How is SecureString "encrypted" and still usable?

Question

According to MSDN SecureString contents is encrypted for additional safety so that if the program is swapped to disk the string contents can't be sniffed.

How is such encryption possible I wonder? The algorithm would be fixed and therefore either well-known or deductible (say one of seven widely used in industry algorithms) and there must be a key somewhere in the program. So the attacker could fetch the encrypted string, fetch the key and decrypt the data.

How is such encryption useful?

Recommended answer

I'm quoting from an article about the DPAPI which is used to derive the key. This should answer most questions that you have about SecureString.

And yes, SecureString has drawbacks and is not completely secure, there are ways to access the data, for example, injecting Hawkeye into the process is mentioned on MSDN as a way to extract the SecureString. I have not personally verified this assertion.

DAPI is a symmetric based encryption technique, which means it uses the same key to both encrypt and decrypt data. Before getting to some examples of how to use DAPI it's worth covering how DAPI manages its key. For the most part the DAPI key management process is invisible and you generally don't need to worry about it, which is the main reason why DAPI is a good approach.

In the introduction I wrote that the master key is generated from the user's login password. This isn't the complete picture. What actually happens is Windows uses the user's login password to generate a master key. This master key is protected using the user's password and then stored along with the user's profile. This master key then gets used to derive a number of other keys and it's these other keys that are used to protect the data.

The reason why Windows does this is it allows applications to add additional information, called entropy, to the process of generating the individual keys. You see if every application running under the user's login account used the same key then every application could unprotect DAPI protected data. Sometimes you might want applications to be able to share DAPI protected data; however, sometimes you won't. By letting the application contribute entropy to the generation of a key then that key becomes application specific and any data that is protected by that application can only be unprotected again if they know the entropy.

Although generating a master key, and then using that master key to generate other keys to do the actual encryption, might seem like a long-winded approach it does have one major advantage. Since there is an additional level of abstraction between the user password protected master key and the actual keys used to protect the data it means that when the user changes their password then only the master key needs to be re-protected; none of the protected data needs to be re-protected. Since the master key is much smaller in size than the data then a significant performance saving is made.

When the user's password changes then of course a new master key is generated. This new master key is then used to generate new individual keys. However, since all the previously generated individual keys were derived from the old master key then Windows needs to store all previous master keys, which it does. Windows never forgets a master key and all protected data is marked with a GUID that indicates which master key was used to protect the data. So in terms of adaptability DAPI is able to cope with changes to users' passwords, while ensuring a) that protected data doesn't need to be re-protected, and b) that keys used to previously protect data are still available, and c) it does all this automatically for you.

Unless the computer is a member of a domain DAPI can only unprotect data on the same machine that was used to protect it.

As well as allowing user level protection, in that master keys are based on user passwords and protected data for one user cannot be unprotected by another user, DAPI also provides machine level protection, in that the master keys are based on machine specific information. Machine level master keys allow applications to store protected data so that it can be unprotected by all users of the application. The only difference in the process already described is the master key is generated from machine specific information not user specific information.
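
The entropy and scope behaviour described in the quoted article, shown with the .NET `ProtectedData` wrapper over DPAPI. This is an added example, not code from the original answer or the quoted article; the secret and the two entropy strings are constructed values, and it assumes Windows (on .NET Core/5+ also the `System.Security.Cryptography.ProtectedData` package).

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

static class DpapiEntropyDemo
{
    static void Main()
    {
        // Constructed sample values, for illustration only.
        byte[] secret = Encoding.UTF8.GetBytes("constructed sample secret");
        byte[] appEntropy = Encoding.UTF8.GetBytes("hypothetical-app-A");
        byte[] otherEntropy = Encoding.UTF8.GetBytes("hypothetical-app-B");

        // User-level protection: the key is tied to the current user's
        // master key plus the entropy this application contributes.
        byte[] userBlob = ProtectedData.Protect(
            secret, appEntropy, DataProtectionScope.CurrentUser);

        // Same user and same entropy: the data can be unprotected.
        byte[] roundTrip = ProtectedData.Unprotect(
            userBlob, appEntropy, DataProtectionScope.CurrentUser);
        Console.WriteLine("Round trip ok: " +
            (Encoding.UTF8.GetString(roundTrip) == "constructed sample secret"));

        // Same user but different entropy: unprotecting fails, which is
        // what keeps one application's blobs apart from another's.
        try
        {
            ProtectedData.Unprotect(
                userBlob, otherEntropy, DataProtectionScope.CurrentUser);
            Console.WriteLine("Unexpected: wrong entropy was accepted");
        }
        catch (CryptographicException)
        {
            Console.WriteLine("Wrong entropy rejected");
        }

        // Machine-level protection: any user on this machine who knows
        // the entropy can unprotect the blob.
        byte[] machineBlob = ProtectedData.Protect(
            secret, appEntropy, DataProtectionScope.LocalMachine);
        Console.WriteLine("Machine-scope blob length: " + machineBlob.Length);

        // Clear plaintext copies once they are no longer needed.
        Array.Clear(secret, 0, secret.Length);
        Array.Clear(roundTrip, 0, roundTrip.Length);
    }
}
```

The entropy separates cooperating applications under one account; it is not a secret that the account's other code cannot find, which matches the answer's point that SecureString is not completely secure against code running inside the process.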
