Protecting API Secret Keys in a Thick Client application


Question


Within an application, I've got Secret Keys used to calculate a hash for an API call. In a .NET application it's fairly easy to use a program like Reflector to pull out information from the assembly to include these keys.


Is obfuscating the assembly a good way of securing these keys?

Answer

Probably not.


Look into cryptography and Windows' built-in information-hiding mechanisms (DPAPI and storing the keys in an ACL-restricted registry key, for example). That's as good as you're going to get for security you need to keep on the same system as your application.


If you are looking for a way to stop someone physically sitting at the machine from getting your information, forget it. If someone is determined, and has unrestricted access to a computer that is not under your control, there is no way to be 100% certain that the data is protected under all circumstances. Someone who is determined will get at it if they want to.
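One way to apply the answer's two suggestions together in a .NET thick client, as an added example that is not code from the original answer: DPAPI (`ProtectedData`) encrypts the secret under the current user's logon credentials, and the resulting blob is written to a registry key whose ACL is cut down to that one user. The key path and value name are assumptions, and the code assumes .NET Framework on Windows with `System.Security` referenced.

```csharp
// Added example, not from the original answer. Assumes Windows + .NET Framework.
using System;
using System.Security.AccessControl;
using System.Security.Cryptography;
using System.Security.Principal;
using System.Text;
using Microsoft.Win32;

static class SecretStore
{
    // Hypothetical key path and value name; substitute your own.
    const string KeyPath = @"Software\ExampleVendor\ExampleApp";
    const string ValueName = "ApiSecret";

    public static void Save(string secret)
    {
        // DPAPI, CurrentUser scope: only this Windows account can Unprotect the blob.
        // Optional entropy (second argument) is omitted; a constant compiled into the
        // assembly would not add anything, since Reflector recovers it just as easily.
        byte[] blob = ProtectedData.Protect(
            Encoding.UTF8.GetBytes(secret), null, DataProtectionScope.CurrentUser);

        using (RegistryKey key = Registry.CurrentUser.CreateSubKey(KeyPath))
        {
            // Drop inherited ACEs and grant access to the current user only.
            var acl = new RegistrySecurity();
            acl.SetAccessRuleProtection(isProtected: true, preserveInheritance: false);
            acl.AddAccessRule(new RegistryAccessRule(
                WindowsIdentity.GetCurrent().User,
                RegistryRights.FullControl,
                InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit,
                PropagationFlags.None,
                AccessControlType.Allow));
            key.SetAccessControl(acl);
            key.SetValue(ValueName, blob, RegistryValueKind.Binary);
        }
    }

    public static string Load()
    {
        using (RegistryKey key = Registry.CurrentUser.OpenSubKey(KeyPath))
        {
            if (key == null) throw new InvalidOperationException("secret not provisioned");
            byte[] blob = (byte[])key.GetValue(ValueName);
            // Unprotect fails for any other account or for an offline copy of the hive.
            byte[] plain = ProtectedData.Unprotect(blob, null, DataProtectionScope.CurrentUser);
            return Encoding.UTF8.GetString(plain);
        }
    }
}
```

As the answer says, this only raises the bar: the secret stays protected against other accounts and against copying the registry hive off the machine, but any code running as the same user can call `Unprotect`, so the key must still be provisioned per installation rather than shipped inside the assembly.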
