如何写一个“真实"的C#中的私有方法? [英] How to write a "truly" private method in C#?
问题描述
实际上,私有方法是在C#中实现的,仍然可以使用Reflection进行搜索.
In fact, private methods are implemented in C# that can still be searched with Reflection.
我要做的是编写public string Encrypt(string data)和private string Decrypt(string cipher)方法来执行加密和解密.
What I am going to do is to write public string Encrypt(string data) and private string Decrypt(string cipher) methods to perform encryption and decryption.
不幸的是,如果有人知道.NET框架,他可以使用Reflection查找Decrypt方法并将其解密所有加密的内容.
Unfortunately, if someone knows .NET framework, he can use Reflection to find Decrypt methods and it decrypt everything that is encrypted.
似乎并不那么安全.因此,我想将Decrypt方法设置为真正私有方法.
It seems that is not that secure. So I want to make Decrypt method to truly private method.
但是该怎么做?
悉尼时间2012年1月9日晚上10:52更新
Updated 09 Jan 2012 10:52PM Sydney Time
黑体提供此问题的技术说明
埃里克·利珀特提供此问题的政治解释
感谢两位专家!
推荐答案
您不能.如果攻击者可以访问您的代码,已编译或源代码,则他可以跟踪您的程序并找到在何处进行加密或解密.
You can't. If the attacker has access to your code, compiled or source, he can trace your program and find where it's being encrypted or decrypted.
您可以通过将密钥存储在单独的位置来增加安全性,但是通常,如果攻击者在服务器上执行代码,则已经很麻烦了.
You can add a layer of security by storing the key in a separate location, but generally if the attacker is executing code on your server, you're already screwed.
(您仅担心攻击者在服务器上执行代码,因为否则该方法是否私有并不重要.此外,除非他使用以下方法,否则他不能使用反射来查找方法名称:在服务器上执行代码.简而言之:您在这里担心的是错误的事情.)
(You're only worried about this if the attacker is executing code on your server, because otherwise it doesn't matter whether or not the method is private. Also, he can't use reflection to find method names unless he's executing code on your server. In short: you're worrying about the wrong thing here.)
这篇关于如何写一个“真实"的C#中的私有方法?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
