Web service encryption

zhaozj2021-02-16  102

(Reproduced)

Because the web service is transmitted by the SOAP protocol, the encryption of Web Service is encrypted to the SOAP message, and this can be achieved through SOAP protocol. Data is transmitted on the network, and important points are to ensure its correctness and integrity, and to prevent unintentional or malicious modifications, stealing. What is the encryption mode provided in the web service? How to achieve it?

Encryption will prevent data from being viewed or modified and securely providing secure communication channels on the original inaccessible channel. For example, the data can be encrypted using an encryption algorithm, and the data is transmitted in the encrypted state, and then the data is decrypted by a predetermined receiver. If the third party intercepts encrypted data, it will be difficult to decrypt the data.

In a typical occasion using encrypted, both parties (Xiaohong and Xiaoming) communicate on insecure channels. Xiaohong and Xiao Ming want to make sure that people who may be listening cannot understand the communication between them. Moreover, because Xiaohong and Xiaoming are far apart, Xiaohong must ensure that the information she received from the small mandarin is not modified by anyone during transmission. In addition, she must determine that the information is indeed a small mild, not someone imitated Xiao Ming.

Encryption is used to achieve the following:

Confidentiality: Prevent the user's identity or data from being read. Data Integrity: Prevent data from being changed. Authentication: Make sure the data is from a specific party.

In order to achieve these purposes, small red and smaller use algorithms and contemporary combinations (referred to as encryption) to create an encryption scheme. The following table lists the encryption primitives and their usage.

The encryption primitive uses private key encryption (symmetric encryption) to perform conversion to data, so that the third party cannot read the data. This type of encryption uses a single shared secret key to encrypt and decrypt data. Public key encryption (asymmetric encryption) performs conversion of data to make the third party cannot read the data. Such encryption uses public key / private key pairs to encrypt and decrypt data. Encryption Signatures Make sure the data is sent from the specific party by creating a specific one-unique digital signature. This process also uses a hash function. The encrypted hash maps data from any length to a fixed length byte sequence. Hash is the only thing in statistics; different double-byte sequences will not haveh as the same value.

Private key encryption

The private key encryption algorithm uses a single private key to encrypt and decrypt data. Since any one of the keys can be used to decrypt data, it must be obtained by protecting the key to unauthorized agents. The private key encryption is also called symmetrical encryption because the same key is used for encryption and for decryption. The private key encryption algorithm is very fast (compared to the public key algorithm) and is particularly suitable for encrypting the large data stream.

Typically, the private key algorithm (called block password) is used to encrypt a data block at a time. Block passwords (such as RC2, DES, Trippledes, and Rijndael) converted to an output block of an N-byte into an output block of the encrypted by encryption. If you want to encrypt or decrypt byte sequences, you must perform it blockbly. Since N is small (for RC2, DES and TrIPLEDES, N = 8 bytes; n = 16 [default]; n = 24; for rijndael, n = 32), therefore must be larger than n-bytes of value once Encrypt a block.

The block password class provided in the base library uses a chain mode called a password block chain (CBC), which performs encryption conversion using a key and a initialization vector (IV). For a given private key K, the simple block password without the initialization vector will encrypt the same binus input block as the same ciphertext block. If there is a repetitive block in the clear text, there will be repeated blocks in the secretory stream. If unauthorized users know all information about the structure of the mutant, you can use this information to decrypt known secret blocks and may get your key. To overcome this problem, you can mix the information in the previous block into the process of encrypted the next block. Thus, the output of the two identical expressions will be different. Since the technology uses the previous block encrypted the next block, an IV is used to encrypt the first block of the data. With this system, unauthorized users may know that the public message header that will not be able to reverse the key. One way to jeopardize data encrypted with this type of password is to perform exhaustive search for each possible key. Depending on the size of the key used to perform encrypted, even if the fastest computer performs such search, it is extremely time consuming, so it is difficult to implement. The size of the larger key will make the decryption more difficult. Although in theory, encryption will not enable the opponent to retrieve encrypted data, it does greatly increase this cost. If a thorough search is performed to retrieve only a few days, it takes three months that takes three months, then the method of exhaustive search is un practical.

The disadvantage of private key encryption is that it assumes that both sides have obtained the key and IV, and the values ​​of the keys and IV are communicated to each other. Also, the key must be confidentially confidentially unauthorized. Due to these problems, private key encryption is usually used with public key encryption to secretly communicate the values ​​of the key and IV.

Assume that Xiaohong and Xiao Ming are the two sides of communication on unsafe channels, they may use private key encryption as follows. Xiaohong and Xiao Ming agree to use a specific algorithm with a specific key and IV (such as rijndael). Xiaohong writes a message and creates a network stream to send it on it. Next, she uses this key and IV encryption of this text and sends it through the Internet. She did not send the key and IV to Xiao Ming. Xiao Ming received the encrypted text and decrypt it using a pre-agreed key and IV. If the transmission is intercepted, the intercept will not be able to restore the original message because the interceptor does not know the key or IV. In this scenario, the key must be confidential, but IV does not need to be confidential. In the actual solution, the private (symmetric) key is passed to the other party using a small red or smaller to generate a private key and encrypt the private (asymmetric). For more information, see "Public Key Encryption".

The .NET framework provides classes that implement the private key encryption algorithm:

DescryptoServiceProvider Rc2cryptoserviceProvider RijndaelManageProviderProvider

Public key encryption

Public key encryption uses a private key that must be confidentially confidentially confidential with unauthorized users and a public key that can be disclosed to anyone. The public key and private key are related to mathematics; data encrypted with public key can only be decrypted with private key, and data with private key signatures can only be verified by public key authentication. The public key can be used by anyone; the key is used to encrypt data to be sent to the private key holder. Two keys are unique for communication sessions. The public key encryption algorithm is also referred to as an asymmetric algorithm, which is required to use a key encrypted data to decrypt data with another key.

The public key encryption algorithm uses a fixed buffer size, while the private key encryption algorithm uses a variable length buffer. The public key algorithm cannot be streamed together like a private key algorithm, because a small amount of data can be encrypted. Therefore, the asymmetric operation does not use the same stream mode as symmetric operation.

Using public key encryption, both sides (small red and small) may use public key encryption in the following way. First, Xiaohong generates a public key / private key pair. If Xiaoming wants to send a encrypted message to Xiaohong, he will ask her to ask her. Small red sends her public key to Xiao Ming through an insecure network, and Xiao Ming then encrypts the message. (If Xiaoming receives a small red key in an unsafe channel such as public network, Xiao Ming must verify the correct copy of his public key with Xiaohong.) Xiao Ming sends an encrypted message to small red, and small Red uses her private key to decrypt this message. However, during transmission of small-red public keys, unauthorized agents may intercept the key. Moreover, the same agent may intercept encrypted message. However, the agent cannot decrypt the message with a public key. This message can only decrypt with a small red private key, and the private key is not transmitted. Xiaohong does not use her private key encrypted to Xiaoming's reply, because anyone with the public key can decrypt the message. If Xiaohong wants to send a message back to Xiao Ming, she will easily want his public key and use the public key to encrypt her. Then, Xiao Ming uses the private key associated with him to decrypt the message.

In actual solutions, small red and smashing uses public key (asymmetric) encryption to transfer private (symmetric) keys, and encrypts their remaining sessions.

The public key is encrypted with a larger key space (or the possible value range of the key), so it is not very easy to accept the impact of the exhaustive attack on each possible key. It is easy to distribute because it does not have to protect the key. The public key algorithm can be used to create a digital signature to verify the identity of the data sender. However, the public key algorithm is very slow (compared to the private key algorithm), and is not designed to encrypt a lot of data. The public key algorithm is only useful to transmit very small amounts of data. Typically, public key is encrypted for encrypting the key and IV to be used by the private key algorithm. After the transfer key and IV, the private key encryption will be used for the rest of the session.

The .NET framework provides classes that implement public key encryption algorithms:

DSACryptoServiceProvider RsacryptoServiceProvider

digital signature

The public key algorithm can also be used to constitute a digital signature. Digital Signature Verify the sender's identity (if you trust the sender's public key) and protect the integrity of the data. The recipient of the small red data can be used to verify whether it is a small red by comparing the digital signature with a small red data and a small red public key.

In order to digital signing the message using public key encryption, Xiao Hong first applies the hash algorithm to the message to create a message summary. This message summary is a compact and unique representation of the data. Then, Xiaohong encrypts the message overrice with her private key to create her personal signature. When receiving the message and signature, Xiao Ming uses a small red public key to decrypt the signature to restore the message summary and use the same hash algorithm as the small red to have this message. If a small calculated message summary is completely consistent with the message abstract received from the small red, Xiao Ming can determine the holder from the private key, and the data is not modified. If Xiaoming believes that Xiaohong is the holder of the private key, he knows that the news comes from Xiaohong.

Note that since the public key of the sender is well known, it is usually included in the digital signature format, so anyone can verify the signature. This method does not contribute to the confidentiality of the message; if you make the message, you must also encrypt the message.

The .NET framework provides the following categories that implement digital signature algorithms:

DSACryptoServiceProvider RsacryptoServiceProvider

Hash value

The hash algorithm maps any length of the binary value to a smaller binary value of the fixed length, which is called a hash value. The hash value is a single data unique and extremely compact value representation. If you have a clear text and even if you only change the letter in this paragraph, the subsequent hash will produce different values. It is impossible to find two different inputs that have a hash of the same value.

Message Authentication Code (MAC) hash function is usually used with digital signatures to sign data, and the message detection code (MDC) hash function is used for data integrity. Xiaohong and Xiao Ming may use hash functions in the following manner to ensure data integrity. If Xiaohong writes a message to Xiaoming and creates the hash, Xiao Ming can have a later have been hasced to compare his hash with the original hash. If the two hash values ​​are the same, the message is not changed; however, if the value is different, the message has been changed after the small red writes it. In order to make this system run, Xiaohong must keep the original hash value of all people outside.

The .NET framework provides the following categories that implement digital signature algorithms:

HMACSHA1 MACTRIPLEDES MD5CryptoServiceProvider Sha1Managed Sha256Managed Sha384Managed Sha512Managed

Random number

Random number generation is an integral part of many encryption operations. For example, the encryption key needs to be as random as much as possible to make them difficult to be copied. The encrypted random number generator must generate an output that cannot be estimated (less than P <.05) is calculated; that is, any method of estimating the next output bit must not have a higher success ratio than random guessment. The class in the .NET framework generates a encryption key using a random number generator.

RNGCRYPTOSERVICEPROVIDER is an implementation of a random number generator algorithm.

The encryption model of the Web Service is:

Object inheritance

The .NET Frame Security System implements derived class inheritance of scalable mode. The hierarchical structure is as follows:

Algorithm type classes such as Symmetricalgorithm or Hashalgorithm. This level is abstract. The algorithm class inherits from an algorithm type class, such as RC2 or SHA1. This level is abstract. The implementation of the algorithm is inherited from algorithm, such as RC2CryptoserviceProvider or Sha1Managed. This level is fully implemented.

Derived class using this mode is easy to add new algorithms or new implementations of existing algorithms. For example, if you want to create a new public key algorithm, you can inherit from ASYMMETRICALGORITHM. To create a new implementation of a particular algorithm, you can create non-abstract distributions of this algorithm.

Stream design

The public language running library uses the symmetric algorithm and hash algorithm for the intended design. The core of the design is Cryptostream, which is class from the Stream class. Stream-based encryption objects all support a single standard interface for handling the data transfer portion of the object, and a CRYPTOSTREAM. Since all objects are generated on a standard interface, multiple objects (such as a hash object are followed by an encryption object), and multiple operations can be performed on the data without providing any intermediate storage. You can also use a smaller object to generate an object. For example, a combination of an encryption algorithm and a hash algorithm can be regarded as a single stream object (even if the object may be generated from a set of stream objects).

Encryption configuration

Using encryption configurations can parse the specific implementation of the algorithm into an algorithm name, so that the .NET framework encryption class is scalable. You can add your own hardware or software algorithm and map the implementation to the algorithm name you selected. If the algorithm is not specified in the configuration file, use the default settings.

In the SOAP protocol, you can specify in the configuration file, encrypted data to be transmitted during transmission, decrypt SOAP messages in the receiving end, and details of the SOAP protocol expansion.

IP: 202.114.105.17

Gateway: 202.114.105.254

DNS: 202.114.96.1 202.114.96.2

Host: Home

转载请注明原文地址:https://www.9cbs.com/read-14335.html

New Post(0)