
Store client secret securely

I know that a public client shouldn't use a client secret because, no matter how much you obfuscate it, it won't be protected from reverse engineering.

But, the people in charge of the service I am authenticating to don't want to/can't change it. So, I need to store the client secret and try to protect it from reverse engineering as much as I can.

So, I thought of encrypting it at build time using gradle and storing it in a file. Then, when I need it at run time, I decrypt it. But now I have to solve the problem of how to store the encryption key...

I don't know much about security, so I don't know if this can be solved, or if Android (min sdk 15) provides any mechanism for this kind of scenario.

Any idea?

This article suggests these options, from least to most secure:

  1. Store in cleartext

  2. Store encrypted using a symmetric key

  3. Using the Android Keystore

  4. Store encrypted using asymmetric keys

Probably, using a combination of #4 and some way to univocally identify the device would be secure enough.

Maybe the best option is to use NDK because it cannot be decompiled, as Godfrey Nolan points out here.

Here is a resource I found useful that helped me to implement it: link to the resource

Cheers

As you said, whatever you do, however much you try to hide your key, you cannot hide it 100%. But if you want to make the reverse engineer's work harder:

Firstly, obfuscate your client (I guess you already do).

Secondly, do not hard-code your key into the client. Receive the key after login or after the user has opened the application, and deliver the secret key to the client over SSL. Store the secret as a byte array and do not save it in the client; just keep it in memory.

These steps do not guarantee the safety of the secret key, but they make the reverse engineer's job really hard.

You can also try DexGuard to obfuscate and encrypt the data. DexGuard is made by the same people who developed ProGuard.

@Semih's answer was on the right track. The secret key part is what needs to be expanded upon.

  1. The secret key is between the application and the gateway server, not the underlying services.
  2. The gateway server is responsible for converting that key to something specific for the services.

The secret key is built using the following after the login process is complete:

  1. The server generates a key pair specific to the client logging in.
  2. The server's public key is sent, for encryption specific to the client logging in.
  3. The app will generate a key pair for its own purposes.
  4. The app will send its public key encrypted with the server's public key.
  5. The server will validate that the public key is signed with their public key.

Any future requests would involve the following:

All data being sent from the client to the server would be encrypted using JWT: the message would be signed by the app's private key and encrypted using the server's public key.

The problem is securing #1: anyone can log in and get the process started, so how would you prevent that? The only way I can think of is to do a CAPTCHA check on the login.

The solution pushes the storage of the client secrets to the server rather than the app itself, protecting them using the app's credentials.
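The handshake and the sign-then-encrypt request sketched in this answer, as an added example that is not code from the thread. It assumes an RSA-2048 server key pair, an EC P-256 app key pair, both sides already talking over TLS, and runs both sides in one process; the server's step 5 here is simply "unwrap and parse the app's key", since a public key cannot be used to sign anything.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.spec.X509EncodedKeySpec;
import javax.crypto.Cipher;
// Added example, not from the thread. Assumed: server key pair RSA-2048, app key
// pair EC P-256 (its ~91-byte X.509 encoding fits under RSA-OAEP; an RSA public
// key would not), transport already TLS. Only JCA classes available on Android.
public class AppServerHandshake {
    static final String WRAP = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding";
    static final String SIGN = "SHA256withECDSA";
    static KeyPair gen(String alg, int bits) throws Exception {
        KeyPairGenerator g = KeyPairGenerator.getInstance(alg);
        g.initialize(bits);
        return g.generateKeyPair();
    }
    // RSA-OAEP takes at most 190 bytes at 2048 bits; longer bodies need a hybrid (AES) scheme.
    static byte[] rsa(int mode, Key k, byte[] data) throws Exception {
        Cipher c = Cipher.getInstance(WRAP);
        c.init(mode, k);
        return c.doFinal(data);
    }
    static byte[] sign(PrivateKey k, byte[] data) throws Exception {
        Signature s = Signature.getInstance(SIGN);
        s.initSign(k); s.update(data);
        return s.sign();
    }
    static boolean verify(PublicKey k, byte[] data, byte[] sig) throws Exception {
        Signature s = Signature.getInstance(SIGN);
        s.initVerify(k); s.update(data);
        return s.verify(sig);
    }
    static boolean exchange() throws Exception {
        KeyPair server = gen("RSA", 2048); // step 1: fresh per login, server side
        KeyPair app = gen("EC", 256);      // step 3: app side, private key stays in memory
        // step 4: the app sends its public key encrypted to the server's public key
        byte[] wrapped = rsa(Cipher.ENCRYPT_MODE, server.getPublic(), app.getPublic().getEncoded());
        // step 5: the server unwraps and parses it; anything malformed fails here
        PublicKey appPub = KeyFactory.getInstance("EC").generatePublic(
                new X509EncodedKeySpec(rsa(Cipher.DECRYPT_MODE, server.getPrivate(), wrapped)));
        // a later request: signed with the app's private key, encrypted to the server
        byte[] msg = "GET /profile".getBytes(StandardCharsets.UTF_8);
        byte[] sig = sign(app.getPrivate(), msg);
        byte[] sealed = rsa(Cipher.ENCRYPT_MODE, server.getPublic(), msg);
        // server: decrypt, then check the signature against the key registered at login
        return verify(appPub, rsa(Cipher.DECRYPT_MODE, server.getPrivate(), sealed), sig);
    }
    public static void main(String[] args) throws Exception {
        if (!exchange()) throw new IllegalStateException("server rejected the request");
    }
}
```

When the app and the server run on different JCA providers, pass an explicit OAEPParameterSpec on both sides, because providers disagree on the MGF1 digest behind this transformation name and decryption will otherwise fail.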
