微软更改配置文件加密方法从TripleDes的 [英] Change Microsoft Config File Encryption Method From TripleDES

问题描述

当加密（保护），微软的配置部分，你得到的东西看起来像下面的XML。它遵循（至少部分地）的W3规范的XML加密。

然而，在XML下面你将看到下的EncryptedData部分EncryptionMethod是TripleDes的-CBC。我们希望能够改变这种状况到一个更安全的替代，特别是AES，这是规定在上述W3规范为好。

在与微软的支持工程师很多电话，他们都远不及理解的问题，更不用说回答它。有没有办法来改变这种加密方法？

我忘了前面提到，我们目前设定为RsaProtectedConfigurationProvider，但只有关键似乎与RSA加密，而数据进行加密，3DES。

 ＆LT; MiscCryptoData configProtectionProvider =someConfigProtectionProvider＆GT;
  ＆LT;的EncryptedData类型=htt​​p://www.w3.org/2001/04/xmlenc#Element的xmlns =htt​​p://www.w3.org/2001/04/xmlenc#＆GT;
    ＆LT; EncryptionMethod算法=htt​​p://www.w3.org/2001/04/xmlenc#tripledes-cbc/＆GT;
    ＆LT;密钥信息的xmlns =htt​​p://www.w3.org/2000/09/xmldsig#＆GT;
      ＆LT; EncryptedKey的xmlns =htt​​p://www.w3.org/2001/04/xmlenc#＆GT;
        ＆LT; EncryptionMethod算法=htt​​p://www.w3.org/2001/04/xmlenc#rsa-1_5/＆GT;
        ＆LT;密钥信息的xmlns =htt​​p://www.w3.org/2000/09/xmldsig#＆GT;
          ＆LT; KeyName是＆GT; RSA密钥＆LT; / KeyName是＆GT;
        ＆LT; /密钥信息＆GT;
        ＆LT;的CipherData＆GT;
          ＆LT; CipherValue＆GT; asf78ag78asg \ ... cryptoyadayada ... asdf8r =＆LT; / CipherValue＆GT;
        ＆LT; /的CipherData＆GT;
      ＆LT; / EncryptedKey＆GT;
    ＆LT; /密钥信息＆GT;
    ＆LT;的CipherData＆GT;
      ＆LT; CipherValue＆GT; zxcv6asdf35 ... largercryptoyadayada ... u7i8o9p =＆LT; / CipherValue＆GT;
    ＆LT; /的CipherData＆GT;
  ＆LT; /的EncryptedData＆GT;
＆LT; / MiscCryptoData＆GT;
 

解决方案

我刚刚检查<一href="http://msdn.microsoft.com/en-us/library/system.configuration.rsaprotectedconfigurationprovider.aspx"相对=nofollow> RsaProtectedConfigurationProvider 与反射，当我发现那里是你能做些什么来改变什么 TripleDes的-CBC 来别的了。

所以，你必须写自己的，如果你想使用AES加密 ProtectedConfigurationProvider 。您可能需要使用反射来给你一个良好的开端。

When encrypting ("protecting") Microsoft config sections, you get something that looks like the XML below. It follows (at least partially) the W3 spec for XML Encryption.

However, in the XML below you'll see that the EncryptionMethod under the EncryptedData section is "tripledes-cbc". We would like to be able to change that to a more-secure alternative, specifically AES, which is specified in the aforementioned W3 spec as well.

In many calls with Microsoft's support engineers, they are nowhere near understanding the question, much less answering it. Is there a way to change this encryption method?

I forgot to mention earlier that we are currently set to RsaProtectedConfigurationProvider, but only the key appears to be encrypted with RSA, whereas the data is encrypted with 3DES.

<MiscCryptoData configProtectionProvider="someConfigProtectionProvider">
  <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns="http://www.w3.org/2001/04/xmlenc#">
    <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
    <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
        <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
        <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
          <KeyName>Rsa Key</KeyName>
        </KeyInfo>
        <CipherData>
          <CipherValue>asf78ag78asg\...cryptoyadayada...asdf8r=</CipherValue>
        </CipherData>
      </EncryptedKey>
    </KeyInfo>
    <CipherData>
      <CipherValue>zxcv6asdf35...largercryptoyadayada...u7i8o9p=</CipherValue>
    </CipherData>
  </EncryptedData>
</MiscCryptoData>

解决方案

I've just checked RsaProtectedConfigurationProvider with the Reflector and as I found out there is nothing you can do to change tripledes-cbc to anything else.

So you have to write your own ProtectedConfigurationProvider if you want to use AES encryption. You may want to use the Reflector to give you a good start.

这篇关于微软更改配置文件加密方法从TripleDes的的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！