我一直在开发一个由angularjs客户端使用的ASP.NET WEB API RESTFUL服务。 现在,我让它变得安全,我决定实施RSA加密来实现它。因此,在服务器端,我使用RSACryptoServiceProvider方法,公钥和私钥都存储在文件中。这已经足够了,但是,在客户端的第一次调用中,它会发送一串用户名和密码进行身份验证并获取令牌,因此我必须对该呼叫进行加密。
有人知道有关如何在JS中实现类似于我在C#中使用的内容的任何教程或手册吗?
以下是WEB API中的加密代码:
using System;
using System.Collections.Generic;
using System.Text;
using System.Security.Cryptography;
using System.IO;
namespace MvcPrueba.Models
{
public class Cryptography
{
#region Types
#region Enum
#endregion
#region Class
#endregion
#endregion
#region Variables
#endregion
#region Properties
#endregion
#region Constructors/Destructors
#region Constructors
protected Cryptography()
{
}
#region Instantiate
#endregion
#endregion
#region Destructors
public void Dispose()
{
throw new NotImplementedException();
}
#endregion
#endregion
#region Class Logic
// Generate a new key pair
public static void GenerateKeys(string publicKeyFileName, string privateKeyFileName)
{
// Variables
CspParameters cspParams = null;
RSACryptoServiceProvider rsaProvider = null;
StreamWriter publicKeyFile = null;
StreamWriter privateKeyFile = null;
string publicKey = "";
string privateKey = "";
try
{
// Create a new key pair on target CSP
cspParams = new CspParameters();
cspParams.ProviderType = 1; // PROV_RSA_FULL
//cspParams.ProviderName; // CSP name
cspParams.Flags = CspProviderFlags.UseArchivableKey;
cspParams.KeyNumber = (int)KeyNumber.Exchange;
rsaProvider = new RSACryptoServiceProvider(cspParams);
// Export public key
publicKey = rsaProvider.ToXmlString(false);
// Write public key to file
publicKeyFile = File.CreateText(publicKeyFileName);
publicKeyFile.Write(publicKey);
// Export private/public key pair
privateKey = rsaProvider.ToXmlString(true);
// Write private/public key pair to file
privateKeyFile = File.CreateText(privateKeyFileName);
privateKeyFile.Write(privateKey);
}
catch (Exception ex)
{
// Any errors? Show them
Console.WriteLine("Exception generating a new key pair! More info:");
Console.WriteLine(ex.Message);
}
finally
{
// Do some clean up if needed
if (publicKeyFile != null)
{
publicKeyFile.Close();
}
if (privateKeyFile != null)
{
privateKeyFile.Close();
}
}
} // Keys
// Encrypt a file
public static void Encrypt(string publicKeyFileName, string plainFileName, string encryptedFileName)
{
// Variables
CspParameters cspParams = null;
RSACryptoServiceProvider rsaProvider = null;
StreamReader publicKeyFile = null;
StreamReader plainFile = null;
FileStream encryptedFile = null;
string publicKeyText = "";
string plainText = "";
byte[] plainBytes = null;
byte[] encryptedBytes = null;
try
{
// Select target CSP
cspParams = new CspParameters();
cspParams.ProviderType = 1; // PROV_RSA_FULL
//cspParams.ProviderName; // CSP name
rsaProvider = new RSACryptoServiceProvider(cspParams);
// Read public key from file
publicKeyFile = File.OpenText(publicKeyFileName);
publicKeyText = publicKeyFile.ReadToEnd();
// Import public key
rsaProvider.FromXmlString(publicKeyText);
// Read plain text from file
plainFile = File.OpenText(plainFileName);
plainText = plainFile.ReadToEnd();
// Encrypt plain text
plainBytes = Encoding.Unicode.GetBytes(plainText);
encryptedBytes = rsaProvider.Encrypt(plainBytes, false);
// Write encrypted text to file
encryptedFile = File.Create(encryptedFileName);
encryptedFile.Write(encryptedBytes, 0, encryptedBytes.Length);
}
catch (Exception ex)
{
// Any errors? Show them
Console.WriteLine("Exception encrypting file! More info:");
Console.WriteLine(ex.Message);
}
finally
{
// Do some clean up if needed
if (publicKeyFile != null)
{
publicKeyFile.Close();
}
if (plainFile != null)
{
plainFile.Close();
}
if (encryptedFile != null)
{
encryptedFile.Close();
}
}
} // Encrypt
// Decrypt a file
public static void Decrypt(string privateKeyFileName, string encryptedFileName, string plainFileName)
{
// Variables
CspParameters cspParams = null;
RSACryptoServiceProvider rsaProvider = null;
StreamReader privateKeyFile = null;
FileStream encryptedFile = null;
StreamWriter plainFile = null;
string privateKeyText = "";
string plainText = "";
byte[] encryptedBytes = null;
byte[] plainBytes = null;
try
{
// Select target CSP
cspParams = new CspParameters();
cspParams.ProviderType = 1; // PROV_RSA_FULL
//cspParams.ProviderName; // CSP name
rsaProvider = new RSACryptoServiceProvider(cspParams);
// Read private/public key pair from file
privateKeyFile = File.OpenText(privateKeyFileName);
privateKeyText = privateKeyFile.ReadToEnd();
// Import private/public key pair
rsaProvider.FromXmlString(privateKeyText);
// Read encrypted text from file
encryptedFile = File.OpenRead(encryptedFileName);
encryptedBytes = new byte[encryptedFile.Length];
encryptedFile.Read(encryptedBytes, 0, (int)encryptedFile.Length);
// Decrypt text
plainBytes = rsaProvider.Decrypt(encryptedBytes, false);
// Write decrypted text to file
plainFile = File.CreateText(plainFileName);
plainText = Encoding.Unicode.GetString(plainBytes);
plainFile.Write(plainText);
}
catch (Exception ex)
{
// Any errors? Show them
Console.WriteLine("Exception decrypting file! More info:");
Console.WriteLine(ex.Message);
}
finally
{
// Do some clean up if needed
if (privateKeyFile != null)
{
privateKeyFile.Close();
}
if (encryptedFile != null)
{
encryptedFile.Close();
}
if (plainFile != null)
{
plainFile.Close();
}
}
} // Decrypt
#endregion
}
}
提前致谢。
答案 0 :(得分:1)
@ m.dorian - 这是一个非常糟糕的主意!如果您重视安全性和最佳做法,请不要尝试以任何方式实现此目的。我建议你仔细阅读这个主题。此外,您应该始终哈希用户的密码而不加密它们。密码应该是单向散列等等。
如果您不了解数据安全的具体细节,我建议您退后一步,或者与知道自己正在做什么的人交谈,或者自己教育。特别是在过去几年报告的所有数据妥协之后。可以找到Troy Hunt的有用帖子here,这应该只是一个开始!
答案 1 :(得分:0)
新的API Web Cryptography API目前处于草稿状态,但according to MDN可以在几乎所有主要浏览器的最新版本中使用它。
但是,我不确定你要实现的目标是什么?您说您希望对用户名和密码进行客户端加密,但为什么不使用TLS加密所有流量?或者您使用的是用户名&生成用于加密和解密数据客户端的私钥的密码,因此您只需将公钥存储在服务器上?
另请注意,您将加密密钥存储在文件中。你存放它们有多安全?当有人窃取钥匙时,所有数据都是公开的。