问题描述
我在编写用于查询用户邮箱存储配额的winforms应用程序中有一些类似的代码.
DirectoryEntry mbstore = new DirectoryEntry(
@"LDAP://" + strhome,
m_serviceaccount,
[m_pwd],
AuthenticationTypes.Secure);
无论我尝试了哪种方法(例如SecureString),都可以使用Reflector或使用Process Explorer的可执行文件的字符串选项卡轻松查看密码( m_pwd ).
我知道我可以将这段代码放在服务器上,或者使用委派之类的机制来加强安全性,并且仅将所需的特权授予服务帐户.
有人可以建议一种合理的安全方式将密码存储在本地应用程序中,而不会将密码透露给黑客吗?
无法散列,因为我需要知道确切的密码(不仅仅是用于匹配目的的散列).加密/解密机制不起作用,因为它们取决于计算机.
成圣的方法是使用CryptoAPI和数据保护API.
要进行加密,请使用以下类似内容(C ++):
DATA_BLOB blobIn, blobOut;
blobIn.pbData=(BYTE*)data;
blobIn.cbData=wcslen(data)*sizeof(WCHAR);
CryptProtectData(&blobIn, description, NULL, NULL, NULL, CRYPTPROTECT_LOCAL_MACHINE | CRYPTPROTECT_UI_FORBIDDEN, &blobOut);
_encrypted=blobOut.pbData;
_length=blobOut.cbData;
解密相反:
DATA_BLOB blobIn, blobOut;
blobIn.pbData=const_cast<BYTE*>(data);
blobIn.cbData=length;
CryptUnprotectData(&blobIn, NULL, NULL, NULL, NULL, CRYPTPROTECT_UI_FORBIDDEN, &blobOut);
std::wstring _decrypted;
_decrypted.assign((LPCWSTR)blobOut.pbData,(LPCWSTR)blobOut.pbData+blobOut.cbData/sizeof(WCHAR));
如果您未指定CRYPTPROTECT_LOCAL_MACHINE,则加密的密码可以安全地存储在注册表或配置文件中,只有您才能解密.如果指定LOCAL_MACHINE,那么有权访问该计算机的任何人都可以得到它.
I have some code like this in a winforms app I was writing to query a user's mail box Storage Quota.
DirectoryEntry mbstore = new DirectoryEntry(
@"LDAP://" + strhome,
m_serviceaccount,
[m_pwd],
AuthenticationTypes.Secure);
No matter what approach I tried (like SecureString), I am easily able to see the password (m_pwd) either using Reflector or using strings tab of Process Explorer for the executable.
I know I could put this code on the server or tighten up the security using mechanisms like delegation and giving only the required privileges to the service account.
Can somebody suggest a reasonably secure way to store the password in the local application without revealing the password to hackers?
Hashing is not possible since I need to know the exact password (not just the hash for matching purpose).Encryption/Decryption mechanisms are not working since they are machine dependent.
The sanctified method is to use CryptoAPI and the Data Protection APIs.
To encrypt, use something like this (C++):
DATA_BLOB blobIn, blobOut;
blobIn.pbData=(BYTE*)data;
blobIn.cbData=wcslen(data)*sizeof(WCHAR);
CryptProtectData(&blobIn, description, NULL, NULL, NULL, CRYPTPROTECT_LOCAL_MACHINE | CRYPTPROTECT_UI_FORBIDDEN, &blobOut);
_encrypted=blobOut.pbData;
_length=blobOut.cbData;
Decryption is the opposite:
DATA_BLOB blobIn, blobOut;
blobIn.pbData=const_cast<BYTE*>(data);
blobIn.cbData=length;
CryptUnprotectData(&blobIn, NULL, NULL, NULL, NULL, CRYPTPROTECT_UI_FORBIDDEN, &blobOut);
std::wstring _decrypted;
_decrypted.assign((LPCWSTR)blobOut.pbData,(LPCWSTR)blobOut.pbData+blobOut.cbData/sizeof(WCHAR));
If you don't specify CRYPTPROTECT_LOCAL_MACHINE then the encrypted password can be securely stored in the registry or config file and only you can decrypt it. If you specify LOCAL_MACHINE, then anyone with access to the machine can get it.
这篇关于如何在Winforms应用程序中存储密码?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!