Password encryption in C#


Problem description

I need to implement a password encryption for passwords stored in a config file.

What is the best symmetric method to use?

What I have tried:

Just some research, but not sure what is best to use

Recommended answer

A first important note: if you can avoid the need to decrypt the password, you should. For example, if it's just to compare user input to a previously stored password, you should not use an encryption/decryption algorithm, but a hashing algorithm or a key derivation algorithm so someone can't just recover the original password. For this purpose, take a look into bcrypt or PBKDF2.

Of course there are purposes where you do need to decrypt it - for example, when you need to pass it as part of a web request. For that purpose, the best way to store the password depends on the operating system:

If you're talking about a Windows desktop application, you should use the CryptProtectData API, which stores the credentials in protected memory regions and encrypts them with a key that is part of the user profile. This is the standard protection mechanism for Windows applications.

On Linux you could look into using the GNOME keyring or KDE wallet, and OS X has a set of APIs for its keyring too. This would ensure that the security settings for the user's keyring take overriding control - they can decide how often they want to have to re-enter their master key.

Any procedure you choose to obfuscate passwords is an exercise in futility against any half-determined attacker, so at most you're creating an illusion of security. My suggestion is to include a setting that says "remember my password", but warn your users that the password will be stored locally in a reversible format that offers little security, so that they're aware of the issue.

For a Linux or a Mac I can't provide an example. If you're using Windows and want to see an implementation of the CryptProtectData API: I have an article of which the CryptProtectData API is a part: you'll be interested in the "EncryptDecryptData - for encryption and decryption using CryptProtectData" section of the article.
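
The two cases the answer above distinguishes, sketched in C# as an added example (not code from the answer or its linked article): PBKDF2 for a password that only has to be verified, and DPAPI through .NET's `ProtectedData` wrapper around CryptProtectData for one that must be recovered. It assumes .NET 6 or later with the System.Security.Cryptography.ProtectedData package on Windows; the class name, stored-string format, iteration count and sample values are choices made for this example.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

static class CredentialStore // hypothetical helper for this example
{
    // Assumed parameters for this example; tune the iteration count to your hardware.
    const int SaltSize = 16, HashSize = 32, Iterations = 600_000;

    // Case 1: the password only has to be verified. Store salt + PBKDF2 output, never the password.
    public static string HashPassword(string password)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(SaltSize);
        byte[] hash = Rfc2898DeriveBytes.Pbkdf2(password, salt, Iterations, HashAlgorithmName.SHA256, HashSize);
        return $"{Iterations}.{Convert.ToBase64String(salt)}.{Convert.ToBase64String(hash)}";
    }

    public static bool VerifyPassword(string password, string stored)
    {
        string[] parts = stored.Split('.');
        if (parts.Length != 3 || !int.TryParse(parts[0], out int iterations) || iterations < 1) return false;
        byte[] salt = Convert.FromBase64String(parts[1]);
        byte[] expected = Convert.FromBase64String(parts[2]);
        byte[] actual = Rfc2898DeriveBytes.Pbkdf2(password, salt, iterations, HashAlgorithmName.SHA256, expected.Length);
        return CryptographicOperations.FixedTimeEquals(actual, expected); // constant-time compare
    }

    // Case 2: the password must be recovered later. DPAPI (CryptProtectData) via ProtectedData; Windows only.
    public static string ProtectForConfig(string secret) =>
        Convert.ToBase64String(ProtectedData.Protect(
            Encoding.UTF8.GetBytes(secret), null, DataProtectionScope.CurrentUser));

    public static string UnprotectFromConfig(string configValue) =>
        Encoding.UTF8.GetString(ProtectedData.Unprotect(
            Convert.FromBase64String(configValue), null, DataProtectionScope.CurrentUser));
}

static class Program
{
    static void Main()
    {
        string stored = CredentialStore.HashPassword("constructed-sample-password");
        Console.WriteLine(CredentialStore.VerifyPassword("constructed-sample-password", stored));
        Console.WriteLine(CredentialStore.VerifyPassword("wrong-guess", stored));
        string configValue = CredentialStore.ProtectForConfig("constructed-api-secret");
        Console.WriteLine(CredentialStore.UnprotectFromConfig(configValue) == "constructed-api-secret");
    }
}
```

With `DataProtectionScope.CurrentUser` the protected value can only be unprotected under the same Windows user profile, so any process running as that user can recover it and a config file copied to another account or machine cannot be read back.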

