cookie確實在web應用方面為訪問者和編程者都提供了方便,然而從安全方面考慮是有問題的,首先,cookie數據包含在http請求和響應的包頭里透明地傳遞,也就是說聰明的人是能清清楚楚看到這些數據的。其次,cookie數據以cookie文件格式存儲在瀏覽者計算機的cache目錄里,其中就包含有關網頁、密碼和其他用戶行為的信息,那么只要進入硬盤就能打開cookie文件。圖1是一個cookie文件的內容:
如果你未曾留意你的機器里有cookie文件,可以按下列方法查看:打開ie,選擇“工具”菜單里的“internet選項”,然后在彈出的對話框里點擊“設置”按鈕,在設置對話框里點擊“查看”鈕,就會打開一個窗口顯示瀏覽器放在硬盤里的所有緩存數據,其中就有大量的cookie文件。
所以奉勸大家不要將敏感的用戶數據存放在cookie中,要么就通過加密將這些數據保護起來。
在以前的asp版本中沒有加密的功能,現在.net構架在system.security.cryptography命名空間里提供了許多加密類可以利用。
一、.net的密碼系統概要
簡單地說,加密就是將原始字符(字節)串轉變為完全不同的字符串的處理過程,達到原始字符無法破譯的目的。這個處理過程是用另一個字符串(稱為“密鑰”),采取復雜的、混合的算法,“搗進”原始字符串。有時還使用一個稱為“初始向量”的字符串,在密鑰搗進之前先打亂目標字符串,預防目標字符串中較明顯的內容被識破。加密的功效取決于所用密鑰的大小,密鑰越長,保密性越強。典型的密鑰長度有64位、128位、192位、256位和512位。攻擊者唯一的方法是創建一個程序嘗試每一個可能的密鑰組合,但64位密鑰也有72,057,594,037,927,936種組合。
目前有兩種加密方法:對稱加密(或稱私有密鑰)和非對稱加密(或稱公共密鑰)。對稱加密技術的數據交換兩邊(即加密方和解密方)必須使用一個保密的私有密鑰。非對稱加密技術中,解密方向加密方要求一個公共密鑰,加密方在建立一個公共密鑰給解密方后,用公共密鑰創建唯一的私有密鑰。加密方用私有密鑰加密送出的信息,對方用公共密鑰解密。保護http傳輸安全的ssl就是使用非對稱技術。
我們對cookie數據的加密采取對稱加密法。.net構架從基本的symmetricalgorithm類擴展出來四種算法:
·system.security.cryptography.des
·system.security.cryptography.tripledes
·system.security.cryptography.rc2
·system.security.cryptography.rijndael
下面將示范des和tripledes算法。des的密鑰大小限制在64位,但用于cookie的加密是有效的。tripledes完成了三次加密,并有一個較大的密鑰位數,所以它更安全。使用那一種算法不僅要考慮加密強度,還要考慮cookie的大小。因為加密后的cookie數據將變大,并且,密鑰越大,加密后的數據就越大,然而cookie數據的大小限制在4kb,這是一個必須考慮的問題。再者,加密的數據越多或算法越復雜,就會占有更多的服務器資源,進而減慢整個站點的訪問速度。
二、創建一個簡單的加密應用類
.net的所有加密和解密通過cryptostream類別來處理,它衍生自system.io.stream,將字符串作為以資料流為基礎的模型,供加密轉換之用。下面是一個簡單的加密應用類的代碼:
imports system.diagnostics
imports system.security.cryptography
imports system.text
imports system.io
public class cryptoutil
'隨機選8個字節既為密鑰也為初始向量
private shared key_64() as byte = {42, 16, 93, 156, 78, 4, 218, 32}
private shared iv_64() as byte = {55, 103, 246, 79, 36, 99, 167, 3}
'對tripledes,采取24字節或192位的密鑰和初始向量
private shared key_192() as byte = {42, 16, 93, 156, 78, 4, 218, 32, _
15, 167, 44, 80, 26, 250, 155, 112, _
2, 94, 11, 204, 119, 35, 184, 197}
private shared iv_192() as byte = {55, 103, 246, 79, 36, 99, 167, 3, _
42, 5, 62, 83, 184, 7, 209, 13, _
145, 23, 200, 58, 173, 10, 121, 222}
'標準的des加密
public shared function encrypt(byval value as string) as string
if value <> "" then
dim cryptoprovider as descryptoserviceprovider = _
new descryptoserviceprovider()
dim ms as memorystream = new memorystream()
dim cs as cryptostream = _
new cryptostream(ms, cryptoprovider.createencryptor(key_64, iv_64), _
cryptostreammode.write)
dim sw as streamwriter = new streamwriter(cs)
sw.write(value)
sw.flush()
cs.flushfinalblock()
ms.flush()
'再轉換為一個字符串
return convert.tobase64string(ms.getbuffer(), 0, ms.length)
end if
end function
'標準的des解密
public shared function decrypt(byval value as string) as string
if value <> "" then
dim cryptoprovider as descryptoserviceprovider = _
new descryptoserviceprovider()
'從字符串轉換為字節組
dim buffer as byte() = convert.frombase64string(value)
dim ms as memorystream = new memorystream(buffer)
dim cs as cryptostream = _
new cryptostream(ms, cryptoprovider.createdecryptor(key_64, iv_64), _
cryptostreammode.read)
dim sr as streamreader = new streamreader(cs)
return sr.readtoend()
end if
end function
'triple des加密
public shared function encrypttripledes(byval value as string) as string
if value <> "" then
dim cryptoprovider as tripledescryptoserviceprovider = _
new tripledescryptoserviceprovider()
dim ms as memorystream = new memorystream()
dim cs as cryptostream = _
new cryptostream(ms, cryptoprovider.createencryptor(key_192, iv_192), _
cryptostreammode.write)
dim sw as streamwriter = new streamwriter(cs)
sw.write(value)
sw.flush()
cs.flushfinalblock()
ms.flush()
'再轉換為一個字符串
return convert.tobase64string(ms.getbuffer(), 0, ms.length)
end if
end function
'triple des解密
public shared function decrypttripledes(byval value as string) as string
if value <> "" then
dim cryptoprovider as tripledescryptoserviceprovider = _
new tripledescryptoserviceprovider()
'從字符串轉換為字節組
dim buffer as byte() = convert.frombase64string(value)
dim ms as memorystream = new memorystream(buffer)
dim cs as cryptostream = _
new cryptostream(ms, cryptoprovider.createdecryptor(key_192, iv_192), _
cryptostreammode.read)
dim sr as streamreader = new streamreader(cs)
return sr.readtoend()
end if
end function
end class
上面我們將一組字節初始化為密鑰,并且使用的是數字常量,如果你在實際應用中也這樣做,這些字節一定要在0和255之間,這是一個字節允許的范圍值。
三、創建一個cookie的應用類
下面我們就創建一個簡單的類,來設置和獲取cookies。
public class cookieutil
'設置cookie *****************************************************
'settripledesencryptedcookie (只針對密鑰和cookie數據)
public shared sub settripledesencryptedcookie(byval key as string, _
byval value as string)
key = cryptoutil.encrypttripledes(key)
value = cryptoutil.encrypttripledes(value)
setcookie(key, value)
end sub
'settripledesencryptedcookie (增加了cookie數據的有效期參數)
public shared sub settripledesencryptedcookie(byval key as string, _
byval value as string, byval expires as date)
key = cryptoutil.encrypttripledes(key)
value = cryptoutil.encrypttripledes(value)
setcookie(key, value, expires)
end sub
'setencryptedcookie(只針對密鑰和cookie數據)
public shared sub setencryptedcookie(byval key as string, _
byval value as string)
key = cryptoutil.encrypt(key)
value = cryptoutil.encrypt(value)
setcookie(key, value)
end sub
'setencryptedcookie (增加了cookie數據的有效期參數)
public shared sub setencryptedcookie(byval key as string, _
byval value as string, byval expires as date)
key = cryptoutil.encrypt(key)
value = cryptoutil.encrypt(value)
setcookie(key, value, expires)
end sub
'setcookie (只針對密鑰和cookie數據)
public shared sub setcookie(byval key as string, byval value as string)
'編碼部分
key = httpcontext.current.server.urlencode(key)
value = httpcontext.current.server.urlencode(value)
dim cookie as httpcookie
cookie = new httpcookie(key, value)
setcookie(cookie)
end sub
'setcookie(增加了cookie數據的有效期參數)
public shared sub setcookie(byval key as string, _
byval value as string, byval expires as date)
'編碼部分
key = httpcontext.current.server.urlencode(key)
value = httpcontext.current.server.urlencode(value)
dim cookie as httpcookie
cookie = new httpcookie(key, value)
cookie.expires = expires
setcookie(cookie)
end sub
'setcookie (只針對httpcookie)
public shared sub setcookie(byval cookie as httpcookie)
httpcontext.current.response.cookies.set(cookie)
end sub
'獲取cookie *****************************************************
public shared function gettripledesencryptedcookievalue(byval key as string) _
as string
'只對密鑰加密
key = cryptoutil.encrypttripledes(key)
'獲取cookie值
dim value as string
value = getcookievalue(key)
'解密cookie值
value = cryptoutil.decrypttripledes(value)
return value
end function
public shared function getencryptedcookievalue(byval key as string) as string
'只對密鑰加密
key = cryptoutil.encrypt(key)
'獲取cookie值
dim value as string
value = getcookievalue(key)
'解密cookie值
value = cryptoutil.decrypt(value)
return value
end function
public shared function getcookie(byval key as string) as httpcookie
'編碼密鑰
key = httpcontext.current.server.urlencode(key)
return httpcontext.current.request.cookies.get(key)
end function
public shared function getcookievalue(byval key as string) as string
try
'編碼在getcookie里完成
'獲取cookie值
dim value as string
value = getcookie(key).value
'解碼所存儲的值
value = httpcontext.current.server.urldecode(value)
return value
catch
end try
end function
end class
上面的設置功能中,有些功能附加提供了cookie有效期這個參數。不設置該參數,cookie將只為瀏覽器會話才保存在內存中。為了設置永久的cookie,就需要設置有效期參數。
上面我們對密鑰和cookies值進行了編碼與解碼,其原因是cookies與urls有同樣的限制,字符“=”和“;”是保留的,不能使用。這在保存加密后的數據時尤其重要,因為加密算法將添加“=”,按所分配塊的大小來填滿該數據塊。
好了,你會保護cookies數據了吧?
