安全地存储客户机密码 [英] Store client secret securely

问题描述

我知道公共客户端不应使用客户端密码a>因为，无论你多么模糊它，它都不会受到逆向工程。

但是，负责我正在认证的服务的人不想/不能改变它。所以，我需要存储客户端的秘密，尽量保护它免受逆向工程的影响。

所以，我想到在构建时使用渐变加密它，并将其存储在一个文件中。然后，当我需要它在运行时解密它。但是现在我必须解决如何存储加密密钥的问题 ...

我对安全性不太了解，所以，我不知道这是否可以解决，或者如果Android（最小sdk 15）为这种情况提供了任何机制。

任何想法？

解决方案

本文建议这些选项从少到安全：

1. 以明文方式存储




2. 使用对称密钥存储加密




3. 使用Android密钥库




4. 使用非对称密钥存储加密

可能使用＃4的组合和某种方式来统一识别设备

I know that a public client shouldn't use a client secret because, no matter how much you obfuscate it, it won't be protected from reverse engineering.

But, the people in charge of the service I am authenticating to don't want to/can't change it. So, I need to store the client secret and try to protect it from reverse engineering as much as I can.

So, I thought of encrypting it using at build time using gradle and store it in a file. Then, when I need it at run time I decrypt it. But now I have to solve the problem of how to store the encryption key...

I don't know much about security, so, I don't know if this can be solved, or if Android (min sdk 15) provides any mechanism for this kind of scenarios.

Any idea?

解决方案

This article suggests these options, from less to more secure:

1. Store in cleartext

2. Store encrypted using a symmetric key

3. Using the Android Keystore

4. Store encrypted using asymmetric keys

Probably, using a combination of #4 and some way to univocally identify the device would be secure enough

这篇关于安全地存储客户机密码的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！