RSA加密问题.net [英] RSA encryption problem .net

问题描述

大家好，

我正在使用.Net RSACryptoProvider加密密码并将其存储
在数据库中.因此，我通过每次导入公共密钥xml文件进行加密来保持公共密钥不变.但是我发现，每次加密的输出都是不同的，即使我保持公钥相同.为什么?

谢谢

Hi all,

I am using .Net RSACryptoProvider to encrypt a password and store it
in a database. So I keep the public key unchanged by importing the public key xml file each time for encryption. But I found that each time the encrpyted output are different even I keep the public key the same. Why ?

Thanks

推荐答案

看不到您的相关代码片段，很难说.

但是，既不需要也不需要存储RSA加密密码.如果这样做，则必须使用已知密钥对每个密码进行加密，必须将其提供给代码，以便在每次需要检查密码时对其进行解密.

而是使用密码的MD5或SHA哈希(最好是SHA，因为MD5被正式归类为无效").由于哈希不可逆，因此您无法从存储的值中找回密码，并且根本不需要密钥即可生成.

要检查密码，请从用户输入的内容中生成哈希值，然后比较两个哈希值.如果它们相同，则密码匹配.

在生成哈希值之前，最好在密码中包含用户名或ID，这样可以防止具有相同密码的两个用户生成相同的哈希值.
为什么我使用RSA加密密码是因为我存储了私钥，而公钥包含在代码中.如果用户忘记了密码，那么他可以将加密后的值发送给我，并且我可以使用私钥进行解密并将其发送回用户.

我现在遇到的问题是，即使使用相同的公共密钥，RSA加密方法也会每次生成不同的加密值."

这不是一个好主意:没有人可以访问密码，甚至您也没有.

如果用户忘记了密码，那么您可以

1)根据他在注册时输入的文字，向他发送提示，就像几个站点一样.
2)将密码重置为随机值，然后通过他的注册地址通过电子邮件发送给他.

如果您按照自己的方式进行操作，那么您将向您不一定知道是原始用户的人发送密码(明确地说).重大安全漏洞！描绘场景:

您注册您的网站.
你去开会.
我使用您的PC从您的网站要求输入密码，声称忘记了密码.
您的网站将其发送给我.
我删除了电子邮件，然后走开了.

现在，我有了您的密码，您不知道发生了什么事.
由于许多人因为忘记了多个密码而对所有事物使用相同的密码，所以我现在也可以访问您的银行...而您仍然不知道密码已经消失了-幸运的我！

没有人，甚至像您这样的受信任的人，也绝对不能访问密码.哈希它们:简单，快速，高效.它在数据库中使用固定空间，因此更加安全.

Without seeing your relevant code fragment, it is difficult to say.

However, it is neither necessary nor desirable to store a RSA encrypted password. If you do, then every password has to be encrypted with a known key, which must be provided to the code in order to decrypt it each time you need to check it.

Instead, use a MD5 or SHA hash of the password (preferably SHA, since MD5 is officially classed as "broken"). Since hashes are not reversible you cannot get back to the password from the stored value and it requires no key at all to generate.

To check the password, generate the hash from what the user input, and compare the two hash values. If they are the same, the passwords match.

It is a good practice to include the Username or ID in with the password before you generate the hash, this prevents two users with the same password from generating identical hash values.
"Why I use RSA encrypted password is that I store the private key and the public key is included in the code. If users forget the password then he can send the encrypted value to me and I can use the private key to decrypt it and send it back to the user.

The problem now I have is that the RSA encryption method generate different encrypted values each time even using the same public key."

Not a good idea: nobody should have access to passwords, not even you.

If the user forgets the password, then you could

1) Send him a hint, as several sites do, based on text he entered when he registered.
2) Reset the password to a random value, and email it to him on his registered address.

If you do it your way, then you are sending a password, in clear, to someone who you do not necessarily know is the original user. Major security breach! Picture the scene:

You sign up for your site.
You go off for a meeting.
I use your PC to request my password from your site, claiming I forgot it.
Your site sends it to me.
I delete the email and walk away.

Now, I have your password, and you don''t know anything has happened.
And since many, many people use the same password for everything because they can''t remember multiple ones, I now have access to your bank as well... And you still don''t know it''s gone - lucky me!

No-one, even trusted people like you, should have access to passwords at all. Hash them: it''s simple, quick, and efficient. It uses a fixed space in the database, and it''s a lot more secure.

public byte[] SHA2Hash(string s)
    {
    SHA512 shaM = new SHA512Managed();
    byte[] bs = Encoding.UTF8.GetBytes(s);
    return shaM.ComputeHash(bs);
    }

您可能会错过非对称(公共密钥)加密的一般理论基础. 如果您确实了解这个主意，就不会问您的问题.

如果这不是真的，请您原谅我.您确实了解得很清楚.

我只是知道介绍它的好方法.
首先，所有内容都基于数学途函数的思想: http://en.wikipedia.org/wiki/单向功能 [^ ].在加密中使用单向函数是基于以下事实:找不到后门方法:http://en.wikipedia.org/wiki/Asymmetric_key_algorithm [ ^ ]. RSA( http://en.wikipedia.org/wiki/RSA [

You might miss the general theoretical bases of the assymmetric (public-key) encryption.
If you did understand the idea, you would not probably ask your Question.

Please forgive me if this is not true and you do understand it well.

I just know a good way to introduce into it.
First of all, everything is based on the idea of mathematical on-way function: http://en.wikipedia.org/wiki/One-way_function[^]. The use of one-way function in ciphering is based on the fact that the backdoor method could not be found: http://en.wikipedia.org/wiki/Backdoor_(computing)[^].

Just a generation of pair of keys is already an example if one-way function: you can quickly generate a key, but not find one key by the other. Please pay attention that for RSA an asymmetric backdoor exists.

See the article on asymmetric key algorithm and public-key cryptography to understand how all this is related to encryption: http://en.wikipedia.org/wiki/Asymmetric_key_algorithm[^]. RSA (http://en.wikipedia.org/wiki/RSA[^]) is just one of the encryption algorithms of that sort.

—SA

这篇关于RSA加密问题.net的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！