Best practice for saving sensitive data in Windows 8


Problem description

What's the best way of saving sensitive data to a local file in Windows 8? I'm developing a C# application that needs to store OAuth tokens/passwords. I've heard it was common in .NET to encrypt/decrypt data, but I don't have any experience with those mechanics. Is encryption still recommended/necessary given that Windows 8 apps have their own personal/protected storage area similar to Windows Phone?

Also, doesn't encrypting/decrypting each time you request the data cause a performance issue? (Would it be better to write a custom/lite algorithm?)

Recommended answer

UPDATE: Please be aware that while modern/metro apps are restricted from poking at each other's stuff, desktop applications will have unrestricted access to all data stored through these APIs. See http://www.hanselman.com/blog/SavingAndRetrievingBrowserAndOtherPasswords.aspx which includes code demonstrating this.

Win8 has a new API called PasswordVault (http://msdn.microsoft.com/en-us/library/windows/apps/windows.security.credentials.passwordvault.aspx) that's designed for taking care of all these hard problems for you. Really easy to use, secure, and can be configured by users to roam between their machines so they only have to enter credentials once. I've successfully used this for OAuth tokens.

Retrieving credentials (note the stupid exception that WinRT raises... they really should just return null):

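using System.Linq;                      // FirstOrDefault
using System.Runtime.InteropServices;   // COMException
using Windows.Security.Credentials;     // PasswordVault, PasswordCredential

const string VAULT_RESOURCE = "[My App] Credentials";
string UserName { get; set; }
string Password { get; set; }
var vault = new PasswordVault();

try
{
   // FindAllByResource returns entries without the password filled in
   var creds = vault.FindAllByResource(VAULT_RESOURCE).FirstOrDefault();
   if (creds != null)
   {
      UserName = creds.UserName;
      // Retrieve looks the entry up again and populates Password
      Password = vault.Retrieve(VAULT_RESOURCE, UserName).Password;
   }
}
catch (COMException)
{
   // this exception likely means that no credentials have been stored
}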

Storing credentials:

vault.Add(new PasswordCredential(VAULT_RESOURCE, UserName, Password));

Removing credentials (when the user clicks the logout button in your app):

vault.Remove(vault.Retrieve(VAULT_RESOURCE, UserName));
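
The three operations above combined into one helper, as an added example that is not part of the original answer. The class name TokenStore and its method names are hypothetical; it assumes a Windows Store app that references Windows.Security.Credentials, and it uses RetrieveAll with a filter so that a missing entry is reported as false rather than through an exception.

```csharp
using System.Linq;
using Windows.Security.Credentials;

// Hypothetical helper (added example): keeps one OAuth token per resource name.
public sealed class TokenStore
{
    private readonly string _resource;
    private readonly PasswordVault _vault = new PasswordVault();

    public TokenStore(string resource) { _resource = resource; }

    // Returns false instead of throwing when nothing is stored.
    public bool TryLoad(out string userName, out string token)
    {
        userName = null;
        token = null;
        // RetrieveAll lists this app's entries with Password left empty,
        // so an empty vault yields an empty list.
        var entry = _vault.RetrieveAll().FirstOrDefault(x => x.Resource == _resource);
        if (entry == null) return false;
        entry.RetrievePassword();   // fills in Password on demand
        userName = entry.UserName;
        token = entry.Password;
        return true;
    }

    // Replaces any previous entry so a stale token never lingers beside the new one.
    public void Save(string userName, string token)
    {
        Clear();
        _vault.Add(new PasswordCredential(_resource, userName, token));
    }

    // Call on logout: removes every entry stored under this resource.
    public void Clear()
    {
        var stale = _vault.RetrieveAll().Where(x => x.Resource == _resource).ToList();
        foreach (var c in stale)
            _vault.Remove(c);
    }
}
```

As the UPDATE at the top of the answer says, the vault isolates modern/metro apps from one another but not from desktop applications, so clearing the entry on logout and keeping tokens short-lived still matters.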
