问题描述
有类似的问题如何在对称算法中管理密钥在何处存储密钥在SHA-1哈希中使用?
我的问题是一样的,但我想换一个问题
My question is same, But I want to ask it differently
我有C#应用程序.我正在加密应用程序中的某些数据.对于加密,我使用秘密密钥或密码.解密需要同样的东西.
I have C# application. I am encrypting some data in the application. For encryption I am using secret key or password. This same thing is needed for decryption.
此秘密密钥或密码在哪里/如何存储在应用程序中?它很容易从反射中查看字符串密码.我可能会使用某种组合来生成密码,但是一些聪明的人可以通过一些努力来猜测.
Where/how to store this secret key or password in application? its easy to view string password from reflection. I may use some combination to generate password, but some smart guys can guess that with some efforts.
是否存在任何安全的方式来存储或管理应用程序中用于加密数据的秘密密码?
Is there any secured way to store or manage secret password which is used in application to encrypt data?
推荐答案
我怀疑是否存在任何保证安全的密钥存储方式.最终,您的程序必须能够访问该密钥,并且破解者可以通过逆向工程轻松弄清楚这是怎么回事,并将该字符串重定向到他们想要的任何位置.
I doubt there is any guaranteed secure way to store the key. Ultimately your program has to get access to the key, and a cracker could easily work out how that is happening via reverse engineering and redirect that string to wherever they want to.
您最好的选择是:
-
尽可能混淆密钥.这使得访问秘密密钥"变得更加困难,但并不会使它变得不可能(请参见上文).
Obfuscate the key as much as possible. This makes it more difficult to access the "secret key" but does not make it impossible (see above). Rather than storing it as a string, generate it using a function, or use a seed and pass that through a function to get the secret string.
如果用例允许,请使用公钥/私钥对.仅当您希望您的应用程序对数据进行加密,将其发送到服务器并随后对其进行解密时,此方法才有效.在这种情况下,您可以将公用密钥嵌入到应用程序中(解密者是否发现该密钥无关紧要),并将私钥保留给您自己或您的服务器.
If your use case allows it, use a public/private key pair. It only works if you want your application to encrypt the data, send it to your servers, and then you want to decrypt it. In this case, you embed the public key into the application (doesn't matter if crackers discover that), and keep the private key to yourself or your server.
这篇关于在哪里存储C#应用程序的密钥的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!