Oracle DB and SecureString


Problem description


I am currently storing the user password in a SecureString, which is also kept around in case the connection to the DB resets.


My problem is, I'm trying to pass this password to an OracleParameter, but I'm not sure if it supports it or not.


Does Oracle's Oracle.DataAccess dll support SecureString or BStr? Since if I have to convert it to a string then that would kinda defeat the purpose of SecureString.

--- Edit


I know that SecureString is about reducing the attack surface by keeping as few copies of the password around unencrypted as possible. The problem is at some point you of course have to decrypt the password to use it. If I could pass a char[] or a BStr or the secure string itself in an OracleParameter then I could clear it after the call returns. But if I have to create a string in order to pass it to Oracle, then I've just created a new immutable copy of the password. So I'm not really sure I gained much then.

Recommended answer


No - AFAIK what you ask is not supported...


BUT even if it were supported the security issue would remain since the Oracle driver used (OCI) is native and does not know anything about SecureString thus it will handle the value internally without encryption which in turn means that this value can end up for example unencrypted in the swap file...


It would be a bit more secure if what you ask were supported on the .NET side of things but merely so...


IF you really need that level of security I would recommend redesigning that part of your software to use encrypted values in a way that the server-side (Oracle DB) of things does not require "plain text" but works with the encrypted values...
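The char[] approach from the question's edit, as an added example that is not code from the question, the answer, or ODP.NET: the SecureString is decrypted into a BSTR, copied once into a pinned managed buffer, handed to a consumer, and both copies are zeroed in `finally`. `WithPlaintext` and the consumer delegate are hypothetical stand-ins for an API that accepts `char[]`, and the password value is constructed.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security;

// Added example, not code from the original question, the answer, or ODP.NET.
// Pattern the edit describes: decrypt a SecureString only for the duration of one call,
// into buffers the caller controls, and zero them in a finally block.
static class SecureStringUse
{
    // Runs `use` with the plaintext as a pinned char[]; both copies are wiped afterwards.
    // `use` is a hypothetical consumer standing in for an API that accepts char[]
    // (OracleParameter does not, per the answer above).
    public static T WithPlaintext<T>(SecureString secret, Func<char[], T> use)
    {
        IntPtr bstr = IntPtr.Zero;
        char[] buffer = new char[secret.Length];
        // Pin so the GC cannot relocate the array and leave a stale copy behind.
        GCHandle pin = GCHandle.Alloc(buffer, GCHandleType.Pinned);
        try
        {
            bstr = Marshal.SecureStringToBSTR(secret);    // decrypted, unmanaged copy
            Marshal.Copy(bstr, buffer, 0, buffer.Length); // the one managed copy we control
            return use(buffer);
        }
        finally
        {
            Array.Clear(buffer, 0, buffer.Length);                // wipe the managed copy
            if (bstr != IntPtr.Zero) Marshal.ZeroFreeBSTR(bstr);  // wipe and free the BSTR
            pin.Free();
        }
    }

    public static void Main()
    {
        using (var secret = new SecureString())
        {
            // Constructed sample value; a real one would be appended char by char from user input.
            foreach (char c in "sample-password") secret.AppendChar(c);
            secret.MakeReadOnly();

            // The consumer only reports the length here; anything it does with `buffer`
            // must finish before it returns, because the array is zeroed right after.
            int length = WithPlaintext(secret, buffer => buffer.Length);
            Console.WriteLine($"password length seen by consumer: {length}");
        }
    }
}
```

A consumer that only accepts `string` still forces an immutable managed copy, which is exactly the gap the answer points out, and the native driver's own copy of the value is outside this control entirely.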
