How to store a password in a Winforms application


Problem description


I have some code like this in a winforms app I was writing to query a user's mail box Storage Quota.

using System.DirectoryServices;

DirectoryEntry mbstore = new DirectoryEntry(
      @"LDAP://" + strhome,
      m_serviceaccount,
      m_pwd,                        // the clear-text service-account password this question is about
      AuthenticationTypes.Secure);

No matter what approach I tried (like SecureString), I am easily able to see the password (m_pwd) either using Reflector or using the strings tab of Process Explorer for the executable.

I know I could put this code on the server or tighten up the security using mechanisms like delegation and giving only the required privileges to the service account.

Can somebody suggest a reasonably secure way to store the password in the local application without revealing the password to hackers?

Hashing is not possible since I need to know the exact password (not just the hash for matching purposes). Encryption/Decryption mechanisms are not working since they are machine dependent.

Solution

The sanctified method is to use CryptoAPI and the Data Protection APIs.

To encrypt, use something like this (C++):

#include <windows.h>
#include <wincrypt.h>
#pragma comment(lib, "crypt32.lib")

DATA_BLOB blobIn, blobOut;
blobIn.pbData=(BYTE*)data;                  // data: const WCHAR* clear-text password
blobIn.cbData=wcslen(data)*sizeof(WCHAR);   // byte length, no terminator

// CRYPTPROTECT_LOCAL_MACHINE: any account on this machine can decrypt; omit it for per-user scope.
if (CryptProtectData(&blobIn, description, NULL, NULL, NULL, CRYPTPROTECT_LOCAL_MACHINE | CRYPTPROTECT_UI_FORBIDDEN, &blobOut)) {
    _encrypted=blobOut.pbData;              // allocated by DPAPI; release with LocalFree() when done
    _length=blobOut.cbData;
} // else: GetLastError() has the reason

Decryption is the opposite:

DATA_BLOB blobIn, blobOut;
blobIn.pbData=const_cast<BYTE*>(data);      // data/length: the blob produced by CryptProtectData
blobIn.cbData=length;

std::wstring _decrypted;
if (CryptUnprotectData(&blobIn, NULL, NULL, NULL, NULL, CRYPTPROTECT_UI_FORBIDDEN, &blobOut)) {
    _decrypted.assign((LPCWSTR)blobOut.pbData,(LPCWSTR)blobOut.pbData+blobOut.cbData/sizeof(WCHAR));
    SecureZeroMemory(blobOut.pbData, blobOut.cbData);   // wipe the clear text before releasing the buffer
    LocalFree(blobOut.pbData);
} // else: wrong user/machine or a corrupted blob; GetLastError() has the code

If you don't specify CRYPTPROTECT_LOCAL_MACHINE then the encrypted password can be securely stored in the registry or config file and only you can decrypt it. If you specify LOCAL_MACHINE, then anyone with access to the machine can get it.
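The same DPAPI round-trip from the managed side of a Winforms app, as an added example that is not part of the answer above: it uses System.Security.Cryptography.ProtectedData, the .NET wrapper over CryptProtectData/CryptUnprotectData (assumes .NET Framework with a reference to System.Security.dll); the file path and the entropy string are illustrative assumptions.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

// Added example: DPAPI from managed code. ProtectedData.Protect is the .NET wrapper over
// CryptProtectData; DataProtectionScope.CurrentUser corresponds to calling it WITHOUT
// CRYPTPROTECT_LOCAL_MACHINE, so only the same Windows account on this machine can decrypt.
static class PasswordStore
{
    // Optional entropy (illustrative value): mixed into the DPAPI key so that a generic
    // "unprotect every blob" pass run as this user still needs to know this value too.
    private static readonly byte[] Entropy = Encoding.UTF8.GetBytes("mbstore-quota-tool-v1");

    public static void Save(string path, string password)
    {
        // Encoding.Unicode matches the WCHAR bytes the C++ answer protects.
        byte[] plain = Encoding.Unicode.GetBytes(password);
        try
        {
            byte[] cipher = ProtectedData.Protect(plain, Entropy, DataProtectionScope.CurrentUser);
            File.WriteAllText(path, Convert.ToBase64String(cipher));   // safe to keep in config/registry
        }
        finally
        {
            Array.Clear(plain, 0, plain.Length);                       // drop the clear-text bytes
        }
    }

    public static string Load(string path)
    {
        byte[] cipher = Convert.FromBase64String(File.ReadAllText(path));
        byte[] plain;
        try
        {
            plain = ProtectedData.Unprotect(cipher, Entropy, DataProtectionScope.CurrentUser);
        }
        catch (CryptographicException)
        {
            // Blob written by a different user or machine, or tampered with: do not guess, re-prompt.
            throw new InvalidOperationException("Stored credential is not decryptable by this account; re-enter it.");
        }
        string password = Encoding.Unicode.GetString(plain);
        Array.Clear(plain, 0, plain.Length);
        return password;   // hand this to new DirectoryEntry(...) and let it go out of scope promptly
    }
}
```

DirectoryEntry still takes the password as a plain string, so the clear text exists in process memory while the LDAP query runs; what DPAPI fixes is the copy at rest, which is the part the question could not protect with hashing or hand-rolled encryption.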


08-19 00:41