在ASP.Net应用程序安全地存储(加密)数据 [英] Securely storing (encrypting) data in an ASP.Net application
问题描述
我有一个asp.net应用程序,通过使用Web浏览器的人在互联网上访问。它运行在Web服务器上,并会谈后端数据库。
I have an asp.net application, accessed by people over the internet using web browsers. It runs on a web server and it talks to a backend database.
一些用户想使用的应用程序存储一些私人数据。本的要求是:
Some of the users would like to use the application to store some private data. The requirements of this are:
1)只有谁存储的数据,用户应该能够看到它。
1) Only the user who stored the data should be able to see it.
2)的开发/数据库管理员不应该能看到的数据。
2) The developers/dbas should not be able to see the data.
3)如果Web服务器和数据库服务器被攻破了黑客必须不能够对数据进行解密。
3) If the web server and database server were compromised a hacker must not be able to decrypt the data.
所以,很明显,我将不得不这个数据加密。如果我是加密某个地方都会有一个键,大概盐/ IV。现在的问题是我在哪里存储用来执行解密的数据?如果我把它存储在数据库或Web服务器,然后开发人员,数据库管理员或者黑客可以访问它和解密数据。
So, it's obvious I'm going to have to encrypt this data. If I encrypt it there will be a key somewhere and probably a salt/IV. The question is where do I store the data which is used to perform the decryption? If I store it in the database or the web server then a developer, dba or hacker can access it and decrypt the data.
我觉得我的这个理想的解决办法是私钥是客户机上,这样,他们为它负全部责任。但我不知道如何去了解这跟一个asp.net web应用程序。
I think my ideal solution to this would be for the private key to be on the clients machine, that way they are entirely responsible for it. But I'm not sure of how to go about this with an asp.net web application.
我相信我能创造出还存储私钥(PFX)证书。客户公司可以使用组策略来部署证书自己的域名。但它是可能的ASP.Net应用程序可以请求web浏览器私钥发送给它,以便它可以执行解密?解密在客户端上会比创造的JavaScript的东西我不明白这是怎么可能的最好的,但其他的。
I believe I can create a certificate which also stores a private key (PFX). The client companies could use group policy to deploy the certificate to their domain. But it is possible that the ASP.Net application can request the web browser to send the private key to it so that it can perform the decryption? Decrypting on the client would be best but other than creating something in javascript I don't see how this is possible.
任何意见欢迎。
推荐答案
存储在用户心目中的关键。使用你喜欢的任何口令/密码基于密钥派生算法。该标准是 PBKDF2 。算法的最佳选择取决于precisely您的安全要求,并威胁模式是什么。理想情况下,决策和实施中应至少由安全专家审查。
Store the key in the mind of the user. Use any password/passphrase based key derivation algorithm you like. The standard is PBKDF2. The optimum choice of algorithm will depend on precisely what your security requirements and threat mode is. Ideally, that decision and the implementation should at least be reviewed by a security expert.
这篇关于在ASP.Net应用程序安全地存储(加密)数据的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
