Change Microsoft Config File Encryption Method From TripleDES_问答_开发者

Change Microsoft Config File Encryption Method From TripleDES

开发者 https://www.devze.com 2023-02-06 12:28 出处：网络

When encrypting (\"protecting\") Microsoft config sections, you get something that looks like the XML below.It follows (at least partially) the W3 spec for XML Encryption.

When encrypting ("protecting") Microsoft config sections, you get something that looks like the XML below. It follows (at least partially) the W3 spec for XML Encryption.

However, in the XML below you'll see that the EncryptionMethod under the EncryptedData section is "tripledes-cbc". We would like to be able to change that to a more-secure alternative, specifically AES, which is specified in the aforementioned W3 spec as well.

In many calls with Microsoft's support engineers, they are nowhere near understanding the question, much less answering it. Is there a way to change this encryption method?

I forgot to mention earlier that we are currently set to RsaProtectedConfigurationProv开发者_如何学编程ider, but only the key appears to be encrypted with RSA, whereas the data is encrypted with 3DES.

<MiscCryptoData configProtectionProvider="someConfigProtectionProvider">
  <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns="http://www.w3.org/2001/04/xmlenc#">
    <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
    <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
        <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
        <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
          <KeyName>Rsa Key</KeyName>
        </KeyInfo>
        <CipherData>
          <CipherValue>asf78ag78asg\...cryptoyadayada...asdf8r=</CipherValue>
        </CipherData>
      </EncryptedKey>
    </KeyInfo>
    <CipherData>
      <CipherValue>zxcv6asdf35...largercryptoyadayada...u7i8o9p=</CipherValue>
    </CipherData>
  </EncryptedData>
</MiscCryptoData>

I've just checked RsaProtectedConfigurationProvider with the Reflector and as I found out there is nothing you can do to change tripledes-cbc to anything else.

So you have to write your own ProtectedConfigurationProvider if you want to use AES encryption. You may want to use the Reflector to give you a good start.

You probably want to build a custom ProtectedConfigurationProvider. See Implementing a Protected Configuration Provider and How to: Build and Run the Protected Configuration Provider Example.