Entlib 3.1 Study Notes (3): Cryptography Application Block


http://www.microsoft.com/china/MSDN/library/enterprisedevelopment/softwaredev/dnpag2crypto1.mspx?mfr=true
http://msdn2.microsoft.com/en-us/library/aa480457.aspx

Only symmetric encryption and hashing (message digests) are supported; the block does not do asymmetric encryption.

1. Problems solved:
Developers frequently write applications that need encryption and hashing to meet their organization's security requirements. Data and configuration information created and maintained by an application must be encrypted, and passwords used to access application functions or data must be hashed rather than stored in the clear.

The Cryptography Application Block decouples application code from any particular cryptographic provider, which simplifies the developer's work: the underlying algorithm can be swapped by changing configuration rather than code. It also encapsulates best practices for common cryptography-related chores, such as generating symmetric keys and protecting them at rest.

2. Usage
(0) Use the Enterprise Library configuration tool to edit app.config/web.config;
Add a reference to Microsoft.Practices.EnterpriseLibrary.Security.Cryptography.dll to the project;
Reference the namespace in code with using Microsoft.Practices.EnterpriseLibrary.Security.Cryptography;
(1) Encrypt (supports DPAPI, AES, DES, 3DES, RC2 and custom symmetric algorithms)

string plaintext = "Source";
string symmProvider = "symmProvider"; // symmetric provider (instance) name set in the Enterprise Library configuration tool
string target = Cryptographer.EncryptSymmetric(symmProvider, plaintext); // ciphertext returned as a base64 string

(2) Decrypt

string encryptedData = "xxx......"; // base64 ciphertext previously returned by EncryptSymmetric
string symmProvider = "symmProvider"; // same provider name as used for encryption
string plaintext = Cryptographer.DecryptSymmetric(symmProvider, encryptedData);

(3) Hash (supports every hash algorithm in the System.Security.Cryptography namespace, plus custom hash algorithms)

const string hashProvider = "hashProvider"; // hash provider (instance) name set in the configuration tool
string plaintext = "password";
byte[] valueToHash = Encoding.UTF8.GetBytes(plaintext);
byte[] generatedHash = Cryptographer.CreateHash(hashProvider, valueToHash); // store this value

(4) Check whether a stored hash matches the text

const string hashProvider = "hashProvider";
byte[] existingHashValue = generatedHash; // the hash returned by CreateHash in (3) and stored
byte[] valueToHash = Encoding.UTF8.GetBytes("password");
bool comparisonSucceeded = Cryptographer.CompareHash(hashProvider, valueToHash, existingHashValue); // compare through the block, not byte-by-byte
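Steps (1) to (4) above are fragments. The following is an added, end-to-end example (not code from the original post or from Enterprise Library itself) that runs the whole round trip in one program and shows the two things the fragments do not: the byte[] overloads, and why a salted hash must be verified through CompareHash rather than by comparing bytes. It assumes the configuration file defines a symmetric provider named "symmProvider" and a hash provider named "hashProvider" with salting enabled; both names and the salting setting are assumptions.

```csharp
// Added example; not code from the original post or from Enterprise Library itself.
// Assumes app.config/web.config (written with the Enterprise Library configuration
// tool) defines a symmetric provider "symmProvider" and a hash provider "hashProvider"
// with salting enabled. Both names and the salting setting are assumptions.
using System;
using System.Text;
using Microsoft.Practices.EnterpriseLibrary.Security.Cryptography;

class CryptoBlockRoundTrip
{
    const string SymmProvider = "symmProvider";   // assumed instance name from configuration
    const string HashProvider = "hashProvider";   // assumed instance name from configuration

    static void Main()
    {
        // (1)+(2): the string overloads return/accept the ciphertext as base64 text;
        // the byte[] overloads work on raw bytes (use these for binary data).
        string plaintext = "Source";
        string cipherText = Cryptographer.EncryptSymmetric(SymmProvider, plaintext);
        string decrypted  = Cryptographer.DecryptSymmetric(SymmProvider, cipherText);
        Console.WriteLine("string round trip ok: {0}", decrypted == plaintext);

        byte[] raw       = Encoding.UTF8.GetBytes(plaintext);
        byte[] rawCipher = Cryptographer.EncryptSymmetric(SymmProvider, raw);
        byte[] rawBack   = Cryptographer.DecryptSymmetric(SymmProvider, rawCipher);
        Console.WriteLine("byte[] round trip ok: {0}", SameBytes(raw, rawBack));

        // The provider generates a fresh IV for every call and prepends it to the
        // ciphertext, so the same plaintext encrypts differently each time. Do not use
        // ciphertext as a lookup key or expect it to be stable.
        string cipherText2 = Cryptographer.EncryptSymmetric(SymmProvider, plaintext);
        Console.WriteLine("ciphertexts differ: {0}", cipherText != cipherText2);

        // (3)+(4): store the hash, then verify through CompareHash. With salting enabled
        // each CreateHash call draws a new random salt and stores it inside the returned
        // value, so two hashes of one input differ and byte-equality is the wrong check.
        byte[] password    = Encoding.UTF8.GetBytes("password");
        byte[] stored      = Cryptographer.CreateHash(HashProvider, password);
        byte[] storedAgain = Cryptographer.CreateHash(HashProvider, password);
        Console.WriteLine("salted hashes differ: {0}", !SameBytes(stored, storedAgain));

        // Persist as base64 (e.g. in a database column) and decode on the way back.
        string storedText = Convert.ToBase64String(stored);
        byte[] fromStore  = Convert.FromBase64String(storedText);

        bool rightPassword = Cryptographer.CompareHash(HashProvider, password, fromStore);
        bool wrongPassword = Cryptographer.CompareHash(HashProvider, Encoding.UTF8.GetBytes("passw0rd"), fromStore);
        Console.WriteLine("correct password accepted: {0}, wrong password rejected: {1}",
            rightPassword, !wrongPassword);

        // Caveat the block does not address: a salted SHA hash is fast to brute-force.
        // For user passwords prefer a deliberately slow KDF (Rfc2898DeriveBytes / PBKDF2)
        // and keep the block's hash providers for integrity checks.
    }

    // Constant-time comparison so the loop does not leak how many leading bytes matched.
    // CompareHash does the real verification above; this helper only serves the demo.
    static bool SameBytes(byte[] a, byte[] b)
    {
        if (a == null || b == null || a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

Build against Microsoft.Practices.EnterpriseLibrary.Security.Cryptography.dll with the configured app.config beside the executable; if the provider names in the configuration file differ from the two constants, Cryptographer throws at the first call.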


3. Cryptography Application Block design:

(The design diagram from the original post is not reproduced here.)

4. Storage of keys when symmetric encryption is used
In symmetric encryption the same key is used to encrypt and to decrypt, so an attacker who obtains the key can recover the original data: the confidentiality of the encrypted data reduces to the confidentiality of the key. For the algorithms in the .NET System.Security.Cryptography namespace (AES/Rijndael, DES, 3DES, RC2), the Enterprise Library configuration tool provides a key-file wizard that generates the key and protects it with DPAPI (the Data Protection API; the DPAPI key is derived from the credentials of the logged-on user, or from a machine-wide key, and is managed by the operating system; see section 6 below). The protected key is written to a file with the .key extension; if that file is deleted, encryption and decryption fail. The <securityCryptographyConfiguration> section of the configuration file records the absolute path of the key file on the local computer, so the identity the application runs under (for a web application, the worker process account) must be able to read that file and must match the DPAPI scope the key was protected with. Two ways to protect the key:
(1) Use an ACL so that only the appropriate identities can read the key file. (Protect your keys with access control lists (ACLs). Only grant the necessary permissions to the identities that require access to the key file.)
(2) Do not enable remote debugging on a computer in a low-trust environment. (Do not configure your computer to allow remote debugging when that computer runs in a low-trust environment. An example of such a computer is a web server that allows anonymous access.)

5. Key distribution:
A DPAPI-protected key file is bound to the machine (machine store) or to the user account (user store) that protected it, so a .key file copied from one computer cannot be unprotected on another. When data is encrypted on one computer and must be decrypted on another, the key therefore cannot be transferred by copying the .key file; it has to go through the Enterprise Library configuration tool:
(1) Export key -> enter a password;
(2) The configuration tool unprotects the key in the .key file with DPAPI, encrypts it with a key derived from the entered password, and writes the result to a text file;
(3) Transfer the text file;
(4) On the other computer, when creating the symmetric provider with the configuration tool, choose to import the key from the text file and enter the same password; the tool decrypts the text file, protects the key with DPAPI on that machine, and stores it locally.

Key distribution is this complicated. In a real project, say one server and N clients with one key per client, who is going to distribute keys this way? I feel it is fine as a toy, but its practical value is not high...
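To make the four steps above concrete, here is an added example (not the Enterprise Library configuration tool's code, and not its export-file format) that spells out what a password-protected export and import do, and finishes with the ACL step recommended in section 4. The blob layout, PBKDF2 iteration count, transfer password and file path are this example's own choices; it needs a reference to System.Security.dll for ProtectedData.

```csharp
// Added example; not the Enterprise Library configuration tool's code and not its
// export-file format. It shows what the password and DPAPI each contribute to the
// export/import flow. Blob layout, iteration count, password and path are assumptions.
// Needs a reference to System.Security.dll (ProtectedData).
using System;
using System.IO;
using System.Security.AccessControl;
using System.Security.Cryptography;
using System.Security.Principal;

static class KeyTransfer
{
    const int SaltSize = 16;        // bytes
    const int Iterations = 100000;  // PBKDF2 rounds (assumption; tune to your hardware)

    // Export (steps 1-2): wrap the raw symmetric key under a password-derived key.
    // Blob layout used here: salt (16) | IV (16) | AES-CBC(rawKey). Base64 it to get
    // the "text file" that travels.
    public static byte[] Export(byte[] rawKey, string password)
    {
        byte[] salt = new byte[SaltSize];
        new RNGCryptoServiceProvider().GetBytes(salt);
        var kdf = new Rfc2898DeriveBytes(password, salt, Iterations);
        using (SymmetricAlgorithm aes = Aes.Create())
        {
            aes.Key = kdf.GetBytes(32);
            aes.GenerateIV();
            using (ICryptoTransform enc = aes.CreateEncryptor())
            {
                byte[] wrapped = enc.TransformFinalBlock(rawKey, 0, rawKey.Length);
                byte[] blob = new byte[SaltSize + aes.IV.Length + wrapped.Length];
                Buffer.BlockCopy(salt, 0, blob, 0, SaltSize);
                Buffer.BlockCopy(aes.IV, 0, blob, SaltSize, aes.IV.Length);
                Buffer.BlockCopy(wrapped, 0, blob, SaltSize + aes.IV.Length, wrapped.Length);
                return blob;
            }
        }
    }

    // Import (step 4): unwrap with the password, then let DPAPI bind the key to this
    // machine (or account). The transfer password never reaches the stored .key file.
    public static void Import(byte[] blob, string password, string keyFilePath, DataProtectionScope scope)
    {
        byte[] salt = new byte[SaltSize];
        byte[] iv = new byte[16];
        Buffer.BlockCopy(blob, 0, salt, 0, SaltSize);
        Buffer.BlockCopy(blob, SaltSize, iv, 0, iv.Length);
        int offset = SaltSize + iv.Length;
        var kdf = new Rfc2898DeriveBytes(password, salt, Iterations);
        byte[] rawKey;
        using (SymmetricAlgorithm aes = Aes.Create())
        {
            aes.Key = kdf.GetBytes(32);
            aes.IV = iv;
            using (ICryptoTransform dec = aes.CreateDecryptor())
                rawKey = dec.TransformFinalBlock(blob, offset, blob.Length - offset);
            // A wrong password usually surfaces here as a CryptographicException from the
            // padding check, but padding is not authentication: a production format should
            // add a MAC over the wrapped key (or use an authenticated mode).
        }
        byte[] protectedKey = ProtectedData.Protect(rawKey, null, scope);
        Array.Clear(rawKey, 0, rawKey.Length);
        File.WriteAllBytes(keyFilePath, protectedKey);
        RestrictToAppIdentity(keyFilePath);
    }

    // Section 4's ACL advice: drop inherited entries and allow only the account the
    // application runs as (assumed here to be the importing account) plus administrators.
    static void RestrictToAppIdentity(string path)
    {
        FileSecurity acl = File.GetAccessControl(path);
        acl.SetAccessRuleProtection(true, false);   // stop inheriting, keep nothing inherited
        foreach (FileSystemAccessRule rule in acl.GetAccessRules(true, false, typeof(SecurityIdentifier)))
            acl.RemoveAccessRule(rule);
        SecurityIdentifier appAccount = WindowsIdentity.GetCurrent().User;
        SecurityIdentifier admins = new SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid, null);
        acl.AddAccessRule(new FileSystemAccessRule(appAccount, FileSystemRights.Read, AccessControlType.Allow));
        acl.AddAccessRule(new FileSystemAccessRule(admins, FileSystemRights.FullControl, AccessControlType.Allow));
        File.SetAccessControl(path, acl);
    }

    static void Main()
    {
        byte[] key = new byte[32];
        new RNGCryptoServiceProvider().GetBytes(key);
        byte[] transfer = Export(key, "transfer-password");
        string path = Path.Combine(Path.GetTempPath(), "symmProvider.key");   // assumed path
        Import(transfer, "transfer-password", path, DataProtectionScope.LocalMachine);
        byte[] back = ProtectedData.Unprotect(File.ReadAllBytes(path), null, DataProtectionScope.LocalMachine);
        Console.WriteLine("imported key matches exported key: {0}",
            Convert.ToBase64String(back) == Convert.ToBase64String(key));
    }
}
```

The point the code makes is that the password protects the key only in transit; once imported, the file is protected by DPAPI on the target machine, which is why the same text file can be imported on any number of computers but a .key file cannot be copied between them.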

6. About DPAPI (http://www.microsoft.com/china/technet/security/guidance/secmod21.mspx):
(1) Windows 2000 and later provide the Win32 Data Protection API (DPAPI) for encrypting and decrypting data;
(2) DPAPI is part of the Cryptography API (CryptoAPI) and is implemented in crypt32.dll. It exposes two functions: CryptProtectData and CryptUnprotectData;
(3) DPAPI is particularly useful because it removes the key-management problem for applications that use it. Encryption protects the data, but you must then take extra steps to protect the key. DPAPI derives the encryption key from the credentials of the user account associated with the code calling the DPAPI functions, so the key is managed by the operating system rather than by the application.
(4) DPAPI can be used with the machine store or the user store (the user store requires a loaded user profile). DPAPI uses the user store by default; pass the CRYPTPROTECT_LOCAL_MACHINE flag to the DPAPI functions to select the machine store.
(5) The user store adds a layer of security because it restricts which users can access the secret: only the user who encrypted the data can decrypt it. However, when an ASP.NET web application uses DPAPI with the user store, additional development work is required, because the user profile must be explicitly loaded and unloaded (ASP.NET does not load user profiles automatically).
(6) The machine store is easier to develop against because no profile management is needed. However, unless an additional entropy parameter is used it is not secure, because any user on the computer can decrypt the data. (Entropy is a random value that makes decrypting the secret harder: the same value must be supplied again to decrypt.) The problem with the entropy parameter is that the application must store it securely, which brings back a key-management problem.

Note: if you use DPAPI with the machine store, the encrypted data is valid only on the computer that produced it, so you must generate the encrypted data on each computer. Do not copy encrypted data from one computer to another in a web farm or cluster.

If you use DPAPI with the user store, a roaming user profile lets the data be decrypted on any computer the profile roams to.
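Points (4) to (6) are easiest to see by exercising the .NET wrapper over CryptProtectData/CryptUnprotectData. The following is an added example (not from the original post) that protects one secret under the user store, the machine store, and the machine store with entropy, and then shows which combinations unprotect. The secret and entropy strings are placeholders; it needs a reference to System.Security.dll.

```csharp
// Added example; not from the original post. Uses ProtectedData (System.Security.dll),
// the managed wrapper over CryptProtectData/CryptUnprotectData, to show what the user
// store, the machine store and the entropy parameter mean. Secret/entropy are placeholders.
using System;
using System.Security.Cryptography;
using System.Text;

static class DpapiScopes
{
    // True if Unprotect succeeds for the given blob, entropy and scope.
    public static bool CanUnprotect(byte[] blob, byte[] entropy, DataProtectionScope scope)
    {
        try
        {
            ProtectedData.Unprotect(blob, entropy, scope);
            return true;
        }
        catch (CryptographicException)
        {
            return false;
        }
    }

    static void Main()
    {
        byte[] secret = Encoding.UTF8.GetBytes("db connection string");

        // User store (the default when CRYPTPROTECT_LOCAL_MACHINE is not set): tied to the
        // logged-on account's profile. Another account on this box cannot open it, and an
        // ASP.NET worker process whose profile is not loaded may not be able to either.
        byte[] userBlob = ProtectedData.Protect(secret, null, DataProtectionScope.CurrentUser);

        // Machine store, no entropy: any account on this machine can call Unprotect on it.
        byte[] machineBlob = ProtectedData.Protect(secret, null, DataProtectionScope.LocalMachine);

        // Machine store with entropy: decryption also needs the entropy bytes, which the
        // application now has to store somewhere safe (the key-management problem returns).
        byte[] entropy = Encoding.UTF8.GetBytes("per-application entropy, keep it out of source control");
        byte[] machineEntropyBlob = ProtectedData.Protect(secret, entropy, DataProtectionScope.LocalMachine);

        Console.WriteLine("user blob, same account:          {0}", CanUnprotect(userBlob, null, DataProtectionScope.CurrentUser));
        Console.WriteLine("machine blob, no entropy:         {0}", CanUnprotect(machineBlob, null, DataProtectionScope.LocalMachine));
        Console.WriteLine("machine+entropy blob, no entropy: {0}", CanUnprotect(machineEntropyBlob, null, DataProtectionScope.LocalMachine));
        Console.WriteLine("machine+entropy blob, entropy:    {0}", CanUnprotect(machineEntropyBlob, entropy, DataProtectionScope.LocalMachine));

        // Every Protect call uses a fresh session key, so one secret yields different blobs;
        // compare decrypted data, never blobs. And a LocalMachine blob only opens on the host
        // that produced it: generate per host, do not copy it around a web farm.
        byte[] machineBlob2 = ProtectedData.Protect(secret, null, DataProtectionScope.LocalMachine);
        Console.WriteLine("two blobs of one secret differ:   {0}",
            Convert.ToBase64String(machineBlob) != Convert.ToBase64String(machineBlob2));
    }
}
```

Run it once as the account your application uses; then run only the "machine blob, no entropy" line again as a different local account to confirm point (6) for yourself, and the "user blob" line to confirm point (5).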

For more support for symmetric encryption and asymmetric encryption, refer to my previous: http://www.cnblogs.com/happyhippy/category/79936.html
