Encrypting the Json result in a WebApi backend

Keywords: Json result encryption backend WebApi | Updated: 2023-09-27 18:02:33

I finished my web api with data encryption, but now I have to encrypt the Json result. When I put the query string into the browser, this is the answer I currently get (example):

[{"SUSPID":"111","IVNOME":"证人","IVMAE":"证人","IVPAI":"证人","IVDATANASC":"02/07/1970","IVRG":"0000(奖学金)","ICPF":"Nao Cadastrado"}]

I can't show this... I want it to look like this (encrypted): [{"SUSPID":"AUAUAUA","IVNOME":"UAUAU","IVMAE":"UAUAU ", ......]

I have seen some examples, but I haven't found one that does what I need.

Part of the code of my service (client side):

var response = await client.GetAsync(urllink);
// Await the body instead of blocking on .Result, which can deadlock in UI/ASP.NET contexts
var JsonResult = await response.Content.ReadAsStringAsync();
if (typeof(T) == typeof(string))
    return null;
var rootobject = JsonConvert.DeserializeObject<T>(JsonResult);
return rootobject;

In my controller (web api backend) I return this dataset:

return lretorno.Tables[0].AsEnumerable().Select(row => new Envolvido
{
    SUSPID = Convert.ToString(row["SUSPID"]),
    IVNOME = Convert.ToString(row["SUSPNOME"]),
    IVMAE = Convert.ToString(row["SUSPMAE"]),
    IVPAI = Convert.ToString(row["SUSPPAI"]),
    IVDATANASC = Convert.ToString(row["SUSPDATANASC"]).Replace(" 00:00:00", ""),
    IVRG = Convert.ToString(row["RG"]),
    ICPF = Convert.ToString(row["CPF"]),
    MANDADO = Convert.ToInt16(row["TEMMANDADO"]),
    OCORRENCIA = Convert.ToInt16(row["TEMOCORRENCIA"]),
});

I don't understand where I have to encrypt and where I have to decrypt the code.


If you really must do some extra encryption on top of https, for example if you want to help stop automated man-in-the-middle attacks, you can do something like the following... this would require the man in the middle (government, ISP, telco, endpoint network admin) to perform a second MITM attack by figuring out how you pass the extra public key. On top of that, you can also include the "pk" parameter before the JSON is encrypted. Then, when you decrypt the json, you can compare it with the public key you sent, and if they don't match there was definitely a man in the middle. I use the built-in RSACryptoServiceProvider.

Client

// Generate private and public keys (use any asymmetric crypto/key size you want)
RSACryptoServiceProvider rsaKeys = new RSACryptoServiceProvider();
var privateXmlKeys = rsaKeys.ToXmlString(true);
var publicXmlKeys = rsaKeys.ToXmlString(false);
// Make the request for the json data from the server, and also pass along the public xml keys
// encoded as base64 (URL-escaped, because base64 contains '+', '/' and '=')
var response = await http.GetAsync(new Uri(String.Format("https://example.com/data?id=777&pk={0}",
    Uri.EscapeDataString(Convert.ToBase64String(Encoding.ASCII.GetBytes(publicXmlKeys))))));
var encryptedJsonBytes = await response.Content.ReadAsByteArrayAsync();
// Decrypt the bytes using the private key generated earlier
RSACryptoServiceProvider rsaDecrypt = new RSACryptoServiceProvider();
rsaDecrypt.FromXmlString(privateXmlKeys);
// "false" selects PKCS#1 v1.5 padding; the block must match what the server produced
byte[] decryptedBytes = rsaDecrypt.Decrypt(encryptedJsonBytes, false);
// Now change from bytes to string
string jsonString = Encoding.ASCII.GetString(decryptedBytes);
// TODO: For extra validation, parse json, get the public key out that the server
//       had used to encrypt, and compare with the "pk" you sent "publicXmlKeys",
//       if these values do not match there was an attack.

Server

// Assuming you have your JSON string already
string json = "{\"key\":\"secret_value\"}";

// Get the "pk" request parameter from the http request however you need to
// (placeholder call; use your framework's query-string accessor or an action parameter)
string base64PublicKey = request.getParameter("pk");
string publicXmlKey = Encoding.ASCII.GetString(Convert.FromBase64String(base64PublicKey));
// TODO: If you want the extra validation, insert "publicXmlKey" into the json value before
//       converting it to bytes
// var jo = parse(json); jo.pk = publicXmlKey; json = jo.ToString();
// Convert the string to bytes
byte[] jsonBytes = Encoding.ASCII.GetBytes(json);
// Encrypt the json using the public key provided by the client
RSACryptoServiceProvider rsaEncrypt = new RSACryptoServiceProvider();
rsaEncrypt.FromXmlString(publicXmlKey);
// Note: raw RSA with PKCS#1 v1.5 padding ("false") can only encrypt a payload shorter than
// the key size minus 11 bytes (about 117 bytes for a 1024-bit key), so Encrypt throws on larger json
byte[] encryptedJsonBytes = rsaEncrypt.Encrypt(jsonBytes, false);
// Send the encrypted json back to the client
return encryptedJsonBytes;
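The same scheme reworked as a hybrid, added here as an example and not part of the answer above: RSA-OAEP wraps a fresh AES-256-GCM key, so the JSON can be of any length and any tampering is detected, and the echoed "pk" check from the answer's TODO is carried out on the client. It assumes .NET 8 (AesGcm, RandomNumberGenerator.GetBytes, RSA.FromXmlString) and a wire format of my own choosing.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;
using System.Text.Json.Nodes;

// Wire format (assumed, not from the answer):
// [2-byte wrapped-key length][RSA-OAEP wrapped AES key][12-byte nonce][16-byte GCM tag][ciphertext]
public static class HybridJson
{
    // Server side: takes the client's public key (from the "pk" query parameter, already base64-decoded)
    public static byte[] Encrypt(string json, string clientPublicXmlKey)
    {
        // Echo the key the server actually encrypted to, so the client can compare it with the one it sent
        var envelope = new JsonObject { ["pk"] = clientPublicXmlKey, ["data"] = JsonNode.Parse(json) };
        byte[] plaintext = Encoding.UTF8.GetBytes(envelope.ToJsonString());

        byte[] key = RandomNumberGenerator.GetBytes(32);   // one-time AES-256 key
        byte[] nonce = RandomNumberGenerator.GetBytes(12); // never reused with the same key
        byte[] tag = new byte[16];
        byte[] ciphertext = new byte[plaintext.Length];
        using (var aes = new AesGcm(key, tag.Length)) aes.Encrypt(nonce, plaintext, ciphertext, tag);

        byte[] wrappedKey;
        using (var rsa = RSA.Create()) { rsa.FromXmlString(clientPublicXmlKey); wrappedKey = rsa.Encrypt(key, RSAEncryptionPadding.OaepSHA256); }

        using var ms = new MemoryStream();
        using var w = new BinaryWriter(ms);
        w.Write((ushort)wrappedKey.Length); w.Write(wrappedKey); w.Write(nonce); w.Write(tag); w.Write(ciphertext);
        w.Flush();
        return ms.ToArray();
    }

    // Client side: unwrap the key with the private half, decrypt (GCM rejects modified bytes), then verify "pk"
    public static string Decrypt(byte[] blob, string privateXmlKey, string sentPublicXmlKey)
    {
        using var r = new BinaryReader(new MemoryStream(blob));
        byte[] wrappedKey = r.ReadBytes(r.ReadUInt16());
        byte[] nonce = r.ReadBytes(12);
        byte[] tag = r.ReadBytes(16);
        byte[] ciphertext = r.ReadBytes(blob.Length - 2 - wrappedKey.Length - 12 - 16);

        byte[] key;
        using (var rsa = RSA.Create()) { rsa.FromXmlString(privateXmlKey); key = rsa.Decrypt(wrappedKey, RSAEncryptionPadding.OaepSHA256); }
        byte[] plaintext = new byte[ciphertext.Length];
        using (var aes = new AesGcm(key, tag.Length)) aes.Decrypt(nonce, ciphertext, tag, plaintext); // throws on tampering

        var envelope = JsonNode.Parse(Encoding.UTF8.GetString(plaintext))!.AsObject();
        if ((string?)envelope["pk"] != sentPublicXmlKey)
            throw new CryptographicException("Server encrypted to a different public key than the one sent");
        return envelope["data"]!.ToJsonString();
    }
}
```

Round-trip it with `HybridJson.Decrypt(HybridJson.Encrypt(json, rsa.ToXmlString(false)), rsa.ToXmlString(true), rsa.ToXmlString(false))` for a freshly created `RSA rsa`; the "pk" check still cannot detect an interceptor who substitutes its own key on the way in and re-encrypts on the way out, which is why the other answers point at TLS or a pre-shared key.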

If you need to prevent man-in-the-middle attacks, then I suggest you turn off the computer, or pre-share the key by a different method than over the internet, such as by phone or mail, and then don't embed it in your application :p Look at Off-the-Record, end-to-end encryption and Diffie-Hellman key exchange.

Basically, I have some general thoughts on this kind of situation. If you know about man-in-the-middle attacks, only on an E2E connection can you rely on the encryption algorithm, because only those endpoints have the private and public keys and the attacker cannot spoof them; but in this situation (as in your case) the attacker only needs your public key, or even the encrypted block you want to send to your web service, because it sits in your client-side javascript resources, which everyone can read. So the only solution I can give you is to put your web service on the HTTPS protocol, which usually handles these issues, and you don't need any encryption. Regards.