经典 ASP 与 ASP.NET 加密选项
我正在开发一个网站,其中新页面是 ASP.NET,旧页面是经典 ASP。作为 Windows 环境中的开发新手,我一直在研究最新的技术,即 .NET,当出现有关 COM 对象的遗留问题时,我就像头灯下的鹿一样。
一个复杂的因素是该网站托管在我没有管理员权限甚至命令行访问权限的地方,只有 FTP。此外,我想避免管理密钥。
我的研究发现:
DPAPI 与 COM 互操作。似乎这应该已经可用,但我能找到讨论此问题的唯一东西是 CyptoUtility (请参阅 http://msdn.microsoft.com/en-us/magazine/cc163884.aspx) 未安装在托管服务器上。
还有很多其他第三方 COM 对象,例如来自 Dalun Software 的 Crypto http://www.dalun.com< /a>,但这些也不在托管服务器上,在我看来,它们要求您进行某种密钥管理。
托管服务器上有 CAPICOM,但 M$ 已弃用它,并且许多人报告它不是最容易使用的。我不清楚是否可以像使用 ASP.NET 的 DPAPI 那样避免使用 CAPICOM 进行密钥管理。如果有人碰巧知道,请告诉我。
我可以在 ASP.NET 中编写一个 Web 服务,并让经典的 ASP 页面使用它来获取解密的连接字符串,然后将它们存储在应用程序变量中。我不需要使用 SSL,因为我可以使用 localhost,并且不会通过互联网发送任何内容。在最简单的形式中,我可以基于简单的 XML 流实现某人所谓的穷人版本,但是,我确实希望避免任何开发,因为我发现很难相信经典 ASP 没有像下面这样的简单解决方案 我可以在ASP.NET
也许我缺少一些选项...请求建议...
I'm working on a web site where the new pages are ASP.NET and the legacy pages are Classic ASP. Being new to development in the Windows env, I've been studying the latest technology, i.e. .NET and I become like a deer in headlights when ever legacy issues come up regarding COM objects.
Security on the website is an abomination, but I've easily encrypted the connectionStrings in the web.config file per https://web.archive.org/web/20211020203213/https://www.4guysfromrolla.com/articles/021506-1.aspx based on DPAPI machine mode. I understand this approach is not the most secure, but it's better than nothing which is what it was for the ASP.NET pages. Now, I question how to do similar encryption for the connection strings used by the Classic ASP pages.
A complicating factor is that the web sited is hosted where I do not have admin permissions or even command line access, just FTP. Moreover I want to avoid managing the key.
My research has found:
DPAPI with COM interop. Seems like this should already be available, but the only thing I could find discussing this is CyptoUtility (see http://msdn.microsoft.com/en-us/magazine/cc163884.aspx) which is not installed on the hosting server.
There are plenty of other third party COM objects, e.g. Crypto from Dalun Software http://www.dalun.com, but these aren't on the hosted server either, and they look to me to require you to do some kind of key management.
There is CAPICOM on the hosted server, but M$ has deprecated it and many report it is not the easiest to use. It is not clear to me whether I can avoid key management with CAPICOM similar to using DPAPI for ASP.NET. If anyone happens to know, please clue me in.
I could write an web service in ASP.NET and have the classic ASP pages use it to get the decrypted connection strings and then store those in an application variable. I would not need to use SSL since I could use localhost and nothing would be sent over the internet. In the simpliest form I could implement what someone termed a poor man's version based on a simple XML stream, however, I really was looking to avoid any development since I find it hard to believe there is not a simple solution for Classic ASP like there is for ASP.NET.
Maybe I'm missing some options... Recommendations are requested...
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
下面的链接有两个经典的asp文件,可以用来生成字符串的MD5签名,可以用来加密连接字符串。您可能希望将加密的连接字符串存储在 global.asa 文件中以提高安全性。
http://www.freevbcode.com/ShowCode.asp?ID=2366
The following link has two classic asp files that can be used to generate MD5 signatures of a string, which can be used to encrypt a connection string. You might want to store the encrypted connection string in the global.asa file for added security.
http://www.freevbcode.com/ShowCode.asp?ID=2366