Changing the Microsoft config file encryption method from TripleDES
When encrypting ("protecting") Microsoft config sections, you get something that looks like the XML below. It follows (at least partially) the W3 spec for XML Encryption.
However, in the XML below you'll see that the EncryptionMethod under the EncryptedData section is "tripledes-cbc". We would like to be able to change that to a more-secure alternative, specifically AES, which is specified in the aforementioned W3 spec as well.
In many calls with Microsoft's support engineers, they are nowhere near understanding the question, much less answering it. Is there a way to change this encryption method?
I forgot to mention earlier that we are currently set to RsaProtectedConfigurationProvider, but only the key appears to be encrypted with RSA, whereas the data is encrypted with 3DES.
<MiscCryptoData configProtectionProvider="someConfigProtectionProvider">
  <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns="http://www.w3.org/2001/04/xmlenc#">
    <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
    <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
        <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
        <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
          <KeyName>Rsa Key</KeyName>
        </KeyInfo>
        <CipherData>
          <CipherValue>asf78ag78asg...cryptoyadayada...asdf8r=</CipherValue>
        </CipherData>
      </EncryptedKey>
    </KeyInfo>
    <CipherData>
      <CipherValue>zxcv6asdf35...largercryptoyadayada...u7i8o9p=</CipherValue>
    </CipherData>
  </EncryptedData>
</MiscCryptoData>
Comments (2)
I've just checked RsaProtectedConfigurationProvider with the Reflector and as I found out there is nothing you can do to change tripledes-cbc to anything else. So you have to write your own ProtectedConfigurationProvider if you want to use AES encryption. You may want to use the Reflector to give you a good start.

You probably want to build a custom ProtectedConfigurationProvider. See Implementing a Protected Configuration Provider and How to: Build and Run the Protected Configuration Provider Example.
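
The split the question describes (RSA wraps only the key, 3DES encrypts the section data) can be checked across config files by reading the two EncryptionMethod elements separately. The Python audit below is an added example, not code from the original post, its answers, or Microsoft; the function name audit_config and the sample document are constructed for illustration.

```python
import xml.etree.ElementTree as ET

XENC = "http://www.w3.org/2001/04/xmlenc#"
DSIG = "http://www.w3.org/2000/09/xmldsig#"
TRIPLEDES = XENC + "tripledes-cbc"

# Constructed sample mirroring the question's XML; cipher values are placeholders.
SAMPLE = """<configuration>
  <MiscCryptoData configProtectionProvider="someConfigProtectionProvider">
    <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns="http://www.w3.org/2001/04/xmlenc#">
      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
          <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
          <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><KeyName>Rsa Key</KeyName></KeyInfo>
          <CipherData><CipherValue>PLACEHOLDER</CipherValue></CipherData>
        </EncryptedKey>
      </KeyInfo>
      <CipherData><CipherValue>PLACEHOLDER</CipherValue></CipherData>
    </EncryptedData>
  </MiscCryptoData>
  <appSettings><add key="plain" value="1"/></appSettings>
</configuration>"""


def _alg(parent):
    """Algorithm URI of the EncryptionMethod that is a direct child of parent."""
    method = parent.find(f"{{{XENC}}}EncryptionMethod") if parent is not None else None
    return method.get("Algorithm") if method is not None else None


def audit_config(xml_text):
    """Return one record per protected section found in a .NET config document."""
    findings = []
    for section in ET.fromstring(xml_text).iter():
        data = section.find(f"{{{XENC}}}EncryptedData")
        if section.get("configProtectionProvider") is None or data is None:
            continue
        # The wrapped session key lives in KeyInfo/EncryptedKey, with its own method.
        wrapped = data.find(f"{{{DSIG}}}KeyInfo/{{{XENC}}}EncryptedKey")
        findings.append({
            "section": section.tag,
            "provider": section.get("configProtectionProvider"),
            "data_alg": _alg(data),          # cipher protecting the section content
            "key_wrap_alg": _alg(wrapped),   # cipher protecting the session key
            "uses_3des": _alg(data) == TRIPLEDES,
        })
    return findings
```

Running audit_config over each web.config or app.config in a deployment lists which protected sections still carry tripledes-cbc as the data cipher, which is the value a custom ProtectedConfigurationProvider would replace.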