问题描述
我有一个用户名和SMTP服务器的密码。目前,他们都在我的代码硬编码:
I have a username and a password for an smtp server. Currently they are hardcoded in my code:
string userName = "username";
string password = "password";
目前,谁拆开我的DLL可以看到这些字符串,是否正确?
Currently, anyone who disassembles my dll could see these strings, correct?
我要在注册表中,安全地存储这些在SMTP服务器未来的变化,和/或凭证的情况下。我并不担心SMTP服务器地址字符串的安全性。我只担心凭据的安全。
I wish to store these securely in the registry, in case of future changes to the smtp server, and/or the credentials. I am not worried about the smtp server address string's security. I am only worried about the credentials' security.
我如何做没有硬编码的凭据哪儿了吗?我希望看到在注册表中encrpyted字符串。
How do I do this without hard-coding the credentials anywhere? I wish to see encrpyted strings in the registry.
我可以encrpyt密码,然后加密存储在注册表中删除代码的密码,并使用解密密码假设是正确的。然而,就不会有人谁拆开我的代码仍然能够解密存储在注册表中的加密字符串?
I can encrpyt the password, then store the encryption in the registry, delete the password from the code, and use the decrypted password assuming that it is correct. However, wouldn't someone who disassembles my code still be able to decrypt the encrypted string stored in the registry?
什么是最安全的方法?
推荐答案
在某些时候,无论你有多少的安全层的,代码必须使用未加密的密码。这意味着有人有足够的访问您的系统来查看和/或修改注册表可能有大量的访问代码来获取您的密码,不管你做什么。
At some point, no matter how many layers of security you have, the code will have to use the unencrypted password. That means that someone with enough access to your system to view and/or modify the registry probably has plenty of access to your code to get your password no matter what you do.
我知道,作为开发商,我们倾向于与合作偏执= Paranoia.Maximum;
很多,但有时你必须背下来了一些。
I know as developers we tend to work with paranoia = Paranoia.Maximum;
a lot, but sometimes you have to back it down some.
这是说,有一些事情可以做。如果凭据必须是安全的,可以考虑,将它们存储如果可能的话,在一个远程数据库。您可以存储他们在远程服务器上加密,以便能够访问你的机器的人不会necessarilly访问数据库服务器。
That said, there are some things you can do. If the credentials need to be that secure, consider storing them, if possible, in a remote database. You can store them encrypted on a remote server so that anyone having access to your machine won't necessarilly have access to the DB Server.
如果你真的想关闭偏执起来,使安全性,同时用户的责任,让他们提供包含数据的文件一个安全的地方。然后,您可以推荐的位置是这样一个拇指驱动器这将身体从计算机中删除当你的程序不使用。
If you really want to turn the paranoia up, and make security the user's responsibility at the same time, have them provide a "secure location" for a file that contains the data. You can then recommend that the location be something like a thumb-drive which would be removed physically from the computer when your program is not in use.
在任何情况下,安全性,你要觉得在层条款。你这样做将足以真正良好的安全性没有一件事,但通过分层几项措施可以增加安全性,应该足以满足您的需求点。
In any case, with security, you want to think in terms of layers. No one thing you do will be sufficient for really good security, but by layering several measures you can increase security to the point it should be sufficient for your needs.
这篇关于保存并在注册表中加密SMTP凭据的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!