Securing a password input in c# dotnet core console app


Question

Long-time lurker here, finally having a question that I'm not seeing. I am writing a c# console application in dotnet core and trying to allow a user to input a password, and am concerned about security, particularly memory dumping.

Following "Password masking console application", my understanding is that a password stored as a string variable could be exposed through a memory dump (reference).

SecureString would normally be the way to go here but doesn't seem to be supported in dotnet core.

I've tried to modify the code to use a char array, because my limited understanding is that it is not immutable, so it will not all be stored in a single piece of memory. Honestly though, security is not my forte, so my question is: does this code below properly protect me from exposing the password through a memory dump?

    using System;

    class Program
    {
        static void Main()
        {
            Console.WriteLine("Enter pass");
            char[] passwordArray = new char[256];
            char[] shortenedPasswordArray = Array.Empty<char>();
            int whileIndex = 0;

            try
            {
                while (true)
                {
                    ConsoleKeyInfo key = Console.ReadKey(true);
                    if (key.Key == ConsoleKey.Enter)
                    {
                        break;
                    }
                    else if (key.Key == ConsoleKey.Backspace)
                    {
                        if (whileIndex != 0) //so it doesn't explode if someone holds backspace
                        {
                            whileIndex--;
                            passwordArray[whileIndex] = '\0'; //also wipe the removed character
                        }
                    }
                    else if (whileIndex < passwordArray.Length) //ignore input past the buffer size instead of overflowing
                    {
                        passwordArray[whileIndex] = key.KeyChar;
                        whileIndex++;
                    }
                }

                //Truncate array to length of password. whileIndex is the length;
                //Array.IndexOf(passwordArray, '\0') would return -1 when the buffer is full.
                shortenedPasswordArray = new char[whileIndex];
                Array.Copy(passwordArray, shortenedPasswordArray, whileIndex);

                //Authentication code here
            }
            finally
            {
                //Wipe the characters when done, even if authentication throws.
                //(The original loops indexed the arrays with each char's value; Array.Clear zeroes every slot.)
                Array.Clear(passwordArray, 0, passwordArray.Length);
                Array.Clear(shortenedPasswordArray, 0, shortenedPasswordArray.Length);
            }
        }
    }


Answer

Some comments:

1) First and foremost remember that security is not solved in one application. For somebody with full access to the machine there is (almost) nothing you can do to keep a password truly secure.

(Fun exercise: How would you authenticate a password without keeping the password in memory at all?)

2) SecureString only gives you more control over the lifespan of a password in memory by letting you determine when it goes away. A normal string may last a very long time in memory, even until the program exits, since it doesn't go away until garbage collection. SecureString lets you explicitly wipe it, but it still exists in memory until then.

3) Using your own char array is a good idea, but I might have used a List because it allows a variable length, or maybe even a LinkedList because it spreads the characters out in memory. Shrug. Refer back to #1 and consider what kind of attacks you're protecting the password from.
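As an added example (not code from the question or the answer), here is one way to put the answer's points 1 and 2 and its "fun exercise" together: read the password into a pinned char[] buffer, derive a PBKDF2 hash from it, and wipe the buffer in a finally block, so that only the derived hash is kept and compared. It assumes .NET 6 or later (for the static Rfc2898DeriveBytes.Pbkdf2, GC.AllocateArray and RandomNumberGenerator.GetBytes(int)); the class, method and constant names are my own.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example, not code from the question or the answer.
// Assumes .NET 6 or later.
static class PasswordPrompt
{
    const int MaxChars = 256;

    // Reads keystrokes without echo into a caller-supplied buffer.
    // Returns the password length; backspace wipes the removed slot.
    static int ReadPassword(char[] buffer)
    {
        int length = 0;
        while (true)
        {
            ConsoleKeyInfo key = Console.ReadKey(intercept: true);
            if (key.Key == ConsoleKey.Enter)
                break;
            if (key.Key == ConsoleKey.Backspace)
            {
                if (length > 0)
                    buffer[--length] = '\0';
            }
            else if (length < buffer.Length)
            {
                buffer[length++] = key.KeyChar;
            }
            // Input beyond the buffer is silently dropped rather than overflowing.
        }
        return length;
    }

    // Prompts for a password and returns only its PBKDF2-SHA256 hash.
    // The plaintext never becomes a string and is wiped before returning.
    public static byte[] DeriveHash(byte[] salt, int iterations, int hashLength = 32)
    {
        // Pinned allocations live on the pinned object heap, so GC compaction
        // never copies the plaintext to a second location that we cannot wipe.
        char[] chars = GC.AllocateArray<char>(MaxChars, pinned: true);
        byte[] utf8 = GC.AllocateArray<byte>(Encoding.UTF8.GetMaxByteCount(MaxChars), pinned: true);
        try
        {
            int charCount = ReadPassword(chars);
            int byteCount = Encoding.UTF8.GetBytes(chars.AsSpan(0, charCount), utf8);
            byte[] hash = new byte[hashLength];
            Rfc2898DeriveBytes.Pbkdf2(utf8.AsSpan(0, byteCount), salt, hash, iterations, HashAlgorithmName.SHA256);
            return hash;
        }
        finally
        {
            // Best effort only: the console driver and the OS may still hold copies
            // of the keystrokes (the answer's point 1).
            Array.Clear(chars, 0, chars.Length);
            CryptographicOperations.ZeroMemory(utf8);
        }
    }

    static void Main()
    {
        const int Iterations = 100_000;
        byte[] salt = RandomNumberGenerator.GetBytes(16);

        // Enrolment: in a real system the salt and hash would be persisted, not held here.
        Console.WriteLine("Set password:");
        byte[] stored = DeriveHash(salt, Iterations);

        Console.WriteLine("Enter password:");
        byte[] attempt = DeriveHash(salt, Iterations);

        // Constant-time comparison so timing does not leak how many bytes matched.
        bool ok = CryptographicOperations.FixedTimeEquals(stored, attempt);
        Console.WriteLine(ok ? "Authenticated" : "Rejected");
    }
}
```

Two design choices worth noting: the buffers are allocated with `pinned: true` because a normal managed array can be relocated by the garbage collector, leaving a stale copy of the plaintext that `Array.Clear` never reaches; and the password is converted to bytes by the program itself rather than passed as a char span to the hashing API, so that the transient UTF-8 copy is also under the program's control and can be zeroed.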
