简体繁体 English

如何通过反编译器向精明的用户隐藏硬编码的用户名和密码？

[英]How can I hide a hard coded username and password from a savvy user with a decompiler?

原文 2012-03-03 18:02:42 3 7 c#/ obfuscation/ decompiling/ dotfuscator

I want to create a simple C# application that uploads a text file to my web server. 我想创建一个简单的C＃应用程序，将文本文件上传到我的Web服务器。 But to do this I need to have my username and password included in the code. 但是要做到这一点，我需要在代码中包含我的用户名和密码。 I've tried using the obfuscator that's included in Visual Studio, but after decompiling with a free decompiler I was still able to find them. 我曾尝试使用Visual Studio中包含的混淆器，但是使用免费的反编译器反编译后，我仍然能够找到它们。

Is this possible? 这可能吗？

Thanks! 谢谢！

7 个解决方案

Perhaps you need to rethink the fundamentals here 也许您需要在这里重新考虑基础知识

You can never secure a platform that attackers have physical access to 您永远无法保护攻击者可以物理访问的平台
You want to achieve a situation, whereby your users, on their own platform, can submit a text file to your server, but only using your application. 您想要实现一种情况，用户可以在自己的平台上将文本文件提交到服务器，但只能使用您的应用程序。 Even using SSL, this gets tricky since they can always monitor the HTTP communication 即使使用SSL，这也很棘手，因为他们始终可以监视HTTP通信
You can never trust anything that comes from the internet. 您永远无法相信来自互联网的任何信息。 Yes, that includes your text file too. 是的，它也包括您的文本文件。

What you should do instead, is configuring the server so that regardless on what is being sent to it, it does not affect your business case. 您应该做的是配置服务器，以便无论发送给它什么，它都不会影响您的业务案例。

What are you using that username/password for? 您正在使用该用户名/密码做什么？

Put it this way - if the username and password reside on the user's computer, and some program has to operate on that data in unencrypted form at some point, it is logically impossible to guarantee they are unable to view it. 这样说-如果用户名和密码位于用户的计算机上，并且某些程序必须在某个时候以未加密的形式对该数据进行操作，则从逻辑上讲不可能保证他们无法查看该数据。 So the answer is no. 所以答案是否定的。 It's a logical impossibility. 这在逻辑上是不可能的。

Perhaps you could create a separate user on your web server with very restricted permissions and use that instead? 也许您可以在具有非常严格的权限的Web服务器上创建一个单独的用户，而改为使用它？ Then you'd have less to worry about if the user was able to retrieve the credentials from your application. 这样，您就不必担心用户是否能够从您的应用程序中检索凭据。

No. 没有。

The only way to prevent users from decompiling your code, and seeing everything in it, is not to give them your code, ie, put the code on a server (under your control) instead of the client. 防止用户反编译您的代码并查看其中所有内容的唯一方法是不向他们提供您的代码，即，将代码放在服务器上（由您控制）而不是客户端上。

Consider writing something server-side (WCF endpoint, REST service, or something similar) that lets them send the content via something like an HTTP POST, with no authentication required. 考虑编写一些服务器端（WCF端点，REST服务或类似的东西），使他们可以通过HTTP POST之类的方式发送内容，而无需身份验证。 Then there's no password to crack, but your server-side code is in full control of what happens to the content that gets sent. 这样就没有密码可破解了，但是您的服务器端代码可以完全控制要发送的内容发生了什么。

No. You could encrypt them, but you'll need to get a decryption key from somewhere, and its likely that someone determined enough will be able to decompile your code and figure out where that key is. 不可以。您可以对它们进行加密，但是您需要从某个地方获取解密密钥，并且有足够决心的人很可能可以反编译您的代码并弄清楚该密钥在哪里。

I suppose you might be able to have a web request that returns a one time username and password.. so your application would call that, get the user / pwd and use it to upload. 我想您可能可以通过Web请求返回一次用户名和密码..因此您的应用程序将调用该请求，获取用户/ pwd并使用它进行上传。 Once used, you'd need a way to disable / delete that account. 使用后，您需要一种禁用/删除该帐户的方法。

More details might lead to an answer that's more likely to work for you, as maybe my solution is too much for what your concerns are. 更多详细信息可能会为您提供一个更可能适用的答案，因为也许我的解决方案对于您所关注的问题而言过于复杂。

Does it need to be in the source code? 是否需要在源代码中？ If this only needs to run on your computer when you're logged in you could store the password in a file and protect it with file permissions. 如果仅在登录时需要在计算机上运行此密码，则可以将密码存储在文件中，并以文件权限对其进行保护。

What kind of access are you talking about ? 您在谈论哪种访问方式？ If user and password is required to make the upload, then it will ultimately be accessible in the code, and even easier, using a proxy / network listening tool. 如果需要用户和密码来进行上传，则最终可以使用代理/网络侦听工具在代码中对其进行访问，甚至更加容易。 Would it be possible to create a specific user for your application that has only upload capability (not reading any other's files, etc.) ? 是否可以为您的应用程序创建一个仅具有上载功能（不读取任何其他文件等）的特定用户？

You cant rely on code to safely and securely store credentials. 您不能依靠代码来安全地存储凭据。 You should consider passing the user name and password into your program as parameters and rely on the appropriate operating system security (eg windows security) to prevent users from accessing them. 您应该考虑将用户名和密码作为参数传递到程序中，并依靠适当的操作系统安全性（例如Windows安全性）来防止用户访问它们。

If you are in an environment where you cannot control the windows credentials, you should consider a server side authorization over a secure connection like SSL. 如果您在无法控制Windows凭据的环境中，则应考虑通过安全连接（例如SSL）进行服务器端授权。