Correct method of encrypting application data

Just a quick question about the use of encryption for app data.

Say you have a mobile app, this app needs to store some potentially sensitive data. In this case, a list of corporate IP addresses that need to be kept hidden.

The obvious answer would be to encrypt with the hash of a user's password. However, in this case a user account is optional and so a password may not exist. What would be the next best method of encrypting the stored data?

My first guess, and probably the least secure, is a key built into the application, but the issue here is the risk of different attacks that could see that password recovered.

Next guess would be finding some sort of identifier of the device that can be used as a seed for a password generator. Again, seems like a flawed method.

Last idea is to securely randomly generate the password and store it encrypted with one of the above methods.

Am I following the right train of thought or am I way off?

I have a decent understanding of cryptography algorithms, but finding the right application has me scratching my head. Any help would be much appreciated.

Thank you

The point is: as long as your data only resides on the mobile device, in the end you are limited. In that sense: if you need to store information in a secure and reliable way, then you should consider a "server side" solution.

If that isn't possible, the next best thing is to have your app ask the user for a distinct password, which is then used as the key as outlined in your question. You definitely do not want a single generic key that works for all users/devices.

But of course, asking the user to type a special password each time he wants to use the app will not be a solution your users will like. So you will have to offer the user to store that password somehow, which again increases the range of potential attacks.

Long story short: without a "remote" service you simply have to balance "user experience" with "enough security". Depending on your user set, you have to determine what is more crucial to these people: security or convenience.

"Next guess would be finding some sort of identifier of the device that can be used as a seed for a password generator. Again seems like a flawed method." --- ?

You can encrypt it with the hash of ANDROID_ID or UUID in place of the password.

What's your opinion on this?
