NET 3.5的,最安全的方式来传递进程之间串 [英] .Net 3.5, most secure way to pass string between processes
问题描述
我希望能够通过一个SecureString的(缓存密码),在C#(.NET 3.5)一个子进程,但我不知道最安全的方式是怎样做到这一点。如果我的SecureString的转换回一个普通的字符串,并将其作为一个命令行参数,例如,然后我的认为的值可能会有磁盘分页 - 这将使明文触摸文件系统,毁掉使用SecureString的点。
I'd like to be able to pass a SecureString (a cached passphrase) to a child process in C# (.Net 3.5), but I don't know what the most secure way is to do it. If I were to convert the SecureString back to a regular string and pass it as a command-line argument, for example, then I think the value may be prone to disk paging--which would make the plaintext touch the filesystem and ruin the point of using SecureString.
能否IntPtr的为SecureString的传递呢?我可以使用命名管道不增加风险?
Can the IntPtr for the SecureString be passed instead? Could I use a named pipe without increasing the risk?
推荐答案
一般来说,你应该担心更多的外来袭击之前定义你的威胁模型。在这种情况下:你是否担心有人关闭计算机并执行硬盘的取证分析?应用程序的内存也可以换出,这样一个简单的事实的一个的进程在内存中,使得它有可能有可能它结束在交换文件。那么冬眠?期间休眠的存储器的全部内容被写入到硬盘(包括SecureString的! - 和presumably加密密钥)。如果有什么攻击者访问系统的,而它的运行的,并且可以通过应用程序的内存搜索?
In general you should define your threat model before worrying about more exotic attacks. In this case: are you worried that somebody shuts down the computer and does a forensic analysis of the harddrive? Application memory can also be swapped out, so the simple fact that one process has it in memory, makes it potentially possible for it to end in the swap file. What about hibernation? During hibernation the entire content of the memory is written to the harddisk (including the SecureString - and presumably the encryption key!). What if the attacker has access to the system while it's running and can search through the memory of applications?
在一般的客户端安全性是非常棘手,除非你有专门的硬件(如TPM芯片),这几乎是不可能得到正确的。两种解决方案是:
In general client side security is very tricky and unless you have dedicated hardware (like a TPM chip) it is almost impossible to get right. Two solutions would be:
- 如果你只需要测试两个字符串(例如:是这样的字符串一样的一个我早些时候曾)之间的平等,店内只有一个(咸)哈希它值
- 请用户重新输入信息时,需要进行第二次(不是很方便,但是安全性和便利性都彼此相对)
这篇关于NET 3.5的,最安全的方式来传递进程之间串的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
