在VB.NET中安全数据？ [英] Secure data in VB.NET?

问题描述

我的VB.NET应用程序有一个非常重要的布尔变量。我需要能够将其保存在某处，并在将来读取（即使应用程序已关闭）。

目前，我将变量存储为.bin文件在某处但是我担心用户可以简单地抓取该文件并做一些魔术来编辑该值。

我需要使用该值完全不可用。 或者至少不能编辑。什么是最好的方式来隐藏这样的价值？

我设法将变量存储在我的在线MySQL数据库中。但是老实说，这对我的目的来说不是很好。我需要在本地存储...

任何想法？

解决方案

理论上，你根本不能隐藏这个变量。但是，您可以更难找到或阅读。要知道如何隐藏变量，您必须首先了解一些常见的检索方式。

典型问题和解决方案

其他人如何理论上检索您的变量值

1. 使用 .NET反思器或任何其他.NET解压缩程序。


2. 在程序运行时分析PC的内存，并检索值


3. 如果您的值被保存在文件中，用户可以通过钩子或转储比较分析硬盘IO活动来轻松找到它。


4. 如果您的值保存在注册表中，则可以使用简单的注册表钩子或注册表转储比较工具来确定该值的存储位置。


5. 如果您的值被加密，则方法＃1 （反编译程序）可用于确定如何进行解密。

解决可能性

1. 可以使用一般的混淆程序，使其难以反编译应用程序。为此，我建议 SmartAssembly 。除此之外，还有一个名为 Spoon Studio （以前称为PostBuild）的工具，它将将您的应用程序重新编译为汇编代码（并使其运行）没有安装.NET Framework）。


2. SecureString 类可以用来在内存中找到并解密该值时更难找到并解密。这个课程在使用后也会自动清理，但通常比正常的字符串稍慢一些。


3. 将东西存储在文件中不是一个坏主意（即使人们可以嗅探文件活动），因为您可以永远以非漂亮的方式存储变量。例如，您可以使用一个名为IsFullScreen.bin的文件，其中包含布尔变量（1或0或true或false）的值，即使它与全屏显示无关。


4. 对于注册表，解决方案3中的所有内容仍然适用。


5. 加密也不是一个坏主意，而且很难解密一些加密类型（例如，如果你有一台服务器，那就是公共/私人密钥加密）或散列（如MD5或SHA1）。


6. 在您的情况下，您可以将值存储在服务器上吗？

所以总结...

您无法完全保护您的应用程序。但是，您可以使用上面的一些解决方案（或组合它们）以获得更好的保护，使其变得更加困难。

当然，过早的安全性是坏的。如果那个布尔值并不重要，那么我认为一些简单的加密也是很好的。

还有更多...

编辑1

我刚刚注意到您已经评论过您自己的答案，说该文件不应该是将其复制到另一台计算机并从那里读取后才能生效。

如果是这样，可以使用一些基于密钥的加密，如XOR加密，然后使用PC的MAC地址或主板序列号作为密钥为加密。

然后需要在文件创建的计算机上阅读文件。如果您对此感兴趣，请添加评论，我会给您一个代码示例。

My VB.NET application has a very important boolean variable. I need to be able to save it "somewhere" and read it back in the future (even if the application is closed).

Currently, I store the variable as a .bin file somewhere. But I fear that the user can simply grab the file and do some magic to edit the value.

I need to make this value completely unavailable from the user's eyes. Or at least, make it impossible to edit. What is the best way to hide such value?

I managed to store the variable in my online MySQL database. But honestly, that doesn't work very well for my purposes. I need to store it locally...

Any ideas?

解决方案

Theoretically, you can never hide this variable at all. However, you can make it harder to find or read. To know how to hide the variable, you must first know some common ways of retrieving it.

Typical problems and solutions

How others could theoretically retrieve your variable value

1. Decompiling your program with a single click using .NET Reflector or any other .NET Decompilation program.
2. Analyze the memory of the PC while the program is running, and retrieve the value from there.
3. If your value was saved in a file, the user could easily find it by analyzing harddrive IO activity through a hook or a dump comparison.
4. If your value was saved in the registry, a simple registry hook or registry dump comparison tool could figure out where the value is stored.
5. If your value is encrypted, method #1 (decompiling the program) could be used to figuring out how a decryption could be done.

Solving the possible issues above

1. A general obfuscation program can be used to make it harder to decompile applications. For this, I suggest SmartAssembly. Other than that, there's a tool called Spoon Studio (previously called PostBuild) which will recompile your application into assembly code (and also make it run without the .NET Framework installed).
2. The SecureString class could be used to make it harder to find and decrypt the value while it's in the memory. This class also cleans itself up after usage, but is generally slightly slower to use than a normal string.
3. Storing things in a file is not nescessarily a bad idea (even if people can sniff file activity), since you can always store the variable in a non-pretty way. For instance, you could have a file called IsFullScreen.bin, that contained the value of your boolean variable (1 or 0, or true or false), even though it has nothing to do with full-screen rendering. This would make it a bit confusing, but also not very pretty programming-wise.
4. For the registry, everything in solution #3 still applies.
5. Encryption is not a bad idea either, and it is hard to decrypt some encryption types (for instance public/private key encryption if you have a server), or hashing (such as MD5 or SHA1).
6. In your scenario, could you store the value on a server instead?

So to summarize ...

You can't protect your application entirely. But you can use some of the solutions above (or combine them) for a better protection making it harder.

Of course, premature security is bad. If that boolean isn't VERY important, then some simple encryption would be fine too in my opinion.

There's more ...

Edit 1

I just noticed that you've commented on your own answer saying that the file should not be "valid" after copying it to another computer and reading it from there.

If that's the case, you could use some key-based encryption such as XOR encryption, and then use the MAC-address of the PC or the motherboard serial number as key for that encryption.

Being on the computer that the file was created on would then be needed to read the file as well. If you're interested in this, add a comment and I'll give you a code example.

这篇关于在VB.NET中安全数据？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！