在 c# dotnet 核心控制台应用程序中保护密码输入 [英] Securing a password input in c# dotnet core console app

问题描述

在这里潜伏了很长时间，终于有一个我没有看到的问题.我正在 dotnet core 中编写一个 c# 控制台应用程序并试图允许用户输入密码，并且担心安全性，尤其是内存转储.

long time lurker here finally having a question that I'm not seeing. I am writing a c# console application in dotnet core and trying to allow a user to input a password, and am concerned about security, particularly memory dumping.

以下:密码屏蔽控制台应用程序我的理解是密码存储为字符串变量可能会通过内存转储暴露(参考).

Following: Password masking console application my understanding is that a password stored as a string variable could be exposed through a memory dump (reference).

SecureString 通常是到这里的方式，但在 dotnet 中似乎不受支持核心.

SecureString would normally be the way to go here but doesn't seem to be supported in dotnet core.

我尝试修改代码以使用 char 数组，因为我有限的理解是它不是一成不变的，因此它不会全部存储在单个内存中.老实说，虽然安全性不是我的强项，所以我的问题是，下面的代码是否能正确保护我免于通过内存转储暴露密码?

I've tried to modify the code to use a char array, because my limited understanding is that it is not immutable so it will not all be stored in a single piece of memory. Honestly though security is not my forte, so my question is if this code below properly protects me from exposing the password through a memory dump?

        Console.WriteLine("Enter pass");
        char[] passwordArray = new char[256];
        int whileIndex = 0;

        while (true)
        {
            ConsoleKeyInfo key = Console.ReadKey(true);
            if (key.Key == ConsoleKey.Enter)
            {
                break;
            }
            else if (key.Key == ConsoleKey.Backspace)
            {
               if (whileIndex != 0) //so it doesn't explode if someone holds backspace
                {
                    whileIndex--;
                }
            }
            else
            {
                passwordArray[whileIndex] = key.KeyChar;
                whileIndex++;
            }
        }
        //Truncate array to length of password
        var endIndex = Array.IndexOf(passwordArray,'');
        char[] shortenedPasswordArray = new char[endIndex];
        Array.Copy(passwordArray, shortenedPasswordArray, endIndex);

        //Authentication code here

        //Wipe the characters when done
        foreach(var passChar in passwordArray)
        {
            passwordArray[passChar] = '';
        }

        foreach (var passChar in shortenedPasswordArray)
        {
            shortenedPasswordArray[passChar] = '';
        }

推荐答案

一些评论:1) 首先要记住，安全问题不是在一个应用程序中解决的.对于可以完全访问机器的人来说，您(几乎)无能为力来确保密码真正安全.

Some comments: 1) First and foremost remember that security is not solved in one application. For somebody with full access to the machine there is (almost) nothing you can do to keep a password truly secure.

(有趣的练习:如何在完全不将密码保存在内存中的情况下验证密码?)

(Fun exercise: How would you authenticate a password without keeping the password in memory at all?)

2) SecureString 仅让您确定密码何时消失，从而让您更好地控制密码在内存中的寿命.一个普通的字符串可能会在内存中持续很长时间，甚至直到程序退出，因为它在垃圾收集之前不会消失.SecureString 允许您显式擦除它，但在此之前它仍然存在于内存中.

2) SecureString only gives you more control over the lifespan of a password in memory by letting you determine when it goes away. A normal string may last a very long time in memory, even until the program exits, since it doesn't go away until garbage collection. SecureString lets you explictly wipe it, but it still exists in memory until then.

3) 使用您自己的字符数组是个好主意，但我可能使用了 List，因为它允许可变长度，甚至可能使用 LinkedList，因为它将字符分散到内存中.耸耸肩.回顾 #1 并考虑您要保护密码免受哪种攻击.

3) Using your own char array is a good idea, but I might have used a List because it allows a variable length, or maybe even a LinkedList because it spreads the characters out in memory. Shrug. Refer back to #1 and consider what kind of attacks you're protecting the password from.

这篇关于在 c# dotnet 核心控制台应用程序中保护密码输入的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！