Securely Storing Optional Entropy While Using DPAPI


Problem description


So I am trying to store the symmetric key using DPAPI. All is well and great, but what to do with the entropy? This answered question here really doesn't provide enough insight. It seems like a slippery slope - I could use the machine store to store the entropy but then what prevents someone from getting at that as well? Note: I am storing the current key using the User Scope.


So my question is - what is the best way to store the entropy using DPAPI?

Recommended answer


Anything you store locally can be compromised. But there are steps you can take to make it more difficult. There is a document on Handling Passwords that you may consider looking over. You can consider your Entropy Key a password specific to your application.


I am going to refer to your Entropy as your Key, since it is functionally an additional key.


What you don't want to do is store your key locally in an unencrypted format. Instead you want to either encrypt your key, or derive it from another, non-obvious source. Of course if you encrypt the key, then you need to store the key used to encrypt it - but oftentimes this single layer of indirection is enough to discourage most challengers.


That would be the advantage of deriving your key. You could derive it as a hash of some other piece of constant data (needs to be something that doesn't change with revisions of your application). One trick when deriving a hash though is to combine the hash with some other constant value (like a GUID or large random number) so that someone else cannot just combine a known hash algorithm and get your key. This is a much better alternative to creating your own hash algorithm (which you should never do, unless you have a PhD in Mathematics).


At some point you are going to need some sort of key hard coded in your application. This key is either combined with some other data in a hash to create your Entropy Key, or used to decrypt the entropy key. You actually can have the key change with a new revision of your application, as long as you keep the old key for decrypting the existing key. Then you can re-encrypt it with the new key or method.


If you want the best security then you can store the Entropy key off the computer. This would require an internet connection and an SSL certificate, but then the key is never persisted anywhere locally to be discovered. To do this you can set up a more robust challenge-response system so the request authentication is different each time, and the key is delivered over SSL encryption so it cannot be intercepted. Once the key is used, then it is discarded. Of course this kind of defeats the purpose of many scenarios where you are using DPAPI for local secure storage.


Whatever you do, keep in mind it will be compromised - that always happens when someone has full access to the local machine and the data stored on it. The solution to that is to keep releasing updates that change the method enough that the old crack no longer works. This will make distribution of a crack less valuable as it will be difficult to find one for the right version.
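The derive-and-version approach the answer describes, as an added example that is not part of the original answer: the optional entropy is a SHA-256 hash of an application constant mixed with a compiled-in GUID, a version byte is stored in front of the DPAPI blob, and an older derivation stays available so existing blobs can be re-protected after a release changes it. It assumes .NET on Windows with the `ProtectedData` wrapper; `AppName`, `AppSecret` and the `EntropyVault` class are hypothetical names chosen for the example.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

// Added example, not the answer's own code. Assumes .NET on Windows with
// System.Security.Cryptography.ProtectedData (the managed DPAPI wrapper).
static class EntropyVault
{
    // Hypothetical constants compiled into the application. The GUID plays the
    // role of the "large random number" in the answer: knowing the hash
    // algorithm and the app name alone is not enough to reproduce the entropy.
    private const string AppName   = "ExampleApp";                           // must not change between revisions
    private const string AppSecret = "00000000-0000-4000-8000-000000000000"; // placeholder GUID, replace in a real build

    // Derive the DPAPI optional entropy for a given derivation version.
    // Older versions remain computable so blobs written by an earlier release
    // can still be unprotected and then migrated.
    public static byte[] DeriveEntropy(byte version)
    {
        var input = Encoding.UTF8.GetBytes($"{AppSecret}|v{version}|{AppName}");
        using var sha = SHA256.Create();
        return sha.ComputeHash(input);
    }

    // Blob layout: [version byte][DPAPI ciphertext]. The version byte is not a
    // secret; it only selects which derivation to use when unprotecting.
    public static byte[] ProtectKey(byte[] symmetricKey, byte version)
    {
        var cipher = ProtectedData.Protect(symmetricKey, DeriveEntropy(version),
                                           DataProtectionScope.CurrentUser);
        var blob = new byte[cipher.Length + 1];
        blob[0] = version;
        Buffer.BlockCopy(cipher, 0, blob, 1, cipher.Length);
        return blob;
    }

    public static byte[] UnprotectKey(byte[] blob)
    {
        var cipher = blob.Skip(1).ToArray();
        return ProtectedData.Unprotect(cipher, DeriveEntropy(blob[0]),
                                       DataProtectionScope.CurrentUser);
    }

    // Migration after a release changes the derivation: unprotect with the
    // version the blob was stored under, then re-protect with the current one.
    public static byte[] Migrate(byte[] blob, byte currentVersion)
    {
        if (blob[0] == currentVersion) return blob;
        return ProtectKey(UnprotectKey(blob), currentVersion);
    }
}
```

Because the blob is bound to `DataProtectionScope.CurrentUser`, only the same Windows user account can unprotect it; the derived entropy adds the application-specific layer on top of that.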
