Hiding hard coded credentials


Question

Hello all,

Yesterday I used some code I found on this site to temporarily authenticate to a UNC path and then transfer data. Here is the link: Connect to a UNC Path with Credentials.

It works great but the problem is that the credentials for authenticating to the file server are in plain text in the code. Obviously it is not visible to the user when using the .exe but I am concerned that some nefarious user could decompile the exe and get at the credentials. Is this something I should even be concerned about? If so, is there a way to somehow hide or encrypt the credentials so that they would not be visible in such a situation?

Thanks in advance for your help.

-Matt

Answers

Firstly, assess the risk associated with someone retrieving the credentials, particularly in terms of:

1. How likely it is.
2. What damage would be caused by someone using those credentials.
3. How quickly you can respond to the compromise in terms of securing the resource the credentials are used to access and in terms of distributing a fix.

I would almost certainly suggest there should at least be some obfuscation as the credentials are probably very easily accessible if they are just text constants. As for obfuscating the text, I would suggest some kind of symmetric algorithm (not necessarily encryption with a key) and then put some anti-debugging code in place. There are some good chapters in this book that might be worth looking at.

If the impact and likelihood of a compromise is significant, then you may need to think about something a bit more secure and abandon hard coded credentials.

It's easier to get those credentials than decompiling. You can just use Sysinternals Process Explorer (if you haven't seen it yet, it's task manager on steroids). With that, you can view all the strings in any running application.

I'm sure there are better ways now, but I would probably encrypt the credentials and hide them in a .dll that I include with my application. When your app starts up, read the credentials from the .dll, decrypt them and use them to connect. Then write a new value to the string that contained the credentials.

Like I said - I'm sure there are better ways to handle this these days - but that's what I would do.

- Pete
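Both answers above rest on the same observation: a credential that sits in the binary as a contiguous run of printable characters is visible to anyone who runs a strings tool or opens the process in Process Explorer. The script below is an added example, not code from the original thread or either of its authors. It is the pre-release check a developer can run over the build output: it pulls out printable ASCII and UTF-16LE runs the way those tools do (the CLR stores string literals as UTF-16, so an ASCII-only scan misses exactly the constants Matt is asking about) and flags runs that look like a UNC path, a domain account, or a password assignment. The sample image bytes, the server name, the account and the password are all constructed for this example.

```python
"""Pre-release scan of a build artifact for hard-coded credential material.

Added example, not from the original thread. It mimics what a strings
tool or Process Explorer shows (every printable run in the image) and
then applies simple heuristics to flag runs that look like secrets.
"""
import re
import sys
from typing import List, Tuple

MIN_LEN = 6

# Shapes that should never appear as literals in a shipped binary.
CREDENTIAL_PATTERNS = [
    ("unc_path", re.compile(r"^\\\\[\w.-]+\\[\w$.-]+")),
    ("domain_account", re.compile(r"^[A-Za-z0-9.-]+\\[A-Za-z0-9_.-]+$")),
    ("password_kv", re.compile(r"(?i)\b(password|passwd|pwd)\s*[=:]\s*\S+")),
]


def extract_strings(image: bytes, min_len: int = MIN_LEN) -> List[str]:
    """Return printable runs of at least min_len characters.

    ASCII runs are collected first, then UTF-16LE runs: .NET keeps string
    literals in the assembly's #US heap as UTF-16, so an ASCII-only scan
    would miss the constants this thread is about.
    """
    ascii_run = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_run = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [m.group().decode("ascii") for m in ascii_run.finditer(image)]
    found += [m.group().decode("utf-16-le") for m in utf16_run.finditer(image)]
    return found


def find_credential_candidates(image: bytes) -> List[Tuple[str, str]]:
    """Pair each suspicious string with the first heuristic it matches."""
    hits = []
    for s in extract_strings(image):
        for label, pattern in CREDENTIAL_PATTERNS:
            if pattern.search(s):
                hits.append((label, s))
                break
    return hits


# Constructed stand-in for a compiled .exe: header noise around a few
# literals laid out the way a compiler emits them. Not a real binary;
# server, account and password values are invented for the example.
SAMPLE_IMAGE = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    + b"\\\\fileserver01\\backup\x00\x00"      # UNC path as an ASCII literal
    + b"DOMAIN\\svc_transfer\x00\x00"          # service account as an ASCII literal
    + "Password=Winter2009!".encode("utf-16-le") + b"\x00\x00"  # as the CLR stores it
    + b"\x7f\x80\x90\xa0"
    + b"Connected to share\x00"                # harmless UI text, must not be flagged
)


def scan_file(path: str) -> List[Tuple[str, str]]:
    """Scan an artifact on disk; returns the same (label, value) pairs."""
    with open(path, "rb") as fh:
        return find_credential_candidates(fh.read())


if __name__ == "__main__":
    # With a path argument, scan that file; otherwise scan the constructed sample.
    hits = scan_file(sys.argv[1]) if len(sys.argv) > 1 else find_credential_candidates(SAMPLE_IMAGE)
    for label, value in hits:
        print(f"{label:15s} {value}")
    sys.exit(1 if hits else 0)
```

Run against the sample, the scan flags the UNC path, the account and the password while leaving the UI text alone, and the non-zero exit code lets it gate a build. A credential that has been encrypted into a resource or a side .dll, as Pete suggests, passes this scan because the ciphertext is no longer a printable run; the same scan taken against the running process, which is what Process Explorer does, still sees the value once it has been decrypted for the connection, which is why the first answer's point stands that the real fix is not to ship the credential in the first place.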

