Why do my "random" MachineKey's Validation Key and Decryption Key both start with the same bytes?


Question


I have an MVC app using .NET 4.5.2. In this app, I set the MachineKey as follows:

    <machineKey compatibilityMode="Framework45" validationKey="25E5749C117E4072E721DA0B8A88B052AAA821CA1D1638C10F0DBF528C19D296134A996B5FA934E1032C9BA9FBDC45EF8806153D683EF4F6C833E7BF6639C513" decryptionKey="DC7ACBAD80BC8EDBD1429F102CEC1C210604DA6C3E6421A4" validation="SHA1" decryption="AES" />


I then run my GetMachineKey code (which has a dependency on ReflectionMagic to keep the reflection code simple when accessing Internal properties):

    using System;
    using System.Linq;
    using System.Reflection;
    using System.Web.Configuration;
    using ReflectionMagic; // supplies the AsDynamic() extension used to reach internal members

    public static Tuple<string, string> GetKeys()
    {
        // MachineKeySection.GetApplicationConfig is non-public and static, so reach it by reflection.
        var mksType = typeof(MachineKeySection);
        var getAppConfigMethod = mksType.GetMethod("GetApplicationConfig", BindingFlags.NonPublic | BindingFlags.Static);
        if (getAppConfigMethod == null)
        {
            throw new InvalidOperationException("MachineKeySection.GetApplicationConfig was not found; the framework internals may differ.");
        }

        var boxedMachineKeySection = getAppConfigMethod.Invoke(null, null);
        var machineKeySection = boxedMachineKeySection as MachineKeySection;
        if (machineKeySection == null)
        {
            throw new InvalidOperationException("GetApplicationConfig did not return a MachineKeySection.");
        }

        // ReflectionMagic exposes the internal *KeyInternal properties, which hold the resolved key bytes
        // (auto-generated or explicit, depending on the configured machineKey element).
        var dynKeySection = machineKeySection.AsDynamic();

        var encryptionKeyBytes = (byte[])dynKeySection.DecryptionKeyInternal;
        var encryptionKeyString = string.Concat(encryptionKeyBytes.Select(b => b.ToString("X2")));
        var validationKeyBytes = (byte[])dynKeySection.ValidationKeyInternal;
        var validationKeyString = string.Concat(validationKeyBytes.Select(b => b.ToString("X2")));

        // Item1 is the decryption key, Item2 the validation key, both as upper-case hex.
        return new Tuple<string, string>(encryptionKeyString, validationKeyString);
    }


Upon running that code, I successfully retrieve both my ValidationKey and my DecryptionKey. Great! Perfect! Exactly what I want in that scenario!


Next, I set my MachineKey as such:

    <machineKey compatibilityMode="Framework45" validationKey="AutoGenerate,IsolateApps" decryptionKey="AutoGenerate,IsolateApps" validation="SHA1" decryption="AES" />


Now when I run my code, again I retrieve my keys, I notice that every time I have a new key generated, the first four octets are identical in both the Validation Key as is in the Decryption Key. I have deployed this application on 12 different servers now and the pattern is the same (not the same bytes on all servers but the first four octets always match on both keys for the same server). For example, in one instance, my keys both begin like this:


Validation Key: B298BA4E463CB2934329...


Decryption Key: B298BA4E0505BF0A9424...

Why do the "random" keys both have the same bytes at the beginning? Or am I reading these keys incorrectly?


P.S. I know these keys are meant to be hard to get to and are very important for security reasons and I shouldn't usually be doing this. I am attempting to create a tech training demo/presentation talking about load-balancing and showing why managing your MachineKeys correctly is important. I would never do something like this with production code but it's nice to see these things when going through load-balancers to see the variables of the equation being changed for presentation purposes. So please do not lecture me about how I shouldn't do this. Yes, I know.


P.P.S. If you come across this post, you probably shouldn't use my code. It's a bad idea!

Accepted answer

From the documentation:


"The IsolateApps modifier specifies that ASP.NET generates a unique encrypted key for each application using the application ID of each application"


Thus, it looks like IsolateApps is a safeguard to prevent identical keys being used by different apps that are sourcing the same machinekey config file.


In practice, the first four bytes are related to the hashcode of your appName (since you are specifying IsolateApps) while the rest are coming from RandomNumberGenerator.GetBytes. See here and here in the code.


As suggested by the code, if you had ",IsolateByAppId", the next 4 bytes would be the same.


If you remove these "Isolate" flags, you'll probably get all random bytes.
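The practical takeaway for a load-balanced farm is twofold: the shared leading bytes are a per-application prefix rather than random material, and auto-generated keys differ from server to server, so tickets signed on one node fail on the next. The following is an added example, not code from the question or the answer: it checks a key pair for the four-byte shared prefix the question observed, and it builds an explicit machineKey element from RandomNumberGenerator so every node in the farm can use the same keys. The sample key strings are the truncated values from the question; the class and method names are assumptions made here, and the element uses HMACSHA256 rather than the question's SHA1 because that is the usual choice for Framework45 compatibility mode.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;

public static class MachineKeyFarmDemo
{
    // True when both hex keys start with the same 4 bytes (8 hex characters),
    // the pattern produced by AutoGenerate,IsolateApps in the question.
    public static bool SharesIsolationPrefix(string validationKeyHex, string decryptionKeyHex)
    {
        if (validationKeyHex == null || decryptionKeyHex == null) return false;
        if (validationKeyHex.Length < 8 || decryptionKeyHex.Length < 8) return false;
        return string.Equals(validationKeyHex.Substring(0, 8),
                             decryptionKeyHex.Substring(0, 8),
                             StringComparison.OrdinalIgnoreCase);
    }

    // Upper-case hex of byteCount bytes from the platform CSPRNG; no app-id prefix is mixed in.
    public static string RandomHex(int byteCount)
    {
        var bytes = new byte[byteCount];
        using (var rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(bytes);
        }
        return string.Concat(bytes.Select(b => b.ToString("X2")));
    }

    // Builds one explicit <machineKey> element to paste into web.config on every farm node:
    // 64-byte validation key for HMACSHA256, 32-byte decryption key for AES-256.
    public static string BuildExplicitMachineKey()
    {
        return string.Format(
            "<machineKey compatibilityMode=\"Framework45\" validationKey=\"{0}\" decryptionKey=\"{1}\" validation=\"HMACSHA256\" decryption=\"AES\" />",
            RandomHex(64), RandomHex(32));
    }

    public static void Main()
    {
        // Constructed sample: the truncated keys quoted in the question.
        var sharedPrefix = SharesIsolationPrefix("B298BA4E463CB2934329", "B298BA4E0505BF0A9424");
        Console.WriteLine("Keys share a 4-byte prefix (IsolateApps pattern): " + sharedPrefix);

        // Two explicitly generated keys should not share a prefix except by chance (1 in 2^32).
        var v = RandomHex(64);
        var d = RandomHex(32);
        Console.WriteLine("Explicit keys share a prefix: " + SharesIsolationPrefix(v, d));

        Console.WriteLine(BuildExplicitMachineKey());
    }
}
```

The element returned by BuildExplicitMachineKey is the same shape as the explicit configuration at the top of the question; deploying one such element to every node is what makes forms-authentication tickets and ViewState validate regardless of which server the load balancer picks.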
