asp.net加密字符串
I'm sure this is not a silver bullet for many developers out there, but I've found it really useful and I think it's a good idea to share it with the whole EE community.
我确信这对于许多开发人员来说不是灵丹妙药,但是我发现它确实有用,我认为与整个EE社区共享它是一个好主意。
Surely you all know that usually connection strings are stated on Web.config files in .NET web applications.
当然,你们都知道,连接字符串通常是在.NET Web应用程序的Web.config文件中声明的。
This is not exactly a security issue, not exactly because those files are not reachable from outside the webserver, so your database user and password aren't there to be exploited by any wit user.
这不完全是安全问题,也不完全是因为无法从Web服务器外部访问这些文件,因此您的数据库用户和密码不会被任何机智的用户利用。
However, many developers (among whose I am) state that Web.config is potentially vulnerable to an internal intrusion, as anyone with access to the server filesystem would be able to retrieve that sensible info. As most of security issues at company levels came from an "enemy within" our task as security concerned developers is to, at least, difficult this task to a potential breacher.
但是,许多开发人员(其中包括我)声称Web.config可能容易受到内部入侵的影响,因为任何有权访问服务器文件系统的人都可以检索该明智的信息。 由于公司级别的大多数安全问题都来自“内部敌人”,因此作为安全相关开发人员,我们的任务至少是使潜在的入侵者难以完成此任务。
The easiest way to do this is to encrypt connectionStrings section on Web.config files, wich is also ideal as .NET Framework will decrypt them automatically when accessing it without you having to code any complex "on the fly" decrypt method.
最简单的方法是对Web.config文件中的connectionStrings部分进行加密,这也是理想的选择,因为.NET Framework将在访问它时自动对其进行解密,而无需编写任何复杂的“即时”解密方法。
I used to do this using aspnet_regiis command, wich have some options to easily encrypt sections on the configuration files.
我曾经使用aspnet_regiis命令来执行此操作,它有一些选项可以轻松地加密配置文件中的部分。
However this was far to be optimal, as on my usual work environment, where projects suffer constant variations even after going live and new builds are often uploaded to the server, I find myself forgetting usually to reencrypt Web.config after an update.
但是,这绝不是最佳选择,因为在我通常的工作环境中,即使上线后项目也会遭受不断的变化,而且新版本通常会上载到服务器,我发现自己通常忘记在更新后重新加密Web.config。
This was a pain, as I actually was concerned and prone to tight security on our developments, but it was just dependant to my memory (wich is not exactly in good shape :( ).
这是一种痛苦,因为我实际上很担心并且容易对我们的开发进行严格的安全保护,但这仅取决于我的记忆(这并不是完全正确的状态:()。
So I was googling for a way to automatize the process, and I was surprised about how many different options there were to programatically encrypt sections on the Web.config while none of them (at least none I've found) explained how to automatize the process to avoid publishing an update with an unencrypted Web.config.
因此,我一直在寻找一种使流程自动化的方法,而让我感到惊讶的是,有多少种不同的选项可以通过编程方式对Web.config上的节进行加密,而没有一个(至少我没有找到)说明了如何自动化该过程。避免使用未加密的Web.config发布更新的过程。
So I decided to try something: Many tutorials and code snippets showed how to create a simple view to encrypt/decrypt sections on the code, but I wanted to execute that code each time I upload a new build, not just on user interaction. Then... why not calling a method to encrypt the sensible data on Application_OnStart?
因此,我决定尝试一下:许多教程和代码片段展示了如何创建一个简单的视图来对代码中的各个部分进行加密/解密,但是我想每次上载新版本时都执行该代码,而不仅是基于用户交互。 然后...为什么不调用Application_OnStart上的加密敏感数据的方法?
This method (located as you surely know on Global.asax file) is executed each time your whole app restarts, and this includes each time you upload a recompiled new build.
每次重新启动整个应用程序时都会执行此方法(您在Global.asax文件中确定地定位),包括每次上载重新编译的新版本时都将执行此方法。
So I take one of the multiple examples on the web that liked me more than others and simplified it at maximum to create a static class with a method to encrypt the connectionStrings section of Web.config:
因此,我在网上采取了多个示例之一,这些示例比其他示例更喜欢我,并最大程度地简化了该示例,以创建一个静态类,并使用一种用于加密Web.config的connectionStrings部分的方法:
using System;
using System.Configuration;
using System.Web.Configuration;
public static class StringConnEncryption {
public static void Encrypt() {
//Encryption provider
string strProvider = "RSAProtectedConfigurationProvider";
Configuration oConfiguration = null;
ConnectionStringsSection oSection = null;
try {
oConfiguration = WebConfigurationManager.OpenWebConfiguration("~");
if (oConfiguration != null) {
bool bChanged = false;
oSection = oConfiguration.GetSection("connectionStrings") as ConnectionStringsSection;
if (oSection != null) {
if (!oSection.ElementInformation.IsLocked && !oSection.SectionInformation.IsLocked) {
if (!oSection.SectionInformation.IsProtected) {
bChanged = true;
oSection.SectionInformation.ProtectSection(strProvider);
}
}
}
if (bChanged) {
oSection.SectionInformation.ForceSave = true;
oConfiguration.Save();
}
}
} catch (Exception ex) {
throw (ex);
}
}
}
You just need to call this method on your Application_OnStart() method:
您只需要在Application_OnStart()方法上调用此方法:
StringConnEncryption.Encrypt();
You can check the original code I used for the class at this article of Dariush Tasdighi
您可以在Dariush Tasdighi的本文中查看我用于该班级的原始代码
This way your Web.config will get encrypted on the first access to the site each time you rebuild your app. You still need to access the site to fire the code, but surely after an update you check that everything it's ok, and this will be enough to fire the encrypting code.
这样,您每次重新构建应用程序时,Web.config都会在首次访问该站点时得到加密。 您仍然需要访问该站点以触发代码,但是一定要在更新后检查一切正常,这足以触发加密代码。
Also, you don't need to fear that on iis restart the code fires again an re-encrypt your Web.config, as the class check if the section is already encrypted before procceeding.
另外,您不必担心在iis重新启动时代码会再次触发,从而重新加密Web.config,因为在进行操作之前,类会检查该部分是否已加密。
Note that you can easily extend the class to encrypt other sections on Web.config and to add a decryption system (check Dariush's article).
请注意,您可以轻松扩展该类以对Web.config上的其他部分进行加密并添加解密系统(请参阅Dariush的文章)。
I hope this simple idea helps you.
我希望这个简单的想法能对您有所帮助。
asp.net加密字符串
扫一扫
101
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
