堆栈内存溢出
  简体   繁体   English

如何安全存储密钥?

[英]How Can I Securely Store a SecretKey?

 原文  2013-02-18 17:28:06       java/ security/ encryption/ keystore/ secret-key

问题描述

I'm building a basic webapp that takes in a user input and returns an encrypted password. 我正在构建一个基本的Webapp,该Webapp接受用户输入并返回加密的密码。

Problem is, currently the SecretKey I am using is stored in the src for the Java class. 问题是,当前我正在使用的SecretKey存储在Java类的src中。 To me, it seems this is risky practice so I'm trying to find a way to safely store my SecretKey. 对我来说,这似乎是冒险的做法,所以我试图找到一种安全存储我的SecretKey的方法。

Doing some research, I found the Java KeyStore class but I'm not entirely sure if this is what I need. 做一些研究后,我发现了Java KeyStore类,但是我不确定这是否是我所需要的。 Also, if this is what I need, can you guys point me in the direction of how to implement it, and more importantly, how it works? 另外,如果这是我的需要,你们能指出我如何实施它的方向,更重要的是,它如何运作的吗?

Thanks 谢谢

Edit: From doing a lot of thinking/reading it seems like there really isn't a great solution and really a solution isn't needed so long as your main server is secure, which mine will be, so it's not an issue. 编辑:经过大量的思考/阅读,似乎真的没有一个很好的解决方案,并且只要您的主服务器是安全的(实际上是哪一个),就不需要解决方案了,所以这不是问题。

Thank you for all the replies! 感谢您的所有答复! :) :)

2 个解决方案

解决方案1
 1  2013-02-18 17:30:18

Passwords should be stored using one way hash functions that way your system avoids this problem. 密码应使用一种散列函数存储,该散列函数可避免系统出现此问题。 See https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet 参见https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet

解决方案2
 0  2013-02-18 17:37:10

If you are talking about your encryption key, then there is no secure way to store that key safely in JavaScript. 如果您谈论的是加密密钥,则没有安全的方法将该密钥安全地存储在JavaScript中。 I guess the storage you are talking about its the browsers local storage, which is nothing more then a persistent cookie on browser side. 我猜您正在谈论的存储是浏览器的本地存储,仅此而已是浏览器端的持久cookie。 Everybody that uses the chrome WebInspector or Firefox Firebug can easly read this store for any page he is visiting. 使用chrome WebInspector或Firefox Firebug的每个人都可以轻松浏览此商店中正在访问的任何页面。 Furthermore, you would have to save it in this store by JavaScript and as everybody can read your source code in the browser, its even more obvious. 此外,您必须通过JavaScript将其保存在此存储中,并且由于每个人都可以在浏览器中阅读源代码,因此它的作用更加明显。

The only possibilty to do such things safely is Server-Sided, like with PHP for example. 安全地执行此类操作的唯一可能性是Server-Sided,例如PHP。 If you though want the feeling of interactive behaviour, you can use AJAX on clientside to interact with the backend. 如果您希望获得交互行为的感觉,则可以在客户端使用AJAX与后端进行交互。

EDIT: Ah, I think I got you wrong as you are talking about Java in Backend? 编辑:啊,我想我在理解Backend中的Java时错了吗? If yes I think there is no Problem when u have the key hardcoded in your compiled sources??? 如果是的话,当您在已编译的源代码中对密钥进行硬编码时,我认为没有问题??? If you want to store it somewhere else and are afraid someone uses it, you could salt and hash it in your application before you use it for key generation (of course the salt is hardcoded then)? 如果您想将其存储在其他地方并且担心有人使用它,可以在将其用于密钥生成之前在应用程序中对其进行盐析和哈希处理(当然盐会被硬编码)?

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 如何在Android上安全存储商店敏感日期? - How can I securely store store sensitive date on an Android? 如何将String转换为SecretKey - How can I convert a String to a SecretKey 如何在操作系统“默认”密钥库中安全地存储密码? - How can I store passwords securely in Operating Systems “default” Key-Store? 如何在数据库postgresql中存储secretKey并检索它 - How to store a secretKey in database postgresql and retrieve it 如何在Java本地安全地存储保存的密码? - Where can I store saved password locally but securely in Java? 如何使用令牌安全地连接到RESTHeart - How can I securely connect to RESTHeart with a Token 如何安全保存我的密钥库 - How can I save my keystore securely 如何安全地将ftp的用户名和密码存储在android中 - How can store ftp's username and password in android with securely way 如何在Java中安全地存储加密密钥? - How do I securely store encryption keys in java? 如何将SOAP响应安全地存储在数据库中? - How do I store SOAP responses in the database securely?
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM