堆栈内存溢出
  简体   繁体   English

如何在桌面客户端应用程序(Java)中存储密码和敏感数据?

[英]How to store passwords and sensitive data in a desktop client application (Java)?

 原文  2013-05-27 20:30:57       java/ security/ twitter-oauth/ password-protection/ email-integration

问题描述

I want to make an application which will monitor user's email account for incoming emails as well as his twitter account for tweets. 我想制作一个应用程序,该程序将监视用户的电子邮件帐户中的传入电子邮件以及他的Twitter帐户中的推文。 The user has to provide his login credentials therefore. 因此,用户必须提供其登录凭据。 My doubt is how and where to store this sensitive data? 我的疑问是如何以及在何处存储此敏感数据? I don't want my application to annoy the user asking these things repeatedly. 我不想让我的应用程序惹恼用户反复问这些问题。

Moreover, if I should encrypt and then store these data then how should I protect the key which I am using in my application? 而且,如果我应该加密然后存储这些数据,那么我应该如何保护我在应用程序中使用的密钥?

4 个解决方案

解决方案1
 4 已采纳  2013-05-27 20:59:26

The point of encryption is to make the secrecy of a plaintext depend on the secrecy of a smaller key. 加密的重点是使明文的保密性取决于较小密钥的保密性。

In the case, encryption alone is useless to you, since you have no way to store the key either. 在这种情况下,单独加密对您没有用,因为您也无法存储密钥。

Instead, you need to use some existing secret managed by a third party (using a password), and use it to derive a key. 相反,您需要使用一些由第三方管理的现有机密(使用密码),并使用它来导出密钥。

On Windows, you can use the DPAPI, which is ultimately backed by the user's login password. 在Windows上,您可以使用DPAPI,该API最终由用户的登录密码支持。
If the user forgets his password (or if it is changed from a different account), your data will be irrecoverably lost. 如果用户忘记了自己的密码(或者从其他帐户更改了密码),则您的数据将无法恢复。

Note that this will not defend against code running as that user. 请注意,这不能防止以该用户身份运行的代码。
You need to decide what you're trying to defend against. 您需要确定要防御的内容。

解决方案2
 1  2013-05-27 20:43:05

If you really need it (it's no good idea but...) you may want to create encrypted storage for passwords like Firefox has for example. 如果确实需要它(这不是个好主意,但是...),则可能需要为诸如Firefox这样的密码创建加密存储。 Users will protect passwords with master password. 用户将使用主密码来保护密码。

解决方案3
 0  2013-05-27 20:37:42

The answer is nowhere. 答案无处。 You should never store passwords even in encrypted form. 即使以加密形式也不要存储密码。 The "correct" way is probably simulate the behavior of similar web applications. “正确”的方法可能是模拟相似Web应用程序的行为。 Indeed if you login into twitter you can select check box "remember me" and twitter will not ask you for the password next time, right? 的确,如果您登录Twitter,则可以选中“记住我”复选框,Twitter下次不会再要求您输入密码,对吗? How is it implemented? 如何实施?

Typically special token is stored on client side in cookie. 通常,特殊令牌存储在客户端的cookie中。 The cookie is sent to server and is used for authentication. Cookie被发送到服务器,并用于身份验证。 Cookie has expiration date, so it will be automatically removed when its time is over. Cookie的到期日期,因此超过时间将被自动删除。

Unless there is better solution for desktop applications I'd suggest you to try to use this mechanism. 除非针对桌面应用程序有更好的解决方案,否则建议您尝试使用此机制。

解决方案4
 0  2013-05-29 16:41:24

我认为使用的密码在您的应用程序范围内,并使用该密码加密所有其他密码,并且在应用程序说需要Twitter时,请使用该密码进行解密...进一步获取主密码的哈希值并将其保存在磁盘上。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 如何存储Java Web应用程序所需的密码? - How to store java web application needed passwords? Java-存储敏感数据 - Java - store sensitive data 桌面应用程序-如何存储数据以进行多次启动 - Desktop application - How to store Data for multiple boots 用Java加密敏感的应用程序数据 - Encrypting sensitive application data in Java 如何在Java配置文件中存储敏感数据? - How can I store sensitive data in Java configuration files? 如何将敏感数据存储到Java代码中以进行Android开发 - How to store sensitive data into java code for android development 您是否需要数据库来存储 java 桌面应用程序中的数据? - Do you need a database to store data in a java Desktop Application? 如何“隐藏”敏感的系统属性,例如Java应用程序设置的密码? - How to “hide” sensitive system properties like passwords set by Java applications? 如何在用 Java Swing 设计的桌面应用程序中存储静态变量? - How to store a static variable in desktop application designed in Java Swing? 如何存储Java桌面应用程序(多平台)全局设置? - How to store Java desktop application(multiplatform) global settings?
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM