asp.net-mvc – ASP.Net MVC和WebAPI加密

步骤1：创建不带参数的MVC控制器操作方法：

[HttpPost]        public ActionResult Activate()        { ... }

步骤2：在控制器中,只需使用HttpRequest.InputStream来获取客户端发送的字节数.

var stream = this.HttpContext.Request.InputStream;

步骤3：创建CryptoStream以反序列化.

我已经在这里创建了加密和解密示例. sharedSecret是一个足够长度(512字节)随机字节的byte [] – 这是你保护的！

public CryptoStream CreateEncryptionStream(Stream writeStream)
{            
    TripleDESCryptoServiceProvider cryptoProvider = new TripleDESCryptoServiceProvider();               
    PasswordDeriveBytes derivedBytes = new PasswordDeriveBytes(this._sharedSecret,null);                
    CryptoStream cryptoStream = new CryptoStream(writeStream,cryptoProvider.CreateEncryptor(derivedBytes.GetBytes(16),derivedBytes.GetBytes(16)),CryptoStreamMode.Write);            
    return cryptoStream;        
}        

public CryptoStream CreateDecryptionStream(Stream readStream)        
{            
    TripleDESCryptoServiceProvider cryptoProvider = new TripleDESCryptoServiceProvider();            
    PasswordDeriveBytes derivedBytes = new PasswordDeriveBytes(this._sharedSecret,null);                
    CryptoStream cryptoStream = new CryptoStream(readStream,cryptoProvider.CreateDecryptor(derivedBytes.GetBytes(16),CryptoStreamMode.Read);            
    return cryptoStream;        
}

第4步：使用您的CryptoStream另一个流阅读器进行解密.

我使用XmlReader,以便我所有现有的序列化代码都可以清除(在读取/写入服务器上的磁盘或数据库时)或加密(发送时).

using (var reader = XmlReader.Create(decryptionStream,settings))                { ... }

第5步：在控制器中制定安全响应.

这与步骤1-4相反,以加密您的响应对象.然后,您只需将加密的响应写入内存流并将其作为文件结果返回.下面,我已经展示了如何为我的许可响应对象执行此操作.

var responseBytes = GetLicenseResponseBytes(licenseResponse);
return File(responseBytes,"application/octet-stream");

private byte[] GetLicenseResponseBytes(LicenseResponse licenseResponse)        
{            
    if (licenseResponse != null)            
    {                
        using (MemoryStream memoryStream = new MemoryStream())                
        {                    
            this._licenseResponseSerializer.Write(memoryStream,licenseResponse);

            return memoryStream.ToArray();                
        }            
    }           
    return null;        
}

第6步：实施客户端请求响应.

您可以使用HttpWebRequest或WebClient类来制定请求.以下是我使用的代码中的几个示例.

byte[] postBytes = GetLicenseRequestBytes(licenseRequest);
HttpWebRequest request = (HttpWebRequest)HttpWebRequest.Create(licenseServerUrl);
request.Method = "POST";
request.ContentType = "application/octet-stream";
request.Proxy = WebRequest.DefaultWebProxy;
using (Stream requestStream = request.GetRequestStream())
{                
    requestStream.Write(postBytes,postBytes.Length);
}            
return request;

private LicenseResponse ProcessHttpResponse(HttpWebResponse response)
{
    if ((response.StatusCode == HttpStatusCode.OK) && response.ContentType.Contains("application/octet-stream"))
    {
        var stream = response.GetResponseStream();
        if (stream != null)
        {
            var licenseResponse = this._licenseResponseSerializer.Read(stream);
            return licenseResponse;
        }
    }
    return new LicenseResponse(LicensingResult.Error);
}

摘要和提示

>使用客户端和服务器上的请求/响应中的流来传递二进制八位字节流数据>使用CryptoStream和加密算法(考虑使用最强的加密功能)和一个好的私钥来在序列化/反序列化时加密数据.>确保检查大小并将所有传入数据格式化到客户端和服务器(避免缓冲区溢出并尽早抛出异常)>如果可能,使用模糊处理保护客户端上的私钥(请查看DeepSea obfustactor)