在源代码中存储加密密钥的安全性如何? [英] How secure is it to store an encryption key in source code?
问题描述
internal static class Encryptor
{
//实际值放在我的源
private static readonly byte [] Key = {0,0,0,0,0,0,0,0};
private static readonly byte [] Iv = {0,0,0,0,0,0,0,0} 0;
内部静态String Encrypt(string source)
{
var des = new DESCryptoServiceProvider();
var enc = des.CreateEncryptor(Key,Iv);
var b = Encoding.ASCII.GetBytes(source);
var encId = enc.TransformFinalBlock(b,0,b.Length);
return Convert.ToBase64String(encId);
}
内部静态字符串解密(字符串加密)
{
var des = new DESCryptoServiceProvider();
var dec = des.CreateDecryptor(Key,Iv);
var b = Convert.FromBase64String(encrypted);
var decId = dec.TransformFinalBlock(b,0,b.Length);
return Encoding.ASCII.GetString(decId);
}
}
这与这个问题和这个,但是似乎没有一个明确的答案(据我所知,我承认自己是一个关于这个话题的完整的初学者)。请指教。 :)
是的,这很容易破碎。任何具有反射器(或ILSpy或dotPeek或...)等工具知识的开发人员都无需识别加密功能并找到密钥。有组装的人甚至可以直接调用 Decrypt ,而不用提取密钥。
是它足够安全吗?这取决于,只有你可以回答。如果这是许可证,相当于在不要复制我的软件的框上贴上贴纸。另一方面,为一个经验丰富和坚定的攻击者制定一个难以破解的强大的许可证制度是一件很大的事情,你可能想考虑是否值得付出努力。就个人而言,我会投入时间使软件变得如此棒,人们会想要付出代价,而不是阻止少数坏人使用它来进行无牌。
Is this encryption class sufficiently secure? Or can someone disassemble my binary to find the key and IV? I'm using it to decrpyt license files so it's quite important that it can't be easily broken.
internal static class Encryptor
{
// Actual values are put here in my source
private static readonly byte[] Key = { 0, 0, 0, 0, 0, 0, 0, 0 };
private static readonly byte[] Iv = { 0, 0, 0, 0, 0, 0, 0, 0 };
internal static String Encrypt(string source)
{
var des = new DESCryptoServiceProvider();
var enc = des.CreateEncryptor(Key, Iv);
var b = Encoding.ASCII.GetBytes(source);
var encId = enc.TransformFinalBlock(b, 0, b.Length);
return Convert.ToBase64String(encId);
}
internal static string Decrypt(string encrypted)
{
var des = new DESCryptoServiceProvider();
var dec = des.CreateDecryptor(Key, Iv);
var b = Convert.FromBase64String(encrypted);
var decId = dec.TransformFinalBlock(b, 0, b.Length);
return Encoding.ASCII.GetString(decId);
}
}
This is similar to this question and this one, but neither seem to have a clear answer (as far as I can understand - and I admit to being a complete beginner on this topic). Please advise. :)
Yes, this is easily broken. Any developer with knowledge of tools such as Reflector (or ILSpy, or dotPeek, or ...), will have no trouble identifying the encryption function and finding your key. Someone who has the assembly will even be able to call Decrypt directly, not bothering with extracting the key.
Is it sufficiently secure ? It depends, only you can answer that. If this is for licensing, it is the equivalent of putting a sticker on a box saying "Don't copy my software". On the other hand, making a robust licensing scheme that is hard to break for an experienced and determined attacker, is a large undertaking, and you might want to consider if it is worth the effort. Personally, I would invest my time in making the software so awesome, that people will want to pay for it, rather than stopping a small number of bad guys from using it unlicensed.
这篇关于在源代码中存储加密密钥的安全性如何?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
