How does MachineKey.Protect work?

Time: 2017-01-02 18:16:56

Tags: c# asp.net asp.net-mvc security cryptography

In the official description of this method, at the following link, Microsoft explains that MachineKey.Protect "protects the specified data by encrypting or otherwise signing it": https://msdn.microsoft.com/en-us/library/system.web.security.machinekey.protect(v=vs.110).aspx

What does this mean? How does it decide whether to encrypt, sign, or both?

2 answers:

Answer 0 (score: 1)

Neither the MSDN documentation nor the .NET Web Development and Tools Blog say exactly how this works, but this article mentions that the MachineKey API does both (which, incidentally, is also the more secure way to do it).

I dug deeper into the .NET Reference Source, and apparently this is true. Take a look at this code:

using (ICryptoTransform encryptor = encryptionAlgorithm.CreateEncryptor()) {
    using (CryptoStream cryptoStream = new CryptoStream(memStream, encryptor, CryptoStreamMode.Write)) {
        cryptoStream.Write(clearData, 0, clearData.Length);
        cryptoStream.FlushFinalBlock();

        // At this point:
        // memStream := IV || Enc(Kenc, IV, clearData)

        // These KeyedHashAlgorithm instances are single-use; we wrap it in a 'using' block.
        using (KeyedHashAlgorithm signingAlgorithm = _cryptoAlgorithmFactory.GetValidationAlgorithm()) {
            // Initialize the algorithm with the specified key
            signingAlgorithm.Key = _validationKey.GetKeyMaterial();

            // Compute the signature
            byte[] signature = signingAlgorithm.ComputeHash(memStream.GetBuffer(), 0, (int)memStream.Length);

            // At this point:
            // memStream := IV || Enc(Kenc, IV, clearData)
            // signature := Sign(Kval, IV || Enc(Kenc, IV, clearData))

            // Append the signature to the encrypted payload
            memStream.Write(signature, 0, signature.Length);

            // At this point:
            // memStream := IV || Enc(Kenc, IV, clearData) || Sign(Kval, IV || Enc(Kenc, IV, clearData))

            // Algorithm complete
            byte[] protectedData = memStream.ToArray();
            return protectedData;
        }
    }
}

This is from NetFXCryptoService, which is the default cryptographic provider in case you have not configured a DataProtector.
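As an added example (my own code, not from the Reference Source or from the answerer), here is the same encrypt-then-sign construction written out as a Protect/Unprotect pair, assuming AES-CBC for encryption and HMACSHA256 for validation (the usual machineKey defaults) with throwaway keys generated in Main. The Unprotect half shows what the excerpt leaves out: the signature is verified over IV || ciphertext before anything is decrypted, so a tampered blob is rejected without the ciphertext ever reaching the cipher.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;
// Added example, not the .NET Reference Source. Produces the excerpt's layout IV || Enc(Kenc, IV, clearData) || Sign(Kval, IV || Enc(...)),
// assuming AES-CBC and HMACSHA256 (the usual machineKey defaults); the keys are constructed in Main, not real machine keys.
static class EncryptThenMacDemo
{
    const int IvLen = 16, SigLen = 32;   // AES block size, HMACSHA256 output size
    public static byte[] Protect(byte[] kEnc, byte[] kVal, byte[] clearData)
    {
        using (var aes = Aes.Create())
        using (var ms = new MemoryStream())
        using (var hmac = new HMACSHA256(kVal))
        {
            aes.GenerateIV();                                   // fresh random IV on every call
            ms.Write(aes.IV, 0, IvLen);                         // ms := IV
            using (var cs = new CryptoStream(ms, aes.CreateEncryptor(kEnc, aes.IV), CryptoStreamMode.Write))
            {
                cs.Write(clearData, 0, clearData.Length);
                cs.FlushFinalBlock();                           // ms := IV || Enc(Kenc, IV, clearData)
                ms.Write(hmac.ComputeHash(ms.GetBuffer(), 0, (int)ms.Length), 0, SigLen);
                return ms.ToArray();                            // IV || ciphertext || Sign(Kval, IV || ciphertext)
            }
        }
    }
    // Verify the signature over IV || ciphertext first; a blob that fails comes back as null and is never decrypted.
    public static byte[] Unprotect(byte[] kEnc, byte[] kVal, byte[] blob)
    {
        if (blob.Length < IvLen + SigLen) return null;
        int sigOffset = blob.Length - SigLen, diff = 0;
        byte[] expected;
        using (var hmac = new HMACSHA256(kVal)) expected = hmac.ComputeHash(blob, 0, sigOffset);
        for (int i = 0; i < SigLen; i++) diff |= expected[i] ^ blob[sigOffset + i];   // constant-time compare
        if (diff != 0) return null;
        byte[] iv = new byte[IvLen]; Array.Copy(blob, iv, IvLen);
        using (var aes = Aes.Create())
        using (var dec = aes.CreateDecryptor(kEnc, iv))
            return dec.TransformFinalBlock(blob, IvLen, sigOffset - IvLen);
    }
    static void Main()
    {
        byte[] kEnc = new byte[32], kVal = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) { rng.GetBytes(kEnc); rng.GetBytes(kVal); }
        byte[] blob = Protect(kEnc, kVal, Encoding.UTF8.GetBytes("session=42"));
        Console.WriteLine(Encoding.UTF8.GetString(Unprotect(kEnc, kVal, blob)));   // decrypts back to the plaintext
        blob[20] ^= 0x01;                                                           // flip one ciphertext bit
        Console.WriteLine(Unprotect(kEnc, kVal, blob) == null ? "rejected" : "accepted");  // signature check fails, so null
    }
}
```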

Answer 1 (score: 0)

From the first paragraph of the Remarks section on the same page:

This method supersedes the Encode method, which requires the caller to specify whether the plaintext data should be encrypted, signed, or both. The Protect method performs the appropriate operation and securely protects the data.

What it is trying to say is that, depending on what you pass in the purposes parameter, it will change the operation that Protect performs. You would need to look further into the documentation to understand which operations serve which purposes. Which strings trigger which operations depends on the Protected Configuration Provider you are using for your site.