问题描述
我想使用的加密算法在.NET安全命名空间中可用,但是我想了解如何生成密钥,例如AES算法需要256位,即16个字节的关键,而一些初始化向量,这也是几字节。
I want to use encryption algorithm available in .Net Security namespace, however I am trying to understand how to generate the key, for example AES algorithm needs 256 bits, that 16 bytes key, and some initialization vector, which is also few bytes.
-
我可以使用值的任意组合,在我的密钥和IV?例如在关键的第四和全部为零的有效还是无效?我知道算法做大量的异或的细节,所以零不会有什么好处,但是否有任何限制这些算法?
Can I use any combination of values in my Key and IV? e.g. all zeros in Key and IV are valid or not? I know the detail of algorithm which does lots of xors, so zero wont serve any good, but are there any restrictions by these algorithms?
或我使用一些程序来生成密钥,并永久保存的地方?
Or Do I have to generate the key using some program and save it permanently somewhere?
欲加密后在数据库中存储的数据,如用户名,密码,电话号码等,以及该密钥的安全描述文件数据将提供给仅在连接串中提到的数据库用户,并给管理员。
I want to store data in database after encryption, the secure profile data like username, password, phone number etc, and the key will be available to database user mentioned in connection string only, and to the administrator.
推荐答案
如果您正在使用加密来交换数据,那么你将需要一个密钥交换协议,但你不要做一个自己,而不是使用一个现成的,货架像TLS或SSL。
If you are using encryption to exchange data then you will need a key exchange protocol, but you don't make one yourself instead use one off-the-shelf like TLS or SSL.
如果您使用加密来存储数据,然后生成使用四 CryptGenRandom (或其等值.NET RandomNumberGenerator.GetBytes)并将其保存在文档(以清晰,无需要保护IV)你从来不写下来的关键,关键是由用户提供Usualy您源于一个密码短语使用的,或者其等值的.Net PasswordDeriveKey.CryptDeriveKey.
If you use encryption to store data then you generate the IV using CryptGenRandom (or its .net equivalent RandomNumberGenerator.GetBytes) and save it along the document (in clear, no need to protect the IV). You never write down the key, the key is provided by the user. Usualy you derive the key from a password phrase using CryptDeriveKey, or its .Net equivalent PasswordDeriveKey.CryptDeriveKey.
更新
要存储一个秘密就是只提供给需要使用3个按键用户和管理员的数据库:
To store a secret in the database that is available only to the user and an administrator you need to use 3 keys:
- 在一个与数据(称之为DK键) 加密
- 在一个用户密钥来加密的DK键(称之为UK)
- 在一个管理员密钥来加密的DK键(称之为AK)
在理论上你加密与DK的数据,然后加密与英国DK和保存,加密与AK的DK和保存。这样,用户可以再次使用英国的DK解密,然后解密的数据,并且管理员可以使用的AK的DK解密,然后对数据进行解密。最大的问题是以下事实,该系统总是自动的,因此,系统需要访问管理员的关键,这意味着不是真正的管理员的persnal关键,但取而代之的是一个系统密钥(它不能被用于目的的非不可否认的实例)。
In theory you encrypt the data with DK and then encrypt the DK with UK and save it, and encrypt the DK with AK and save it. This way the user can use again the UK to decrypt the DK and then decrypt the data, and the administrator can use the AK to decrypt the DK and then decrypt the data. The big problem is the fact that the system is always automated, so the system needs access to the administrator's key which means is not truly a persnal key of the administrator, but instead is a system key (it cannot be used for purposes of non-repudiation for instance).
由于抬起头,对使用什么IV是或AES如何从C#和知识如何密码算法的工作将让你在解决这类问题恰好为0(零)的牵引力。这个问题是永远IV和关键要使用的,这个问题始终是重点配置。对于实际的加密操作,只需使用内置的数据库支持,请参阅SQL Server 密码>。我可以很容易得出结论的的只有的工具,你需要的是TDE(透明数据加密),以防止媒体的意外丢失。
As a heads up, knowledge of what IV is or how to use AES from C# and how cryptography algorithm work will get you exactly 0 (zero) traction in solving this kind of problems. The issue is never what IV and key to use, the issue is always key provisioning. For actual crypto operations, just use the built-in support from the database, see Cryptography in SQL Server. I can easily argue that the only facility you need is TDE (Transparent Data Encryption) to protect against accidental loss of media.
这篇关于如何创建加密算法加密密钥?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!