简体繁体 English

Java-存储敏感数据

[英]Java - store sensitive data

原文 2010-03-21 18:00:33 9 3 java/ security

I develop application with Java. 我用Java开发应用程序。 I need to store some initial configuration data in some kind of file. 我需要在某种文件中存储一些初始配置数据。

I want my app to be able to read this data, but I don't want user to do so. 我希望我的应用程序能够读取此数据，但我不希望用户这样做。

Example : application loads IP from encrypted file. 示例：应用程序从加密文件加载IP。 User sees like "dsda@#21da@" so he won't bother doing anything :) 用户看到的像是“ dsda @＃21da @”，因此他不会打扰任何事情:)

How should I do such a thing? 我该怎么做？ Thanx! 谢谢！

3 个解决方案

Are we talking about standard users or IT-savvy users? 我们是在谈论标准用户还是精通IT的用户？

For standard users i'd recommend to store the string base64 encoded. 对于标准用户，我建议存储以base64编码的字符串。 Or Just in an undefined binary format. 或只是未定义的二进制格式。

Otherwise... encryption with a hardcoded key? 否则...使用硬编码密钥加密吗？

If (as you say) you manage user passwords, you should not store them at all. 如果（如您所说）管理用户密码，则根本不应该存储它们。 Clear text, static keys, custom keys, it doesn't matter - someone with access to the data store and your program will always be able to retrieve them. 明文，静态键，自定义键都没关系-有权访问数据存储区和您的程序的人将始终能够检索它们。 What you do instead is use salt and a good hash function and store/compare only the hash values. 您要做的是使用salt和良好的哈希函数，并仅存储/比较哈希值。

Possibly OT, but since you mentioned it is configuration data; 可能是OT，但是由于您提到过，所以它是配置数据。 I know I'd be a little peeved to have gibberish shown to me by an application. 我知道通过应用程序向我显示乱码会有点可恶。 Either allow the users to see the data, and modify it at their risk ... or do not allow the configuration to be visible at all. 要么让用户看到数据，然后自行修改数据……要么根本不允许配置可见。

As a rule of thumb, if it is sensitive data ... don't store it in your application. 根据经验，如果它是敏感数据，请不要将其存储在您的应用程序中。