Posted on 8/15/2023 10:21:16 AM
Requirements: During development you often run into encryption and decryption scenarios. For example, an email verification link can carry an encrypted string; when the user clicks the link and reaches the endpoint, the system must be able to decrypt that string correctly, which is what implements the email verification feature.
ASP.NET Core ships built-in data protection features for exactly this purpose.
Main packages
The main packages involved in Data Protection are listed below; reference them as needed:
- Microsoft.AspNetCore.DataProtection.Abstractions: the .NET Core abstraction layer package. It contains the main service interfaces, such as IDataProtectionProvider and IDataProtector.
- Microsoft.AspNetCore.DataProtection: the core cryptographic operations, key management, configuration, and extensibility points.
- Microsoft.AspNetCore.DataProtection.Extensions: provides a factory method for creating provider instances and storage extension methods for keys. This package is used in non-DI mode.
- Microsoft.AspNetCore.DataProtection.SystemWeb: implements <machineKey> compatibility with the encryption and decryption mechanism of ASP.NET 4.x.
- Microsoft.AspNetCore.Cryptography.KeyDerivation: provides an implementation of the PBKDF2 password hashing routine. Use it when you need password hashing.
IDataProtectionProvider vs IDataProtector
IDataProtectionProvider is based on Microsoft's provider model and supplies the policy for creating instances. You create an IDataProtector by calling IDataProtectionProvider.CreateProtector(purpose). IDataProtector is the service responsible for encryption and decryption; it mainly exposes two kinds of methods, Protect and Unprotect (each with many overloads and extension methods). Put simply, Protect encrypts and Unprotect decrypts. The parameter of CreateProtector is a purpose string that provides isolation: IDataProtectors created with different purpose strings produce different ciphertexts even when they protect the same data. IDataProtector is itself also an implicit IDataProtectionProvider and exposes CreateProtector(purpose) too, so purposes can be chained, which makes a multi-tenant application model easy to implement.
Here are a few things to keep in mind:
IDataProtectionProvider and IDataProtector instances are thread-safe. Unprotect reports a decryption failure to the caller by throwing an exception; the exception type is CryptographicException.
Simple use of data protection in ASP.NET Core
Add a new endpoint that encrypts and decrypts data; the code is as follows:
The test is as follows:
IDataProtectionProvider is registered as a singleton; the relevant code is as follows:
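As an added example (not code from the original post), the following console program shows the email-link scenario from the introduction in non-DI mode using Microsoft.AspNetCore.DataProtection.Extensions: purpose isolation, a time-limited token for the link, and the CryptographicException raised on a purpose mismatch. The key directory, purpose strings and payload are assumptions chosen for this demo.

```csharp
// Added example, not from the original post. Assumes the packages
// Microsoft.AspNetCore.DataProtection and .Extensions are referenced.
using System;
using System.IO;
using System.Security.Cryptography;
using Microsoft.AspNetCore.DataProtection;

class EmailLinkDemo
{
    static void Main()
    {
        // Keys are persisted in this folder (assumed path); on Windows they
        // are additionally encrypted at rest with DPAPI.
        var keyDir = new DirectoryInfo(Path.Combine(Path.GetTempPath(), "dp-demo-keys"));
        IDataProtectionProvider provider = DataProtectionProvider.Create(keyDir);

        // Purpose strings isolate protectors: a token minted for email
        // confirmation is not accepted by the password-reset protector.
        IDataProtector confirmEmail = provider.CreateProtector("Account", "ConfirmEmail");
        IDataProtector resetPassword = provider.CreateProtector("Account", "ResetPassword");

        // Wrap in a time-limited protector so the link in the email expires.
        ITimeLimitedDataProtector limited = confirmEmail.ToTimeLimitedDataProtector();
        string token = limited.Protect("user-id:42", TimeSpan.FromHours(24));
        Console.WriteLine($"Token to embed in the link: {token}");

        // The click handler unprotects with the same purpose and receives
        // both the payload and the expiry it should check.
        string payload = limited.Unprotect(token, out DateTimeOffset expires);
        Console.WriteLine($"Payload '{payload}', valid until {expires:u}");

        // Wrong purpose (or a tampered/expired token) fails with
        // CryptographicException rather than returning garbage.
        try
        {
            resetPassword.Unprotect(token);
        }
        catch (CryptographicException ex)
        {
            Console.WriteLine($"Rejected as expected: {ex.Message}");
        }
    }
}
```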
Key management
If the user profile is available, keys are persisted to the %LOCALAPPDATA%\ASP.NET\DataProtection-Keys folder. On Windows the keys are encrypted at rest using DPAPI. As shown below:
Key lifetime
By default, a key's lifetime is 90 days. When the key expires, the application automatically generates a new key and makes it the active key. As long as the retired keys remain on the system, your application can still decrypt any data protected by them. For more information, see Key management.
Default algorithm
The default payload protection algorithms are AES-256-CBC (for confidentiality) and HMACSHA256 (for authenticity). A 512-bit master key, rolled every 90 days, is used to derive the two subkeys for these algorithms on a per-payload basis.
Key storage providers in ASP.NET Core
- File system: PersistKeysToFileSystem
- Azure Storage: PersistKeysToAzureBlobStorage, which requires the package Azure.Extensions.AspNetCore.DataProtection.Blobs
- Redis: PersistKeysToStackExchangeRedis, which requires the package Microsoft.AspNetCore.DataProtection.StackExchangeRedis
Clustered and distributed deployments
If the servers' keys are inconsistent, for example server A encrypts and server B decrypts, an exception is thrown (as shown in the figure below); the same key must be deployed to every server.
Configure the same key as follows:
Once the program runs, it automatically generates a key-*.xml key file under the publish_itsvse folder; keep this file identical across the different servers! As shown below:
ASP.NET Core protection configuration
ASP.NET Core provides a rich API for key persistence, configuration, and customization:
- PersistKeysToAzureBlobStorage, ProtectKeysWithAzureKeyVault: the Azure cloud storage scenario.
- PersistKeysToFileSystem: local file system storage; the stored XML records the encryption algorithms, keys, and their dependencies.
- ProtectKeysWith*: key-at-rest encryption is provided through extension methods following this naming pattern, for example ProtectKeysWithCertificate.
- SetDefaultKeyLifetime: sets the key lifetime, which defaults to 90 days.
- SetApplicationName: sets the application name. By default, data protection is fully isolated per application; key sharing between apps is achieved by setting the same application name.
- DisableAutomaticKeyGeneration: prevents keys from being rolled automatically. Often we do not actually want the keys to change, or in a cluster one dedicated service is responsible for rolling keys and the other workloads simply read them from a shared location.
- UseCryptographicAlgorithms: use custom encryption and decryption algorithms.
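The following Program.cs is an added example (not the original post's configuration) that combines the cluster requirement from the previous section with the configuration API above: every node shares one key ring, keys are encrypted at rest with a certificate instead of sitting as plaintext XML, and only one node is allowed to roll keys. The UNC path, application name, configuration key and the DP_KEY_MANAGER environment variable are assumptions.

```csharp
// Added example, not from the original post. Assumes .NET 6+ minimal hosting
// and the Microsoft.AspNetCore.DataProtection package.
using System;
using System.IO;
using System.Security.Cryptography.X509Certificates;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.Extensions.DependencyInjection;

var builder = WebApplication.CreateBuilder(args);

// Certificate that protects the key ring at rest; located by thumbprint from
// configuration (assumed key "DataProtection:CertThumbprint"), machine store.
var thumbprint = builder.Configuration["DataProtection:CertThumbprint"]
                 ?? throw new InvalidOperationException("Set DataProtection:CertThumbprint");
using var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
store.Open(OpenFlags.ReadOnly);
var cert = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, validOnly: false)[0];

var dp = builder.Services.AddDataProtection()
    // Every node reads the same key ring (assumed share), so a payload
    // protected on server A unprotects on server B.
    .PersistKeysToFileSystem(new DirectoryInfo(@"\\fileserver\dp-keys"))
    // Identical name on every node; a different name isolates the application.
    .SetApplicationName("itsvse-web")
    // 90 days is already the default; stated explicitly for clarity.
    .SetDefaultKeyLifetime(TimeSpan.FromDays(90))
    // key-*.xml on the share holds the key encrypted with this certificate.
    .ProtectKeysWithCertificate(cert);

// Only the node marked DP_KEY_MANAGER=1 (assumed env var) may create or roll
// keys; all other nodes consume the shared key ring as-is.
if (Environment.GetEnvironmentVariable("DP_KEY_MANAGER") != "1")
{
    dp.DisableAutomaticKeyGeneration();
}

var app = builder.Build();

// Minimal endpoints to verify cross-node round-trips (Demo purpose is assumed).
app.MapGet("/protect", (IDataProtectionProvider p, string value) =>
    p.CreateProtector("Demo").Protect(value));
app.MapGet("/unprotect", (IDataProtectionProvider p, string token) =>
    p.CreateProtector("Demo").Unprotect(token));

app.Run();
```

Protect a value on one node and unprotect it on another to confirm the shared key ring works; a CryptographicException on the second node means the nodes are not reading the same keys or application name.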