如何在 C# 中安全地嵌入静态字符串(密钥)? [英] How can I securely embed a static string (key) in C#?

问题描述

我正在寻找一种在 WP7 应用程序中安全存储 API 密钥的方法.键是一个字符串，目前被硬编码到代码中(见下文).我知道有反射器程序的人可以很容易地看到这个.有没有更好的方法将此密钥打包为我的应用程序的一部分?资源会更安全吗?

I'm looking for a way to securely store an API key in a WP7 application. The key is a string and is currently hard coded into the code (see below). I know that someone with a reflector program could easily view this. Is there a better way to package this key as part of my app? Would a resource be more secure?

string key = "DSVvjankjnersnkaecjnDFSD44VDS23423423rcsedzcadERVSDRFWESDVTsdt";

(这实际上不是关键；))

(This isn't actually the key ;) )

提前致谢.

推荐答案

看看 保护代码中的数据库连接字符串和其他敏感设置，这是一本很好的读物.您的问题在隐藏应用程序源代码中的密钥"部分.

Have a look at Safeguard Database Connection Strings and Other Sensitive Settings in Your Code, it is a good read. Your question is under the "Hiding Keys in the Application Source Code" section.

摘录:

如果在应用程序中定义了key，除了混淆程序集之外，尽量不要在源代码中存储实际的key字节.相反，使用持久特性实现密钥生成逻辑，例如加密算法、密钥大小、密码短语、初始化向量和盐(参见 使用对称(Rijndael)密钥加密和解密数据).这将引入额外的间接层，因此无法通过简单地从应用程序二进制文件转储符号来访问密钥.只要您不更改密钥生成逻辑和密钥特性，就可以保证生成的密钥是相同的.最好不要使用静态字符串作为密钥生成特征，而是即时构建它们.另一个建议是以与数据存储相同的方式处理程序集，即通过应用适当的 ACL.并且仅当其他数据保护技术均无效且您唯一的选择是不加密敏感数据时，才将此选项用作最后的手段.

If you define the key in the application, in addition to obfuscating the assembly, try not to store the actual key bytes in the source code. Instead, implement key-generation logic using persistent characteristics, such as the encryption algorithm, key size, pass phrase, initialization vector, and salt (see an example at Encrypt and Decrypt Data Using a Symmetric (Rijndael) Key). This will introduce an extra layer of indirection, so the key will not be accessible by simply dumping the symbols from the application binary. As long as you do not change key-generation logic and key characteristics, the resulting key is guaranteed to be the same. It may also be a good idea not to use static strings as key-generation characteristics, but rather build them on the fly. Another suggestion would be to treat the assembly the same way as the data store should be treated, that is, by applying the appropriate ACLs. And only use this option as a last resort, when none of the other data protection techniques work and your only alternative is leaving sensitive data unencrypted.

这篇关于如何在 C# 中安全地嵌入静态字符串(密钥)?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！