数据保护
本文介绍了如何在 UWP 应用中使用 Windows.Security.Cryptography.DataProtection 命名空间中的 DataProtectionProvider 类加密和解密数字数据。
可以多种方式使用数据保护 API:
- 保护 Active Directory (AD) 安全主体(如 AD 组)的数据。 本组的任何成员均可解密数据。
- 保护包含在 X.509 证书中的公钥的数据。 私钥所有者可解密这些数据。
- 使用对称密钥保护数据。 例如,这用于将数据保护到非 AD 主体,如 Live ID。
- 保护在登录到网站时使用的凭据(密码)的数据。
为保护数据,在创建 DataProtectionProvider 对象时,必须在调用 ProtectAsync 或 ProtectStreamAsync 之前指定保护描述符。 以下示例显示了可能的示例保护描述符。
保护静态数据
以下示例说明了如何使用 ProtectAsync 和 UnprotectAsync 方法以非对称方式针对当前用户的 SID 保护静态数据。
using Windows.Security.Cryptography;
using Windows.Security.Cryptography.DataProtection;
using Windows.Storage.Streams;
using System.Threading.Tasks;
namespace SampleProtectAsync
{
sealed partial class StaticDataProtectionApp : Application
{
public StaticDataProtectionApp()
{
// Initialize the application.
this.InitializeComponent();
// Protect data asynchronously.
this.Protect();
}
public async void Protect()
{
// Initialize function arguments.
String strMsg = "This is a message to be protected.";
String strDescriptor = "LOCAL=user";
BinaryStringEncoding encoding = BinaryStringEncoding.Utf8;
// Protect a message to the local user.
IBuffer buffProtected = await this.SampleProtectAsync(
strMsg,
strDescriptor,
encoding);
// Decrypt the previously protected message.
String strDecrypted = await this.SampleUnprotectData(
buffProtected,
encoding);
}
public async Task<IBuffer> SampleProtectAsync(
String strMsg,
String strDescriptor,
BinaryStringEncoding encoding)
{
// Create a DataProtectionProvider object for the specified descriptor.
DataProtectionProvider Provider = new DataProtectionProvider(strDescriptor);
// Encode the plaintext input message to a buffer.
encoding = BinaryStringEncoding.Utf8;
IBuffer buffMsg = CryptographicBuffer.ConvertStringToBinary(strMsg, encoding);
// Encrypt the message.
IBuffer buffProtected = await Provider.ProtectAsync(buffMsg);
// Execution of the SampleProtectAsync function resumes here
// after the awaited task (Provider.ProtectAsync) completes.
return buffProtected;
}
public async Task<String> SampleUnprotectData(
IBuffer buffProtected,
BinaryStringEncoding encoding)
{
// Create a DataProtectionProvider object.
DataProtectionProvider Provider = new DataProtectionProvider();
// Decrypt the protected message specified on input.
IBuffer buffUnprotected = await Provider.UnprotectAsync(buffProtected);
// Execution of the SampleUnprotectData method resumes here
// after the awaited task (Provider.UnprotectAsync) completes
// Convert the unprotected message from an IBuffer object to a string.
String strClearText = CryptographicBuffer.ConvertBinaryToString(encoding, buffUnprotected);
// Return the plaintext string.
return strClearText;
}
}
}
保护流数据
以下示例显示了如何使用 ProtectStreamAsync 和 UnprotectStreamAsync 方法以异步方式针对当前用户的 SID 保护流数据。
using Windows.Security.Cryptography;
using Windows.Security.Cryptography.DataProtection;
using Windows.Storage.Streams;
using System.Threading.Tasks;
namespace SampleProtectStreamAsync
{
sealed partial class StreamDataProtectionApp : Application
{
public StreamDataProtectionApp()
{
// Initialize the application.
this.InitializeComponent();
// Protect a stream synchronously
this.ProtectData();
}
public async void ProtectData()
{
// Initialize function arguments.
String strDescriptor = "LOCAL=user";
String strLoremIpsum = "Lorem ipsum dolor sit amet, consectetur adipiscing elit. Suspendisse elementum "
+ "ullamcorper eros, vitae gravida nunc consequat sollicitudin. Vivamus lacinia, "
+ "diam a molestie porttitor, sapien neque volutpat est, non suscipit leo dolor "
+ "sit amet nisl. Praesent tincidunt tincidunt quam ut pharetra. Sed tincidunt "
+ "sit amet nisl. Praesent tincidunt tincidunt quam ut pharetra. Sed tincidunt "
+ "porttitor massa, at convallis dolor dictum suscipit. Nullam vitae lectus in "
+ "lorem scelerisque convallis sed scelerisque orci. Praesent sed ligula vel erat "
+ "eleifend tempus. Nullam dignissim aliquet mauris a aliquet. Nulla augue justo, "
+ "posuere a consectetur ut, suscipit et sem. Proin eu libero ut felis tincidunt "
+ "interdum. Curabitur vulputate eros nec sapien elementum ut dapibus eros "
+ "dapibus. Suspendisse quis dui dolor, non imperdiet leo. In consequat, odio nec "
+ "aliquam tincidunt, magna enim ultrices massa, ac pharetra est urna at arcu. "
+ "Nunc suscipit, velit non interdum suscipit, lectus lectus auctor tortor, quis "
+ "ultrices orci felis in dolor. Etiam congue pretium libero eu vestibulum. "
+ "Mauris bibendum erat eleifend nibh consequat eu pharetra metus convallis. "
+ "Morbi sem eros, venenatis vel vestibulum consequat, hendrerit rhoncus purus.";
BinaryStringEncoding encoding = BinaryStringEncoding.Utf16BE;
// Encrypt the data as a stream.
IBuffer buffProtected = await this.SampleDataProtectionStream(
strDescriptor,
strLoremIpsum,
encoding);
// Decrypt a data stream.
String strUnprotected = await this.SampleDataUnprotectStream(
buffProtected,
encoding);
}
public async Task<IBuffer> SampleDataProtectionStream(
String descriptor,
String strMsg,
BinaryStringEncoding encoding)
{
// Create a DataProtectionProvider object for the specified descriptor.
DataProtectionProvider Provider = new DataProtectionProvider(descriptor);
// Convert the input string to a buffer.
IBuffer buffMsg = CryptographicBuffer.ConvertStringToBinary(strMsg, encoding);
// Create a random access stream to contain the plaintext message.
InMemoryRandomAccessStream inputData = new InMemoryRandomAccessStream();
// Create a random access stream to contain the encrypted message.
InMemoryRandomAccessStream protectedData = new InMemoryRandomAccessStream();
// Retrieve an IOutputStream object and fill it with the input (plaintext) data.
IOutputStream outputStream = inputData.GetOutputStreamAt(0);
DataWriter writer = new DataWriter(outputStream);
writer.WriteBuffer(buffMsg);
await writer.StoreAsync();
await outputStream.FlushAsync();
// Retrieve an IInputStream object from which you can read the input data.
IInputStream source = inputData.GetInputStreamAt(0);
// Retrieve an IOutputStream object and fill it with encrypted data.
IOutputStream dest = protectedData.GetOutputStreamAt(0);
await Provider.ProtectStreamAsync(source, dest);
await dest.FlushAsync();
//Verify that the protected data does not match the original
DataReader reader1 = new DataReader(inputData.GetInputStreamAt(0));
DataReader reader2 = new DataReader(protectedData.GetInputStreamAt(0));
await reader1.LoadAsync((uint)inputData.Size);
await reader2.LoadAsync((uint)protectedData.Size);
IBuffer buffOriginalData = reader1.ReadBuffer((uint)inputData.Size);
IBuffer buffProtectedData = reader2.ReadBuffer((uint)protectedData.Size);
if (CryptographicBuffer.Compare(buffOriginalData, buffProtectedData))
{
throw new Exception("ProtectStreamAsync returned unprotected data");
}
// Return the encrypted data.
return buffProtectedData;
}
public async Task<String> SampleDataUnprotectStream(
IBuffer buffProtected,
BinaryStringEncoding encoding)
{
// Create a DataProtectionProvider object.
DataProtectionProvider Provider = new DataProtectionProvider();
// Create a random access stream to contain the encrypted message.
InMemoryRandomAccessStream inputData = new InMemoryRandomAccessStream();
// Create a random access stream to contain the decrypted data.
InMemoryRandomAccessStream unprotectedData = new InMemoryRandomAccessStream();
// Retrieve an IOutputStream object and fill it with the input (encrypted) data.
IOutputStream outputStream = inputData.GetOutputStreamAt(0);
DataWriter writer = new DataWriter(outputStream);
writer.WriteBuffer(buffProtected);
await writer.StoreAsync();
await outputStream.FlushAsync();
// Retrieve an IInputStream object from which you can read the input (encrypted) data.
IInputStream source = inputData.GetInputStreamAt(0);
// Retrieve an IOutputStream object and fill it with decrypted data.
IOutputStream dest = unprotectedData.GetOutputStreamAt(0);
await Provider.UnprotectStreamAsync(source, dest);
await dest.FlushAsync();
// Write the decrypted data to an IBuffer object.
DataReader reader2 = new DataReader(unprotectedData.GetInputStreamAt(0));
await reader2.LoadAsync((uint)unprotectedData.Size);
IBuffer buffUnprotectedData = reader2.ReadBuffer((uint)unprotectedData.Size);
// Convert the IBuffer object to a string using the same encoding that was
// used previously to conver the plaintext string (before encryption) to an
// IBuffer object.
String strUnprotected = CryptographicBuffer.ConvertBinaryToString(encoding, buffUnprotectedData);
// Return the decrypted data.
return strUnprotected;
}
}
}