Using RSA asymmetric encryption in Vue: Building a secure data transfer service using RSA asymmetric encryption (running)


Using RSA asymmetric encryption in Vue

Background

Security has been a primary concern for business and government for hundreds of years. Government regulations explicitly state how customer data must be handled, and protecting your business continuity from vulnerability exploitation is essential.

Objective

Send data securely to other parties via an HTTP request. "Other parties" means a partner entity that communicates with us. The security requirements are:

  • Data cannot be read by an unauthorized party
  • The data source can be verified as coming from the right party

Components

The service is able to send and receive data. Users use the service to send data to any party running the same service. The prerequisite for this setup is that each party holds the public key of each of its partners.

The diagram below shows how Alice transfers data to Bob using the secure service. The service Alice uses needs Bob's public key to send a message to Bob and Alice's private key to sign the message. On the other side, Bob runs a service that has his private key to read the message from Alice and Alice's public key to verify her signature.

[Figure: Top-view secure data transfer service]

Once the top view is understood, we need to look at the components inside the service. Note that a single service can communicate with many services as long as it has each partner's public key.

Here are the minimum requirements to build the service.

  1. The private key reader
  2. The public key reader
  3. Message encryptor
  4. Signature writer
  5. Message decipher
  6. Signature verifier
  7. HTTP listener
  8. HTTP post

The diagram below shows the interaction between components.

[Figure: What's Inside the Service]

Code

The code below implements the requirements above in Go. The service can communicate with any other service, even one written in a different language, as long as it follows the same requirements.

Private key reader

The function reads the private key file, which is named in the format [name]-private.pem.

There are many tools to generate RSA key pairs. A 2048-bit key size is recommended.

Public key reader

The function reads the public key given by the partner, named in the format [name]-public.pem.

The input parameter is an array of strings, because the service will communicate with many parties.

The output is a map whose keys are the partner names and whose values are the public keys. This map is used when encrypting data.
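The article's own listings for the two key readers did not survive on this page, so here is an added example of how they can be written in Go with the standard library. It is my code, not the article's or its repository's: files are located by the article's [name]-private.pem and [name]-public.pem convention, both common PEM encodings for each key type are accepted, and a partner key shorter than the recommended 2048 bits is refused. The names ReadPrivateKey, ReadPublicKeys and WriteKeyPair are my own; WriteKeyPair is a convenience that creates files in that layout and is not part of the article.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// parsePrivateKeyPEM accepts PKCS#1 ("RSA PRIVATE KEY") and PKCS#8 ("PRIVATE KEY") encodings.
func parsePrivateKeyPEM(data []byte) (*rsa.PrivateKey, error) {
	block, _ := pem.Decode(data)
	if block == nil {
		return nil, errors.New("no PEM block found")
	}
	if block.Type == "RSA PRIVATE KEY" {
		return x509.ParsePKCS1PrivateKey(block.Bytes)
	}
	key, err := x509.ParsePKCS8PrivateKey(block.Bytes)
	if err != nil {
		return nil, fmt.Errorf("parse %s: %w", block.Type, err)
	}
	if rsaKey, ok := key.(*rsa.PrivateKey); ok {
		return rsaKey, nil
	}
	return nil, errors.New("private key is not an RSA key")
}

// parsePublicKeyPEM accepts PKCS#1 ("RSA PUBLIC KEY") and PKIX ("PUBLIC KEY", what openssl -pubout writes).
func parsePublicKeyPEM(data []byte) (*rsa.PublicKey, error) {
	block, _ := pem.Decode(data)
	if block == nil {
		return nil, errors.New("no PEM block found")
	}
	if block.Type == "RSA PUBLIC KEY" {
		return x509.ParsePKCS1PublicKey(block.Bytes)
	}
	key, err := x509.ParsePKIXPublicKey(block.Bytes)
	if err != nil {
		return nil, fmt.Errorf("parse %s: %w", block.Type, err)
	}
	if rsaKey, ok := key.(*rsa.PublicKey); ok {
		return rsaKey, nil
	}
	return nil, errors.New("public key is not an RSA key")
}

// ReadPrivateKey reads <dir>/<name>-private.pem, the service's own key under the article's naming convention.
func ReadPrivateKey(dir, name string) (*rsa.PrivateKey, error) {
	data, err := os.ReadFile(filepath.Join(dir, name+"-private.pem"))
	if err != nil {
		return nil, err
	}
	return parsePrivateKeyPEM(data)
}

// ReadPublicKeys reads <dir>/<partner>-public.pem for every partner into a map keyed by partner
// name, the structure the encryptor looks up. Keys shorter than the recommended 2048 bits are refused.
func ReadPublicKeys(dir string, partners []string) (map[string]*rsa.PublicKey, error) {
	keys := make(map[string]*rsa.PublicKey, len(partners))
	for _, partner := range partners {
		data, err := os.ReadFile(filepath.Join(dir, partner+"-public.pem"))
		if err != nil {
			return nil, err
		}
		pub, err := parsePublicKeyPEM(data)
		if err != nil {
			return nil, fmt.Errorf("%s: %w", partner, err)
		}
		if bits := pub.N.BitLen(); bits < 2048 {
			return nil, fmt.Errorf("%s: key is only %d bits, want at least 2048", partner, bits)
		}
		keys[partner] = pub
	}
	return keys, nil
}

// WriteKeyPair generates a key and stores it as <name>-private.pem (PKCS#1, owner-only permissions)
// and <name>-public.pem (PKIX), so a test or a first deployment can bootstrap the expected files.
func WriteKeyPair(dir, name string, bits int) (*rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	privPEM := pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key)})
	pubDER, _ := x509.MarshalPKIXPublicKey(&key.PublicKey) // cannot fail for an *rsa.PublicKey
	pubPEM := pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: pubDER})
	if err := os.WriteFile(filepath.Join(dir, name+"-private.pem"), privPEM, 0o600); err != nil {
		return nil, err
	}
	return key, os.WriteFile(filepath.Join(dir, name+"-public.pem"), pubPEM, 0o644)
}
```

Calling WriteKeyPair(".", "alice", 2048) in a folder produces alice-private.pem and alice-public.pem, which is the layout the tree listing in the testing section expects; ReadPublicKeys(".", []string{"bob"}) then fails loudly if bob-public.pem is missing or too weak, instead of letting the service start with an incomplete contact list.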

Message encryptor

The input of the function is the message. The original data before encryption is called plaintext, and the data after encryption is called ciphertext.

The function uses the minimum inputs required for encryption: the plaintext and the public key.

The output is written as a base64 string to make it readable to a human.

Signature writer

The function takes the ciphertext from the previous function. Using the private key of Alice (the sender), the output is a unique signature that cannot be replicated by other parties.

Signature verifier

When receiving a message from another party, the signature verifier function must be executed first.

The function checks the ciphertext against the signature using the partner's public key. The output is an error object if the signature is not verified.

Decipher

If the signature is verified, the next step is to decipher the ciphertext into plaintext. Only the right private key is able to read the message.

This is the last step of the flow. The plaintext can then be written out as a text display or in any other presentation form.

HTTP post

Now we need to put all the functions together.

The input is a gin context object, which comes from gin, a very popular HTTP router.

We will use this function in the HTTP routing when the user calls the service to transfer data. The required parameters are:

  • receiver: the partner name, required to look up the right public key
  • host: the partner service host address that is called after the message has been encrypted and signed
  • message: the original information to be sent

The function first encrypts the message, signs the ciphertext and transfers the ciphertext to the partner service. The response to the user is an HTTP status that tells whether the partner service is reachable, together with the ciphertext that was sent.

This is the complete flow to send data securely to other parties.

HTTP receiver

This function is executed when the service receives data from another service. It chains the necessary functions to make the data available to the user. First, it matches the sender to a public key. Then it verifies the signature with that public key. If the signature is not verified, it tells the user that a message failed verification. If the signature is verified, the function decrypts the message into plaintext and prints the plaintext for the user.

Service Main

To make all the functions executable, we need to build the main function with the HTTP routing.

During service initialization, it reads flags that allow the same service to be deployed by every party. The service requires 3 flags:

  • name: the service user; the service will use the private key that matches this name
  • contacts: the partners' names separated by commas ','; the service will use the partner public key that matches each partner's name
  • port: the port the service will listen on

And that is all: the service is able to perform both full flows, sending data and receiving data.
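The article's listings for the encryptor, signature writer, verifier, decipher, HTTP post, HTTP receiver and main are not reproduced on this page, so here is an added end-to-end example of that flow, written by me against Go's standard library rather than taken from the article or its repository. It uses net/http instead of gin, RSA-OAEP with SHA-256 for encryption and RSA-PSS for the signature over the base64 ciphertext (the article does not say which padding schemes it uses; these are the ones I would pick), and generates the key pairs in memory instead of reading PEM files. Party, Seal, Open, ReceiveHandler and Exchange are my names. Exchange plays the article's two-folder test: Bob's /receive endpoint runs on a local test server and Alice seals and posts one message to it.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Party is one deployment: own private key, partners' public keys (the -name and -contacts flags)
// and the plaintexts of verified messages (unsynchronized; enough for this one-request demo).
type Party struct {
	Name     string
	Private  *rsa.PrivateKey
	Contacts map[string]*rsa.PublicKey
	Inbox    []string
}

// Seal (encryptor + signature writer): RSA-OAEP/SHA-256 under the receiver's public key, base64, then an
// RSA-PSS signature over that base64 string. OAEP refuses plaintexts over 190 bytes (2048-bit key) rather than truncating.
func (p *Party) Seal(receiver, plaintext string) (string, string, error) {
	pub, ok := p.Contacts[receiver]
	if !ok {
		return "", "", fmt.Errorf("no public key for %q", receiver)
	}
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, []byte(plaintext), nil)
	if err != nil {
		return "", "", err
	}
	ciphertext := base64.StdEncoding.EncodeToString(ct)
	h := sha256.Sum256([]byte(ciphertext))
	sig, err := rsa.SignPSS(rand.Reader, p.Private, crypto.SHA256, h[:], nil)
	if err != nil {
		return "", "", err
	}
	return ciphertext, base64.StdEncoding.EncodeToString(sig), nil
}

// Open (signature verifier + decipher): the sender's registered public key must verify the
// signature before the own private key decrypts anything; an unverified message is never decrypted.
func (p *Party) Open(sender, ciphertext, signature string) (string, error) {
	pub := p.Contacts[sender]
	sig, _ := base64.StdEncoding.DecodeString(signature) // malformed input simply fails VerifyPSS
	h := sha256.Sum256([]byte(ciphertext))
	if pub == nil || rsa.VerifyPSS(pub, crypto.SHA256, h[:], sig, nil) != nil {
		return "", fmt.Errorf("sender %q unknown or signature not verified", sender)
	}
	ct, _ := base64.StdEncoding.DecodeString(ciphertext) // likewise fails inside DecryptOAEP
	pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, p.Private, ct, nil)
	return string(pt), err
}

// ReceiveHandler is the /receive endpoint. The JSON body carries sender, ciphertext and signature;
// a message that does not open is rejected with 403 and never reaches the inbox.
func (p *Party) ReceiveHandler(w http.ResponseWriter, r *http.Request) {
	var m map[string]string
	if err := json.NewDecoder(r.Body).Decode(&m); err != nil {
		http.Error(w, "bad request", http.StatusBadRequest)
		return
	}
	pt, err := p.Open(m["sender"], m["ciphertext"], m["signature"])
	if err != nil {
		http.Error(w, err.Error(), http.StatusForbidden)
		return
	}
	p.Inbox = append(p.Inbox, pt)
	fmt.Fprintf(w, "message from %s received\n", m["sender"])
}

// Exchange stands in for the two-folder test: Bob's /receive runs on a local test server, Alice does the
// /send work (seal, post to the receiver's host) and the plaintext Bob recovered is returned. A production
// /send should post only to the host registered for that receiver, never to a caller-supplied address.
func Exchange(message string) (string, error) {
	ak, _ := rsa.GenerateKey(rand.Reader, 2048)
	bk, _ := rsa.GenerateKey(rand.Reader, 2048)
	alice := &Party{Name: "alice", Private: ak, Contacts: map[string]*rsa.PublicKey{"bob": &bk.PublicKey}}
	bob := &Party{Name: "bob", Private: bk, Contacts: map[string]*rsa.PublicKey{"alice": &ak.PublicKey}}
	srv := httptest.NewServer(http.HandlerFunc(bob.ReceiveHandler))
	defer srv.Close()
	ct, sig, err := alice.Seal("bob", message)
	if err != nil {
		return "", err
	}
	body, _ := json.Marshal(map[string]string{"sender": alice.Name, "ciphertext": ct, "signature": sig})
	resp, err := http.Post(srv.URL+"/receive", "application/json", bytes.NewReader(body))
	if err != nil {
		return "", err // partner not reachable
	}
	resp.Body.Close()
	if len(bob.Inbox) == 0 {
		return "", fmt.Errorf("partner rejected the message: HTTP %d", resp.StatusCode)
	}
	return bob.Inbox[0], nil
}
```

Two behaviours are worth noticing. The receiver never decrypts before the signature has verified against the sender's registered public key, so a tampered ciphertext or a message from an unknown sender is dropped at the verification step. And a plaintext longer than what RSA-OAEP can hold with a 2048-bit key (190 bytes) is refused by EncryptOAEP rather than truncated, which is why a service that has to send anything larger needs a hybrid scheme (a random symmetric key encrypted with RSA, the payload with an AEAD such as AES-GCM) instead of raw RSA over the message.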

Testing

To test the service, we need to build the Go file. For example, to build the service with the name secure-comm:

go build -o secure-comm

Copy the binary into two different folders, one for Alice and one for Bob. Put Alice's private key and Bob's public key into folder alice. Put Bob's private key and Alice's public key into folder bob.

➜  test git:(master) ✗ tree
.
├── alice
│   ├── alice-private.pem
│   ├── bob-public.pem
│   └── secure-comm
└── bob
    ├── alice-public.pem
    ├── bob-private.pem
    └── secure-comm

Now run this command in folder alice:

./secure-comm -name=alice -contacts=bob -port=8080

The command uses alice for the name flag, bob for the contacts flag and 8080 for the port flag. Running with the default gin HTTP routing configuration, the output looks like this.

[Figure: Running the service in folder alice]

Run the following command in folder Bob.

./secure-comm -name=bob -contacts=alice -port=8081

It works the same way as the previous command for folder alice, except for the different port, 8081, which means this service is running on 8081.

Now we need to test the communication. Here is the HTTP call, as a curl command, simulating the scenario where Alice sends a message to Bob.

curl --location --request POST 'http://localhost:8080/send' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'receiver=bob' \
--data-urlencode 'host=http://localhost:8081/receive' \
--data-urlencode 'message=hello Bob, how are you'

The service in folder alice responds as follows. This means the data was sent to Bob encrypted.

{"ciphertext": "i5WGunu3+qMTUTaClS09whPhtxDn3mKMahcMQPo7IHmQEutIeDuGzJkoS7i/kDl85DLv0YgHJtdF6kuR99u9SBL7SMN3PdhqtyPpDyEZal6H8N+4wndB688Cw0SRtOIHJraDFbrBTt2bB13gRQX1l+VNv5MwsDswJ9Gv3UsaKL6Gpi2SatD/BcAsSd7bTeM8cS7ekZ55lV45Ll7je84cKVa7auOvWwuFiY8QdGEJBer0MQ96yB92cPxxvN9/kLfwQ2i0b2d1F1LrWstXDu26wXIiROmAgeQeIahx8+lTFGedLR8y2yY5xvdBAG7caYMgRl1yniSQXVp9we33LOMAuA=="}

When we check the service in folder bob, it prints out the message from Alice.

[Figure: Message from Alice to Bob]

That means Bob is able to read the message from Alice. End-to-end testing is complete.

Bob is in turn able to reply by making an HTTP call to the service in folder bob on port 8081. Here is a screenshot of a conversation between Alice and Bob using the secure data transfer service.

[Figure: Conversation between Alice and Bob]

Footnote

The service we built here is aligned with two security principles: confidentiality and integrity. The implementation can, of course, be adjusted to real-life business cases. As long as the flow and components are the same, this service can be built in various other languages. The full code repository is available here

The prerequisite for using this service is having a pair of RSA keys. Here is how to generate the RSA keys.

Hopefully this service will be useful to you. What do you think the next improvement would be?

Translated from: https://medium.com/swlh/building-a-secure-data-transfer-service-using-rsa-asymmetric-encryption-in-go-3a656c9309c1
