Limitations of secure storage - KeyChain and KeyStore


Question

I'm planning to use flutter_secure_storage in my app to keep some private keys and tokens. I'm looking for limitations of secure storage on both Android and iOS but I cannot find answers to some of the questions:

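  1. How large are the KeyChain and KeyStore stores on iOS and Android, respectively?
  2. How many keys can we store in them?
  3. How large can an individual key be?
  4. What is the storage lifetime? Does it exist only while the app is installed? Is it ephemeral?

Thanks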

Recommended answer

Secure storage is like Shared Preferences/NSUserDefaults. It stores data in key-value pairs. The data is encrypted and uses a key made from a unique device key to encrypt and decrypt the data stored. The data is stored somewhere in the root directory where only the OS can access it.

  1. There are no storage limitations for secure storage (There are no space limits mentioned in any docs but I do think that you cannot store large amounts of data that are 1Gb+)
  2. You can store an unlimited amount of keys inside
  3. Based on MKJParekh's answer, you can store up to 2147483647 characters.
  4. The data gets deleted once the app is uninstalled. (Take note that the data in secured storage can't be backed up in Android) Take a look at this

Do not use secure storage for storing sensitive private keys and tokens. You didn't specify what private keys and tokens you're going to store in secure storage. You might be storing your database credentials or something that another user shouldn't obtain. Although data being stored in secure storage is encrypted, it isn't entirely secure. Users can root/jailbreak their devices which gives them full control of the OS. There are tools that can intercept keys as they are provided and use them to decrypt the data. The only way to prevent that is to never give the keys to the user. You should store it in a server that you can control. Firebase Cloud Functions, AWS ECS, or your own VPS are examples of these servers.

When to use Secure Storage
Use secure storage to store data that should be encrypted and hidden from the user. That data should only be the user's sensitive data, such as their API keys, and not your server private keys.
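
The split the answer recommends, sketched as an added example that is not part of the original answer: the server's signing key never leaves the server, and the app keeps only a per-user, revocable token in Keychain/Keystore. All names here (`sign_for_user`, `issue_user_token`, and so on) are hypothetical, and the in-memory dict stands in for a real user database.

```python
import hashlib
import hmac
import secrets

# Constructed value for the example; a real server loads this from its own
# secret manager. It is never shipped inside the mobile app.
SERVER_SIGNING_KEY = secrets.token_bytes(32)
USER_TOKEN_HASHES = {}  # user_id -> sha256(token); stand-in for a database


def issue_user_token(user_id: str) -> str:
    """Create the per-user token that the app stores in Keychain/Keystore."""
    token = secrets.token_urlsafe(32)
    # Only a hash is kept server-side, so a database leak does not leak tokens.
    USER_TOKEN_HASHES[user_id] = hashlib.sha256(token.encode()).digest()
    return token


def revoke_user_token(user_id: str) -> None:
    """A token pulled off a rooted device can be invalidated per user."""
    USER_TOKEN_HASHES.pop(user_id, None)


def token_ok(user_id: str, token: str) -> bool:
    expected = USER_TOKEN_HASHES.get(user_id)
    presented = hashlib.sha256(token.encode()).digest()
    # Compare in constant time, also for unknown users (dummy digest).
    same = hmac.compare_digest(presented, expected or bytes(32))
    return same and expected is not None


def sign_for_user(user_id: str, token: str, payload: bytes) -> str:
    """Use the server-held key on behalf of an authenticated user."""
    if not token_ok(user_id, token):
        raise PermissionError("invalid or revoked user token")
    # Bind the signature to the user so it cannot be reused for another user.
    msg = user_id.encode() + b"\x00" + payload
    return hmac.new(SERVER_SIGNING_KEY, msg, hashlib.sha256).hexdigest()
```

If a device is rooted and the token is extracted, the exposure is limited to that one user's token, which the server can revoke; the signing key itself was never on the device.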
