Silverlight: encrypting username and password for web service


Question

Encryption is not my forte.

I'm writing an application in Silverlight 3 which communicates with a web service to authenticate users. The web service won't necessarily be hosted under SSL. I'm trying to find a way to reversibly encrypt the user name and password before passing them which doesn't rely on the key and salt being hard-coded into the Silverlight assembly. It doesn't support RSA (or any asymmetric algorithm), so I can't use a public key from the server.

Are there any patterns for doing this sort of thing?

Recommended answer

RSA would really be the best way to go here, but indeed there's no implementation in either the Silverlight 2 or 3 libraries. It's something that really should have been added in my opinion, though it's very unlikely to happen until Silverlight 4 now. Unfortunately, a custom RSA implementation is likely to be truly painful, so it's not quite feasible I'd expect.

Here is my proposed solution... It's certainly not as simple as simply sending the public key from the server, but it should do the job securely still.


  1. Use the Diffie-Hellman key exchange algorithm to agree on a key to be used for later encryption. This was designed to work over an insecure channel, so there are no problems here. See here for a C# implementation.
  2. Use some sort of symmetric encryption with the key established by the Diffie-Hellman exchange to send the username/password over the connection. The server can then decrypt using the same key, which, while known to both the client and server, is nonetheless unknown to any third party. The strength of your symmetric encryption algorithm should not in fact matter in this case. (Someone correct me if I'm wrong.) A simple XOR cipher should do the job in fact. It seems you could also use the AES standard, which is included in the System.Security.Cryptography namespace of the Silverlight BCL.

Hope that helps. Let me know if you're not clear on any of the points.
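
The two steps described in the answer, as an added example that is not part of the original post: it assumes modern .NET (8 or later) rather than Silverlight 3, swaps classic Diffie-Hellman for the built-in `ECDiffieHellman` class, and uses AES-GCM for the symmetric step. The class and method names and the sample credentials are constructed, and because neither public key is authenticated the exchange only protects against passive eavesdropping.

```csharp
// Added example for modern .NET (8+); names and sample credentials are constructed.
using System;
using System.Security.Cryptography;
using System.Text;

static class CredentialExchangeDemo
{
    // Imports the peer's public key and hashes the shared secret into a 32-byte AES key.
    static byte[] Derive(ECDiffieHellman self, byte[] peerSpki)
    {
        using ECDiffieHellman peer = ECDiffieHellman.Create();
        peer.ImportSubjectPublicKeyInfo(peerSpki, out _);
        return self.DeriveKeyFromHash(peer.PublicKey, HashAlgorithmName.SHA256);
    }

    // Encrypts with AES-256-GCM; wire format is nonce(12) || tag(16) || ciphertext.
    static byte[] Seal(byte[] key, byte[] plaintext)
    {
        byte[] nonce = RandomNumberGenerator.GetBytes(12);
        byte[] tag = new byte[16];
        byte[] ct = new byte[plaintext.Length];
        using var gcm = new AesGcm(key, 16);
        gcm.Encrypt(nonce, plaintext, ct, tag);
        byte[] msg = new byte[28 + ct.Length];
        nonce.CopyTo(msg, 0); tag.CopyTo(msg, 12); ct.CopyTo(msg, 28);
        return msg;
    }

    // Verifies the tag and decrypts; throws CryptographicException if the message was altered.
    static byte[] Open(byte[] key, byte[] msg)
    {
        if (msg.Length < 28) throw new CryptographicException("message too short");
        byte[] pt = new byte[msg.Length - 28];
        using var gcm = new AesGcm(key, 16);
        gcm.Decrypt(msg.AsSpan(0, 12), msg.AsSpan(28), msg.AsSpan(12, 16), pt);
        return pt;
    }

    static void Main()
    {
        // Each side generates an ephemeral key pair for this login only.
        using ECDiffieHellman client = ECDiffieHellman.Create(ECCurve.NamedCurves.nistP256);
        using ECDiffieHellman server = ECDiffieHellman.Create(ECCurve.NamedCurves.nistP256);
        // Only the public halves (SubjectPublicKeyInfo bytes) cross the wire.
        byte[] clientKey = Derive(client, server.ExportSubjectPublicKeyInfo());
        byte[] serverKey = Derive(server, client.ExportSubjectPublicKeyInfo());
        byte[] wire = Seal(clientKey, Encoding.UTF8.GetBytes("alice:constructed-sample-password"));
        Console.WriteLine(Encoding.UTF8.GetString(Open(serverKey, wire)));
    }
}
```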
