ASP.NET web.config encryption security


Problem description

I'm planning to encrypt the connection strings of a web configuration file belonging to an application which will be run in a server farm. I am aware of the aspnet_regiis command line tool to encrypt the sections using it. But I have some doubts, which I expect you guys can solve.

My question is that if I encrypt the connection strings and the web.config file is stolen by some hacker, will he be able to decrypt it using the same command line with the -pe switch? The same is shown below.

  1. My Servers, My Web.Config, Not Encrypted (I created pure web config)
  2. My Servers, My Web.config, Encrypted (I encrypted web config)
  3. Someone's server, My web.config, Encrypted (Someone stole my web config)

Is he able to decrypt using the same command line, like:

aspnet_regiis -pe "connectionStrings" -app "/SampleApplication" -prov "RsaProtectedConfigurationProvider"

Recommended answer

Jon Galloway has an interesting method of handling this situation on his blog: http://weblogs.asp.net/jgalloway/archive/2008/04/13/encrypting-passwords-in-a-net-app-config-file.aspx

The post is referring to an app.config, but the same should apply to a web.config as well.

I guess that I answered before fully realizing what you were asking. My apologies if the referenced blog is of no assistance.

In response to the actual question, the answer is maybe. The hacker would be able to decrypt your web.config if he had access to the encryption key information. According to MSDN (http://msdn.microsoft.com/en-us/library/zhhddkxy(v=vs.100).aspx):

To decrypt and encrypt a section of the Web.config file, the ASP.NET process must have permission to read the appropriate encryption key information.
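
The answer above ties decryption to access to the RSA key container rather than to the web.config file, which in a server farm means every member needs the same container and a tight ACL on it. The following PowerShell script is an added example (not from the original post, the linked blog or MSDN) showing those key-container steps with aspnet_regiis; the container name, provider name, account, file paths and framework directory are assumptions.

```powershell
# Added example: share one RSA key container across a farm and restrict who can read it.
# Assumes web.config declares, under <configProtectedData><providers>, an
# RsaProtectedConfigurationProvider entry named FarmRsaProvider with
# keyContainerName="FarmKeys" and useMachineContainer="true" (hypothetical names).
param(
    [Parameter(Mandatory)]
    [ValidateSet('Primary', 'Member')]
    [string]$Role
)

# Assumed locations and names; adjust to the real environment.
$regiis    = Join-Path $env:WINDIR 'Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe'
$container = 'FarmKeys'                      # hypothetical key container
$provider  = 'FarmRsaProvider'               # hypothetical provider name
$account   = 'NT AUTHORITY\NETWORK SERVICE'  # identity the ASP.NET process runs as (assumed)
$keyFile   = 'C:\secure\FarmKeys.xml'        # hypothetical transfer file, holds the private key

if ($Role -eq 'Primary') {
    # Create a machine-level container whose key can be exported to other servers.
    & $regiis -pc $container -exp
    # Grant read access on the container to the ASP.NET process identity only.
    & $regiis -pa $container $account
    # Encrypt the section with the provider bound to that container.
    & $regiis -pe 'connectionStrings' -app '/SampleApplication' -prov $provider
    # Export the key pair, private key included, for the other farm members.
    & $regiis -px $container $keyFile -pri
    Write-Warning "$keyFile contains the private key: move it over a protected channel, then delete it."
}
else {
    # Import the shared container and grant the same minimal access.
    & $regiis -pi $container $keyFile
    & $regiis -pa $container $account
    # The export file is as sensitive as the plaintext connection strings.
    Remove-Item -LiteralPath $keyFile -Force
}
```

The encrypted web.config copied to a machine that lacks this container holds only ciphertext; the exported key file and the container ACL are what need protecting.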
