Connection对象连接加密2

一般情况下，大多数人习惯于将数据库连接写在web.config上里面，理论上讲，将明文存放在该文件里面是安全的，因为web.config文件是不允许被客户端下载，但一旦该文件泄漏出去，哪怕是很短的时间，数据库都将承受巨大的危害，可能花上N年才充实起来的信息在很短时间里毁于一旦。这是任何程序绝对不应该出现的问题。有人用简单的对称加密来将数据库连接字符串的密文存放，但密钥一旦丢失，加密与否，形同虚设，那么如何保证连接字符串的安全性呢。下面这个类就完成这个功能，该类调用系统API，在不同的系统中对相同的连接串会生成不同的密文，即使非法获得该串，不能获得在服务器上的管理员权限，仍然没有能力知道数据库的真正所在。有人说，那服务器管理员权限也被盗用了呢？那盗用者还需要经过一系列复杂的跟踪和总结，来获得系统标识变量。这无疑又是一个难度，等到他真正破解了解该系统的时候，也许你早就在此之前，改正了服务器的配置和密码，还害得人家白忙活了一趟。够阴的！

using System;
using System.Text;
using System.Runtime.InteropServices;

namespace JillZhang.Security
{
    public enum  Store
    {
        USE_NACHINE_STORE=1,USE_USER_STORE
    };
    public class DataProtector
    {

        [DllImport("Crypt32.dll",SetLastError=true,CharSet=System.Runtime.InteropServices.CharSet.Auto)]
        private static extern bool CryptProtectData
            (
            ref DATA_BLOB pDataIn,
            String szDataDecr,
            ref DATA_BLOB pOptionEntropy,
            IntPtr pvReserved,
            ref CRYPTPROTECT_PROMPTSTRUCT pPromptStruct,
            int dwFlags,
            ref DATA_BLOB pDataOut
            );

        [DllImport("Crypt32.dll",SetLastError=true,CharSet=System.Runtime.InteropServices.CharSet.Auto)]
        private static extern bool CryptUnprotectData
            (
            ref DATA_BLOB pDataIn,
            String szDataDecr,
            ref DATA_BLOB pOptionEntropy,
            IntPtr pvReserved,
            ref CRYPTPROTECT_PROMPTSTRUCT pPromptStruct,
            int dwFlags,
            ref DATA_BLOB pDataOut
            );

        [DllImport("kernel32.dll",CharSet=System.Runtime.InteropServices.CharSet.Auto)]
        private unsafe static extern int FormatMessage
            (
            int dwFlags,
            ref IntPtr lpSource,
            int dwMessageId,
            int dwLanguageId,
            ref String lpBuffer,
            int nSize,
            IntPtr *Arguments
            );
        [StructLayout(LayoutKind.Sequential,CharSet=CharSet.Unicode)]
            internal struct DATA_BLOB
        {
            public int cbData;
            public IntPtr pbData;
        }
        [StructLayout(LayoutKind.Sequential,CharSet=CharSet.Unicode)]
            internal struct CRYPTPROTECT_PROMPTSTRUCT
        {
            public  int cbSize;
            public int dwPromptFlags;
            public IntPtr hwndApp;
            public String szPrompt;
        }
        static  private  IntPtr NullPtr=((IntPtr)((int)(0)));
        private const int CRYPTPROTECT_UI_FORBIDDEN=0x1;
        private const int CRYPTPROTECT_LOCAL_MACHINE=0x4;

        private Store store;
        public DataProtector(Store tempStore)
        {
            store=tempStore;
        }
        public byte[] Encrypt(byte[] plainText,byte[] optionalEntropy)
        {
            bool reVal=false;
            DATA_BLOB plainTextBlob = new DATA_BLOB();
            DATA_BLOB cipherTextBlob=new DATA_BLOB();
            DATA_BLOB entropyBlob = new DATA_BLOB();
            CRYPTPROTECT_PROMPTSTRUCT prompt=new CRYPTPROTECT_PROMPTSTRUCT();
            InitPromptstruct(ref prompt);
            int dwFlags;
            try
            {
                try
                {
                    int byteSize=plainText.Length;
                    plainTextBlob.pbData=Marshal.AllocHGlobal(byteSize);
                    if(IntPtr.Zero==plainTextBlob.pbData)
                    {
                        throw new Exception("Unable to allocate plaintext buffer:");
                    }
                    plainTextBlob.cbData=byteSize;
                    Marshal.Copy(plainText,0,plainTextBlob.pbData,byteSize);
                }
                catch(Exception ex)
                {
                    throw new Exception("Exception marshalling data.:"+ex.Message);
                }
                if(Store.USE_NACHINE_STORE==store)
                {
                    //计算机存储区
                    dwFlags=CRYPTPROTECT_LOCAL_MACHINE|CRYPTPROTECT_UI_FORBIDDEN;
                    if(null==optionalEntropy)
                    {
                        optionalEntropy=new byte[0];
                    }
                    try
                    {
                        int byteSize=optionalEntropy.Length;
                        entropyBlob.pbData=Marshal.AllocHGlobal(optionalEntropy.Length);
                        if(IntPtr.Zero==entropyBlob.pbData)
                        {
                            throw new Exception("Unable to allocate entropy data buffer.");
                        }
                        Marshal.Copy(optionalEntropy,0,entropyBlob.pbData,byteSize);
                        entropyBlob.cbData=byteSize;
                    }
                    catch(Exception ex)
                    {
                        throw new Exception("Exception entropy marshalling data."+ex.Message);
                    }
                }
                else
                {
                    dwFlags=CRYPTPROTECT_UI_FORBIDDEN;
                }
                reVal=CryptProtectData(ref plainTextBlob,"",ref entropyBlob,IntPtr.Zero,ref prompt,dwFlags,ref cipherTextBlob);
                if(false == reVal)
                {
                    throw new Exception("Encryption failed."+GetErrorMessage(Marshal.GetLastWin32Error()));
                }
            }
            catch(Exception ex)
            {
                throw new Exception("Exception encrypting:"+ex.Message);
            }
            byte[] cipherText = new byte[cipherTextBlob.cbData];
            Marshal.Copy(cipherTextBlob.pbData,cipherText,0,cipherTextBlob.cbData);
            return cipherText;
        }
        public byte[] Decrypt(byte[] ciperText,byte[] optionalEntropy)
        {
            bool reVal=false;
            DATA_BLOB plainTextBlob=new DATA_BLOB();
            DATA_BLOB cipherBlob=new DATA_BLOB();
            CRYPTPROTECT_PROMPTSTRUCT prompt=new CRYPTPROTECT_PROMPTSTRUCT();
            InitPromptstruct(ref prompt);
            try
            {
                try
                {
                    int cipherTextSize=ciperText.Length;
                    cipherBlob.pbData=Marshal.AllocHGlobal(cipherTextSize);
                    if(IntPtr.Zero==cipherBlob.pbData)
                    {
                        throw new Exception("unable to allocate cipherText buffer.");
                    }
                    cipherBlob.cbData=cipherTextSize;
                    Marshal.Copy(ciperText,0,cipherBlob.pbData,cipherBlob.cbData);
                }
                catch(Exception ex)
                {
                    throw new Exception("Exception marshalling data."+ex.Message);
                }
                DATA_BLOB entropyBlob=new DATA_BLOB();
                int dwFlags;
                if(Store.USE_NACHINE_STORE==store)
                {
                    dwFlags=CRYPTPROTECT_LOCAL_MACHINE|CRYPTPROTECT_UI_FORBIDDEN;
                    if(null==optionalEntropy)
                    {
                        optionalEntropy=new byte[0];
                    }
                    try
                    {
                        int byteSize=optionalEntropy.Length;
                        entropyBlob.pbData=Marshal.AllocHGlobal(byteSize);
                        if(IntPtr.Zero==entropyBlob.pbData)
                        {
                            throw new Exception("Unable to allocate entropy buffer.");
                        }
                        entropyBlob.cbData=byteSize;
                        Marshal.Copy(optionalEntropy,0,entropyBlob.pbData,byteSize);
                    }
                    catch(Exception ex)
                    {
                        throw new Exception("Exception entropy marshalling data."+ex.Message);
                    }
                }
                else
                {
                    dwFlags=CRYPTPROTECT_UI_FORBIDDEN;
                }
                reVal=CryptUnprotectData(ref cipherBlob,null,ref entropyBlob,IntPtr.Zero,ref prompt,dwFlags,ref plainTextBlob);
                if(false==reVal)
                {
                    throw new Exception("Decryption failed."+GetErrorMessage(Marshal.GetLastWin32Error()));
                }
                if(IntPtr.Zero!=cipherBlob.pbData)
                {
                    Marshal.FreeHGlobal(cipherBlob.pbData);
                }
                if(IntPtr.Zero!=entropyBlob.pbData)
                {
                    Marshal.FreeHGlobal(entropyBlob.pbData);
                }

            }
            catch(Exception ex)
            {
                throw new Exception("Exception decrypting."+ex.Message);
            }
            byte[] plainText=new byte[plainTextBlob.cbData];
            Marshal.Copy(plainTextBlob.pbData,plainText,0,plainTextBlob.cbData);
            return plainText;
        }

        private void InitPromptstruct(ref CRYPTPROTECT_PROMPTSTRUCT ps)
        {
            ps.cbSize=Marshal.SizeOf(typeof(CRYPTPROTECT_PROMPTSTRUCT));
            ps.dwPromptFlags=0;
            ps.hwndApp=NullPtr;
            ps.szPrompt=null;
        }
        private unsafe static String GetErrorMessage(int errorCode)
        {
            int FORMAT_MESSAGE_ALLOCATE_BUFFER=0x00000100;
            int FORMAT_MESSAGE_IGNORE_INSERTS=0x00000200;
            int FORMAT_MESSAGE_FROM_SYSTEM=0x00001000;
            int messageSize=255;
            String lpMsgBuf="";
            int dwFlags=FORMAT_MESSAGE_ALLOCATE_BUFFER|FORMAT_MESSAGE_FROM_SYSTEM|FORMAT_MESSAGE_IGNORE_INSERTS;
            IntPtr ptrlpSource=new IntPtr();
            IntPtr ptrArgument=new IntPtr();
            int retVal=FormatMessage(dwFlags,ref ptrlpSource,errorCode,0,ref lpMsgBuf,messageSize,&ptrArgument);
            if(0==retVal)
            {
                throw new Exception("Failed to format message for error code"+errorCode+".");
            }
            return lpMsgBuf;
        }

    }
}