经典 ASP 与 ASP.NET 加密选项

发布于 2024-09-06 02:55:25 字数 1395 浏览 1 评论 0原文

我正在开发一个网站，其中新页面是 ASP.NET，旧页面是经典 ASP。作为 Windows 环境中的开发新手，我一直在研究最新的技术，即 .NET，当出现有关 COM 对象的遗留问题时，我就像头灯下的鹿一样。

网站上的安全性令人厌恶，但我已经根据 https://web.archive.org/web/20211020203213/https://www.4guysfromrolla.com/articles/021506-1.aspx 基于DPAPI机器模式。我知道这种方法不是最安全的，但总比没有好，这就是 ASP.NET 页面的方法。现在，我想知道如何对经典 ASP 页面使用的连接字符串进行类似的加密。

一个复杂的因素是该网站托管在我没有管理员权限甚至命令行访问权限的地方，只有 FTP。此外，我想避免管理密钥。

我的研究发现：

DPAPI 与 COM 互操作。似乎这应该已经可用，但我能找到讨论此问题的唯一东西是 CyptoUtility （请参阅 http://msdn.microsoft.com/en-us/magazine/cc163884.aspx) 未安装在托管服务器上。
还有很多其他第三方 COM 对象，例如来自 Dalun Software 的 Crypto http://www.dalun.com< /a>，但这些也不在托管服务器上，在我看来，它们要求您进行某种密钥管理。
托管服务器上有 CAPICOM，但 M$ 已弃用它，并且许多人报告它不是最容易使用的。我不清楚是否可以像使用 ASP.NET 的 DPAPI 那样避免使用 CAPICOM 进行密钥管理。如果有人碰巧知道，请告诉我。
我可以在 ASP.NET 中编写一个 Web 服务，并让经典的 ASP 页面使用它来获取解密的连接字符串，然后将它们存储在应用程序变量中。我不需要使用 SSL，因为我可以使用 localhost，并且不会通过互联网发送任何内容。在最简单的形式中，我可以基于简单的 XML 流实现某人所谓的穷人版本，但是，我确实希望避免任何开发，因为我发现很难相信经典 ASP 没有像下面这样的简单解决方案我可以在ASP.NET

也许我缺少一些选项...请求建议...

原文

I'm working on a web site where the new pages are ASP.NET and the legacy pages are Classic ASP. Being new to development in the Windows env, I've been studying the latest technology, i.e. .NET and I become like a deer in headlights when ever legacy issues come up regarding COM objects.

Security on the website is an abomination, but I've easily encrypted the connectionStrings in the web.config file per https://web.archive.org/web/20211020203213/https://www.4guysfromrolla.com/articles/021506-1.aspx based on DPAPI machine mode. I understand this approach is not the most secure, but it's better than nothing which is what it was for the ASP.NET pages. Now, I question how to do similar encryption for the connection strings used by the Classic ASP pages.

A complicating factor is that the web sited is hosted where I do not have admin permissions or even command line access, just FTP. Moreover I want to avoid managing the key.

My research has found:

DPAPI with COM interop. Seems like this should already be available, but the only thing I could find discussing this is CyptoUtility (see http://msdn.microsoft.com/en-us/magazine/cc163884.aspx) which is not installed on the hosting server.
There are plenty of other third party COM objects, e.g. Crypto from Dalun Software http://www.dalun.com, but these aren't on the hosted server either, and they look to me to require you to do some kind of key management.
There is CAPICOM on the hosted server, but M$ has deprecated it and many report it is not the easiest to use. It is not clear to me whether I can avoid key management with CAPICOM similar to using DPAPI for ASP.NET. If anyone happens to know, please clue me in.
I could write an web service in ASP.NET and have the classic ASP pages use it to get the decrypted connection strings and then store those in an application variable. I would not need to use SSL since I could use localhost and nothing would be sent over the internet. In the simpliest form I could implement what someone termed a poor man's version based on a simple XML stream, however, I really was looking to avoid any development since I find it hard to believe there is not a simple solution for Classic ASP like there is for ASP.NET.

Maybe I'm missing some options... Recommendations are requested...

分享到QQ

分享到微博