安全地存储在程序code密码? [英] Securely store a password in program code?
问题描述
我的应用程序将使用RijndaelManaged类来加密数据。由于这种加密的一部分,我用装有一个密码,得到的会转换为字节数组,并加载到在运行时RajindaelManaged对象的关键一SecureString的对象。
My application makes use of the RijndaelManaged class to encrypt data. As a part of this encryption, I use a SecureString object loaded with a password which get's get converted to a byte array and loaded into the RajindaelManaged object's Key at runtime.
我的问题是这样的SecureString的的存储。用户输入的密码可以在运行时被输入,并且,可以是牢固装入SecureString的对象,但是,如果没有用户输入的口令,然后我需要默认为某物。
The question I have is the storage of this SecureString. A user entered password can be entered at run-time, and that can be "securely" loaded into a SecureString object, but if no user entered password is given, then I need to default to something.
所以,最后的quesiton归结为:
So ultimately the quesiton comes down to:
如果我必须有一些已知的字符串或字节数组加载到每一次我的应用程序运行一个SecureString的对象,我该怎么办呢?最终得到被其他应用程序解密,因此即使未指定用户输入的密码加密的数据,我还需要同时它从一个应用程序到另一个数据进行加密。这意味着我不能有默认密码是随机的,因为其他应用程序将无法正常进行解密。
If I have to have some known string or byte array to load into a SecureString object each time my application runs, how do I do that? The "encrypted" data ultimately gets decrypted by another application, so even if no user entered password is specified, I still need the data to be encrypted while it goes from one app to another. This means I can't have the default password be random, because the other app wouldn't be able to properly decrypt it.
一个可行的办法,我的想法是创建一个DLL只吐出一个密码,然后使用该密码,并通过几个不同的散列的运行/重组功能,在运行之前,我最终将其送到SecureString的目的。这是否足够安全?
One possible solution I'm thinking is to create a dll which only spits out a single passphrase, then I use that passphrase and run it through a couple of different hashing/reorganizing functions at runtime before I ultimately feed it into the secureString object. Would this be secure enough?
编辑为了清楚*:经加密的数据被经由计算机之间的文件传递。把它看成是一个压缩文件,它总是有一个密码,一个默认的假设,如果没有被用户直接输入。
Edit For clarity*: The encrypted data is being passed via files between machines. Think of it as a Zip file which always has a password, a default one is assumed if nothing is directly entered by the user.
推荐答案
有一个在一个字符串是硬coded到你的可执行文件加密对称没有意义。它只会造成安全的假象。再多的散列修复了这个方案。
There is no point in symmetrically encrypting with a string that's hard-coded into your executable. It will only give a false sense of security. No amount of hashing fixes this scheme.
请参阅这Pidgin的常见问题解答同一点在不同的上下文。
See this Pidgin FAQ for the same point in a different context.
我不清楚为什么你认为你需要跨应用程序通信进行加密。如果此通信是本地的机器,那么我不认为有必要进行加密,特别是加密的,是不是用户特定的。这是一个DRM方案?
I am unclear why you think you need the inter-app communication to be encrypted. If this communication is local to the machine, then I don't see the need for encryption, particularly encryption that isn't user-specific. Is this a DRM scheme?
编辑:如果它被传递到不同的机器,或许你可以硬codeA 公钥,然后让其他机进行解密,与匹配的私钥。
If it's being passed to a different machine, perhaps you can hard-code a public key, and then have the other machine decrypt with the matching private key.
这篇关于安全地存储在程序code密码?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
