RSACryptoServiceProvider and Web.config encryption

Question

I am new to cryptography. I want to encrypt the connection string section and some other sections in the web.config. I know this can be accomplished using RSACryptoServiceProvider. But I am not sure about the key which is being used by the default RSACryptoServiceProvider and the key size. As per our organization's security policy the key size should be 196 bit, and we have to share the key used for encryption with the security team.

When we use the default encryption, what key will be used internally by asp.net for encryption/decryption, and what is the key size?

In order to use a custom key which can be shared with the security team, do we need to create a custom class by inheriting RSACryptoServiceProvider?

Also, RSA Key Container is a bit confusing. Is it a container for the key or the key itself?

Please advise.

Answer

RSA key container files which are exported from aspnet_regiis.exe are indeed containers for the key. They are XML files. Actually, as RSA is public key crypto, the key container holds both the public key and private key (if you export both).

When you perform web.config or app.config encryption via aspnet_regiis.exe, and you do not specify a provider, it will use the value of "defaultProvider". See http://msdn.microsoft.com/en-us/library/zhhddkxy(v=vs.100).aspx. The encrypted output will list the provider name (so that you know how to decrypt it). It appears the default name of the default provider is "RsaProtectedConfigurationProvider". That crypto provider uses a key. The default key has a default name of "NetFrameworkConfigurationKey" (see http://blogs.msdn.com/b/mosharaf/archive/2005/11/17/protectedconfiguration.aspx). The key with that name will have a different value on every machine and is generated when .NET is installed.

A key length of 196 bits sounds like your security team expects you to be performing symmetric key encryption (not asymmetric PKC) of some sort. For example, people brag about their AES key lengths being 256 bits. The .NET 4.0 aspnet_regiis.exe command for creating a custom RSA crypto provider and key uses a key size of 2048 bits (although 1024 is not uncommon from days of yore). I imagine the default RSA provider and default key use default values for key lengths. But to be sure, you might want to export the default key and inspect it yourself. The -pc and -px switches and their associated options (like -size) are documented at http://msdn.microsoft.com/en-us/library/vstudio/k6h9cz8h(v=vs.100).aspx.

If you need to be very specific about a private key, which would be durable beyond a machine reimaging, and would be used by many nodes in a server farm, and which needs to be held in escrow by the security team, you probably want to invest the time in creating a non-default crypto provider of the RsaProtectedConfigurationProvider type (not inventing your own CSP class as an alternative to RsaProtectedConfigurationProvider).

One last thing to note: web.config XML encryption is performed in a multi-step process. First, the encryption process generates a random symmetric key (which is short in comparison to an RSA key) which will be used to encrypt a plaintext corpus. The plaintext is encrypted with the symmetric key (after the corpus is normalized for whitespace, etc.). Then, the symmetric key (which is short compared to the corpus) is encrypted using an RSA public key. If the whole plaintext corpus was encrypted with an RSA public key, it would take a long time to decrypt. So when you look at a block of encrypted XML in an encrypted web.config you will really see two things: an encrypted key section, and an encrypted data section. To decrypt the ciphertext, ASP.NET needs to first decrypt the encrypted symmetric key, and then use the decrypted key to decrypt the stuff you actually want as plaintext.

There is an example of the two levels of encryption at "Problem with decrypting xml document". What is apparent (and perhaps troubling) is that the RSA crypto provider uses Triple DES in CBC mode for the symmetric crypto algorithm underlying the RSA PKC which you think is really providing the encryption. See this person's frustration around trying to change the symmetric algorithm to AES, for example, Change Microsoft Config File Encryption Method From TripleDES. Triple DES is only recommended for use until 2030 in very ideal scenarios (see http://en.wikipedia.org/wiki/Triple_DES#Security) by the algorithm's endorsers (NIST). NIST had a bake-off years ago for a replacement symmetric algorithm suite, which they have chosen and endorsed as AES (http://en.wikipedia.org/wiki/Advanced_Encryption_Standard). So to use AES-192 or AES-256, you would need to invent your own CSP class as an alternative to RsaProtectedConfigurationProvider, then make it available for creating providers and performing encrypt/decrypt operations from ASP.NET.

Here is another stack-overflow article which is relevant: ASP.NET Encryption - aspnet_regiis - Farm.

Here is a guide to creating/exporting RSA crypto providers and keys for spreading around in a farm, for example: http://msdn.microsoft.com/en-us/library/2w117ede(v=vs.100).aspx
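The two-layer scheme the answer describes (a fresh random symmetric key encrypts the data, and the RSA public key encrypts only that key) can be shown with plain .NET crypto. The following is an added example written for this page; it is not the answer's code and not ASP.NET's own RsaProtectedConfigurationProvider implementation. The class and method names (HybridEnvelope, Seal, Open, HybridDemo) and the sample plaintext are invented for the demo, and it assumes .NET Framework 4.7.2 or later, or .NET Core/.NET 5+, for RSA.Create(int). It runs the same envelope once with Triple DES in CBC mode (what the stock provider uses) and once with AES-256, to make the point that the symmetric layer is independent of the RSA wrapping.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example (not from the answer or from ASP.NET's own implementation):
// the two-layer scheme described above, in plain .NET crypto. A fresh random
// symmetric key encrypts the data; the RSA public key encrypts only that key.
// "HybridEnvelope", "Seal" and "Open" are names invented for this demo.
public sealed class HybridEnvelope
{
    public byte[] EncryptedKey;   // symmetric key wrapped with the RSA public key (the "encrypted key" part)
    public byte[] IV;             // CBC initialisation vector, stored in the clear
    public byte[] EncryptedData;  // plaintext encrypted under the symmetric key (the "encrypted data" part)

    // Seal: new random key + IV -> encrypt the data -> wrap the key with RSA.
    public static HybridEnvelope Seal(byte[] plaintext, RSA rsaPublic, SymmetricAlgorithm cipher)
    {
        cipher.Mode = CipherMode.CBC;
        cipher.Padding = PaddingMode.PKCS7;
        cipher.GenerateKey();   // never reuse a data key across documents
        cipher.GenerateIV();

        byte[] data;
        using (ICryptoTransform enc = cipher.CreateEncryptor())
            data = enc.TransformFinalBlock(plaintext, 0, plaintext.Length);

        return new HybridEnvelope
        {
            // PKCS#1 v1.5 mirrors the provider's default (useOAEP="false");
            // prefer RSAEncryptionPadding.OaepSHA256 for new designs.
            EncryptedKey = rsaPublic.Encrypt(cipher.Key, RSAEncryptionPadding.Pkcs1),
            IV = cipher.IV,
            EncryptedData = data
        };
    }

    // Open: unwrap the symmetric key with the RSA private key, then decrypt the data.
    public byte[] Open(RSA rsaPrivate, SymmetricAlgorithm cipher)
    {
        cipher.Mode = CipherMode.CBC;
        cipher.Padding = PaddingMode.PKCS7;
        cipher.Key = rsaPrivate.Decrypt(EncryptedKey, RSAEncryptionPadding.Pkcs1);
        cipher.IV = IV;
        using (ICryptoTransform dec = cipher.CreateDecryptor())
            return dec.TransformFinalBlock(EncryptedData, 0, EncryptedData.Length);
    }
}

public static class HybridDemo
{
    // Constructed sample plaintext; the password value is a placeholder.
    const string Sample =
        "<connectionStrings><add name=\"db\" connectionString=\"Server=db01;User Id=app;Password=PLACEHOLDER\" /></connectionStrings>";

    // Seals and reopens the sample with one symmetric algorithm; true if the round trip matches.
    static bool RoundTrip(RSA rsa, Func<SymmetricAlgorithm> factory, string label)
    {
        byte[] plaintext = Encoding.UTF8.GetBytes(Sample);
        HybridEnvelope env;
        using (SymmetricAlgorithm sealer = factory())
            env = HybridEnvelope.Seal(plaintext, rsa, sealer);

        // What you see in a protected web.config: a short wrapped key
        // (always modulus-sized, 256 bytes for 2048-bit RSA) plus the data block.
        Console.WriteLine($"{label}: wrapped key {env.EncryptedKey.Length} bytes, data {env.EncryptedData.Length} bytes");

        byte[] recovered;
        using (SymmetricAlgorithm opener = factory())   // fresh instance: the key must come from the envelope
            recovered = env.Open(rsa, opener);
        return Encoding.UTF8.GetString(recovered) == Sample;
    }

    public static void Main()
    {
        // 2048 bits: the size aspnet_regiis -pc ... -size 2048 would produce.
        using (RSA rsa = RSA.Create(2048))
        {
            // Triple DES in CBC mode: what the stock RsaProtectedConfigurationProvider uses.
            Console.WriteLine("3DES round trip ok: " + RoundTrip(rsa, () => TripleDES.Create(), "3DES"));
            // Swapping the symmetric layer to AES-256 changes nothing about the RSA wrapping,
            // which is why a custom provider (not a new RSA key) is all that AES needs.
            Console.WriteLine("AES round trip ok:  " + RoundTrip(rsa, () => { var a = Aes.Create(); a.KeySize = 256; return a; }, "AES-256"));
        }
    }
}
```

The IV is stored alongside the ciphertext rather than secret, as in XML Encryption; what must stay secret is only the RSA private key in the container, since everything else in the encrypted section derives from it.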
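Before exporting anything for the security team, a practitioner would want to know which provider and key container a machine actually uses and how large that RSA key is, and would then protect the section with a named (non-default) provider bound to a container that can be shared across a farm. The following added example does both; it is written for this page and is not the answer's code or Microsoft's sample. The provider name FarmRsaProvider, the container name FarmKeys, the path C:\inetpub\wwwroot\MyApp and the web.config fragment in the comment are assumptions for the demo; it targets .NET Framework (it needs the System.Web and System.Configuration assemblies) and must run as an account with read access to the key containers.

```csharp
using System;
using System.Configuration;
using System.Web.Configuration;

// Added example (not from the answer or Microsoft's docs): two checks around
// RsaProtectedConfigurationProvider.
//  1. Report the provider and key container ASP.NET uses by default, including
//     the RSA size, without exporting the key.
//  2. Protect <connectionStrings> with a named provider bound to a shared container.
// "FarmRsaProvider", "FarmKeys" and C:\inetpub\wwwroot\MyApp are assumed names.
//
// The named provider must be declared in web.config (assumed fragment):
//   <configProtectedData>
//     <providers>
//       <add name="FarmRsaProvider"
//            type="System.Configuration.RsaProtectedConfigurationProvider, System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
//            keyContainerName="FarmKeys" useMachineContainer="true" />
//     </providers>
//   </configProtectedData>
// The container comes from aspnet_regiis -pc "FarmKeys" -size 2048 -exp, is exported
// with -px (plus -pri for the private half) and imported on each node with -pi.
public static class ConfigProtection
{
    // 1. Name the default provider and measure its RSA key from the public modulus.
    public static string DescribeDefaultProvider()
    {
        string name = ProtectedConfiguration.DefaultProvider;   // "RsaProtectedConfigurationProvider" on a stock install
        var rsaProvider = ProtectedConfiguration.Providers[name] as RsaProtectedConfigurationProvider;
        if (rsaProvider == null)
            return name + " (not an RSA provider)";
        int bits = rsaProvider.RsaPublicKey.Modulus.Length * 8;   // RSA key size in bits
        return $"{name}: container={rsaProvider.KeyContainerName}, machine-level={rsaProvider.UseMachineContainer}, " +
               $"OAEP={rsaProvider.UseOAEP}, RSA key size={bits} bits";
    }

    // 2. Encrypt one section of a physical web.config with the named provider.
    public static string ProtectSection(string physicalPath, string sectionName, string providerName)
    {
        var map = new WebConfigurationFileMap();
        map.VirtualDirectories.Add("/", new VirtualDirectoryMapping(physicalPath, true));
        Configuration config = WebConfigurationManager.OpenMappedWebConfiguration(map, "/");

        ConfigurationSection section = config.GetSection(sectionName);
        if (section == null)
            throw new ArgumentException("section not found: " + sectionName);

        if (!section.SectionInformation.IsProtected)
        {
            section.SectionInformation.ProtectSection(providerName);   // writes <EncryptedData> under the section
            section.SectionInformation.ForceSave = true;
            config.Save(ConfigurationSaveMode.Modified);
        }
        // The saved XML carries configProtectionProvider="<name>", which is how
        // ASP.NET later knows which key container decrypts it.
        return section.SectionInformation.ProtectionProvider.Name;
    }

    public static void Main(string[] args)
    {
        Console.WriteLine(DescribeDefaultProvider());
        string appPath = args.Length > 0 ? args[0] : @"C:\inetpub\wwwroot\MyApp";
        Console.WriteLine("connectionStrings now protected by: " +
                          ProtectSection(appPath, "connectionStrings", "FarmRsaProvider"));
    }
}
```

Run DescribeDefaultProvider on each node first: if the container names or key sizes differ between machines, that is the per-machine default key the answer describes, and the section will only decrypt on the node that encrypted it until every node imports the same exported container and the application pool identity is granted access to it (aspnet_regiis -pa).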
