Best practice for saving sensitive data in Windows 8


Question

What's the best way of saving sensitive data to a local file in Windows 8? I'm developing a C# application that needs to store oAuth tokens/passwords. I've heard it was common in .NET to encrypt/decrypt data, but I don't have any experience with those mechanics. Is encryption still recommended/necessary given that Windows 8 apps have their own personal/protected storage area similar to Windows Phone?

Also, doesn't encrypting/decrypting each time you request the data cause a performance issue? (Would it be better to write a custom/lite algorithm?)

Recommended answer

UPDATE: Please be aware that while modern/metro apps are restricted from poking at each other's stuff, desktop applications will have unrestricted access to all data stored through these APIs. See http://www.hanselman.com/blog/SavingAndRetrievingBrowserAndOtherPasswords.aspx which includes code demonstrating this.

Win8 has a new API called PasswordVault that's designed for taking care of all these hard problems for you. Really easy to use, secure, and can be configured by users to roam between their machines so they only have to enter credentials once. I've successfully used this for OAuth tokens.

Retrieving credentials (note the stupid exception that WinRT raises... they really should just return null):

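using System.Linq;
using System.Runtime.InteropServices;
using Windows.Security.Credentials;

const string VAULT_RESOURCE = "[My App] Credentials";
string UserName { get; set; }
string Password { get; set; }
var vault = new PasswordVault();

try
{
   // FindAllByResource throws instead of returning an empty list when nothing is stored
   var creds = vault.FindAllByResource(VAULT_RESOURCE).FirstOrDefault();
   if (creds != null)
   {
      UserName = creds.UserName;
      // entries returned by FindAllByResource carry no password; Retrieve populates it
      Password = vault.Retrieve(VAULT_RESOURCE, UserName).Password;
   }
}
catch(COMException) 
{
   // this exception likely means that no credentials have been stored
}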

Storing credentials:

vault.Add(new PasswordCredential(VAULT_RESOURCE, UserName, Password));

Removing credentials (when the user clicks the logout button in your app):

vault.Remove(vault.Retrieve(VAULT_RESOURCE, UserName));
