储存我的亚马逊凭据在C#桌面应用程序 [英] Storing My Amazon Credentials in C# Desktop App
问题描述
我期待在使用Amazon S3和SimpleDB的桌面应用程序。
I'm Looking at using Amazon S3 and simpleDB in a desktop application.
主要的问题我已经是我要么需要存储我的AWS凭据的应用程序,或者使用一些其他的方案。
The main issue I have is that I either need to store my aws credentials in the application or use some other scheme.
我猜测,将它们存储在应用程序出了问题,他们会很容易地挑选出来。
I'm guessing that storing them in the application is out of the question as they would be easily picked out.
另一种方法是创建一个用于创建AWS认证签名的web服务,但这有它自己的问题。 是否需要签名从文件多数民众赞成在所有的数据被上传?如果是的话我会所有的数据传输的两倍。 那么就不会有这是使用AWS的主要原因之一中央故障点。
Another option is to create a web service that creates the aws authentication signature but this has its own issues. Does the signature require all the data from a file thats being uploaded? If so I would have to transfer all the data twice. There would then be a central failure point which was one of the main reasons for using aws.
任何想法?
更新:
我需要使它成为一个更清楚一点,我正在想保存我的AWS凭据发放给其他应用程序。 DPAPI或任何其他加密只会使用反射来获取证书只能阻止人们。使用任何加密仍然需要,很容易拿到钥匙。
I needed to make it a bit clearer that I'm wanting to store my aws credentials in an application handed out to others. DPAPI or any other encryption would be only stop people simply using reflector to get the credentials. Using any encryption still needs the key that is easy to get.
更新2 - 2011年9月
亚马逊已经发布了有关使用AWS安全令牌服务,它允许进行身份验证,但不透露你的密钥的一些细节。更多详细信息可在<一href="http://aws.typepad.com/aws/2011/09/updated-mobile-sdks-for-aws-improved-credential-management.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3a%20AmazonWebServicesBlog%20%28Amazon%20Web%20Services%20Blog%29">this博客文章。
Amazon have released some details on using the AWS Security Token Service, which allows for authentication without disclosing your secret key. More details are available on this blog post.
推荐答案
蒂姆,你确实击中了两个关键的方法:
Tim, you're indeed hitting on the two key approaches:
-
不够好:存储在应用程序中的密钥秘密。有确实是有人只是挑选出来的应用程序,code的重大风险。有些缓解可能是(一)使用DPAPI来存储应用程序二进制文件外键,或(b)从Web服务获得过线的关键每次你需要它时(通过SSL),但从来没有存储在本地。没有缓解真的可以减缓胜任攻击者使用调试器,作为明文密钥必须结束了在应用程序的内存。
NOT GOOD ENOUGH: store the secret key "secretly" in the app. There is indeed a grave risk of someone just picking it out of the app code. Some mitigations might be to (a) use the DPAPI to store the key outside the app binary, or (b) obtain the key over the wire from your web service each time you need it (over SSL), but never store it locally. No mitigation can really slow down a competent attacker with a debugger, as the cleartext key must end up in the app's RAM.
BETTER:将需要被保护到Web服务,并签署在那里的内容。好消息是,只有请求名称和时间戳需要签名 - 并不是所有的上传位(我猜亚马逊并不想花个周期验证所有这些位要么!)。以下是亚马逊自己有关的code线<一href="http://developer.amazonwebservices.com/connect/entry.jspa?externalID=875&categoryID=47">Introduction到AWS的C#开发人员。请注意 Aws_GetSignature 被调用只能用PutObject和时间戳?你肯定可以实现自己的Web服务的签名,而无需发送整个文件,并不会影响你的关键。如果你想知道, Aws_GetSignature 是9行函数,它在常量字符串AmazonS3,在操作名称的串联一个SHA1哈希和RFC822再时间戳presentation - 用你的密钥
BETTER: Push the content that needs to be protected to your web service and sign it there. The good news is that only the request name and timestamp need to be signed -- not all the uploaded bits (I guess Amazon doesn't want to spend the cycles on verifying all those bits either!). Below are the relevant code lines from Amazon's own "Introduction to AWS for C# Developers". Notice how Aws_GetSignature gets called only with "PutObject" and a timestamp? You could definitely implement the signature on your own web service without having to send the whole file and without compromising your key. In case you're wondering, Aws_GetSignature is a 9-line function that does a SHA1 hash on a concatenation of the constant string "AmazonS3", the operation name, and the RFC822 representation of the timestamp -- using your secret key.
DateTime timestamp = Aws_GetDatestamp();
string signature = Aws_GetSignature( "PutObject", timestamp );
byte[] data = UnicodeEncoding.ASCII.GetBytes( content );
service.PutObjectInline( "MainBucket", cAWSSecretKey, metadata,
data, content.Length, null,
StorageClass.STANDARD, true,
cAWSAccessKeyId, timestamp, true,
signature, null );
编辑:请注意,当你可以让你的亚马逊身份隐藏的秘密密钥部分,访问密钥ID部分需要被嵌入的请求。除非你通过自己的Web服务发送的文件,你必须将其嵌入应用程序。
note that while you can keep the secret key portion of your Amazon identity hidden, the access key ID portion needs to be embedded in the request. Unless you send the file through your own web service, you'll have to embed it in the app.
这篇关于储存我的亚马逊凭据在C#桌面应用程序的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
