我有以下代码使用 .NET 中的 RijndaelManaged 加密和解密数据。
public string EncryptString(string ClearText)
{
byte[] clearTextBytes = Encoding.UTF8.GetBytes(ClearText);
SymmetricAlgorithm rijn = SymmetricAlgorithm.Create();
MemoryStream ms = new MemoryStream();
byte[] rgbIV = Encoding.ASCII.GetBytes("xhxqtbaoxhvchptd");
byte[] key = Encoding.ASCII.GetBytes("ajyvccpeycjeauyncgdiohssyvusdknj");
CryptoStream cs = new CryptoStream(ms, rijn.CreateEncryptor(key, rgbIV), CryptoStreamMode.Write);
cs.Write(clearTextBytes, 0, clearTextBytes.Length);
cs.Close();
return Convert.ToBase64String(ms.ToArray());
}
public string DecryptString(string EncryptedText)
{
byte[] encryptedTextBytes = Convert.FromBase64String(EncryptedText);
SymmetricAlgorithm rijn = SymmetricAlgorithm.Create();
MemoryStream ms = new MemoryStream();
byte[] rgbIV = Encoding.ASCII.GetBytes("xhxqtbaoxhvchptd");
byte[] key = Encoding.ASCII.GetBytes("ajyvccpeycjeauyncgdiohssyvusdknj");
CryptoStream cs = new CryptoStream(ms, rijn.CreateDecryptor(key, rgbIV), CryptoStreamMode.Write);
cs.Write(encryptedTextBytes, 0, encryptedTextBytes.Length);
cs.Close();
return Encoding.UTF8.GetString(ms.ToArray());
}
我有两个问题:
1)我知道将密钥保留在源代码中的做法不好,因为可以阅读源代码的人可以获得密钥。是否有一些关于在何处以及如何存储密钥的最佳实践?
2) 上面的代码是否足够安全,可以部署在生产环境中,记住密钥是安全存储的?