如何在 ac# 应用程序中正确保护 api 凭据
[英]How to correctly secure api credentials in a c# application
问题描述
Ok, so just a bit of a background on the setup.
好的,所以只是一些关于设置的背景。
i currently have a Web Api2 project which is the server side of this restful api.我目前有一个 Web Api2 项目,它是这个 Restful api 的服务器端。 Clients currently use a username/password combination to obtain a bearer token which is then used in subsequent api calls.客户端当前使用用户名/密码组合来获取不记名令牌,然后在随后的 api 调用中使用该令牌。 The project is stored in a private project on GitHub.该项目存储在 GitHub 上的私有项目中。
i am looking to build and deploy ac# windows service that will utilize this api.我正在寻找构建和部署将利用此 api 的 ac# windows 服务。 What would be the best practice in regards to deploying/storing the credentials along with this windows service.与此 Windows 服务一起部署/存储凭据的最佳实践是什么。
I control both ends of the api and i will be controlling the deployment of the windows service as well.我控制 api 的两端,我也将控制 Windows 服务的部署。 This will be packaged as an msi and deployed through some 3rd party software (automated).这将打包为 msi 并通过某些 3rd 方软件(自动化)进行部署。
Here are the requirements以下是要求
- Credentials cannot be stored in source control凭据不能存储在源代码管理中
- Credentials cannot be in plain text on the client side.客户端的凭据不能为纯文本。
So my question is, how would i get the api credentials onto the client, not in plain text but in a usable format?所以我的问题是,我如何将 api 凭证获取到客户端,而不是纯文本,而是可用的格式?
Or should i be looking into a different type of authentication for the api?或者我应该为 api 寻找不同类型的身份验证? I had a brief look at oauth2, but as far as i can tell you would need someone at the client side to accept?我对 oauth2 进行了简要介绍,但据我所知,您需要在客户端有人接受吗?
If anyone has any advice or resources on how to accomplish this, that would be awesome.如果有人对如何实现这一点有任何建议或资源,那就太棒了。
1 个解决方案
解决方案1
1 已采纳 2017-01-20 07:06:27
I'm not that of an expert, but I had a similar case, I'll take my chance for getting some down votes :0)我不是专家,但我有一个类似的案例,我会抓住机会获得一些反对票:0)
One approach in desktop/service applications is to ask the user to enter the credentials.桌面/服务应用程序中的一种方法是要求用户输入凭据。 If it's possible, then this is the best way for you.如果可能,那么这对您来说是最好的方法。 If the user can enter the credentials even once, you can save the data encrypted using ProtectedData (using this class you don't have to save the encryption key in your code, which is very easy to extract (using reflector...)).如果用户甚至可以输入一次凭据,您可以保存使用ProtectedData加密的数据(使用此类您不必在代码中保存加密密钥,这很容易提取(使用反射器...)) .
But if you want to do this automatic and store the credentials there isn't a good way to do so.但是,如果您想自动执行此操作并存储凭据,则没有好的方法可以这样做。 You can obfuscate the credentials, and prevent script kids to see them, but for more serious hackers, it will be rather easy to hack.您可以混淆凭据,并防止脚本小子看到它们,但对于更严重的黑客来说,破解将相当容易。
There are several other options but they are all hackables.还有其他几种选择,但它们都是可破解的。 A different approach will be to register each machine on your server with a MAC address and a random string (GUID will do the job) which is saved using the ProtectedData class and then only this specific key-value pair will be able to get data from your API.一种不同的方法是使用 MAC 地址和随机字符串(GUID 将完成工作)注册服务器上的每台机器,该字符串使用 ProtectedData 类保存,然后只有这个特定的键值对才能从中获取数据你的 API。 You have 2 problems here:你在这里有两个问题:
- If the user uninstall the app and reinstall it, then he won't be able to reconnect to the server (since he can't re-produce the same GUID).如果用户卸载应用程序并重新安装,则他将无法重新连接到服务器(因为他无法重新生成相同的 GUID)。 You can delete the user in the server and create a new user, but you can't just change the guid on the server since anyone will be able to hack the user data on the server.您可以删除服务器中的用户并创建一个新用户,但您不能只更改服务器上的 guid,因为任何人都可以破解服务器上的用户数据。
- Anyone will be able to open users on your API and use it.任何人都可以在您的 API 上打开用户并使用它。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.