这是我试图解决的问题。假设我正在发布一些基于 ASP.NET MVC 构建的 Web 软件,并且我只希望最终用户能够向系统添加 X 用户。该软件将托管在他们的服务器上。
我想包含一个加密文件,当用户尝试添加新用户时,它会从文件中读取加密字符串。当网站对其进行解码时,明文将是允许的用户数量。
我这边加密生成这个字符串然后在我的应用程序中将其解码回明文的最佳/最简单方法是什么?显然,我想确保最终用户不能旋转自己的加密字符串并替换我的。我不想担心必须尝试混淆我的源代码,这样他们就无法看到我如何解码字符串。
是否可以使用 rsa 私钥加密,然后使用公钥解密?我在下面的代码中没有运气:
var rsa = new RSACryptoServiceProvider();
var pubicKey = rsa.ToXmlString(false);
var privateKey = rsa.ToXmlString(true);
var test = "this string needs to be encrypted then decrypted";
var rsa2 = new RSACryptoServiceProvider();
rsa2.FromXmlString(privateKey);
var encryptedBytes = rsa2.Encrypt(Encoding.UTF8.GetBytes(test), false);
var encryptedString = Convert.ToBase64String(encryptedBytes);
var rsa3 = new RSACryptoServiceProvider();
rsa3.FromXmlString(pubicKey);
encryptedBytes = Convert.FromBase64String(encryptedString);
var decryptedString = Encoding.UTF8.GetString(rsa3.Decrypt(encryptedBytes, false));
Here is the problem I am trying to solve. Let's say I was releasing some web software built on ASP.NET MVC and I only wanted the end user to be able to add X users to the system. The software would be hosted on their servers.
I want to include an encrypted file that when the user tries to add a new user, it goes out and reads from the file an encrypted string. When the website decodes it, the clear text will be the number of allowed users.
What is the best/simplest way on my end to encrypt to generate this string on my end then decode it back to clear text in my application? Obviously I want to ensure that the end user cannot be spinning up their own encrypted string and just replace mine. I don't want to worry about having to try and obfuscate my source so that they would not be able to see how I decode the string.
Is it possible to encrypt with a private rsa key, then decrypt it with the public one? I haven't had luck with that in the code below:
var rsa = new RSACryptoServiceProvider();
var pubicKey = rsa.ToXmlString(false);
var privateKey = rsa.ToXmlString(true);
var test = "this string needs to be encrypted then decrypted";
var rsa2 = new RSACryptoServiceProvider();
rsa2.FromXmlString(privateKey);
var encryptedBytes = rsa2.Encrypt(Encoding.UTF8.GetBytes(test), false);
var encryptedString = Convert.ToBase64String(encryptedBytes);
var rsa3 = new RSACryptoServiceProvider();
rsa3.FromXmlString(pubicKey);
encryptedBytes = Convert.FromBase64String(encryptedString);
var decryptedString = Encoding.UTF8.GetString(rsa3.Decrypt(encryptedBytes, false));
发布评论
评论(5)
您可以使用签名策略,其中私钥用于生成签名来验证您的消息是否真实。
此示例大部分是从 Microsoft 网站复制的:
这是解释该概念的网页:
You can use a signature strategy, where the private key is used to generate a signature that verifies that your message is authentic.
This example was largely copied from Microsoft's site:
And here is web page that explains the concept:
我认为您正在寻找的是数字签名。内容是否加密并不重要,因为用户拥有(公共)密钥来解密它。重要的是内容的来源是否是您。
由于您有一个配置文件,我认为它是 XML,因此您正在寻找 XMLDSIG 。
您可以使用 SignedXml 类。然后您需要做的就是在加载配置文件时验证签名。此方法允许您轻松使用您可能拥有的任何 X509 证书。您甚至可以将公钥嵌入到签名文件中,因此用户不需要安装您的证书(公钥)。
I think what you are looking for is digital signature. It doesn't matter if the content is encrypted or not, since the user has the (public) key to decrypt it. All that matters is if the content's source is you.
Since you have a config file I reckon it is XML, so you are looking for XMLDSIG.
You can easily achieve this using the SignedXml class in .Net. Then all you need to do is verify the signature when loading the config file. This method allows you to eaisly use any X509 certificates you may have. You can even embed the public key in the signed file, so the user does not need to install your cert (public key).
你的想法是正确的,但我想知道不可预见的后果。
您声明他们将在其服务器上运行软件,因此这意味着他们正在为自己托管服务。但您还提到此服务必须连接到互联网才能通过服务器验证来添加用户。当互联网出现故障或者他们想要一个安全的系统并且防火墙阻止对服务器的互联网访问时会发生什么?他们会完全失去运作能力吗?
只是给你一个问题要问自己:p
Your idea is correct, but I wonder about unforeseen consequences.
You state they will be running software on their servers, so this means they are hosting a service for themselves. But you also mention this service has to connect out tot he internet to add a user by validating with your server. What happens when the internet goes down or they want to have a secure system and a firewall blocks internet access to the servers? Will they completely lose their ability to function?
Just giving you a question to ask yourself :p
您不使用公钥来“解密”文件。您只能使用私钥解密该文件。
在您的情况下,您可以存储用户数量以及使用私钥创建的数据的签名。
在客户端服务器上,您使用公钥来验证签名是否与文件中的数据(用户数量)匹配。
但是,高级用户可能会用自己的公钥替换您的公钥并自己对文件进行签名。
You don't use a public key to 'decrypt' the file. you can only decrypt the file with the private key.
In your case you could store the number of users as well a signature of the data which you create with your private key.
On the clients sever, you use your public key to verify the signature matches the data in the file (number of users)
However, it is possible that an advanced user could swap out your public key with their own and sign the file themselves.
正如您在问题中的评论所述,您的方法是使用客户的密钥和您自己的密钥。这是行不通的,因为 RSA 中使用的质数只能与相应的私钥/公钥一起使用。
您需要做的事情是使用您的两个密钥而不使用客户端的任何内容,或者使用客户端的两个密钥而不使用您的任何内容。例如,
希望这有帮助!
As stated in your comment in the question, your approach is using a key from a client and a key from yourself. This will not work, as the prime numbers used in RSA are meant for use with only the corresponding private/public key.
What you need to do use your two keys and nothing from the client or the client's two keys and nothing of yours. For example,
Hope this helps!