从 TripleDES 更改 Microsoft 配置文件加密方法 [英] Change Microsoft Config File Encryption Method From TripleDES

问题描述

在加密(保护")Microsoft 配置部分时，您会得到类似于下面的 XML 的内容.它遵循(至少部分)XML 加密的 W3 规范.

When encrypting ("protecting") Microsoft config sections, you get something that looks like the XML below. It follows (at least partially) the W3 spec for XML Encryption.

但是，在下面的 XML 中，您会看到 EncryptedData 部分下的 EncryptionMethod 是tripledes-cbc".我们希望能够将其更改为更安全的替代方案，特别是 AES，这也在上述 W3 规范中有所规定.

However, in the XML below you'll see that the EncryptionMethod under the EncryptedData section is "tripledes-cbc". We would like to be able to change that to a more-secure alternative, specifically AES, which is specified in the aforementioned W3 spec as well.

在与 Microsoft 支持工程师的多次通话中，他们根本无法理解问题，更不用说回答了.有没有办法改变这种加密方法?

In many calls with Microsoft's support engineers, they are nowhere near understanding the question, much less answering it. Is there a way to change this encryption method?

我之前忘记提到我们当前设置为 RsaProtectedConfigurationProvider，但似乎只有密钥使用 RSA 加密，而数据使用 3DES 加密.

I forgot to mention earlier that we are currently set to RsaProtectedConfigurationProvider, but only the key appears to be encrypted with RSA, whereas the data is encrypted with 3DES.

<MiscCryptoData configProtectionProvider="someConfigProtectionProvider">
  <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns="http://www.w3.org/2001/04/xmlenc#">
    <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
    <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
        <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
        <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
          <KeyName>Rsa Key</KeyName>
        </KeyInfo>
        <CipherData>
          <CipherValue>asf78ag78asg\...cryptoyadayada...asdf8r=</CipherValue>
        </CipherData>
      </EncryptedKey>
    </KeyInfo>
    <CipherData>
      <CipherValue>zxcv6asdf35...largercryptoyadayada...u7i8o9p=</CipherValue>
    </CipherData>
  </EncryptedData>
</MiscCryptoData>

推荐答案

我刚刚检查了 RsaProtectedConfigurationProvider 使用 Reflector，我发现您无法将 tripledes-cbc 更改为其他任何内容.

I've just checked RsaProtectedConfigurationProvider with the Reflector and as I found out there is nothing you can do to change tripledes-cbc to anything else.

因此，如果您想使用 AES 加密，您必须编写自己的 ProtectedConfigurationProvider.您可能希望使用 Reflector 为您提供一个良好的开端.

So you have to write your own ProtectedConfigurationProvider if you want to use AES encryption. You may want to use the Reflector to give you a good start.

这篇关于从 TripleDES 更改 Microsoft 配置文件加密方法的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！