Module 9: Encrypting, Hashing, and Signing Data

Contents
Overview 1
Lesson: Encryption and Digital Signing Libraries 2
Lesson: Using CAPICOM 9
Lesson: Using the System.Security.Cryptography Namespace to Hash Data 21
Lab 9: Hashing Data 26
Lesson: Using the System.Security.Cryptography Namespace to Encrypt and Sign Data 42
Review 62
Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2002 Microsoft Corporation. All rights reserved.

Microsoft, MS-DOS, Windows, Windows NT, ActiveX, Active Directory, Authenticode, Hotmail, JScript, Microsoft Press, MSDN, PowerPoint, Visual Basic, Visual C++, Visual Studio, and Windows Media are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
Module 9: Encrypting, Hashing, and Signing Data iii
Instructor Notes
This module explains to students how to strengthen the security of their Web
applications by incorporating the programmatic use of cryptography.
Depending on the programming platform, students will use one of several
cryptographic libraries to add encryption, hashing, and digital signing
functionality to their Web application. After completing this module, students
will be able to use the CAPICOM cryptographic library and the
System.Security.Cryptography namespace to encrypt, hash, and sign data.
After completing this module, students will be able to:
• Choose the most appropriate cryptographic library for a given programming platform.
• Use CAPICOM to encrypt, decrypt, hash, and sign data in an Active Server Pages (ASP) Web application.
• Use the System.Security.Cryptography namespace to hash data in a Microsoft® ASP.NET Web application.
• Use the System.Security.Cryptography namespace to encrypt and decrypt data by using both symmetric and asymmetric encryption, and sign data in an ASP.NET Web application.
Presentation: 75 minutes
Lab: 60 minutes

Required materials
To teach this module, you need the following materials:
• Microsoft PowerPoint® file 2300A_09.ppt
• Hypertext Markup Language (HTML) code file 2300A_09_code.htm

Preparation tasks
To prepare for this module:
• Read all of the materials for this module.
• Complete the practices and lab.
• Read Chapter 21, “Encrypting Data over the Network,” in ASP.NET Unleashed by Stephen Walther (2002, Sams Publishing).
• Read Chapter 7, “Storing Secrets,” in Writing Secure Code by Michael Howard and David LeBlanc (2002, Microsoft Press®).
• Read the Microsoft MSDN® Magazine article, “Protect Private Data with the Cryptography Namespaces of the .NET Framework,” which is available at http://msdn.microsoft.com/msdnmag/issues/02/06/crypto/crypto.asp.
• Read the MSDN article, “The Cryptography API, or How to Keep a Secret,” which is available at http://msdn.microsoft.com/library/en-us/dncapi/html/msdn_cryptapi.asp.
• Read the MSDN article, “Introducing CAPICOM,” which is available at http://msdn.microsoft.com/library/en-us/dnsecure/html/intcapicom.asp.
• Read the TechNet article, “Authentication and Encryption,” which is available at http://www.microsoft.com/technet/security/network/authen.asp.
• Read the TechNet article, “Data integrity with hash functions,” which is available at http://www.microsoft.com/technet/prodtechnol/winxppro/proddocs/sag_IPSec_Und6.asp.
• Read about hashing and encryption algorithms at the SSH Communications Security Web site at http://www.ssh.fi/tech/crypto/algorithms.html.
Classroom setup
The information in this section provides setup instructions that are required to prepare the instructor computer or classroom configuration for the lab.

Prepare for the lab by updating the TailspinToys database (Glasgow computer only)
On the Glasgow computer, run a Structured Query Language (SQL) script to change the data type of the Password field in the Users table to be binary:
1. On the Start menu, click Programs, click Microsoft SQL Server, and then click Query Analyzer.
2. In the Connect to SQL Server dialog box, type (local) in the SQL Server box, click Start SQL Server if it is stopped, click Windows Authentication, and then click OK.
3. On the File menu, click Open.
4. In the Open Query File dialog box, in the File name box, type C:\Program Files\Msdntrain\2300\Labfiles\Lab09\database\update2300DB.sql, and then click Open.
5. On the Query menu, click Execute.
6. Close SQL Query Analyzer.
How to Teach This Module
This section contains information that will help you to teach this module.
Lesson: Encryption and Digital Signing Libraries

Choosing a Cryptography API
Although CAPICOM and the System.Security.Cryptography namespace provide ways to perform some of the same cryptographic tasks, there are features of each library that are mutually exclusive. For example, you can use CAPICOM to work with certificates in the different certificate stores, but you cannot use the System.Security.Cryptography namespace to do this. And you can implement asymmetric encryption by using the System.Security.Cryptography namespace, but not by using CAPICOM.

Windows 2000 Cryptographic Service Providers
Briefly discuss each of the Windows® 2000 Cryptographic Service Providers (CSPs) and mention the algorithms that are supported by each CSP. Cryptographic algorithms are discussed in more detail in the next topic.

Choosing a Cryptographic Algorithm
You might mention that it is acceptable to employ a commonly used algorithm that has a solid reputation. Remember that an attacker can be aware of the algorithm that is used to encrypt the data, but unless the key is also known, it will be virtually impossible to decrypt the data.
Recommend to the students that they hire a security professional to ensure the correct usage of cryptography in their Web applications. Cryptography is a very complex subject and this module covers only the basics.

Lesson: Using CAPICOM

Hashing Data
Of the hashing algorithms that are supported by CAPICOM, SHA1 is considered to be very good and it is the recommended algorithm.

Instructor-Led Practice: Hashing Data Using CAPICOM
After students have run the capicomHash.asp page, show the source code of the Web page. There are four check boxes that use the four different hash algorithms that are supported by CAPICOM. Point out that the SHA1 hash value is longer than the values produced by the other hash algorithms.

Encrypting and Decrypting Data
Point out that you should use the Utilities.GetRandom method to create the key.
Instructor-Led Practice: Encrypting and Decrypting Data Using CAPICOM
After students have run the capicomEncrypt.htm and capicomDecrypt.asp Web pages, show the source code of the pages:
1. In Microsoft Visual Studio® .NET, open the 2300Demos solution.
2. In Visual Studio .NET, in the Mod09 folder of the 2300Demos project, open the capicomEncrypt.htm file.
   The page has a text box that can be used for entering the data to be encrypted and a Submit button that sends the data to the capicomDecrypt.asp page.
3. In Visual Studio .NET, in the Mod09 folder of the 2300Demos project, open the capicomDecrypt.asp file:
   a. View the inline ASP code.
      The capicomDecrypt.asp page first reads the string to be encrypted from a form variable. The code then passes that string to the EncryptTheString function, which returns the encrypted value. The encrypted value is then passed to the DecryptTheString function, which returns the decrypted value.
   b. View the EncryptTheString function.
      The EncryptTheString function has two parameters, the string to encrypt and an error flag. The EncryptTheString function uses the EncryptedData object to encrypt the first parameter and then returns the encrypted data to the calling ASP code. The key for encryption is derived from the GetRandom method of the Utilities object and is then stored in a Session variable; therefore, the key is valid only during the session.
   c. View the DecryptTheString function.
      The DecryptTheString function has two parameters, the encrypted string and an error flag. The DecryptTheString function uses the EncryptedData object to decrypt the first parameter by using the key that is stored in the Session variable. The function then returns the decrypted data to the calling ASP code.
Signing Data
When signing data, the process doing the signing (either the ASP process or the ASPNET process, depending on where the code runs in a Web application) must have access to the certificates.
To obtain a certificate from a different store, like the local computer store, and to use that certificate to sign data, use the following code:
Function SignTheStringWithMachineCertificate()
    Dim oSignedData
    Set oSignedData = CreateObject("CAPICOM.SignedData")
    oSignedData.Content = "Text to sign"

    'open the local machine store (CAPICOM_LOCAL_MACHINE_STORE = 1);
    'the store name defaults to "My" and the store is opened read-only
    Dim Store
    Set Store = CreateObject("CAPICOM.Store")
    Store.Open(1)

    'get the first certificate in the store (the Certificates collection is 1-based)
    Dim Certificate
    Set Certificate = Store.Certificates(1)

    'sign the data with that certificate
    Dim strSignedData
    Dim Signer
    Set Signer = CreateObject("CAPICOM.Signer")
    Signer.Certificate = Certificate
    strSignedData = oSignedData.Sign(Signer)

    'return the signed data to the caller
    SignTheStringWithMachineCertificate = strSignedData
End Function
Note  Obtaining a certificate from a different store is beyond the scope of Course 2300, Developing Secure Web Applications.

Instructor-Led Practice: Signing Data Using CAPICOM
After students have run the capicomSign.asp and capicomVerify.asp Web pages, show the source code of the pages:
1. In Visual Studio .NET, in the Mod09 folder of the 2300Demos project, open the capicomSign.asp file.
   The page has a text box that can be used for entering the data to be signed.
2. View the HTML for the page.
   The Submit button calls the SignTheString function, which signs the data in the txtClear text box. The signed data is stored in a Hidden field and is then passed to the capicomVerify.asp page.
3. Open the capicomVerify.asp page and view the HTML.
   The ASP code retrieves the signed data and then calls the VerifyTheSignedString function.
Lesson: Using the System.Security.Cryptography Namespace to Hash Data

Hashing Data
In this lesson, students will learn how to hash data by using the System.Security.Cryptography namespace.
After explaining how to hash data by using the System.Security.Cryptography namespace, talk about how to compare two hashed values. Show the code at the end of the topic that loops through the hashed values and compares each element.

Instructor-Led Practice: Hashing Data
After students have run the NEThashData.aspx page, show the source code of the Web page:
1. In Visual Studio .NET, in the Mod09 folder of the 2300Demos project, open the NEThashData.aspx file.
   The page has a text box on a form that can be used for entering the data to be hashed, and a second text box on the same form that can be used to enter a second string for comparison.
2. In the code-behind page, view the cmdHash_Click event procedure.
   The cmdHash_Click event procedure uses the SHA1Managed hash algorithm to hash data in the txtClear text box on the form, and then displays the hash of the data in a second text box.
3. In the code-behind page, view the cmdCompare_Click event procedure.
   The cmdCompare_Click event procedure uses the SHA1Managed hash algorithm to hash data in the txtCompare text box on the form, and then compares the two hash values to determine whether they are equivalent.

Lab 9: Hashing Data
To start the lab, the instructor must update the TailspinToys Microsoft SQL Server™ database to change the data type of the Password field in the Users table to be binary. Part of the database update process is to remove and then re-create the Users table. Students must use a new page in the TailspinToysAdmin Web application, CreateAccount, to create new reseller accounts in the Users table. In the first exercise of the lab, students must add the CreateAccount page to the TailspinToysAdmin Web application and update the other files in the Web applications that interact with the Users table.
At the end of the lab, use SQL Server Enterprise Manager to show how passwords are now stored in the Users table in a binary format.
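The hash-then-compare flow of the cmdHash_Click and cmdCompare_Click procedures, and the byte array the lab stores in the binary Password column, as an added C# example (not the course's own code; the class and method names are mine). It goes one step beyond the module's loop by accumulating the byte differences rather than returning at the first mismatch.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example, not the course's own code: the hash-then-compare flow of the
// module's cmdHash_Click and cmdCompare_Click procedures, using SHA1Managed.
public static class HashCompareDemo
{
    // Text -> UTF-8 bytes -> SHA1Managed.ComputeHash. The 20-byte result is
    // the kind of value the lab stores in the (now binary) Password column.
    public static byte[] HashString(string clearText)
    {
        byte[] data = Encoding.UTF8.GetBytes(clearText);
        using (SHA1Managed sha1 = new SHA1Managed())
        {
            return sha1.ComputeHash(data);
        }
    }

    // Element-by-element comparison, as in the module's loop, but the loop
    // runs to the end and ORs the byte differences together instead of
    // returning at the first mismatch, so the time taken does not reveal
    // how many leading bytes matched.
    public static bool HashesMatch(byte[] a, byte[] b)
    {
        if (a == null || b == null || a.Length != b.Length)
        {
            return false;
        }
        int diff = 0;
        for (int i = 0; i < a.Length; i++)
        {
            diff |= a[i] ^ b[i];
        }
        return diff == 0;
    }

    // Hex rendering for display, like the hash text box on the demo page.
    public static string ToHex(byte[] hash)
    {
        return BitConverter.ToString(hash).Replace("-", "");
    }

    public static void Main()
    {
        // Constructed sample inputs: the same text twice, then a one-letter change.
        byte[] first = HashString("Tailspin Toys");
        byte[] same = HashString("Tailspin Toys");
        byte[] changed = HashString("Tailspin toys");

        Console.WriteLine("SHA1(first):   " + ToHex(first));
        Console.WriteLine("SHA1(changed): " + ToHex(changed));
        Console.WriteLine("first matches same:    " + HashesMatch(first, same));
        Console.WriteLine("first matches changed: " + HashesMatch(first, changed));
    }
}
```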
Lesson: Using the System.Security.Cryptography Namespace to Encrypt and Sign Data

Note  The last lesson in this module is very complex and may be too advanced for some students. You can skip the rest of the module if you are running short on time.

Overview of Symmetric Encryption
It is important to note that the new key and initialization vector (IV) that are generated by the Microsoft .NET Framework should be generated for every session, and the key and IV should not be stored for use in a later session.
Discuss the algorithms that are supported by the symmetric encryption classes. You might return to the topic “Choosing a Cryptographic Algorithm,” which appeared earlier in this module, and discuss the differences between the algorithms.

Performing Symmetric Encryption
If students are unfamiliar with streams, you should begin with an explanation of streams. Then, you can use the illustration on the slide to explain how the stream-based objects work together to encrypt data.
The Stream class is the abstract base class of all streams. A stream is an abstraction of a sequence of bytes, such as a file, an input/output device, an interprocess communication pipe, or a Transmission Control Protocol/Internet Protocol (TCP/IP) socket. The Stream class and its derived classes provide a generic view of these different types of input and output, isolating the programmer from the specific details of the operating system and the underlying devices.
Streams involve three fundamental operations:
• Read from streams. Reading is the transfer of data from a stream into a data structure, such as an array of bytes.
• Write to streams. Writing is the transfer of data from a data structure into a stream.
• Seeking. Seeking is the querying and modifying of the current position within a stream. Seek capability depends on the kind of backing store (a storage medium, such as a disk or memory) that a stream has. For example, network streams have no unified concept of a current position, and therefore, they typically do not support seeking.
There are four stream-based objects in the .NET Framework that can be used with encryption: BufferedStream, FileStream, MemoryStream, and NetworkStream. The examples in the lesson and demonstrations use a MemoryStream object.

Performing Symmetric Decryption
Use the illustration on the slide to explain how the stream-based objects work together to decrypt data.
Instructor-Led Practice: Using Symmetric and Asymmetric Encryption
After students have viewed the NETSymmetricEncryption.aspx and NETAsymmetricEncryption.aspx Web pages, show the source code of the Web pages:
1. In Visual Studio .NET, in the Mod09 folder of the 2300Demos project, open the NETSymmetricEncryption.aspx file.
   The page has a text box on a form that can be used for entering the data to be encrypted.
2. In the code-behind page, view the cmdEncrypt_Click event procedure.
   The cmdEncrypt_Click event procedure converts the text in the txtClear text box into a byte array, encrypts it by using a DESCryptoServiceProvider object, and then stores the encrypted data in a Session variable.
3. In the NETSymmetricEncryption.aspx.vb code-behind page, view the cmdDecrypt_Click event procedure.
   The cmdDecrypt_Click event procedure decrypts the encrypted data that the cmdEncrypt_Click event procedure stored in the Session variable.
4. In Visual Studio .NET, open the NETAsymmetricEncryption.aspx.vb code-behind page and view the following event procedures:
   • cmdCreateKey_Click
   • cmdEncrypt_Click
   • cmdDecrypt_Click

Note  You can run the NETAsymmetricEncryption.aspx page in the Visual Studio .NET debugger to show the flow of the code.
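The MemoryStream and CryptoStream pipeline the slides describe, with a DESCryptoServiceProvider whose key and IV are generated fresh and never carried into another session, as an added C# example covering both the symmetric encryption/decryption topics and the NETSymmetricEncryption.aspx practice (not the course's own code; the class, method names and sample text are mine).

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

// Added example, not the course's own code: MemoryStream <- CryptoStream <- DES
// transform, the stream chain the module's slides show for encrypt and decrypt.
public static class SymmetricStreamDemo
{
    // Encrypt: plaintext bytes written to the CryptoStream pass through the
    // encryptor and land as ciphertext in the backing MemoryStream.
    public static byte[] Encrypt(SymmetricAlgorithm alg, string clearText)
    {
        byte[] plain = Encoding.UTF8.GetBytes(clearText);
        using (MemoryStream ms = new MemoryStream())
        using (ICryptoTransform encryptor = alg.CreateEncryptor(alg.Key, alg.IV))
        using (CryptoStream cs = new CryptoStream(ms, encryptor, CryptoStreamMode.Write))
        {
            cs.Write(plain, 0, plain.Length);
            cs.FlushFinalBlock(); // pads and emits the final block
            return ms.ToArray();
        }
    }

    // Decrypt: the ciphertext is the backing store; reading from the
    // CryptoStream pulls it through the decryptor and yields plaintext.
    public static string Decrypt(SymmetricAlgorithm alg, byte[] cipherText)
    {
        using (MemoryStream ms = new MemoryStream(cipherText))
        using (ICryptoTransform decryptor = alg.CreateDecryptor(alg.Key, alg.IV))
        using (CryptoStream cs = new CryptoStream(ms, decryptor, CryptoStreamMode.Read))
        using (StreamReader reader = new StreamReader(cs, Encoding.UTF8))
        {
            return reader.ReadToEnd();
        }
    }

    public static void Main()
    {
        // DESCryptoServiceProvider is the class the module's demo uses. The first
        // read of Key and IV makes the provider generate random values, so every
        // run (every session) gets a new key and IV; nothing is reused.
        using (DESCryptoServiceProvider des = new DESCryptoServiceProvider())
        {
            byte[] cipherText = Encrypt(des, "Text to encrypt"); // constructed input
            Console.WriteLine("Ciphertext: " + Convert.ToBase64String(cipherText));
            Console.WriteLine("Decrypted:  " + Decrypt(des, cipherText));

            // The decrypting side needs the same key and IV. With another
            // provider (a different random key) the padding check normally
            // fails and the CryptoStream throws instead of returning text.
            using (DESCryptoServiceProvider other = new DESCryptoServiceProvider())
            {
                try
                {
                    Console.WriteLine("Wrong key:  " + Decrypt(other, cipherText));
                }
                catch (CryptographicException ex)
                {
                    Console.WriteLine("Wrong key:  " + ex.Message);
                }
            }
        }
    }
}
```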