來自 亞特蘭提斯 著
對於ASPX網頁上暫存資料方面,ServerSide最常用多數都是用Session,ClientSide應該都是ViewState吧,前者應該沒有太多保安問題,但後者的ViewState其實要Decode根本不難,所以加密功夫其實很重要的。近期工作上經常要使用 jQuery + Web Service處理資料,有些敏感資料會經JSON傳回Browser,又或者經Hidden Field傳回Server,有些情況是很難避免的 (特別是上司要求…),我看過有些懶人只用Base64轉碼就當是加密其實真的很危險。
.NET Framework其實本身在System.Security.Cryptography NameSpace下已經提供了大量加密方式,在MSDN看過後,取了幾種針對String加密的,做了少少資料搜集有關 3DES / DES / RSA 和 AES (Rijndael) 的比較,其實4種方法同樣都需要一項Key才可以進行正常解密,所以即使知道你網頁中加密後的字串,而不知道你所設定的Key都不可能正常解密的。
論安全性,粗略評估後的排行應該是 AES (Rijndael) > AES > 3DES > RSA / DES。
至於使用方面,Client-Side可以使用以下的Javascript 解密AES:
http://www.movable-type.co.uk/scripts/aes.html
Server-Side方面,其實MSDN上已有很清晰的Sample,以下就是使用AES (Rijndael)方式對String進行encrypt和decrypt的例子。
using System;
using System.Security.Cryptography;
using System.Text;
using System.IO;
class RijndaelSample
{
static void Main()
{
try
{
// Create a new Rijndael object to generate a key
// and initialization vector (IV).
Rijndael RijndaelAlg = Rijndael.Create();
// Create a string to encrypt.
string sData = "Here is some data to encrypt.";
string FileName = "CText.txt";
// Encrypt text to a file using the file name, key, and IV.
EncryptTextToFile(sData, FileName, RijndaelAlg.Key, RijndaelAlg.IV);
// Decrypt the text from a file using the file name, key, and IV.
string Final = DecryptTextFromFile(FileName, RijndaelAlg.Key, RijndaelAlg.IV);
// Display the decrypted string to the console.
Console.WriteLine(Final);
}
catch (Exception e)
{
Console.WriteLine(e.Message);
}
Console.ReadLine();
}
public static void EncryptTextToFile(String Data, String FileName, byte[] Key, byte[] IV)
{
try
{
// Create or open the specified file.
FileStream fStream = File.Open(FileName, FileMode.OpenOrCreate);
// Create a new Rijndael object.
Rijndael RijndaelAlg = Rijndael.Create();
// Create a CryptoStream using the FileStream
// and the passed key and initialization vector (IV).
CryptoStream cStream = new CryptoStream(fStream, RijndaelAlg.CreateEncryptor(Key, IV), CryptoStreamMode.Write);
// Create a StreamWriter using the CryptoStream.
StreamWriter sWriter = new StreamWriter(cStream);
try
{
// Write the data to the stream
// to encrypt it.
sWriter.WriteLine(Data);
}
catch (Exception e)
{
Console.WriteLine("An error occurred: {0}", e.Message);
}
finally
{
// Close the streams and
// close the file.
sWriter.Close();
cStream.Close();
fStream.Close();
}
}
catch (CryptographicException e)
{
Console.WriteLine("A Cryptographic error occurred: {0}", e.Message);
}
catch (UnauthorizedAccessException e)
{
Console.WriteLine("A file error occurred: {0}", e.Message);
}
}
public static string DecryptTextFromFile(String FileName, byte[] Key, byte[] IV)
{
try
{
// Create or open the specified file.
FileStream fStream = File.Open(FileName, FileMode.OpenOrCreate);
// Create a new Rijndael object.
Rijndael RijndaelAlg = Rijndael.Create();
// Create a CryptoStream using the FileStream
// and the passed key and initialization vector (IV).
CryptoStream cStream = new CryptoStream(fStream, RijndaelAlg.CreateDecryptor(Key, IV), CryptoStreamMode.Read);
// Create a StreamReader using the CryptoStream.
StreamReader sReader = new StreamReader(cStream);
string val = null;
try
{
// Read the data from the stream
// to decrypt it.
val = sReader.ReadLine();
}
catch (Exception e)
{
Console.WriteLine("An error occurred: {0}", e.Message);
}
finally
{
// Close the streams and
// close the file.
sReader.Close();
cStream.Close();
fStream.Close();
}
// Return the string.
return val;
}
catch (CryptographicException e)
{
Console.WriteLine("A Cryptographic error occurred: {0}", e.Message);
return null;
}
catch (UnauthorizedAccessException e)
{
Console.WriteLine("A file error occurred: {0}", e.Message);
return null;
}
}
}
沒有留言:
發佈留言