将数据安全地存储在内存中(基于密码的加密) [英] Store data securely in memory (password based encryption)
问题描述
我必须将密钥存储到内存中.因此,出于安全考虑,我们不能将加密密钥直接存储到内存中,我们需要以加密方式存储密钥.因此,我们的想法是我们以加密方式存储密钥,并且在进行加密操作时,只需解密密钥并使用它并配置密钥即可.
I have to store the key into memory. So as security concern we can not store the cryptographic key into the memory directly, We need to store the key in Encrypted way. So the idea is we store the key in encrypted manner and at the time of crypto operation, just decrypt the key and use it and dispose the key.
So we are using Password based encryption(PBE) define in BouncyCastle c# version Example code.
代码中的问题是密码已在此处修复.我必须在运行时生成密码.
The problem in code is that the password is fix here. I have to generate the password at run time.
存储密钥的步骤:
- 生成密码
- 创建临时密钥以加密密钥(安全数据)
- 保存到内存
执行加密操作的步骤:
- 生成密码
- 创建临时密钥以解密密钥(安全数据)
- 执行加密操作
- 配置密钥(安全数据)
推荐答案
这里是一个主意,因此永远不要将密码在未加密的情况下存储在本地var外:
Here is an idea so the password can be never stored unencrypted outside local vars:
using System;
using System.Security;
using System.Security.Cryptography;
using System.Text;
private string _SecureKey;
public bool MemorizePassword { get; set; }
public string Password
{
get
{
if ( _Password.IsNullOrEmpty() ) return _Password;
var buf = Encoding.Default.GetBytes(_Password);
ProtectedMemory.Unprotect(buf, MemoryProtectionScope.SameProcess);
return Encoding.Default.GetString(Decrypt(buf, _SecureKey.ToString()));
}
set
{
if ( !MemorizePassword )
{
_Password = "";
return;
}
CreateSecureKey();
if ( value.IsNullOrEmpty() )
_Password = value;
else
{
var buf = Encrypt(Encoding.Default.GetBytes(value), _SecureKey.ToString());
ProtectedMemory.Protect(buf, MemoryProtectionScope.SameProcess);
_Password = Encoding.Default.GetString(buf);
}
}
}
private void CreateSecureKey()
{
_SecureKey = new SecureString();
foreach ( char c in Convert.ToBase64String(CreateCryptoKey(64)) )
_SecureKey.AppendChar(c);
_SecureKey.MakeReadOnly();
}
static public byte[] CreateCryptoKey(int length)
{
if ( length < 1 ) length = 1;
byte[] key = new byte[length];
new RNGCryptoServiceProvider().GetBytes(key);
return key;
}
static public byte[] Encrypt(byte[] data, string password)
{
return Encrypt(data, password, DefaultCryptoSalt);
}
static public byte[] Decrypt(byte[] data, string password)
{
return Decrypt(data, password, DefaultCryptoSalt);
}
static public string Encrypt(string str, string password, byte[] salt)
{
if ( str.IsNullOrEmpty() ) return str;
PasswordDeriveBytes p = new PasswordDeriveBytes(password, salt);
var s = Encrypt(Encoding.Default.GetBytes(str), p.GetBytes(32), p.GetBytes(16));
return Convert.ToBase64String(s);
}
static public string Decrypt(string str, string password, byte[] salt)
{
if ( str.IsNullOrEmpty() ) return str;
PasswordDeriveBytes p = new PasswordDeriveBytes(password, salt);
var s = Decrypt(Convert.FromBase64String(str), p.GetBytes(32), p.GetBytes(16));
return Encoding.Default.GetString(s);
}
static public byte[] Encrypt(byte[] data, byte[] key, byte[] iv)
{
if ( data == null ) return data;
using ( MemoryStream m = new MemoryStream() )
{
var r = Rijndael.Create().CreateEncryptor(key, iv);
using ( CryptoStream c = new CryptoStream(m, r, CryptoStreamMode.Write) )
c.Write(data, 0, data.Length);
return m.ToArray();
}
}
static public byte[] Decrypt(byte[] data, byte[] key, byte[] iv)
{
if ( data == null ) return data;
using ( MemoryStream m = new MemoryStream() )
{
var r = Rijndael.Create().CreateDecryptor(key, iv);
using ( CryptoStream c = new CryptoStream(m, r, CryptoStreamMode.Write) )
c.Write(data, 0, data.Length);
return m.ToArray();
}
}
特定于您的应用程序的盐示例(使用0到255之间的任意随机值):
Example of salt specific to your app (use any random value between 0 and 255):
byte[] DefaultCryptoSalt = new byte[] { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };
这篇关于将数据安全地存储在内存中(基于密码的加密)的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
