如何获得对Asp.Net Core加密密钥的访问? [英] How to gain access to Asp.Net Core encryption keys?

问题描述

通话提供的Cookie:

A cookie provided by call:

await HttpContext.Authentication.SignInAsync("MyCookieMiddlewareInstance", principal);

以加密状态存储.如何获得加密密钥?

is stored in encrypted state. How to get encryption key?

重要:这个问题来自我的罗恩C 和他的出色回答.

IMPORTANT: this question has grown from my original question about cookie decryption. Thanks to Ron C and his great answer.

推荐答案

获得对键的访问权限
默认情况下，.net核心框架会竭尽全力保持密钥的私密性，并帮助开发人员避免处理密钥的任何需求.这很好，因为开发人员很难保证密钥的安全性.

Gaining Access to the Keys
By default the .net core framework goes to great lengths to keep the keys private and to help the developer to avoid any need for handling the keys. This is good as it's quite difficult for developers to keep keys safe.

也就是说，通过更改配置，您可以轻松访问密钥.

That said, with a change of configuration you can easily gain access to the keys.

将以下代码行添加到Startup.cs文件的ConfigureServices方法中.如果您使用use session，请将其添加到AddSession行的下面:

Add the following line of code to the ConfigureServices method of the Startup.cs file. If you use use session, add it below the line for AddSession:

 services.AddDataProtection().PersistKeysToFileSystem(new DirectoryInfo(keyDirPath));

，然后将keyDirPath设置为您希望将密钥存储在其中的目录的操作系统绝对路径.该目录不需要已经存在，因为系统会即时创建它.就我而言，我将目录设置为名为Keys的文件夹.这是运行一次代码后目录的样子，其中包含一个密钥文件:

and set keyDirPath to the operating system absolute path of the directory that you'd like the keys stored in. The directory does not need to already exist as the system will create it on the fly. In my case I set directory to a folder named Keys. Here's what the directory looked like after running the code once, it contains one key file:

该密钥文件的内容未加密，如下所示:

The contents of that key file are unencrypted and look like this:

<?xml version="1.0" encoding="utf-8"?>
  <key id="677f1115-644a-4b11-b045-0c3c51675ef1" version="1">
    <creationDate>2017-03-17T12:21:10.8909291Z</creationDate>
    <activationDate>2017-03-17T12:21:10.8419262Z</activationDate>
    <expirationDate>2017-06-15T12:21:10.8419262Z</expirationDate>
    <descriptor deserializerType="Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.AuthenticatedEncryptorDescriptorDeserializer, Microsoft.AspNetCore.DataProtection, Version=1.1.1.0, Culture=neutral, PublicKeyToken=adb9793829ddae60">
      <descriptor>
        <encryption algorithm="AES_256_CBC" />
        <validation algorithm="HMACSHA256" />
        <masterKey p4:requiresEncryption="true" xmlns:p4="http://schemas.asp.net/2015/03/dataProtection">
          <!-- Warning: the key below is in an unencrypted form. -->
          <value>BMJ6EY5MbcR0vaXhCbHggQcVsuYc6MnMtQpQm0qL647UBVx0YDbZufqQ+2/XuahFfIY2fJ6BIlOl+LYODnLbrA==</value>
        </masterKey>
      </descriptor>
    </descriptor>
  </key>

警告:您永远不要将密钥处于完全不受保护的状态下放置在名为keys的文件夹中.这样做不是安全最佳实践.但是，如果您想了解安全系统，那么这是一个有用的练习.

WARNING: You should never leave your keys laying around in a totally unprotected state in a folder named keys. Doing so is not a security best practice. But if you are trying to learn about the security system, it's a useful exercise.

您可以在此处了解有关数据保护服务的更多信息:

You can learn more about the Data protection services here: https://docs.microsoft.com/en-us/aspnet/core/security/data-protection/configuration/overview

这篇关于如何获得对Asp.Net Core加密密钥的访问?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！