如何安全是它来存储源$ C ​​$ C加密密钥？ [英] How secure is it to store an encryption key in source code?

问题描述

这是加密类的足够安全？或者有人可以拆卸我的二进制找到密钥和IV？我用它来decrpyt许可证文件，所以它很重要的是，它不能容易破碎。

Is this encryption class sufficiently secure? Or can someone disassemble my binary to find the key and IV? I'm using it to decrpyt license files so it's quite important that it can't be easily broken.

internal static class Encryptor
{
  // Actual values are put here in my source
  private static readonly byte[] Key = { 0, 0, 0, 0, 0, 0, 0, 0 };
  private static readonly byte[] Iv = { 0, 0, 0, 0, 0, 0, 0, 0 };

  internal static String Encrypt(string source)
  {
    var des = new DESCryptoServiceProvider();
    var enc = des.CreateEncryptor(Key, Iv);
    var b = Encoding.ASCII.GetBytes(source);
    var encId = enc.TransformFinalBlock(b, 0, b.Length);
    return Convert.ToBase64String(encId);
  }

  internal static string Decrypt(string encrypted)
  {
    var des = new DESCryptoServiceProvider();
    var dec = des.CreateDecryptor(Key, Iv);
    var b = Convert.FromBase64String(encrypted);
    var decId = dec.TransformFinalBlock(b, 0, b.Length);
    return Encoding.ASCII.GetString(decId);
  }
}

这是类似于<一href="http://stackoverflow.com/questions/2528405/how-to-safely-store-encryption-key-in-a-net-assembly">this问题和这个，但也似乎有一个明确的答案（只要我能理解 - 我承认自己对这个主题的初学者）。请指教。 ：）

This is similar to this question and this one, but neither seem to have a clear answer (as far as I can understand - and I admit to being a complete beginner on this topic). Please advise. :)

推荐答案

是的，这是很容易破碎。随着如反射（或ILSpy，或dotPeek，或......）工具知识的开发，不会有任何麻烦识别加密功能，并找到你的钥匙。有人谁的组装甚至可以调用解密直接，没有打扰与提取的关键。

Yes, this is easily broken. Any developer with knowledge of tools such as Reflector (or ILSpy, or dotPeek, or ...), will have no trouble identifying the encryption function and finding your key. Someone who has the assembly will even be able to call Decrypt directly, not bothering with extracting the key.

是不是足够安全？这取决于，只有你能回答这个问题。如果这是发牌，它是把一个贴在一个盒子说：不要复制我的软件的等价物。在另一方面，使得一个强大的发牌制度，是很难打破的经验和坚定的攻击者，是一个大的事业，你可能要考虑，如果它是值得的。就个人而言，我会投入我的时间在做软件，以便真棒，人们将要为此付出代价，而不是使用它无照停止少数坏人。

Is it sufficiently secure ? It depends, only you can answer that. If this is for licensing, it is the equivalent of putting a sticker on a box saying "Don't copy my software". On the other hand, making a robust licensing scheme that is hard to break for an experienced and determined attacker, is a large undertaking, and you might want to consider if it is worth the effort. Personally, I would invest my time in making the software so awesome, that people will want to pay for it, rather than stopping a small number of bad guys from using it unlicensed.

这篇关于如何安全是它来存储源$ C ​​$ C加密密钥？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！