2009年10月27日星期二

ASP.NET Server Side & Client Side資料加密處理

對於ASPX網頁上暫存資料方面,ServerSide最常用多數都是用Session,ClientSide應該都是ViewState吧,前者應該沒有太多保安問題,但後者的ViewState其實要Decode根本不難,所以加密功夫其實很重要的。近期工作上經常要使用 jQuery + Web Service處理資料,有些敏感資料會經JSON傳回Browser,又或者經Hidden Field傳回Server,有些情況是很難避免的 (特別是上司要求...),我看過有些懶人只用Base64轉碼就當是加密其實真的很危險。

.NET Framework其實本身在System.Security.Cryptography NameSpace下已經提供了大量加密方式,在MSDN看過後,取了幾種針對String加密的,做了少少資料搜集有關 3DES / DES / RSAAES (Rijndael) 的比較,其實4種方法同樣都需要一項Key才可以進行正常解密,所以即使知道你網頁中加密後的字串,而不知道你所設定的Key都不可能正常解密的。

論安全性,粗略評估後的排行應該是 AES (Rijndael) > AES > 3DES > RSA / DES。

至於使用方面,Client-Side可以使用以下的Javascript 解密AES:
http://www.movable-type.co.uk/scripts/aes.html

Server-Side方面,其實MSDN上已有很清晰的Sample,以下就是使用AES (Rijndael)方式對String進行encrypt和decrypt的例子。

using System;
using System.Security.Cryptography;
using System.Text;
using System.IO;

class RijndaelSample
{

static void Main()
{
try
{
// Create a new Rijndael object to generate a key
// and initialization vector (IV).
Rijndael RijndaelAlg = Rijndael.Create();

// Create a string to encrypt.
string sData = "Here is some data to encrypt.";
string FileName = "CText.txt";

// Encrypt text to a file using the file name, key, and IV.
EncryptTextToFile(sData, FileName, RijndaelAlg.Key, RijndaelAlg.IV);

// Decrypt the text from a file using the file name, key, and IV.
string Final = DecryptTextFromFile(FileName, RijndaelAlg.Key, RijndaelAlg.IV);

// Display the decrypted string to the console.
Console.WriteLine(Final);
}
catch (Exception e)
{
Console.WriteLine(e.Message);
}

Console.ReadLine();
}

public static void EncryptTextToFile(String Data, String FileName, byte[] Key, byte[] IV)
{
try
{
// Create or open the specified file.
FileStream fStream = File.Open(FileName, FileMode.OpenOrCreate);

// Create a new Rijndael object.
Rijndael RijndaelAlg = Rijndael.Create();

// Create a CryptoStream using the FileStream 
// and the passed key and initialization vector (IV).
CryptoStream cStream = new CryptoStream(fStream, RijndaelAlg.CreateEncryptor(Key, IV), CryptoStreamMode.Write);

// Create a StreamWriter using the CryptoStream.
StreamWriter sWriter = new StreamWriter(cStream);

try
{
// Write the data to the stream 
// to encrypt it.
sWriter.WriteLine(Data);
}
catch (Exception e)
{
Console.WriteLine("An error occurred: {0}", e.Message);
}
finally
{
// Close the streams and
// close the file.
sWriter.Close();
cStream.Close();
fStream.Close();
}
}
catch (CryptographicException e)
{
Console.WriteLine("A Cryptographic error occurred: {0}", e.Message);
}
catch (UnauthorizedAccessException e)
{
Console.WriteLine("A file error occurred: {0}", e.Message);
}

}

public static string DecryptTextFromFile(String FileName, byte[] Key, byte[] IV)
{
try
{
// Create or open the specified file. 
FileStream fStream = File.Open(FileName, FileMode.OpenOrCreate);

// Create a new Rijndael object.
Rijndael RijndaelAlg = Rijndael.Create();

// Create a CryptoStream using the FileStream 
// and the passed key and initialization vector (IV).
CryptoStream cStream = new CryptoStream(fStream, RijndaelAlg.CreateDecryptor(Key, IV), CryptoStreamMode.Read);

// Create a StreamReader using the CryptoStream.
StreamReader sReader = new StreamReader(cStream);

string val = null;

try
{
// Read the data from the stream 
// to decrypt it.
val = sReader.ReadLine();


}
catch (Exception e)
{
Console.WriteLine("An error occurred: {0}", e.Message);
}
finally
{
// Close the streams and
// close the file.
sReader.Close();
cStream.Close();
fStream.Close();
}

// Return the string. 
return val;
}
catch (CryptographicException e)
{
Console.WriteLine("A Cryptographic error occurred: {0}", e.Message);
return null;
}
catch (UnauthorizedAccessException e)
{
Console.WriteLine("A file error occurred: {0}", e.Message);
return null;
}
}
}

沒有留言:

發佈留言