如何保护 .NET 应用程序中的 API 密钥 [英] How to protect an API key in a .NET application

问题描述

我的应用程序访问了许多网络服务，例如 Twitter 和 Flickr.它使用来自这些服务的 API 密钥，我想在我的二进制文件中混淆它们.(我并不担心盗版或其他任何事情，我只需要对这些密钥保密.)

My application hits a number of web services, such as Twitter and Flickr. It uses API keys from those services, and I'd like to obfuscate them in my binaries. (I'm not really worried about piracy or anything, I just need to keep these keys secret.)

最好的方法是什么?

如果我将它们存储为 const SecureString，这会让他们失去记忆吗?MSDN 描述说该文本不再需要时从计算机内存中删除"，但不是始终在内存中的常量吗?

If I store them as const SecureString, does that keep them out of memory? The MSDN description says the text is "deleted from computer memory when no longer needed", but isn't a const always in memory?

Dotfuscator 会在我的程序集中掩盖它吗?(假设我可以让它工作.)

Will Dotfuscator obscure it in my assembly? (Assuming I can get it to work.)

推荐答案

我最近不得不处理这种情况.问题不在于确保有人不能使用十六进制编辑器轻松找到它，而在于当它通过线路发送到各种 API 时.无论如何，简单地运行 fiddler 和 watch requests 都会显示密钥.某些 API 将受益于私钥/公钥，这会有所帮助.

I've recently had to deal with exactly this situation. The problem isn't so much making sure someone can't easily find it using a hex editor but rather when it's sent over the wire to the various APIs. Simply running fiddler and watching requests will show the key regardless. Some APIs will have the benefit of a private/public key which helps a little.

我能想到的唯一解决方案是创建我自己的外部托管网络服务，充当客户端和目标 API 之间的代理.这让我可以为每个终端生成单独的密钥，我可以激活/停用这些密钥，并且大部分敏感数据都存储在我的远程代理应用程序中.

The only solution I could come up with was to create a webservice of my own externally hosted that acted as a proxy between the client and the targeted API. This allowed me to generate individual keys to each terminal that I could activate/deactivate and majority of the sensitive data was stored on my remote proxy application.

祝你好运！

~别忘了喝你的阿华田"

~ "Dont't forget to drink your Ovaltine"

这篇关于如何保护 .NET 应用程序中的 API 密钥的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！