RsaProtectedConfigurationProvider implementation vs RSACryptoServiceProvider C#

Problem description

If RSACryptoServiceProvider cannot encrypt data larger than its KeySize, how is RsaProtectedConfigurationProvider implemented in the .NET Framework?

I am working on a utility that is going to be used to encrypt/decrypt some sensitive information. My two encryption provider options are DPAPI and RSA; while DPAPI is not suited for a web farm kind of environment, RSA fits because of the Export/Import options with a KeyContainer. This is a stand-alone application running on a workstation.

As I am aware that Asymmetric algorithms are not designed for large data, I just tried encrypting a string of length over 400K using the code below and it works well.

        if (!section.SectionInformation.IsProtected)
        {
            section.SectionInformation.ProtectSection("RSAProtectedConfigurationProvider");
            section.SectionInformation.ForceSave = true;
            config.Save(ConfigurationSaveMode.Full);
        }

Definitely this implies that more things are happening behind the scenes apart from the export import key options in aspnet_regiis.exe.

My understanding:

  1. We encrypt myapp.exe.config with RsaProtectedConfigurationProvider, provide a key container name myrsakeycontainer, and export the public and private keys to an XML file, myrsakeyfile.xml.

If we want myapp.exe.config to be decrypted on another computer, we import the key pair from myrsakeyfile.xml with a container named myrsakeycontainer.

This works well. I can achieve the same thing in my project via RSACryptoServiceProvider. But I can't handle data that is larger than the key size that new RSACryptoServiceProvider(cspParameters) generated for me.

  • I want to be able to decrypt huge data (just in case) just the way RsaProtectedConfigurationProvider does.
  • Yes, I could use a RijndaelManaged (my favorite) for actual encryption, and for the symmetric key transport (export/import) I could use the RSACryptoServiceProvider. This leaves me in a situation that if I want to export/import the symmetric key, I should first encrypt it with the public key of RSA, import it to another machine, decrypt with the private key of RSA. Which is export the RSA key pair along with the encrypted symmetric key.
  • But, when I export RSA key pair used by RsaProtectedConfigurationProvider via aspnet_regiis.exe, I believe that it exports only the public/private key pair in an xml file and no other information (like the symmetric key information).

So, with just the RSA key pair, how does RsaProtectedConfigurationProvider manage to decrypt (huge - over 400K chars in my case) information that was encrypted on another computer? In case it uses a symmetric algorithm (perhaps?!) to encrypt information, how is that symmetric key exported/imported to another computer for decryption? Is that symmetric key part of the RSA key container exported via aspnet_regiis.exe, or is the symmetric key contrived dynamically based on an algorithm?

I could get away with a Rijndael, whose key is encrypted with an RSA key pair, and I can export/import both the RSA key pair and the Rijndael symmetric key to another computer. (which I have done in the past)

I am interested to know what is used inside RsaProtectedConfigurationProvider.

Any theories? concepts? links? recommendations? please..

Similar question - What algorithms does RSAProtectedConfigurationProvider use in web.config encryption?

Recommended answer

The encrypted symmetric key is stored in the XML alongside the encrypted configuration information that the symmetric key has encrypted.

If you use Reflector to look at the code, what it does is load the XML node and use the asymmetric RSA private key to decrypt a symmetric key stored within the XML node itself.

The function that actually does this magic is here:

public virtual SymmetricAlgorithm GetDecryptionKey(EncryptedData encryptedData, string symmetricAlgorithmUri);

Declaring Type: System.Security.Cryptography.Xml.EncryptedXml Assembly: System.Security, Version=2.0.0.0

Look at the surrounding code:

this.m_document.SelectNodes("//enc:EncryptedKey", nsmgr);

This blog post has a nice writeup about how you pair Asymmetric and Symmetric algorithms in real-world practice: http://pages.infinit.net/ctech/20031101-0151.html
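
The hybrid scheme described in the answer, shown with the public EncryptedXml API as an added example (it is not code from the original post, and not the framework's provider source). The key name demoRsaKey and the sample document are constructed for illustration; the algorithm URIs are read back from the output rather than assumed.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.Xml;
using System.Xml;

class HybridXmlDemo
{
    const string KeyName = "demoRsaKey"; // hypothetical name, stands in for the key container

    static void Main()
    {
        // Constructed sample: an element far larger than one RSA block.
        var doc = new XmlDocument { PreserveWhitespace = true };
        doc.LoadXml("<configuration><secrets>" + new string('x', 400000) + "</secrets></configuration>");
        var target = (XmlElement)doc.SelectSingleNode("/configuration/secrets");

        using (RSA rsa = new RSACryptoServiceProvider(2048))
        {
            // Encrypt: EncryptedXml creates a random session key, encrypts the
            // element with it, and wraps the session key with the RSA public key.
            var enc = new EncryptedXml(doc);
            enc.AddKeyNameMapping(KeyName, rsa);
            EncryptedData ed = enc.Encrypt(target, KeyName);
            EncryptedXml.ReplaceElement(target, ed, false);

            // Inspect: the wrapped key sits in the same XML as the ciphertext.
            var ns = new XmlNamespaceManager(doc.NameTable);
            ns.AddNamespace("enc", EncryptedXml.XmlEncNamespaceUrl);
            var dataAlg = doc.SelectSingleNode("//enc:EncryptedData/enc:EncryptionMethod/@Algorithm", ns);
            var keyAlg = doc.SelectSingleNode("//enc:EncryptedKey/enc:EncryptionMethod/@Algorithm", ns);
            var wrapped = doc.SelectSingleNode("//enc:EncryptedKey/enc:CipherData/enc:CipherValue", ns);
            Console.WriteLine("data algorithm: " + dataAlg.Value);
            Console.WriteLine("key algorithm:  " + keyAlg.Value);
            Console.WriteLine("wrapped key bytes: " + Convert.FromBase64String(wrapped.InnerText).Length);

            // Decrypt: only the RSA private key is supplied; the session key is
            // recovered from the EncryptedKey element inside the document.
            var dec = new EncryptedXml(doc);
            dec.AddKeyNameMapping(KeyName, rsa);
            dec.DecryptDocument();
            var restored = doc.SelectSingleNode("/configuration/secrets");
            Console.WriteLine("restored length: " + restored.InnerText.Length);
        }
    }
}
```

Because the wrapped session key travels inside the document, the exported RSA key pair is the only secret that has to be moved between machines, so that export file needs the same protection as the data itself.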
