Add RSA based encryption to WCF service without certificates


Problem description

I am looking for a way to encrypt messages between client and server using WCF. WCF offers a lot of built-in security mechanisms to encrypt traffic between client and server, but there seems to be nothing fitting my requirements.

I don't want to use certificates since they are too complicated, so please don't suggest that I use certificates. I don't need confidentiality, so I thought I'd do best using plain RSA.

I want real security, no hardcoded key or something. I was thinking about having a public/private keypair generated every time the server starts. Both keys will only be stored in RAM. Then when a client connects it should do exactly like SSL. Just as described here.


1. exchange some form of a private/public key pair; the server generates a key pair and keeps the private key to itself and shares the public key with the client (e.g. over a WCF message, for instance)

2. using that private/public key pair, exchange a common shared secret, e.g. an "encryption key" that will symmetrically encrypt your messages (and since it's symmetrical, the server can use the same key to decrypt the messages)

3. set up infrastructure on your client (e.g. a WCF extension called a behavior) to inspect the message before it goes out and encrypt it with your shared secret

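That is secure, isn't it?

Is there any existing solution that does what I have described? If not, I will create it myself. Where is the best place to start? Which kind of WCF custom behavior is best?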

EDIT:
As this is NOT secure, I'll take the following approach:

When installing the server component a new X509 certificate will be generated and automatically added to the cert store (of the server). The public part of this generated certificate will be dynamically included into the client setup. When running the client setup on the client machine the certificate will be installed into the trusted Windows certificate store of the client.

So there's no extra work when installing the product and everything should be secure, just as we want it.

Recommended answer

You've said you don't want to use certificates. I won't push certificate use on you, but one thing you are missing is that certificates serve a purpose.

A certificate proves that the key you are negotiating an SSL connection with belongs to the entity you think it belongs to. If you have some way of ensuring this is the case without using certificates, by all means, use raw keys.

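The problem is, in step 1:

1. exchange some form of a private/public key pair; the server generates a key pair and keeps the private key to itself and shares the public key with the client (e.g. over a WCF message, for instance)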

How does the client know that the public key it received from the server wasn't intercepted by a man-in-the-middle and replaced with the MITM's key?

This is why certificates exist. If you don't want to use them, you have to come up with another way of solving this problem.

Do you have a small, well-known set of clients? Is it possible to preconfigure the server's public key on the client?
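
The answer's last suggestion, preconfiguring the server's public key on the client, as an added example that is not part of the original question or answer: the client ships with a SHA-256 fingerprint of the server's key and refuses to wrap a session key to any other key it is handed. It assumes .NET 5 or later and a server key that stays the same across restarts (unlike the per-start key pair in the question); the class and method names are hypothetical.

```csharp
// Added example, not code from the question or answer. Names are hypothetical.
using System;
using System.Security.Cryptography;

static class PinnedKeyExchange
{
    // Fingerprint = SHA-256 over the DER-encoded SubjectPublicKeyInfo.
    public static byte[] Fingerprint(byte[] spki) => SHA256.HashData(spki);

    // Client side: wrap a fresh AES key to the received public key, but only
    // if that key matches the fingerprint shipped with the client setup.
    public static byte[] WrapSessionKey(byte[] receivedSpki, byte[] pinned, out byte[] sessionKey)
    {
        if (!CryptographicOperations.FixedTimeEquals(Fingerprint(receivedSpki), pinned))
            throw new CryptographicException("Server public key does not match the pinned fingerprint.");

        using RSA rsa = RSA.Create();
        rsa.ImportSubjectPublicKeyInfo(receivedSpki, out _);
        sessionKey = new byte[32];
        RandomNumberGenerator.Fill(sessionKey);
        return rsa.Encrypt(sessionKey, RSAEncryptionPadding.OaepSHA256);
    }

    static void Main()
    {
        using RSA server = RSA.Create(2048);   // real server key pair
        using RSA attacker = RSA.Create(2048); // key a man-in-the-middle substitutes (constructed)
        byte[] pinned = Fingerprint(server.ExportSubjectPublicKeyInfo()); // preconfigured on the client

        // Untampered exchange: the server recovers the same session key.
        byte[] wrapped = WrapSessionKey(server.ExportSubjectPublicKeyInfo(), pinned, out byte[] key);
        byte[] recovered = server.Decrypt(wrapped, RSAEncryptionPadding.OaepSHA256);
        Console.WriteLine($"genuine key accepted, keys match: {key.AsSpan().SequenceEqual(recovered)}");

        // Substituted key: rejected before any secret is encrypted to it.
        try
        {
            WrapSessionKey(attacker.ExportSubjectPublicKeyInfo(), pinned, out _);
            Console.WriteLine("substituted key accepted (should not happen)");
        }
        catch (CryptographicException e)
        {
            Console.WriteLine($"substituted key rejected: {e.Message}");
        }
    }
}
```

Without the fingerprint check, the second call would encrypt the session key to whichever key arrived over the wire, which is the step 1 problem the answer describes.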
