密钥容器,足够安全来存储私钥吗?
我正在阅读 .NET 中的关键容器 作为存储用于非对称加密和数字签名的私钥的安全位置。
我的问题是密钥容器的安全性如何? 因为我发现如果我知道密钥容器名称,那么我将能够使用以下方法检索私钥:
// Create the CspParameters object and set the key container
// name used to store the RSA key pair.
CspParameters cp = new CspParameters();
cp.KeyContainerName = ContainerName;
// Create a new instance of RSACryptoServiceProvider that accesses
// the key container MyKeyContainerName.
RSACryptoServiceProvider rsa = new RSACryptoServiceProvider(cp);
// Display the key information to the console.
Console.WriteLine("Key retrieved from container : \n {0}", rsa.ToXmlString(true));
密钥容器是存储私钥的安全位置吗?
I was reading about Key Containers in .NET as a secure a place to store a private key for asymmetric cryptography and digital signing.
My question is how secure is the Key Container? because I've found out if I know the key container name, then i will be able to retrieve the private key using the following:
// Create the CspParameters object and set the key container
// name used to store the RSA key pair.
CspParameters cp = new CspParameters();
cp.KeyContainerName = ContainerName;
// Create a new instance of RSACryptoServiceProvider that accesses
// the key container MyKeyContainerName.
RSACryptoServiceProvider rsa = new RSACryptoServiceProvider(cp);
// Display the key information to the console.
Console.WriteLine("Key retrieved from container : \n {0}", rsa.ToXmlString(true));
Are Key Containers a secure place to store private keys ?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
这实际上取决于您的要求。
RSACryptoServiceProvider 背后的密钥库实际上是 CryptoAPI 密钥库。 这里的密钥存储在受用户凭据(如果使用用户存储)或机器凭据(如果使用机器存储)保护的文件系统上。 这意味着有权访问正确凭据的攻击者将能够提取私钥。
对于所有不将密钥存储在智能卡、硬件安全模块、TPM 芯片等中的加密实现都是如此。
为了防止能力较弱的攻击者,CryptoAPI 以及 RSACryptoServiceProvider 使您可以将密钥设置为非可出口。 这意味着 CryptoAPI/.NET 将拒绝为您执行私钥导出(但知识渊博的攻击者仍然能够解决此问题)。 为此,请使用
CspProviderFlags.UseNonExportableKey生成密钥。您还可以使用
CspProviderFlags.UseUserProtectedKey,每当使用私钥时,它都会要求用户进行确认和可选的附加密码。That really depends on your requirements.
The keystore behind RSACryptoServiceProvider is really the CryptoAPI key store. Keys here are stored on the filesystem protected under the user credentials (if using the user store) or the machine credentials (if using the machine store). This means that an attacker that has access to the proper credentials will be able to extract the private key.
This will be true for all crypto implementations that do not store the key in a smartcard, hardware security module, TPM chip etc.
To protect against a less capable attacker, the CryptoAPI and hence RSACryptoServiceProvider gives you the possibility of setting the key to non-exportable. This means that CryptoAPI/.NET will refuse to perform the private key export for you (but a knowledgeable attacker will still be able to work around this). To do this, generate the key with
CspProviderFlags.UseNonExportableKey.You can also use
CspProviderFlags.UseUserProtectedKeywhich will ask the user for confirmation and an optional additional password whenever the private key is used.