如何为加密算法创建加密密钥? [英] How to create Encryption Key for Encryption Algorithms?
问题描述
-
我可以在Key和IV中使用任何值的组合吗?例如Key和IV中的全部零是否有效?我知道算法的细节很多,所以零不会提供任何好处,但是这些算法有什么限制吗?
-
或者我有使用某些程序生成密钥并将其永久保存在某个地方?
我想在加密后将数据存储在数据库中,安全配置文件数据(如用户名,密码,电话号码等)和密钥将可用于仅在连接字符串中提及的数据库用户和管理员。
如果您正在使用加密来交换数据,那么您将需要一个密钥交换协议,但您不要自己使用,而是使用现成的TLS或SSL。
如果使用加密存储数据,则使用 CryptGenRandom (或其.net等价物 RandomNumberGenerator.GetBytes )并保存在文档中(清楚,不需要保护IV)。你永远不会忘记密钥,密钥由用户提供。通过使用 CryptDeriveKey 或其.Net等效版本 PasswordDeriveKey.CryptDeriveKey
更新
将数据存储在数据库中只有用户和管理员才可以使用3个键:
- 一个用于加密数据(称为DK密钥)
- 一个用户密钥加密DK密钥(称为英国)
- 一个管理员密钥加密DK密钥(称为AK)理论上,你用DK加密数据,然后用英文加密DK并保存,并用AK加密DK并保存它。这样,用户可以再次使用英国解密DK,然后解密数据,管理员可以使用AK对DK进行解密,然后解密数据。最大的问题是系统始终是自动化的,所以系统需要访问管理员的密钥,这意味着不是真正的管理员的密钥,而是系统密钥(它不能用于非法的目的)作为一个头脑,知道什么IV是或如何使用AES从C#以及加密算法如何工作将使你准确的0(零)牵引力解决这种问题。问题从来不是IV和密钥使用,问题始终是密钥配置。对于实际的加密操作,只需使用数据库中的内置支持,请参阅密码学SQL Server 。我可以很容易地认为,您所需要的只有的工具是TDE(透明数据加密),以防止意外丢失媒体。
I want to use encryption algorithm available in .Net Security namespace, however I am trying to understand how to generate the key, for example AES algorithm needs 256 bits, that 16 bytes key, and some initialization vector, which is also few bytes.
Can I use any combination of values in my Key and IV? e.g. all zeros in Key and IV are valid or not? I know the detail of algorithm which does lots of xors, so zero wont serve any good, but are there any restrictions by these algorithms?
Or Do I have to generate the key using some program and save it permanently somewhere?
I want to store data in database after encryption, the secure profile data like username, password, phone number etc, and the key will be available to database user mentioned in connection string only, and to the administrator.
解决方案If you are using encryption to exchange data then you will need a key exchange protocol, but you don't make one yourself instead use one off-the-shelf like TLS or SSL.
If you use encryption to store data then you generate the IV using CryptGenRandom (or its .net equivalent RandomNumberGenerator.GetBytes) and save it along the document (in clear, no need to protect the IV). You never write down the key, the key is provided by the user. Usualy you derive the key from a password phrase using CryptDeriveKey, or its .Net equivalent PasswordDeriveKey.CryptDeriveKey.
Update
To store a secret in the database that is available only to the user and an administrator you need to use 3 keys:
- one to encrypt the data with (call it the DK key)
- one user key to encrypt the DK key (call it UK)
- one administrator key to encrypt the DK key (call it AK)
In theory you encrypt the data with DK and then encrypt the DK with UK and save it, and encrypt the DK with AK and save it. This way the user can use again the UK to decrypt the DK and then decrypt the data, and the administrator can use the AK to decrypt the DK and then decrypt the data. The big problem is the fact that the system is always automated, so the system needs access to the administrator's key which means is not truly a persnal key of the administrator, but instead is a system key (it cannot be used for purposes of non-repudiation for instance).
As a heads up, knowledge of what IV is or how to use AES from C# and how cryptography algorithm work will get you exactly 0 (zero) traction in solving this kind of problems. The issue is never what IV and key to use, the issue is always key provisioning. For actual crypto operations, just use the built-in support from the database, see Cryptography in SQL Server. I can easily argue that the only facility you need is TDE (Transparent Data Encryption) to protect against accidental loss of media.
这篇关于如何为加密算法创建加密密钥?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!