[英]How should I store sensitive data for use by my application in VB.net?
A problem I've happened upon is trying to find a way to securely store certain pieces of information. 我遇到的一个问题是试图找到一种安全地存储某些信息的方法。 I am still learning and experimenting with .NET as an introductory language along with C. So if I lack basic logic, bear with me.
我仍在学习和尝试使用.NET和C作为入门语言。因此,如果我缺乏基本的逻辑,请多多包涵。
The Requirement 要求
At the moment I'm using the "Settings" store within my application settings to store several pieces of information, these include: 目前,我正在应用程序设置中使用“设置”存储来存储几条信息,其中包括:
I've been using the 'Settings' store because quite frankly it's easier to be able to change the value in one central location and it being reflected within my code. 我一直在使用“设置”存储区,因为坦率地说,很容易能够在一个中央位置更改值并将其反映在我的代码中。
I realize of course that I can just as easily create a shared class and use that as a reference for all these settings. 我当然意识到,我可以轻松地创建一个共享类并将其用作所有这些设置的参考。
I need to make it so that someone can't just use a .NET reflector and grab all this information. 我需要这样做,以便某人不能只是使用.NET反射器来获取所有这些信息。 - After experimenting with SmartAssemply it became quickly apparent that the "Settings" container was something ignored during obfuscation.
-在尝试使用SmartAssemply之后, 很快就发现混淆过程中忽略了“设置”容器。
The way forward? 前进的方向?
So I did some research and at the moment I'm faced with what I consider to be the main possible ways forward. 因此,我进行了一些研究,此刻,我面临着我认为是前进的主要可能途径。 (remember this is coming from my limited experience) :
(请记住,这是根据我的有限经验得出的) :
Example 例
Let's say for example I was trying to hide the following string. 例如,假设我试图隐藏以下字符串。
Dim ConnStr As String = "server=100.100.100.1;user=admin;database=database2;port=3306;password=password123"
I would be extremely appreciative if users who provide answers could, along with their suggestion provide a small PoC showing how I can protect a string like the one above and how I can reference it within my program (if you're leaning towards encryption for example). 如果提供答案的用户可以提供一个小的PoC,说明我如何保护上述字符串以及如何在程序中引用该字符串(例如,如果您倾向于加密),我将非常感激。 )。
Binary serialization will render things like Dates and Integers so they cannot be easily read, but not so with strings. 二进制序列化将呈现诸如Dates和Integers之类的内容,因此它们不易阅读,但使用字符串则不易阅读。 The NET BinaryFormatter will even use the property name as the key resulting in something like
NET BinaryFormatter甚至会使用属性名称作为键,从而导致类似
"SecretEmail" / "Sam@somewhere.com"
"ExpiryDate" / <binary>
I am quite fond of ProtoBuff-NET for the flexibility it has. 我非常喜欢ProtoBuff-NET的灵活性。 It is a replacement for the standard NET BinaryFormatter and offers an easy option for this:
它是标准NET BinaryFormatter的替代,为此提供了一个简单的选项:
<ProtoBeforeSerialization>
Private Sub Encryptor()
_foo = Crypto.Encrypt(_foo)
_bar = Crypto.Encrypt(_bar)
_secret = Crypto.Encrypt(_secret)
End Sub
<ProtoAfterDeSerialization>
Private Sub Decryptor()
_foo = Crypto.Decrypt(_foo)
_bar = Crypto.Decrypt(_bar)
_secret = Crypto.Decrypt(_secret)
End Sub
String data would be clear text while the app is running, but encrypted when saved (which may not be what you want). 字符串数据在应用程序运行时将是纯文本,但在保存时会加密(可能不是您想要的)。 In addition, it uses integer values in place of property names in the output.
此外,它在输出中使用整数值代替属性名称。
Just before the data is serialized you could encypt or simple scramble the strings so that they are only readable when loaded into the app. 就在数据序列化之前,您可以加密或简单地对字符串进行加扰,以使它们仅在加载到应用程序后才可读。 Likewise,
<ProtoAfterDeSerialization>
would allow you to UnDo whatever you did. 同样,
<ProtoAfterDeSerialization>
将允许您撤消所做的一切。 Any backing fields with defaults ( Private _foo As String = "bar"
) may/should get handled by your tool. 任何带有默认值(
Private _foo As String = "bar"
)的后备字段都可以/应该由您的工具处理。
There are other options, this one has the virtue of having hooks provided for it in the serialization mechanism you can use to save the file. 还有其他选项,该选项的优点是在可用于保存文件的序列化机制中为其提供了挂钩。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.