“隐藏”的最佳做法秘密 [英] Best practice for "hiding" secrets

问题描述

大家好，


让我说我有一个秘密。我希望隐藏，让我们说一个数据库密码。

对于更详细的问题，使用

连接字符串的Web应用程序/服务。


我提出的所有解决方案（嵌入代码，加密 - 解密）

涉及在代码中嵌入/另一个秘密。既然我的问题不能请求用户干预，我就停止了。


什么是避免在代码中写秘密或隐藏它们的最佳方法

其他地方（注册表，外部文件），同时避免用户干预

检索秘密？


Thanx，

Picho


PS - 我正在考虑这样的说法，即代码中嵌入（硬编码）的任何东西都可以通过调试或

反映等来提取。

解决方案

这种方法对于某些商店来说是一个根本性的转变，但不允许任何

应用程序与您的数据库建立连接。 （下巴放在胸前）。

相反，让你的应用程序连接到建立连接的组件

并返回DataSet，DataReader等。然后使用域安全性

确定谁可以访问哪些数据。我们每天都会在我的

客户网站上面对这一挑战。有些人接受这种改变，有些人会反对。如果安全对您很重要，请自行询问

。

" Picho" < SP ******** @ telhai.ac.il>在消息中写道

news：uK ************** @ TK2MSFTNGP10.phx.gbl ...

大家好，

让我们说我有一个秘密。我希望隐藏，让我们说一个数据库密码。
对于更详细的问题，使用
连接字符串的Web应用程序/服务。

所有解决方案我提出（嵌入代码，
加密 - 解密）涉及在代码中嵌入/另一个秘密。由于我的问题无法请求用户干预，我处于停止状态。

什么是避免在代码中写秘密或隐藏它们的最佳方法
其他地方（注册表） ，外部文件）同时避免用户干预
来检索秘密？

Thanx，

Picho

PS - 我正在考虑通过调试
或反映等来解释代码中嵌入（硬编码）的任何东西的原理。

谢谢Keith的回复。


你说的不是一个实用的解决方案，我们可以轻松地讨论
$'$ b''组件''连接到数据库的方式（网络应用程序不是那么多b $ b不同于任何其他组件，除了它使用的频道或
$ b DMZ中的$ b）....


Picho


" Keith" < css@NO_SPAM_ConsultWithUs.com>在留言中写道

新闻：OF ************* @ TK2MSFTNGP12.phx.gbl ...

这种做法是一个根本性的转变对于某些商店，但不允许任何
应用程序连接到您的数据库。 （下巴上b
胸部）。相反，让您的应用程序连接到建立
连接的组件并返回DataSet，DataReader等。然后使用域安全性来确定谁可以访问哪些数据。我们每天都在客户的网站上以
的价格面对这一挑战。有些人接受这种改变，有些人会反对。如果安全对您很重要，请务必询问自己。

Picho < SP ******** @ telhai.ac.il>在消息中写道
新闻：英国************** @ TK2MSFTNGP10.phx.gbl ...

大家好，
密码。对于更详细的问题，使用
连接字符串的Web应用程序/服务。

我提出的所有解决方案（嵌入代码，加密 - 解密）

涉及在代码中嵌入/另一个秘密。由于我的问题
无法请求用户干预，我处于停止状态。

什么是避免在代码中写入秘密或在其他任何地方隐藏
的最佳方法（注册表） ，外部文件）同时避免用户

介入

检索秘密？

Thanx，
Picho

PS - 我正在考虑一个说法，即代码中嵌入（硬编码）的任何东西都可以通过调试

或

反映等来提取。

这就是为aspnet_setreg创建的。


参见这篇文章：
http://msdn.microsoft.com/library/de...itysection.asp


想法是存储你的注册表设置中的凭据，采用加密的

格式。即使有人拿到你的应用程序，他们也没有得到注册表。您可以在注册表项上设置ACL，以防止网络外的任何人获取加密凭据。已经存在一个实用程序

允许系统管理员加密凭据并将它们存储到

正确的位置，并且您的配置文件可以提取凭证而不需要很多

代码更改。


HTH

---尼克

" Picho" < SP ******** @ telhai.ac.il>在消息中写道

news：uK ************** @ TK2MSFTNGP10.phx.gbl ...

大家好，

让我们说我有一个秘密。我希望隐藏，让我们说一个数据库密码。
对于更详细的问题，使用
连接字符串的Web应用程序/服务。

所有解决方案我提出（嵌入代码，
加密 - 解密）涉及在代码中嵌入/另一个秘密。由于我的问题无法请求用户干预，我处于停止状态。

什么是避免在代码中写秘密或隐藏它们的最佳方法
其他地方（注册表） ，外部文件）同时避免用户干预
来检索秘密？

Thanx，

Picho

PS - 我正在考虑通过调试
或反映等来解释代码中嵌入（硬编码）的任何东西的原理。

Hi all,

Lets say I have a "secret" I wish to "hide", lets say a database password.
For the more detailed problem, a web application/service that uses a
connection string.

all the solutions I came up with (embedding in code, encrypting-decrypting)
involve embedding the/another secret in the code. since my problem cannot
request a user intervention, I am at a stop.

what will be the best way to avoid writing secrets in code or hiding them
anywhere else (registry, external files) while avoiding user intervention to
retrieve the secret?

Thanx,

Picho

P.S. - I am taking into consideration the axume that says that anything
embedded (hard coded) in the code can be extracted by means of debugging or
reflecting etc.

解决方案

This approach is a radical shift for some shops, but do not allow any
applications to make connections into your database. (jaw drops on chest).
Instead, have your apps connect to a component that establishes a connection
and returns a DataSet, DataReader, etc. Then use Domain security to
determine who can access which data. We face this challenge every day at my
clients'' sites. Some accept this change, some fight it. Just have to ask
yourself if security is important to you.
"Picho" <SP********@telhai.ac.il> wrote in message
news:uK**************@TK2MSFTNGP10.phx.gbl...

Hi all,

Lets say I have a "secret" I wish to "hide", lets say a database password.
For the more detailed problem, a web application/service that uses a
connection string.

all the solutions I came up with (embedding in code, encrypting-decrypting) involve embedding the/another secret in the code. since my problem cannot
request a user intervention, I am at a stop.

what will be the best way to avoid writing secrets in code or hiding them
anywhere else (registry, external files) while avoiding user intervention to retrieve the secret?

Thanx,

Picho

P.S. - I am taking into consideration the axume that says that anything
embedded (hard coded) in the code can be extracted by means of debugging or reflecting etc.

thank you Keith for your reply.

what you say is not a practical solution, we could easly be discussing the
way that ''component'' connects to the database (the web-application is not so
different than any other component except for the channel it uses or being
in the DMZ)....

Picho

"Keith" <css@NO_SPAM_ConsultWithUs.com> wrote in message
news:OF*************@TK2MSFTNGP12.phx.gbl...

This approach is a radical shift for some shops, but do not allow any
applications to make connections into your database. (jaw drops on chest). Instead, have your apps connect to a component that establishes a connection and returns a DataSet, DataReader, etc. Then use Domain security to
determine who can access which data. We face this challenge every day at my clients'' sites. Some accept this change, some fight it. Just have to ask
yourself if security is important to you.
"Picho" <SP********@telhai.ac.il> wrote in message
news:uK**************@TK2MSFTNGP10.phx.gbl...

Hi all,

Lets say I have a "secret" I wish to "hide", lets say a database password. For the more detailed problem, a web application/service that uses a
connection string.

all the solutions I came up with (embedding in code, encrypting-decrypting)

involve embedding the/another secret in the code. since my problem cannot request a user intervention, I am at a stop.

what will be the best way to avoid writing secrets in code or hiding them anywhere else (registry, external files) while avoiding user

intervention to

retrieve the secret?

Thanx,

Picho

P.S. - I am taking into consideration the axume that says that anything
embedded (hard coded) in the code can be extracted by means of debugging

or

reflecting etc.

This is what aspnet_setreg was created for.

See this article:
http://msdn.microsoft.com/library/de...itysection.asp

The idea is to store your credentials in a registry setting, in an encrypted
format. Even if someone gets your app, they don''t get the registry. You
can set ACLs on the registry keys to prevent anyone outside the network from
getting the encrypted credentials. There is a utility already in existence
to allow system admins to encrypt the credentials and store them into the
correct spots, and your config files can pull the credentials without many
code changes on your part.

HTH
--- Nick
"Picho" <SP********@telhai.ac.il> wrote in message
news:uK**************@TK2MSFTNGP10.phx.gbl...

Hi all,

Lets say I have a "secret" I wish to "hide", lets say a database password.
For the more detailed problem, a web application/service that uses a
connection string.

all the solutions I came up with (embedding in code, encrypting-decrypting) involve embedding the/another secret in the code. since my problem cannot
request a user intervention, I am at a stop.

what will be the best way to avoid writing secrets in code or hiding them
anywhere else (registry, external files) while avoiding user intervention to retrieve the secret?

Thanx,

Picho

P.S. - I am taking into consideration the axume that says that anything
embedded (hard coded) in the code can be extracted by means of debugging or reflecting etc.

这篇关于“隐藏”的最佳做法秘密的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！