Using DPAPI / ProtectedData with the user store in a web farm environment

Published 2024-07-06 12:07:57, 578 characters, 9 views, 0 comments

I was wondering if anyone had successfully used DPAPI with a user store in a web farm environment?

Because our application is a recently converted 1.1-to-2.0 ASP.NET app, we're using a custom wrapper which directly calls the CryptUnprotect methods. But this should be the same as the ProtectedData method available in the 2.0 framework.

Because we are operating in a web farm environment, we can't guarantee that the machine that did the encryption is going to be the one decrypting it. (Also because machine failures shouldn't destroy our encrypted data).

So what we have is a serviced component that runs in a service under a particular user account on each one of our web boxes. This user is set up to have a roaming profile, as per the recommendation.

The problem we have is that info encrypted on one machine cannot be decrypted on another; this fails with the win32 error:

'Key not valid for use in specified state'.

I suspect that this is because I've made a mistake by having the encryption service running as the user on multiple machines, hence keeping the user logged in on more than one machine at the same time.

If this is the problem, how are others using DPAPI with the User Store in a web farm environment?

Comments (4)

梦里泪两行 2024-07-13 12:07:57

In a web farm environment, rather than using DPAPI to encrypt/decrypt your data directly, you would instead use it to encrypt the key that you later use to decrypt your protected data.

You would "install" the key onto each server as part of the deployment process. The installation script would need to run under the AppPool's identity, and could store the encrypted key either in an app.config file or in the registry.

The encrypted data itself could be stored in a central repository / database, so that it can be accessed by all servers in the farm. To decrypt the data, the web app would retrieve the encrypted key from where it was installed, use DPAPI to decrypt it, then use the result to decrypt data that comes from the central repository.

The downside is that the cleartext key might exist on the local disk for a short time during the initial install process, where it might be exposed to operations staff. You could add an extra layer of encryption, such as with the web.config machineKey, if that's a concern.
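The key-wrapping scheme this answer describes, as an added example (not code from the question or the answer): a random data-encryption key (DEK) is wrapped with DPAPI once per server under the app pool's identity, and only the AES-encrypted payload goes to the shared database. It assumes .NET 8 on Windows with the System.Security.Cryptography.ProtectedData package, and the file path and class names are hypothetical.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;

// Hypothetical wrapper for the answer's scheme: DPAPI protects the DEK on
// each server; the DEK (not DPAPI) protects the data that is shared farm-wide.
public static class FarmSecrets
{
    // Assumed location where the installer drops the DPAPI-wrapped DEK on this
    // box; the answer suggests app.config or the registry instead.
    static readonly string WrappedKeyPath = @"C:\inetpub\secrets\dek.bin";

    // Deployment-time step, run under the AppPool identity on each server, so
    // the wrapped blob is tied to that account's DPAPI master key on this box.
    public static void InstallKey(byte[] dek)
    {
        byte[] wrapped = ProtectedData.Protect(dek, null, DataProtectionScope.CurrentUser);
        File.WriteAllBytes(WrappedKeyPath, wrapped);
    }

    static byte[] LoadKey() =>
        ProtectedData.Unprotect(File.ReadAllBytes(WrappedKeyPath), null, DataProtectionScope.CurrentUser);

    // Runtime: AES-GCM with the DEK; output layout is nonce || tag || ciphertext,
    // which any server holding a wrapped copy of the same DEK can open.
    public static byte[] Protect(byte[] plaintext)
    {
        byte[] key = LoadKey();
        byte[] nonce = RandomNumberGenerator.GetBytes(12);
        byte[] tag = new byte[16];
        byte[] ct = new byte[plaintext.Length];
        using (var aes = new AesGcm(key, tag.Length))
            aes.Encrypt(nonce, plaintext, ct, tag);
        CryptographicOperations.ZeroMemory(key);
        byte[] blob = new byte[nonce.Length + tag.Length + ct.Length];
        Buffer.BlockCopy(nonce, 0, blob, 0, 12);
        Buffer.BlockCopy(tag, 0, blob, 12, 16);
        Buffer.BlockCopy(ct, 0, blob, 28, ct.Length);
        return blob;
    }

    public static byte[] Unprotect(byte[] blob)
    {
        if (blob.Length < 28) throw new CryptographicException("blob too short");
        byte[] key = LoadKey();
        byte[] pt = new byte[blob.Length - 28];
        using (var aes = new AesGcm(key, 16))   // throws on a forged or corrupted blob
            aes.Decrypt(blob.AsSpan(0, 12), blob.AsSpan(28), blob.AsSpan(12, 16), pt);
        CryptographicOperations.ZeroMemory(key);
        return pt;
    }
}
```

Generate the DEK once with RandomNumberGenerator.GetBytes(32) and call InstallKey on every farm member; the cleartext DEK then only needs to exist during that installation step, which is the exposure the answer points out.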

爱,才寂寞 2024-07-13 12:07:57

The Microsoft poster is wrong.
http://support.microsoft.com/default.aspx?scid=kb;en-us;309408#6

"For DPAPI to work correctly when it uses roaming profiles, the domain user must only be logged on to a single computer in the domain. If the user wants to log on to a different computer that is in the domain, the user must log off the first computer before the user logs on to the second computer. If the user is logged on to multiple computers at the same time, it is likely that DPAPI will not be able to decrypt existing encrypted data correctly."

It appears that DPAPI will not work in a farm setting. I think this is a rather large oversight on Microsoft's part and makes DPAPI almost useless for most enterprise applications.

冬天旳寂寞 2024-07-13 12:07:57

I just saw this. There is a way you can make this work, and that is to make sure the machines in the farm are in a domain, and use a domain account to encrypt and decrypt the data (i.e. run the application under the domain account).

You cannot use DPAPI in the manner you want with local accounts because the key material is not exchanged between servers.

Hope that helps!

谈场末日恋爱 2024-07-13 12:07:57

Twelve years later . . . you can try using CNG DPAPI, which was meant to work in cloud environments that may or may not be load-balanced. From that link (in case it gets taken down):

Microsoft introduced the data protection application programming
interface (DPAPI) in Windows 2000. The API consists of two functions,
CryptProtectData and CryptUnprotectData. DPAPI is part of CryptoAPI
and was intended for developers who knew very little about using
cryptography. The two functions could be used to encrypt and decrypt
static data on a single computer.

Cloud computing, however, often requires that content encrypted on one
computer be decrypted on another. Therefore, beginning with Windows 8,
Microsoft extended the idea of using a relatively straightforward API
to encompass cloud scenarios. This new API, called DPAPI-NG, enables
you to securely share secrets (keys, passwords, key material) and
messages by protecting them to a set of principals that can be used to
unprotect them on different computers after proper authentication and
authorization.

In .NET Core this looks like

using Microsoft.AspNetCore.DataProtection;
using Microsoft.Extensions.DependencyInjection;

public void ConfigureServices(IServiceCollection services)
{
    // Encrypt the Data Protection key ring at rest with DPAPI-NG (CNG DPAPI).
    services.AddDataProtection()
        .ProtectKeysWithDpapiNG();
}
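A fuller farm configuration of the ASP.NET Core Data Protection stack this answer points at, as an added example (not the answer's own code): the key ring is shared via a file share and protected with DPAPI-NG to the domain account the app runs as, which is what lets a second server unprotect what the first one protected. The UNC path, SID and names are placeholders; it assumes domain-joined Windows Server 2012 or later and the Microsoft.AspNetCore.DataProtection package.

```csharp
using System.IO;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.AspNetCore.DataProtection.XmlEncryption;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddDataProtection()
            // One key ring for the whole farm: every server reads the same key
            // XML files from a share. ACL the share to the app's domain account only.
            .PersistKeysToFileSystem(new DirectoryInfo(@"\\fileserver\dp-keys"))  // placeholder path
            // Encrypt each key at rest with DPAPI-NG, protected to the domain
            // principal the app pool runs as (placeholder SID), so any farm
            // member running under that account can decrypt the key files.
            .ProtectKeysWithDpapiNG("SID=S-1-5-21-PLACEHOLDER",
                                    DpapiNGProtectionDescriptorFlags.None)
            // Keep payloads of this app from being readable by other apps
            // that happen to share the same key ring.
            .SetApplicationName("orders-web");   // placeholder name
    }
}

// Runtime use: Protect on one server, Unprotect on another. The purpose string
// is part of the derived key, so a protector with a different purpose cannot
// open this payload even with the same key ring.
public class SecretStore
{
    readonly IDataProtector _protector;

    public SecretStore(IDataProtectionProvider provider)
        => _protector = provider.CreateProtector("SecretStore.v1");

    public string Seal(string plaintext) => _protector.Protect(plaintext);

    // Throws CryptographicException if the payload was tampered with or was
    // produced under a key this server cannot unprotect.
    public string Open(string protectedPayload) => _protector.Unprotect(protectedPayload);
}
```

Without PersistKeysToFileSystem (or another shared key repository), each server would generate its own key ring and the cross-machine Unprotect would fail just as the original question describes.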