Where to Store Encryption Keys MVC Application


Problem description

I am using an AES encryption/decryption class that needs a key value and vector value to encrypt and decrypt data in an MVC3 application.

On saving the record I am encrypting the data then storing in a database. When I retrieve the record I am decrypting in the controller and passing the unencrypted value to the view.

The concern is not protecting data as it traverses the network but to protect the database should it be compromised.

I have read many posts that say don't put the keys for encryption in your code.

Ok so where should they be kept? File system? Another Database?

Looking for some direction.

Recommended answer

Common sense says, if an intruder gets access to your database, they will most likely also have access to your file system. It really comes down to you. For one, you can try to hide it. In configuration files, in plain files somewhere in file system, encrypt it with another key that is within the application ... and so on and so forth.

Configuration files are a logical answer, but why take a chance - mix it. Feel free to mix keys with multi-level encryptions - one requiring something from the record itself and being unique to every record, other one requiring a configuration value, third one requiring an application-specific value, and perhaps a fourth one from a library hidden well within your application's references? This way, even if one layer somehow gets compromised, you will have several others protecting it.

Yes, it adds overhead. Yes, it is relatively expensive. But is it worth it if you have sensitive data like user credit card details? You bet it is.

I'm using similar encryption and hashing techniques in one of my personal pet projects that is highly security focused and carefully controlled. It depends how much data you need to display at any one time - for example, mine will ever fetch only 10 records at a time, most likely even less.

... To specify what I mean by mixing: Encrypt once. Then encrypt that data again with different key and suggestedly different algorithm.
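
One way to make a database dump useless on its own, using the three inputs the answer lists (a per-record value, a configuration value and an application-specific value). This is an added example, not code from the question or the answer, and it is written in Python rather than the asker's ASP.NET. It swaps the answer's repeated encryption for HKDF key derivation (RFC 5869), which produces one AES key per record; the environment variable `APP_MASTER_KEY_HEX`, the label `APP_CONTEXT` and all function names are assumptions of the example.

```python
import hashlib
import hmac
import os

# Hypothetical application-specific label; binds derived keys to one purpose.
APP_CONTEXT = b"example-mvc-app/card-data/v1"


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF with HMAC-SHA256 (RFC 5869): extract, then expand."""
    if length > 255 * 32:
        raise ValueError("HKDF-SHA256 output is limited to 8160 bytes")
    prk = hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def load_master_key(env_var: str = "APP_MASTER_KEY_HEX") -> bytes:
    """Read the master key from configuration kept outside code and database.

    The environment variable name is an assumption of this example.
    """
    value = os.environ.get(env_var)
    if not value:
        raise RuntimeError(f"{env_var} is not set; refusing to run without a key")
    key = bytes.fromhex(value)
    if len(key) < 32:
        raise ValueError("master key must be at least 32 bytes")
    return key


def new_record_salt() -> bytes:
    """Random per-record value, stored in the row next to the ciphertext."""
    return os.urandom(16)


def record_key(master_key: bytes, record_salt: bytes, context: bytes = APP_CONTEXT) -> bytes:
    """Derive the 256-bit AES key for one record from all three inputs."""
    if len(record_salt) < 16:
        raise ValueError("record salt must be at least 16 bytes")
    return hkdf_sha256(master_key, record_salt, context, 32)
```

Only the salt is stored with the row, so the record key cannot be rebuilt from the database alone. Anyone who can read both the database and the master key can still decrypt.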
