Encrypting configuration information using protected configuration provider


Question

When using a protected configuration provider to encrypt configuration information in an app config file, what encryption is used?

What algorithm and key is used to encrypt and decrypt the information?

Update

OK, I've read the links provided by Sani Huttunen and read these here and here.

So the RsaProtectedConfigurationProvider uses TripleDES and RSA encryption and DpapiProtectedConfigurationProvider uses TripleDES.

RsaProtectedConfigurationProvider uses the machine account or the user account and DpapiProtectedConfigurationProvider uses the user's logon password as the key for encryption and decryption.

I see this would work fine for an ASP.NET web app. But what about Windows applications?

I was led to believe that all my connection strings should be saved in the app.config file and then encrypted using a protected configuration provider.

But if you deploy your WinForms app to another machine it would not be able to decrypt the connection string because the key was based on the developer's logon password and saved in a keyfile not deployed with the application. Or if the keyfile is deployed with the application then anyone can decrypt the app.config file.

Is this correct? So what's the point in using this method?

Is there any way to protect information in an app.config file for a deployed Windows application?

Recommended answer

What problem is your winform app trying to solve?

You have two conflicting problems. You need to distribute an app to someone who is untrusted. And you need a trusted connection to the SQL Server.

Even if you encrypt the connection string, if you have the key to decrypt it stored somehow on the same machine, then your user can decompile your app and work out what it is.

Even if the connection is read only then it is still vulnerable to SQL injection attacks.

What may be a better solution is to have some RESTful API. That would give your user a well-defined API of things they can do. You can then manage users and the things they are allowed to do (i.e., can update their details but not someone else's, but still can read everyone's public stats).

Have a look at http://wcf.codeplex.com/wikipage?title=WCF%20HTTP for an easy way to create a safe API.

(If you give some more details, I can modify my answer with a solution that may work better for your needs.)
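
For reference on the deployment concern raised in the question, here is an added example (not code from the question or the answer) that encrypts the `connectionStrings` section on the machine where the application runs, using the default DPAPI provider name registered in machine.config, so no key file ships with the app. The connection string name `AppDb` is a hypothetical placeholder.

```csharp
// Added example: requires a reference to System.Configuration.dll (.NET Framework).
using System;
using System.Configuration;

static class ConfigProtector
{
    // Default name of the DPAPI-backed provider registered in machine.config.
    const string Provider = "DataProtectionConfigurationProvider";

    // Encrypts <connectionStrings> in this executable's .config file on the
    // machine where it runs. Returns true if the section was encrypted now.
    public static bool ProtectConnectionStrings()
    {
        Configuration config =
            ConfigurationManager.OpenExeConfiguration(ConfigurationUserLevel.None);
        ConfigurationSection section = config.GetSection("connectionStrings");

        if (section == null || section.SectionInformation.IsProtected)
            return false; // nothing to do, or already encrypted

        section.SectionInformation.ProtectSection(Provider);
        section.SectionInformation.ForceSave = true;
        config.Save(ConfigurationSaveMode.Modified);
        ConfigurationManager.RefreshSection("connectionStrings");
        return true;
    }

    static void Main()
    {
        bool changed = ProtectConnectionStrings();
        Console.WriteLine(changed ? "Section encrypted on this machine."
                                  : "Section missing or already encrypted.");

        // Reads are decrypted transparently for code running in this context,
        // so this does not hide the value from the local user (the answer's point).
        // "AppDb" is a hypothetical connection string name.
        ConnectionStringSettings cs = ConfigurationManager.ConnectionStrings["AppDb"];
        Console.WriteLine(cs == null ? "No 'AppDb' entry." : "Loaded 'AppDb'.");
    }
}
```

The process needs write access to the application's .config file for `Save` to succeed, so this step is normally run once by an installer or an administrator.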
