
How and where to store master password for a Java desktop application

I am working on a small Java desktop application that stores users' passwords in a .db file. When the user creates a new database, the user must create a master password for that database, in order to access any Facebook or Twitter passwords that they may choose to store in it. My question is, where and how should I securely store the master password?

My idea was to encrypt the master password and add a salt before storing it, then store the password in an encrypted text file or .db file, then read it when a user attempts to access the database. I am just looking for guidance on whether this is a good idea, or if there are any better alternatives.

The application is a desktop application, not a web application.

The most secure way to store passwords is in such a way that even you (your app) doesn't know what the password is. This is accomplished by using a one-way hash. As the name implies this is one way: there is no way to "un-hash" a hashed value and see what the original value was.

One of the important characteristics of a cryptographic hash is that hashing a value will always produce the same hash. The SHA-2 (256) hash of "The quick brown fox jumps over the lazy dog" will always generate the hash d7a8fbb307d7809469ca9abcb0082e4f8d5651e46d3cdb762d02d0bf37c9e592. While there is no way to take that hash and determine what the unhashed value is, a hacker with a rainbow table could see what it corresponds to (this is why weak passwords, even when hashed, are still vulnerable: every rainbow table in the world is going to have the hash for 123456).

So before hashing the password we add a salt (ideally a different salt for each user). If before hashing "The quick brown fox jumps over the lazy dog" we add a salt (let's just use the word "salt" as a simple example) we would now hash "saltThe quick brown fox jumps over the lazy dog" and get b369837c6389d8dddb06cb669961b0ab80f5166cc8cebcfaf9734ed009c31e8b as our hash.

The salted hash is what you should store (however/wherever makes sense for your application) and check against. So when a user first creates an account you will:

  1. take the password they choose and add the salt
  2. hash it (using a collision-free cryptographic hash, such as SHA-2)
  3. store the result

When the user attempts to login you will:

  1. take the password they input into the login form and add the salt
  2. hash it
  3. compare it to what you have stored

If it is not identical they entered the incorrect password; if it is the same you know they entered the correct password and you can log them in.

Suppose you have a .db file which contains Facebook or Twitter passwords. You store them in an encrypted form and use the master password as an encryption key to encrypt/decrypt your .db file. The master password in this case is entered by the user and is not stored anywhere (you can keep it in memory while your application is running). To validate the master password when a user attempts to access the database you can decrypt some string constant with it.
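The following is an added example, not code from either answer or from the asker's application. It puts both answers together in Java's standard crypto API: a random per-database salt is generated when the database is created (first answer), the master password is never written to disk, and the password is checked on open by decrypting a known constant with a key derived from it (second answer), so the same derived key can then decrypt the stored Facebook/Twitter entries. It goes one step beyond the first answer's "hash it with SHA-2": the key is derived with PBKDF2-HMAC-SHA256, a salted and iterated SHA-256 construction, so that guessing candidate master passwords against the stored header is slow. The class name, the header layout (`salt:iv:ciphertext` in Base64), the iteration count and the verifier string are assumptions made for this example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

/** Added example (not from the thread): master-password handling for a desktop password store. */
public class MasterPasswordExample {
    // Parameters chosen for this example; the thread does not prescribe them.
    private static final int SALT_BYTES = 16;
    private static final int IV_BYTES = 12;               // standard AES-GCM nonce size
    private static final int PBKDF2_ITERATIONS = 600_000; // slows down offline guessing
    private static final int KEY_BITS = 256;
    private static final int TAG_BITS = 128;
    // Known constant: decrypting it successfully proves the master password (second answer's idea).
    private static final byte[] VERIFIER_PLAINTEXT =
            "master-password-check".getBytes(StandardCharsets.UTF_8);
    private static final SecureRandom RNG = new SecureRandom();

    /** What gets written next to the .db file: salt, IV and the encrypted verifier. Never the password. */
    static final class Header {
        final byte[] salt, iv, verifierCiphertext;
        Header(byte[] salt, byte[] iv, byte[] verifierCiphertext) {
            this.salt = salt; this.iv = iv; this.verifierCiphertext = verifierCiphertext;
        }
        String encode() {
            Base64.Encoder e = Base64.getEncoder();
            return e.encodeToString(salt) + ":" + e.encodeToString(iv) + ":" + e.encodeToString(verifierCiphertext);
        }
        static Header decode(String s) {
            String[] p = s.split(":");
            Base64.Decoder d = Base64.getDecoder();
            return new Header(d.decode(p[0]), d.decode(p[1]), d.decode(p[2]));
        }
    }

    /** Derive a 256-bit AES key from the master password and the per-database salt (PBKDF2-HMAC-SHA256). */
    static SecretKey deriveKey(char[] masterPassword, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(masterPassword, salt, PBKDF2_ITERATIONS, KEY_BITS);
        SecretKeyFactory factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
        byte[] keyBytes = factory.generateSecret(spec).getEncoded();
        spec.clearPassword();                  // drop the factory's copy of the password
        SecretKey key = new SecretKeySpec(keyBytes, "AES"); // SecretKeySpec copies the bytes
        Arrays.fill(keyBytes, (byte) 0);
        return key;
    }

    /** Called once when the user creates a new database: fresh salt, fresh IV, encrypted verifier. */
    static Header createDatabase(char[] masterPassword) throws Exception {
        byte[] salt = new byte[SALT_BYTES];
        byte[] iv = new byte[IV_BYTES];
        RNG.nextBytes(salt);
        RNG.nextBytes(iv);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, deriveKey(masterPassword, salt), new GCMParameterSpec(TAG_BITS, iv));
        return new Header(salt, iv, cipher.doFinal(VERIFIER_PLAINTEXT));
    }

    /** Called on every open. Returns the database key if the password is right, null otherwise. */
    static SecretKey unlock(char[] masterPassword, Header header) throws Exception {
        SecretKey key = deriveKey(masterPassword, header.salt);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, header.iv));
        try {
            byte[] plain = cipher.doFinal(header.verifierCiphertext);
            // Constant-time comparison of the recovered constant against the expected one.
            return MessageDigest.isEqual(plain, VERIFIER_PLAINTEXT) ? key : null;
        } catch (AEADBadTagException e) {
            return null; // wrong password (or a tampered header): the GCM tag does not verify
        }
    }

    public static void main(String[] args) throws Exception {
        char[] password = "correct horse battery staple".toCharArray(); // constructed sample input
        Header header = createDatabase(password);
        System.out.println("stored header: " + header.encode());
        Header reloaded = Header.decode(header.encode());
        System.out.println("right password unlocks: " + (unlock(password, reloaded) != null));
        System.out.println("wrong password unlocks: " + (unlock("123456".toCharArray(), reloaded) != null));
        Arrays.fill(password, '\0'); // clear the password from memory once the key is derived
    }
}
```

The key returned by `unlock` is what the application would then use to encrypt and decrypt the individual entries in the .db file, each record with its own fresh 12-byte IV; only the header and the ciphertexts are ever written to disk, so a copy of the file alone reveals neither the master password nor the stored passwords.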
