How to protect an API key in a .NET application


Question

My application hits a number of web services, such as Twitter and Flickr. It uses API keys from those services, and I'd like to obfuscate them in my binaries. (I'm not really worried about piracy or anything, I just need to keep these keys secret.)

What's the best way to go about it?

If I store them as const SecureString, does that keep them out of memory? The MSDN description says the text is "deleted from computer memory when no longer needed", but isn't a const always in memory?

Will Dotfuscator obscure it in my assembly? (Assuming I can get it to <a href="http://stackoverflow.com/questions/4937738/dotfuscator-doesnt-support-current-net-framework">work</a>.)

Recommended answer

I've recently had to deal with exactly this situation. The problem isn't so much making sure someone can't easily find it using a hex editor but rather when it's sent over the wire to the various APIs. Simply running Fiddler and watching requests will show the key regardless. Some APIs will have the benefit of a private/public key which helps a little.

The only solution I could come up with was to create an externally hosted web service of my own that acted as a proxy between the client and the targeted API. This allowed me to generate individual keys for each terminal that I could activate/deactivate, and the majority of the sensitive data was stored on my remote proxy application.

Good luck!

~ "Don't forget to drink your Ovaltine"
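
The proxy arrangement described in the answer above, as an added example that is not code from the question or the answer: the real API key stays on the server, and each terminal gets its own key that can be revoked individually. The route, header names, environment variable and upstream URL are hypothetical placeholders.

```csharp
// Program.cs of an ASP.NET Core minimal API project (.NET 6 or later).
using System.Collections.Concurrent;
using System.Security.Cryptography;
using System.Text;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddHttpClient();
var app = builder.Build();

// The real third-party key stays on the server and never ships in the client binary.
// UPSTREAM_API_KEY, the upstream URL and the header names are placeholders.
var upstreamKey = Environment.GetEnvironmentVariable("UPSTREAM_API_KEY")
    ?? throw new InvalidOperationException("UPSTREAM_API_KEY is not set");
var upstreamUrl = "https://api.example.invalid/v1/search";

// SHA-256 of each issued terminal key -> active flag; only hashes are kept server-side.
var terminals = new ConcurrentDictionary<string, bool>();
string Hash(string key) =>
    Convert.ToHexString(SHA256.HashData(Encoding.UTF8.GetBytes(key)));

string IssueKey()
{
    var key = Convert.ToHexString(RandomNumberGenerator.GetBytes(32));
    terminals[Hash(key)] = true;
    return key;
}

// Deactivates one terminal without touching the upstream key or other terminals.
bool Revoke(string key) => terminals.TryUpdate(Hash(key), false, true);

app.MapGet("/proxy/search", async (HttpRequest req, string q, IHttpClientFactory http) =>
{
    // The client authenticates with its own terminal key only.
    var presented = req.Headers["X-Terminal-Key"].ToString();
    if (presented.Length == 0
        || !terminals.TryGetValue(Hash(presented), out var active) || !active)
        return Results.Unauthorized();
    // The upstream credential is attached here, after the terminal key has been checked.
    using var upstream = new HttpRequestMessage(
        HttpMethod.Get, $"{upstreamUrl}?q={Uri.EscapeDataString(q)}");
    upstream.Headers.Add("X-Api-Key", upstreamKey);
    using var resp = await http.CreateClient().SendAsync(upstream);
    if (!resp.IsSuccessStatusCode) return Results.StatusCode(StatusCodes.Status502BadGateway);
    return Results.Content(await resp.Content.ReadAsStringAsync(), "application/json");
});

// Constructed demo data: one active and one revoked terminal key.
var activeKey = IssueKey();
var revokedKey = IssueKey();
Revoke(revokedKey);
Console.WriteLine($"active: {activeKey}\nrevoked: {revokedKey}");
app.Run();
```

Someone watching the client's traffic still sees the terminal key, but that key only works against the proxy and can be deactivated without rotating the upstream credential.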
