document.
        Doc.DocumentElement.AppendChild(Doc.ImportNode(xmlDigitalSignature, true));
    }

Then, embed the signed XML into app.config or as a string in the app, or whatever. When the app runs, you verify the signature at runtime, using the public key blob.

        // Verify the signature of the signed XML.
        RSACryptoServiceProvider rsaCsp = new RSACryptoServiceProvider();
        rsaCsp.FromXmlString(PublicKeyXml);

        bool isValid = VerifyXml(xmlDoc, rsaCsp);

Here's some code that does signature verification:

    // Verify the signature of an XML document against an asymmetric
    // algorithm (the public key) and return the result.
    // Static, so it can be called as shown above without an instance.
    public static bool VerifyXml(XmlDocument Doc, RSA Key)
    {
        // Check arguments.
        if (Doc == null)
            throw new ArgumentNullException("Doc");
        if (Key == null)
            throw new ArgumentNullException("Key");

        // Create a new SignedXml object and pass it
        // the XML document class.
        System.Security.Cryptography.Xml.SignedXml signedXml = new SignedXml(Doc);

        // Find the "Signature" node and create a new XmlNodeList object.
        XmlNodeList nodeList = Doc.GetElementsByTagName("Signature");

        // Throw an exception if no signature was found.
        if (nodeList.Count <= 0)
        {
            throw new CryptographicException("Verification failed: No Signature was found in the document.");
        }

        // Though it is possible to have multiple signatures on 
        // an XML document, this app only supports one signature for
        // the entire XML document.  Throw an exception 
        // if more than one signature was found.
        if (nodeList.Count >= 2)
        {
            throw new CryptographicException("Verification failed: More than one signature was found for the document.");
        }

        // Load the first <signature> node.  
        signedXml.LoadXml((XmlElement)nodeList[0]);

        // Check the signature and return the result.
        return signedXml.CheckSignature(Key);
    }

To test that your signature and verification actually do work, modify either the signature or the XML content that has been signed. You should see the verification fail. In the case of failed verification, your app might throw, or exit, or whatever.
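The whole round trip the answer describes (generate a key pair once, sign the settings fragment at packaging time, verify at startup with the public key only, then confirm that an edited endpoint address fails verification), as one added, self-contained example. This is editor-added code, not the answer's own; the `<wcfSettings>` fragment, the `ConfigSigningDemo` class and the `.invalid` host names are constructed for the illustration.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.Xml;
using System.Xml;

// Added example (not from the original answer): sign a WCF endpoint fragment at
// build time, verify it at startup with the public key, and show that editing an
// endpoint address makes verification fail. Element names and hosts are constructed.
public static class ConfigSigningDemo
{
    // Constructed sample: the part of the config the app must be able to trust.
    const string ConfigXml =
        "<wcfSettings>" +
        "  <endpoint address=\"http://service.example.invalid/Orders\" " +
        "binding=\"wsHttpBinding\" contract=\"IOrderService\" />" +
        "</wcfSettings>";

    // Packaging step: sign with the private key. Runs once, never in the shipped app.
    public static string Sign(string xml, RSA privateKey)
    {
        var doc = new XmlDocument { PreserveWhitespace = true };
        doc.LoadXml(xml);

        var signedXml = new SignedXml(doc) { SigningKey = privateKey };
        var reference = new Reference { Uri = "" };  // "" = the whole document
        reference.AddTransform(new XmlDsigEnvelopedSignatureTransform());
        signedXml.AddReference(reference);
        signedXml.ComputeSignature();

        // Envelope the <Signature> element inside the signed document.
        doc.DocumentElement.AppendChild(doc.ImportNode(signedXml.GetXml(), true));
        return doc.OuterXml;
    }

    // Startup step: verify with the public key only.
    public static bool Verify(string signedXmlText, RSA publicKey)
    {
        var doc = new XmlDocument { PreserveWhitespace = true };
        doc.LoadXml(signedXmlText);

        // Look the signature up by its XML-DSig namespace, not just its local name.
        XmlNodeList sigs = doc.GetElementsByTagName("Signature", SignedXml.XmlDsigNamespaceUrl);
        if (sigs.Count != 1)
            return false;  // none or several signatures: treat as not trustworthy

        var signedXml = new SignedXml(doc);
        signedXml.LoadXml((XmlElement)sigs[0]);
        return signedXml.CheckSignature(publicKey);
    }

    public static void Main()
    {
        // Key pair generated once; only the public half goes into the application.
        using (var rsa = new RSACryptoServiceProvider(2048))
        {
            string privateKeyXml = rsa.ToXmlString(true);
            string publicKeyXml = rsa.ToXmlString(false);

            var signer = new RSACryptoServiceProvider();
            signer.FromXmlString(privateKeyXml);
            string signed = Sign(ConfigXml, signer);

            var verifier = new RSACryptoServiceProvider();
            verifier.FromXmlString(publicKeyXml);
            Console.WriteLine("untouched config verifies: " + Verify(signed, verifier));

            // The "simple hack" from the question: an edited endpoint address.
            string tampered = signed.Replace("service.example.invalid", "other-host.example.invalid");
            Console.WriteLine("tampered config verifies:  " + Verify(tampered, verifier));
        }
    }
}
```

Expected behaviour: the first line prints `True`, the second `False`, because the enveloped reference digest covers everything except the `<Signature>` element itself. Note that this only helps if the public key is compiled into the application (as the answer says, a string or blob in code) rather than read from the same editable config file; otherwise a user can replace both the settings and the key they are checked against.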
