Change Microsoft Config File Encryption Method From TripleDES

问题

When encrypting ("protecting") Microsoft config sections, you get something that looks like the XML below. It follows (at least partially) the W3 spec for XML Encryption.

However, in the XML below you'll see that the EncryptionMethod under the EncryptedData section is "tripledes-cbc". We would like to be able to change that to a more-secure alternative, specifically AES, which is specified in the aforementioned W3 spec as well.

In many calls with Microsoft's support engineers, they are nowhere near understanding the question, much less answering it. Is there a way to change this encryption method?

I forgot to mention earlier that we are currently set to RsaProtectedConfigurationProvider, but only the key appears to be encrypted with RSA, whereas the data is encrypted with 3DES.

<MiscCryptoData configProtectionProvider="someConfigProtectionProvider">
  <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns="http://www.w3.org/2001/04/xmlenc#">
    <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
    <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
        <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
        <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
          <KeyName>Rsa Key</KeyName>
        </KeyInfo>
        <CipherData>
          <CipherValue>asf78ag78asg\...cryptoyadayada...asdf8r=</CipherValue>
        </CipherData>
      </EncryptedKey>
    </KeyInfo>
    <CipherData>
      <CipherValue>zxcv6asdf35...largercryptoyadayada...u7i8o9p=</CipherValue>
    </CipherData>
  </EncryptedData>
</MiscCryptoData>

回答1:

I've just checked RsaProtectedConfigurationProvider with the Reflector and as I found out there is nothing you can do to change tripledes-cbc to anything else.

So you have to write your own ProtectedConfigurationProvider if you want to use AES encryption. You may want to use the Reflector to give you a good start.

回答2:

You probably want to build a custom ProtectedConfigurationProvider. See Implementing a Protected Configuration Provider and How to: Build and Run the Protected Configuration Provider Example.

来源：https://stackoverflow.com/questions/4797030/change-microsoft-config-file-encryption-method-from-tripledes