存储密码 [英] Storing a password

问题描述

在这个的问题，OP si建议存储用户的凭据清楚。

但是如果我想要存储使用SecretKeySpec（用于加密数据的密码）创建的加密密码？从我的理解，秘密密钥本身是加密的。

所以我可以存储和检索它。

注意：我不是要求如何存储偏好，只要我对SecretKeySpec的工作原理以及如何进行排序，序列化和检索加密密码的理解。

EDIT ：对不起，我忘了指定需要与API 4级兼容。

解决方案

开发者网站。

关于安全性的智慧！

了解AccountManager不是加密服务或钥匙串很重要。它像您通过纯文本一样存储帐户凭据。在大多数设备上，这并不是一个特别的问题，因为它将它们存储在只能由root访问的数据库中。但是在有根设备的设备上，任何拥有adb访问设备的人都可以阅读凭据。

考虑到这一点，您不应该将用户的实际密码传递给AccountManager.addAccountExplicitly（）。相反，您应该存储对攻击者有限的使用密码安全令牌。如果您的用户凭据保护有价值的东西，您应该仔细考虑做类似的事情。

记住：关于安全代码，请遵循Mythbusters规则：在家试试这个！在实施任何自定义帐户代码之前，请咨询安全专业人士。

现在安全免责声明已经不合时宜了，现在该重新开始工作了。您已经实施了您的自定义帐户代码的肉;剩下的是管道。

I'm creating a app to store encrypted data.

In this question, the OP si advised to store user's credential in clear.

But what if I'd like to store an encrypted password created with SecretKeySpec (the one used to encrypt data)? From my understanding the secret key is itself encrypted.

So I can I store and retrieve it.

Note: I'm not asking how to store preferences, just if my understanding of how SecretKeySpec works and how to, sort of, serialize and retrieve the encrypted password.

EDIT: Sorry, I forgot to specify it needs to be compatible with API level 4.

解决方案

Straight from the developer website.

Be Smart About Security!

It's important to understand that AccountManager is not an encryption service or a keychain. It stores account credentials just as you pass them, in plain text. On most devices, this isn't a particular concern, because it stores them in a database that is only accessible to root. But on a rooted device, the credentials would be readable by anyone with adb access to the device.

With this in mind, you shouldn't pass the user's actual password to AccountManager.addAccountExplicitly(). Instead, you should store a cryptographically secure token that would be of limited use to an attacker. If your user credentials are protecting something valuable, you should carefully consider doing something similar.

Remember: When it comes to security code, follow the "Mythbusters" rule: don't try this at home! Consult a security professional before implementing any custom account code.

Now that the security disclaimers are out of the way, it's time to get back to work. You've already implemented the meat of your custom account code; what's left is plumbing.

这篇关于存储密码的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！