Does ProtectedData work on multiple computers?
I am looking into storing some sensitive data in an application I am working on. I have been looking at the ProtectedData class provided by Microsoft, and it looks pretty straightforward. However, I have a couple of questions regarding how it works.

First, I see that it uses "the user's login credentials" to generate the encryption key. I have seen in the documentation that only the current user will be able to decrypt the data. That is not a problem; I just want to know, if the same user is logged in on a different machine, will they be able to decrypt the data? I am planning to have the saved information shared over OneDrive, so hopefully it would be accessible on any device that the same user is using.
ex:
User A logs in on desktop computer, saves encrypted file abc.txt
User A then logs in on tablet, loads file abc.txt
Is abc.txt accessible to User A on the tablet?
Second, what happens once the user changes their password? It seems to me that the encryption key would then be different, and wouldn't that cause the data that was encrypted with the previous key to no longer be recoverable?
ex:
User A logs in on desktop computer, saves encrypted file abc.txt
User A changes password
User A logs in on desktop computer, loads file abc.txt
Is abc.txt accessible to User A anymore?
Is abc.txt accessible to User A on the tablet?

"For DPAPI to work correctly when it uses roaming profiles, the domain user must only be logged on to a single computer in the domain. If the user wants to log on to a different computer that is in the domain, the user must log off the first computer before the user logs on to the second computer. If the user is logged on to multiple computers at the same time, it is likely that DPAPI will not be able to decrypt existing encrypted data correctly." - http://support.microsoft.com/kb/309408
Is abc.txt accessible to User A anymore?

On a single machine, after changing a password the user should still be able to access previously encrypted files. My understanding is that previously generated keys are still stored in a list to allow this. (It would be an expensive operation to have to decrypt and re-encrypt all previously stored data every time a user changes their password, so instead they just keep the old keys.)

However, there are administrative tools that would allow you to change the password in a way that might break this.

I do not know what effect changing your password on Machine A would have on Machine B. I would assume the roaming profile would deal with this properly, but that might be an invalid assumption.

I wouldn't store critical data in DPAPI without backing it up somewhere. Of course that introduces other security-related complexities depending on the sensitivity of the data.
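As an added example (not code from the question or either answer), this wraps the ProtectedData calls under discussion so that the case described above, a blob DPAPI cannot unwrap for the current user on this machine, is reported as a failed load instead of an unhandled exception. The file path, entropy string and secret are constructed placeholders; it targets Windows, and on .NET Core / .NET 5+ needs the System.Security.Cryptography.ProtectedData package.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

static class UserSecretFile
{
    // Optional entropy is an application-specific value mixed into the DPAPI key.
    // Without it, any process running as the same user can call Unprotect on the blob.
    // Constructed placeholder; a real application would use a per-app secret.
    private static readonly byte[] Entropy = Encoding.UTF8.GetBytes("example-app-entropy");

    public static void Save(string path, string secret)
    {
        byte[] plaintext = Encoding.UTF8.GetBytes(secret);
        // CurrentUser scope: only this Windows account (not other users on the box) can decrypt.
        byte[] blob = ProtectedData.Protect(plaintext, Entropy, DataProtectionScope.CurrentUser);
        File.WriteAllBytes(path, blob);
        Array.Clear(plaintext, 0, plaintext.Length);
    }

    // Returns true and the secret on success; false when DPAPI cannot unwrap the blob,
    // which is what happens when the file was protected by another account or, without a
    // working roaming profile, on another machine (the situation discussed in the answer).
    public static bool TryLoad(string path, out string secret)
    {
        secret = null;
        if (!File.Exists(path)) return false;
        try
        {
            byte[] plaintext = ProtectedData.Unprotect(
                File.ReadAllBytes(path), Entropy, DataProtectionScope.CurrentUser);
            secret = Encoding.UTF8.GetString(plaintext);
            Array.Clear(plaintext, 0, plaintext.Length);
            return true;
        }
        catch (CryptographicException)
        {
            // Wrong user, wrong machine, or corrupted blob: treat as "not available here".
            return false;
        }
    }

    static void Main()
    {
        string path = Path.Combine(Path.GetTempPath(), "abc.txt"); // constructed sample path
        Save(path, "api-token-12345");                              // constructed sample secret
        Console.WriteLine(TryLoad(path, out string s) ? "recovered: " + s : "cannot decrypt here");
    }
}
```

Copying the resulting abc.txt to a second machine and running only the TryLoad path there is the direct test of the question: a false result means that account's DPAPI master key was not available on that device.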
The Data Protection API (DPAPI) works correctly with roaming profiles. So this would cover the fact that a user can decrypt the data over a network. IsolatedStorage is used to store data that applies across multiple applications and is not tied to any particular application, such as the user's name or license information.
Example to create the isolated roaming store:

using System.IO.IsolatedStorage;

using (IsolatedStorageFile isoStore = IsolatedStorageFile.GetStore(
    IsolatedStorageScope.User | IsolatedStorageScope.Domain |
    IsolatedStorageScope.Assembly | IsolatedStorageScope.Roaming, null, null))
{
    isoStore.CreateDirectory("TopLevelDirectory");
    // CreateFile returns an open stream; dispose it to release the handle.
    isoStore.CreateFile("abc.txt").Dispose();
}
Example to get the isolated roaming store:

using System.IO.IsolatedStorage;

IsolatedStorageFile isoFile =
    IsolatedStorageFile.GetStore(IsolatedStorageScope.User |
                                 IsolatedStorageScope.Assembly |
                                 IsolatedStorageScope.Roaming, null, null);